feat: manage docker group with systemd-sysusers (carry #1187)

[thaJeztah]

• carries / closes all: manage docker group with systemd-sysusers #1187
• closes manage docker group with systemd-sysusers #1186

Switches away from the groupadd postinstall commands to managing the docker group with sysusers.

This is a declarative way to create and manage users, better suited for the atomic distros such as Silverblue.

- What I did

- How I did it

- How to verify it

- Description for the changelog

deb, rpm packages: manage docker group with systemd-sysusers instead of post-install script.

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

With this PR;

apt-get -y  update && apt-get -y install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo   "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get -y update
apt install ./docker-ce_0.0.0~20250520085713.af09051-1~debian.13~trixie_arm64.deb

The docker.conf is installed in /etc/sysusers.d/docker.conf

ls -l /etc/sysusers.d
total 4
-rw-r--r-- 1 root root 235 May 20 11:03 docker.conf

❓ https://manpages.debian.org/bookworm/debhelper/dh_installsysusers.1.en.html describes that dh_installsysusers would install this in /usr/lib/sysusers.d/docker.conf - is that the more correct location for this? @tianon @neersighted ?

[tianon]

If it's installed by a package, yes, absolutely.

[thaJeztah]

If it's installed by a package, yes, absolutely.

Updated to install in /usr/lib/sysusers.d/

I was also still trying to use the symlink approach, but didn't manage to get that working so far; #1196

[thaJeztah]

@vvoland @tianon @neersighted ptal

[p5]

Thank you for taking over this PR!
Work has got extremely busy lately and I've not had chance to do much else. I was going to take a look again today, then noticed this PR.

These changes all look great, and all make complete sense. The old PR had "test" code which I used while waiting for the moby/moby PR to merge, which you've cleared up.

---

I too couldn't figure out the Debian dh_installsysusers part, so did what I thought was the bare minimum to get something working, bypassing that.

[thaJeztah]

Work has got extremely busy lately and I've not had chance to do much else.

No worries!!

I too couldn't figure out the Debian dh_installsysusers part, so did what I thought was the bare minimum to get something working, bypassing that.

Yeah, same; decided to keep it as a follow-up for now (but likely also requires #1202, which also seems to have issues still to look into).

[thaJeztah]

@tianon @vvoland ptal 🤗