fix(upgrade): pin docker pull platform off DEVICE_TYPE

[vpetersson]

Issues Fixed

Reported on a Pi 4 running 64-bit Raspberry Pi OS Trixie with Docker Engine 29.4.2:

$ docker compose pull
Error response from daemon: no matching manifest for linux/arm/v8 in the manifest list entries: no match for platform in manifest: not found

uname -m is aarch64, dpkg --print-architecture is arm64, docker info reports Architecture: aarch64, and the GHCR manifest for latest-pi4-64 exposes a clean arm64/linux entry — yet the daemon requests linux/arm/v8 (32-bit ARMv8) and fails to match. docker pull --platform linux/arm64 … succeeds, confirming this is host-platform auto-detect on Docker 29.4.x mis-classifying the host.

Description

bin/upgrade_containers.sh already derives DEVICE_TYPE from /proc/device-tree/model, so we know the correct platform without trusting Docker's host detection. Set DOCKER_DEFAULT_PLATFORM explicitly:

• pi4-64, pi5 → linux/arm64
• pi2, pi3 → linux/arm/v7
• x86 → linux/amd64

The existing sudo -E docker compose pull propagates the export. No build-pipeline / image-builder change needed — the published manifests are correct.

Checklist

• I have performed a self-review of my own code.
• New and existing unit tests pass locally and on CI with my changes.
• I have done an end-to-end test for Raspberry Pi devices.
• I have tested my changes for x86 devices.
• I added a documentation for the changes I have made (when necessary).

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[vpetersson]

Superseded by the ansible-side fix on `fix/ansible-docker-arch-reconciliation` (PR coming).

Diagnosis got further than this PR: the `linux/arm/v8` platform error wasn't a Docker host-detection bug, it was a downstream symptom of `docker-ce:armhf` getting installed on aarch64 Pi 4 hosts. Root cause is a regression introduced in #2779 — the Trixie upgrade renamed `DEVICE_TYPE` from `pi4` to `pi4-64` in `bin/install.sh` / `bin/upgrade_containers.sh` / `ansible/site.yml` validator, but missed the conditional in `ansible/roles/system/tasks/docker.yml`, which still checks `device_type in ['pi4', 'pi5']`. Every Pi 4 host that ran `bin/run_upgrade.sh` after #2779 merged on 2026-04-30 had its docker-ce silently swapped from arm64 to armhf — confirmed via apt history on a live device (arm64 install on 2026-04-28, armhf re-install on 2026-05-02).

This PR's `DOCKER_DEFAULT_PLATFORM` pin would only have worked around the manifest match step; the seccomp filter on an armhf daemon would still SIGSYS containers at runtime regardless. Ansible-side fix is the correct layer.