fix(iso): auto-detect and install kernel headers at build time

- Dockerfile: linux-headers-amd64 meta-package instead of pinned ABI;
  remove DEBIAN_KERNEL_ABI build-arg (no longer needed at image build time)
- build-in-container.sh: drop --build-arg DEBIAN_KERNEL_ABI
- build.sh: apt-get update + detect ABI from apt-cache at build time;
  auto-install linux-headers-<ABI> if kernel changed since image build

Image rebuild is now needed only when changing Go version or lb tools,
not on every Debian kernel point release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/build.sh

@@ -34,18 +34,27 @@ mkdir -p "${CACHE_ROOT}"
 : "${GOMODCACHE:=${CACHE_ROOT}/go-mod}"
 export GOCACHE GOMODCACHE
 
-# Auto-detect kernel ABI from apt when not pinned explicitly.
+# Auto-detect kernel ABI: refresh apt index, then query current linux-image-amd64 dependency.
+# If headers for the detected ABI are not yet installed (kernel updated since image build),
+# install them on the fly so NVIDIA modules and ISO kernel always match.
 if [ -z "${DEBIAN_KERNEL_ABI}" ] || [ "${DEBIAN_KERNEL_ABI}" = "auto" ]; then
+    echo "=== refreshing apt index to detect current kernel ABI ==="
+    apt-get update -qq
     DEBIAN_KERNEL_ABI=$(apt-cache depends linux-image-amd64 2>/dev/null \
         | awk '/Depends:.*linux-image-[0-9]/{print $2}' \
         | grep -oE '[0-9]+\.[0-9]+\.[0-9]+-[0-9]+' \
         | head -1)
     if [ -z "${DEBIAN_KERNEL_ABI}" ]; then
         echo "ERROR: could not auto-detect kernel ABI from apt-cache" >&2
-        echo "  Run: apt-cache depends linux-image-amd64" >&2
         exit 1
     fi
-    echo "=== kernel ABI auto-detected: ${DEBIAN_KERNEL_ABI} ==="
+    echo "=== kernel ABI: ${DEBIAN_KERNEL_ABI} ==="
+fi
+
+KVER="${DEBIAN_KERNEL_ABI}-amd64"
+if [ ! -d "/usr/src/linux-headers-${KVER}" ]; then
+    echo "=== installing linux-headers-${KVER} (kernel updated since image build) ==="
+    apt-get install -y "linux-headers-${KVER}"
 fi
 
 echo "=== bee ISO build ==="