fix: system upgrade doesnt support non unix socket docker hosts

[kmendell]

Checklist

• This PR is not opened from my fork’s main branch

What This PR Implements

Fixes: #2644

Changes Made

Testing Done

• Development environment started: ./scripts/development/dev.sh start
• Frontend verified at http://localhost:3000
• Backend verified at http://localhost:3552
• Manual testing completed (describe):
• No linting errors (e.g., just lint all)
• Backend tests pass: just test backend

AI Tool Used (if applicable)

AI Tool:
Assistance Level:
What AI helped with:
I reviewed and edited all AI-generated output:
I ran all required tests and manually verified changes:

Additional Context

Disclaimer Greptiles Reviews use AI, make sure to check over its work.

To better help train Greptile on our codebase, if the comment is useful and valid Like the comment, if its not helpful or invalid Dislike

To have Greptile Re-Review the changes, mention greptileai.

Greptile Summary

This PR fixes system upgrades when Docker is accessed via a non-unix socket (e.g. a TCP socket proxy). The old code unconditionally bind-mounted /var/run/docker.sock, which is meaningless for TCP/HTTP Docker hosts.

• Error variables previously living as package-level sentinels in the services package are moved to typed error structs in common, with an IsUpgradeInProgressError helper using errors.As for unwrap-safe detection.
• A new resolveSystemUpgraderRuntimeOptionsInternal function (reusing the existing Trivy socket helpers from vulnerability_service.go) determines at runtime whether the upgrader container needs a socket bind-mount (unix) or a matching network mode + DOCKER_HOST env var (TCP/HTTP).

Confidence Score: 4/5

The change is safe to merge; the core upgrade path for non-unix Docker hosts is now handled correctly, and the unix path is functionally unchanged.

The functional logic is well-structured and reuses battle-tested helpers already used by the vulnerability scanner. The only finding is a pre-existing naming convention that two modified methods don't follow — a style gap, not a correctness problem.

system_upgrade_service.go — the two modified unexported methods could use a naming pass for consistency with the rest of the file.

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
backend/internal/services/system_upgrade_service.go:279-285
**Naming convention not followed for modified unexported methods**

The unexported methods `getCurrentContainerID` (line 279) and `findArcaneContainer` (line 288) are both modified in this PR but don't carry the required `Internal` suffix that the codebase convention mandates for all unexported functions. Every other unexported function added or modified in this changeset — `resolveSystemUpgraderRuntimeOptionsInternal`, `determineUpgradeBinaryPathInternal`, etc. — already follows the convention.

_{Reviews (1): Last reviewed commit: "fix: system upgrade doesnt support non u..." | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

Context used:

• Rule used - What: All unexported functions must have the "Inte... (source)

[kmendell]

• fix: system upgrade doesnt support non unix socket docker hosts #2651 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[getarcaneappbot]

Container images for this PR have been built successfully!

• Manager: ghcr.io/getarcaneapp/manager:pr-2651
• Agent: ghcr.io/getarcaneapp/agent:pr-2651

Built from commit e04589b

[greptile-apps]

Naming convention not followed for modified unexported methods

The unexported methods getCurrentContainerID (line 279) and findArcaneContainer (line 288) are both modified in this PR but don't carry the required Internal suffix that the codebase convention mandates for all unexported functions. Every other unexported function added or modified in this changeset — resolveSystemUpgraderRuntimeOptionsInternal, determineUpgradeBinaryPathInternal, etc. — already follows the convention.

Rule Used: What: All unexported functions must have the "Inte... (source)

Prompt To Fix With AI

This is a comment left during a code review.
Path: backend/internal/services/system_upgrade_service.go
Line: 279-285

Comment:
**Naming convention not followed for modified unexported methods**

The unexported methods `getCurrentContainerID` (line 279) and `findArcaneContainer` (line 288) are both modified in this PR but don't carry the required `Internal` suffix that the codebase convention mandates for all unexported functions. Every other unexported function added or modified in this changeset — `resolveSystemUpgraderRuntimeOptionsInternal`, `determineUpgradeBinaryPathInternal`, etc. — already follows the convention.

**Rule Used:** What: All unexported functions must have the "Inte... ([source](https://app.greptile.com/review/custom-context?memory=306fc233-4d2f-4ac4-bdf7-8059588e8a43))

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!