chore-2193: add Rocky Linux setup script #2490

Merged
crivetimihai merged 4 commits into main from 2193-rocky
Jan 25, 2026

Collaborator

@jonpspri jonpspri commented Jan 25, 2026

Summary

  • Add setup script for Rocky Linux and RHEL-compatible distributions
  • Adapts the Ubuntu setup script (scripts/ubuntu-contextforge-setup-script.sh) for RHEL-based systems
  • Uses dnf package manager and Docker CE RHEL repository

Changes

  • Use dnf package manager instead of apt
  • Docker CE installation via RHEL repository (https://download.docker.com/linux/rhel/docker-ce.repo)
  • OS detection for Rocky Linux, RHEL, CentOS, and AlmaLinux
  • Support for x86_64 and aarch64 architectures
  • Remove podman during Docker installation (common on RHEL-based systems)

Closes #2193

Copilot AI review requested due to automatic review settings January 25, 2026 15:19
Contributor

Copilot AI left a comment

Pull request overview

Adds a Rocky Linux / RHEL-compatible setup script to install prerequisites, install Docker CE via the RHEL repo, and bootstrap ContextForge similarly to the existing Ubuntu setup script.

Changes:

  • Introduces scripts/rocky-contextforge-setup-script.sh with OS detection for Rocky/RHEL/CentOS/AlmaLinux and dnf-based package installs
  • Installs Docker CE via https://download.docker.com/linux/rhel/docker-ce.repo, enables the Docker service, and configures the user for docker group usage
  • Clones the ContextForge repo, creates .env from .env.example, and optionally starts/verifies services

echo
echo "Examples:"
echo " $0 # Install to ~/mcp-context-forge and start"
echo " $0 /opt/contextforge # Install to /opt/contextforge and start"

Copilot AI Jan 25, 2026

The help text suggests installing to /opt/contextforge, but the script is explicitly intended to run as a non-root user and will fail to git clone into /opt on most systems. Consider changing the example to a user-writable path or noting that the directory must be pre-created and owned by the running user.

Suggested change
echo " $0 /opt/contextforge # Install to /opt/contextforge and start"
echo " $0 ~/contextforge # Install to ~/contextforge and start"

Comment on lines +72 to +89
# Get architecture string for Docker repo
get_docker_arch() {
local arch
arch=$(uname -m)
case "$arch" in
x86_64)
echo "x86_64"
;;
aarch64)
echo "aarch64"
;;
*)
log_error "Unsupported architecture: $arch"
exit 1
;;
esac
}
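
Review bot: the `exit 1` in the `*)` branch of get_docker_arch() will not stop the script if the function is called the way its echo-based return value implies, as `arch=$(get_docker_arch)`. The command substitution runs in a subshell, so only that subshell exits and the caller continues with an empty value unless it checks the status or runs under `set -e`. Suggest `return 1` in the function and an explicit `arch=$(get_docker_arch) || exit 1` at the call site.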

Copilot AI Jan 25, 2026

get_docker_arch() is defined but never used, which adds dead code and may confuse readers about architecture handling. Either remove this function or wire it into Docker repo/package selection so the architecture check is actually enforced.

Suggested change
# Get architecture string for Docker repo
get_docker_arch() {
local arch
arch=$(uname -m)
case "$arch" in
x86_64)
echo "x86_64"
;;
aarch64)
echo "aarch64"
;;
*)
log_error "Unsupported architecture: $arch"
exit 1
;;
esac
}

Comment on lines +99 to +109
# Remove old Docker packages if present
sudo dnf remove -y docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine \
podman \
runc 2>/dev/null || true
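
Review bot: `2>/dev/null || true` on the last line of the `dnf remove` command hides every failure, not only "package not installed". A sudo authentication failure or a locked dnf database is silenced the same way, and the script then goes on to install Docker CE with the old packages still present. Suggest dropping the stderr redirect, or querying with `rpm -q` which of these packages are installed and removing only those, so that real errors surface.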

Copilot AI Jan 25, 2026

The Docker install step unconditionally removes podman (and runc) via dnf remove. On many RHEL-compatible hosts, podman is used by other tooling and removing it can uninstall dependent packages or break existing workflows. Consider making podman removal opt-in (prompt/flag), or restrict removals to packages that actually conflict with Docker CE (e.g., podman-docker) and avoid removing runc unless required.

Comment on lines +149 to +151
log_info "Installing uv..."
curl -LsSf https://astral.sh/uv/install.sh | sh >&2
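
Review bot: in `curl -LsSf https://astral.sh/uv/install.sh | sh >&2` the pipeline's exit status is that of `sh`, so a curl failure goes unnoticed. With `-f`, curl writes nothing to the pipe on an HTTP error, `sh` reads an empty script and exits 0, and the "Installing uv..." step appears to succeed. Whether `set -o pipefail` is in effect is not visible in this hunk. Suggest downloading to a temporary file with `-o`, checking curl's exit status, and running the file only after that check.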

Copilot AI Jan 25, 2026

The command curl -LsSf https://astral.sh/uv/install.sh | sh downloads and executes a remote installer script without any integrity or authenticity verification, so a compromise of astral.sh or its TLS path would lead to arbitrary code execution under the current user. An attacker who can influence DNS, the network path, or that host could serve a malicious script and gain full control of the environment where this setup script is run. Use a distribution-verified package/source or at minimum verify a pinned checksum/signature of the installer before executing it, rather than piping curl output directly into sh.
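
The review comment above asks for a pinned checksum to be verified before the installer runs. One way to do that in a setup script, as an added example (not code from this pull request or from the uv project): the function names and the constructed stand-in installer are assumptions, and a real pinned digest has to come from a source you trust.

```bash
#!/usr/bin/env bash
# Added example: run a downloaded installer only if it matches a pinned SHA-256.
# All function names are hypothetical; nothing here is from the PR's script.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fetch_installer URL DEST: download to a file instead of a pipe, so an HTTP
# error (-f) fails here and nothing is executed.
fetch_installer() {
    curl --proto '=https' --tlsv1.2 -LsSf "$1" -o "$2"
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 without executing anything if FILE is empty or its digest differs
# from the pinned value; otherwise returns the installer's own exit status.
run_verified() {
    local file="$1" expected="$2" actual
    shift 2
    [ -s "$file" ] || { echo "installer missing or empty: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $actual" >&2
        return 2
    fi
    sh "$file" "$@"
}

# Offline demonstration on a constructed stand-in installer (not the uv one).
demo() {
    local dir pin
    dir=$(mktemp -d) || return 1
    printf 'echo installed > "$1"\n' > "$dir/install.sh"
    pin=$(sha256_of "$dir/install.sh")            # digest recorded while trusted
    run_verified "$dir/install.sh" "$pin" "$dir/marker" || return 1
    printf 'echo tampered >> "$1"\n' >> "$dir/install.sh"   # content changes later
    if run_verified "$dir/install.sh" "$pin" "$dir/marker" 2>/dev/null; then
        return 1                                  # tampered file must not run
    fi
    [ "$(cat "$dir/marker")" = "installed" ]
}
```

In a setup script the two steps would be chained as `fetch_installer "$url" "$tmp" && run_verified "$tmp" "$PINNED_SHA256"`, where `PINNED_SHA256` is a placeholder for a digest committed alongside the script.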

@crivetimihai crivetimihai self-assigned this Jan 25, 2026
Add setup script for Rocky Linux and RHEL-compatible distributions.
Adapts the Ubuntu setup script with the following changes:

- Use dnf package manager instead of apt
- Docker CE installation via RHEL repository
- OS detection for Rocky, RHEL, CentOS, and AlmaLinux
- Support for x86_64 and aarch64 architectures

Closes #2193

Signed-off-by: Jonathan Springer <jps@s390x.com>
Check if Docker is logged in before running docker-compose to avoid
image pull failures. If not logged in, prompt user with options:
- Interactive login (username/password prompts)
- Username with password from stdin (for automation)
- Skip login (continue without authentication)

Supports custom registry URLs for non-Docker Hub registries.

Signed-off-by: Jonathan Springer <jps@s390x.com>
@crivetimihai
Member

Changes Made During Review

Bug Fixes

  • Fixed arg parsing bug: --skip-start now works in any position (was only working as 2nd arg)
  • Fixed run_docker_cmd quoting bug: Arguments with spaces now properly escaped using printf '%q'
  • Fixed password stdin handling: Option 2 now uses read -s for hidden input and pipes via printf '%s'
  • Fixed git pull on non-repo directory: Now checks for .git directory and exits with clear error if missing

Security & Hardening

  • Added --allowerasing to dnf install for robust package conflict handling
  • Added -r flag to read commands for proper backslash handling
  • Password cleared from memory with unset after use
  • Removed unused get_docker_arch() function

New Features

  • -y, --yes flag: Fully non-interactive mode for automation
    • Auto-confirms all prompts
    • Fails fast with clear error on unsupported OS
    • Auto-pulls latest changes if repo exists
  • --remove-podman flag: Removes podman/runc without prompting
  • Interactive podman removal prompt: Warns users before removing podman/runc (can break existing workflows)

Consistency Improvements

  • Applied same fixes to Ubuntu setup script
  • Updated help text with proper Options/Arguments sections
  • Fixed examples (removed /opt paths that require root)

Commits

  1. 1f6e550af - chore-2193: add Rocky Linux setup script
  2. 74f062a12 - chore-2193: add Docker login check before compose-up
  3. 5255f78a6 - fix: add non-interactive mode and git repo check to setup scripts

Usage Examples

# Fully non-interactive Rocky install
./rocky-contextforge-setup-script.sh -y --remove-podman --skip-start

# Fully non-interactive Ubuntu install
./ubuntu-contextforge-setup-script.sh -y --skip-start

Apply to both Rocky and Ubuntu setup scripts:
- Add -y/--yes flag for fully non-interactive operation
- Check for .git directory before running git pull
- Fail fast with clear error if directory exists but isn't a git repo
- Auto-confirm prompts in non-interactive mode
- Exit with error on unsupported OS in non-interactive mode

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
Member

Testing in Docker Container

Additional Fix

Added --allowerasing to system packages install to handle curl-minimal vs curl conflict in Rocky minimal images.

Test Results (Rocky Linux 9.7 container)

✅ Detected: Rocky Linux 9.7 (Blue Onyx)
✅ System packages installed (with curl-minimal→curl replacement)  
✅ Docker CE 29.1.5 installed
✅ -y --remove-podman --skip-start flags working
❌ systemctl start docker (expected - no systemd in container)

Test Command

docker run --privileged --rm rockylinux/rockylinux:9 bash -c '
  dnf install -y sudo
  useradd -m contextforge
  echo "contextforge ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/contextforge
  curl -fsSL https://raw.githubusercontent.com/IBM/mcp-context-forge/2193-rocky/scripts/rocky-contextforge-setup-script.sh \
    -o /home/contextforge/setup.sh
  chmod +x /home/contextforge/setup.sh
  chown contextforge:contextforge /home/contextforge/setup.sh
  su - contextforge -c "./setup.sh -y --remove-podman --skip-start"
'

Full systemd testing requires a VM or init-enabled container.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
Member

Full E2E Test with Init Container (systemd)

Test Environment

  • Image: rockylinux/rockylinux:9-ubi-init
  • Rocky Linux: 9.7 (Blue Onyx)
  • Mode: Privileged container with systemd running as PID 1

Test Command

docker run --privileged --rm -d \
  --name rocky-init-test \
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
  --cgroupns=host \
  rockylinux/rockylinux:9-ubi-init /sbin/init

docker exec rocky-init-test bash -c '
  dnf install -y sudo
  useradd -m contextforge
  echo "contextforge ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/contextforge
'

docker cp scripts/rocky-contextforge-setup-script.sh rocky-init-test:/home/contextforge/setup.sh
docker exec rocky-init-test chown contextforge:contextforge /home/contextforge/setup.sh
docker exec rocky-init-test chmod +x /home/contextforge/setup.sh
docker exec rocky-init-test su - contextforge -c "./setup.sh -y --remove-podman --skip-start"

Results ✅

| Component | Status | Details |
|---|---|---|
| OS Detection | ✅ PASS | Detected Rocky Linux 9.7 (Blue Onyx) |
| System Packages | ✅ PASS | git, make, curl installed (--allowerasing fixed curl-minimal conflict) |
| Docker CE | ✅ PASS | Version 29.1.5 installed |
| Docker Service | ✅ PASS | systemctl start/enable docker succeeded |
| Docker Compose | ✅ PASS | Version 5.0.2 |
| uv | ✅ PASS | Version 0.9.26 installed |
| Repository Clone | ✅ PASS | Cloned to ~/mcp-context-forge |
| .env Creation | ✅ PASS | Created from .env.example |
| Non-interactive Mode | ✅ PASS | -y --remove-podman --skip-start worked without prompts |

Docker Service Verification

● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: disabled)
     Active: active (running)
     Main PID: 474 (dockerd)

Related

Created issue #2501 for comprehensive E2E setup script testing infrastructure across multiple distributions.

@crivetimihai crivetimihai merged commit 41f23be into main Jan 25, 2026
48 of 50 checks passed
@crivetimihai crivetimihai deleted the 2193-rocky branch January 25, 2026 18:10
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
* chore-2193: add Rocky Linux setup script

Add setup script for Rocky Linux and RHEL-compatible distributions.
Adapts the Ubuntu setup script with the following changes:

- Use dnf package manager instead of apt
- Docker CE installation via RHEL repository
- OS detection for Rocky, RHEL, CentOS, and AlmaLinux
- Support for x86_64 and aarch64 architectures

Closes IBM#2193

Signed-off-by: Jonathan Springer <jps@s390x.com>

* chore-2193: add Docker login check before compose-up

Check if Docker is logged in before running docker-compose to avoid
image pull failures. If not logged in, prompt user with options:
- Interactive login (username/password prompts)
- Username with password from stdin (for automation)
- Skip login (continue without authentication)

Supports custom registry URLs for non-Docker Hub registries.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* fix: add non-interactive mode and git repo check to setup scripts

Apply to both Rocky and Ubuntu setup scripts:
- Add -y/--yes flag for fully non-interactive operation
- Check for .git directory before running git pull
- Fail fast with clear error if directory exists but isn't a git repo
- Auto-confirm prompts in non-interactive mode
- Exit with error on unsupported OS in non-interactive mode

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Linting

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Jonathan Springer <jps@s390x.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Development

Successfully merging this pull request may close these issues.

[CHORE]: Add Rocky Linux setup script variant