all: manage docker group with systemd-sysusers #1187
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Switches away from the groupadd postinstall commands to managing the docker group with sysusers. This is a declarative way to create and manage users, better suited for the atomic distros such as Silverblue. Signed-off-by: Robert Sturla <robertsturla@outlook.com>
p5
changed the title
p5
changed the title
thaJeztah
reviewed
May 9, 2025
There was a problem hiding this comment.
Just gave this a try with the changes I suggested, and looks like it does do the right thing;
dpkg-deb -c ./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64.deb
drwxr-xr-x root/root 0 2025-05-09 16:45 ./
drwxr-xr-x root/root 0 2025-05-09 16:45 ./etc/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./etc/default/
-rw-r--r-- root/root 642 2025-05-09 16:37 ./etc/default/docker
drwxr-xr-x root/root 0 2025-05-09 16:45 ./etc/docker/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./etc/init.d/
-rwxr-xr-x root/root 2946 2025-05-09 16:37 ./etc/init.d/docker
drwxr-xr-x root/root 0 2025-05-09 16:45 ./etc/sysusers.d/
-rw-r--r-- root/root 235 2025-05-09 16:37 ./etc/sysusers.d/docker.conf
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/bin/
-rwxr-xr-x root/root 2741536 2025-05-09 16:45 ./usr/bin/docker-proxy
-rwxr-xr-x root/root 81047056 2025-05-09 16:45 ./usr/bin/dockerd
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/lib/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/lib/systemd/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/lib/systemd/system/
-rw-r--r-- root/root 1727 2025-05-09 16:37 ./usr/lib/systemd/system/docker.service
-rw-r--r-- root/root 295 2025-05-09 16:37 ./usr/lib/systemd/system/docker.socket
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/libexec/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/libexec/docker/
-rwxr-xr-x root/root 664704 2025-05-09 16:45 ./usr/libexec/docker/docker-init
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/share/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/share/doc/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/share/doc/docker-ce/
-rw-r--r-- root/root 2248 2025-05-09 16:37 ./usr/share/doc/docker-ce/README.md
-rw-r--r-- root/root 167 2025-05-09 16:45 ./usr/share/doc/docker-ce/changelog.Debian.gz
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/share/man/
drwxr-xr-x root/root 0 2025-05-09 16:45 ./usr/share/man/man8/
-rw-r--r-- root/root 6579 2025-05-09 16:45 ./usr/share/man/man8/dockerd.8.gzrpm -qlp docker-ce-0.0.0~20250508105329.6f85626-0.fc41.aarch64.rpm
/etc/docker
/usr/bin/docker-proxy
/usr/bin/dockerd
/usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.socket
/usr/lib/sysusers.d/docker.conf
/usr/libexec/docker/docker-init
/usr/share/man/man/man8
/usr/share/man/man/man8/dockerd.8.gz
Comment on lines
+5
to
+10
| configure) ;; | ||
| abort-*) | ||
| # How'd we get here?? | ||
| exit 1 | ||
| ;; | ||
| *) ;; |
There was a problem hiding this comment.
Effectively, this is now equivalent to;
Suggested change
| configure) ;; | |
| abort-*) | |
| # How'd we get here?? | |
| exit 1 | |
| ;; | |
| *) ;; | |
| abort-*) | |
| # How'd we get here?? | |
| exit 1 | |
| ;; | |
| *) ;; |
Or... basically; we don't have anything custom remaining now, so I think we can remove the docker-ce.postinst file altogether.
I just tried if it's happy if the file isn't there (because the #DEBHELPER# comment below is what's used to insert generated bits, and it looks like it is; removing the file will still produce a postinst script, just with the case removed (which I think doesn't add real value now?) cc @tianon to make sure I'm not hallucinating 😂 ❤️
diff --git a./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64-previous/DEBIAN/md5sums b./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64/DEBIAN/md5sums
index 04ebf3669b..1db4a3a285 100644
--- a./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64-previous/DEBIAN/md5sums
+++ b./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64/DEBIAN/md5sums
@@ -1,8 +1,8 @@
-9dba7f8bd7235f337e08c00987edee0c usr/bin/docker-proxy
-3809c3a45c0b395593de797d0578d68f usr/bin/dockerd
+01b414b91936c2ac11e3066d0bd92a07 usr/bin/docker-proxy
+12fb9c92f61730cd98f7fc47183fd8d8 usr/bin/dockerd
6020c4cb3076e677850f6781a7cd1e19 usr/lib/systemd/system/docker.service
10dee472f4cbf7a37b74df1d0c547417 usr/lib/systemd/system/docker.socket
8fcccc716a2aa339573bcac200c2d8ff usr/libexec/docker/docker-init
7fc9bfe14206ba304c222b144cebc0c8 usr/share/doc/docker-ce/README.md
-599a382c17777a038c522f2aa8c692e1 usr/share/doc/docker-ce/changelog.Debian.gz
+9c8df20c53886167e2c6e768b52d9537 usr/share/doc/docker-ce/changelog.Debian.gz
fd1b6d022b18abbe978be6e7fcc0a28b usr/share/man/man8/dockerd.8.gz
diff --git a./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64-previous/DEBIAN/postinst b./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64/DEBIAN/postinst
index e2a38e5072..f344702c3a 100644
--- a./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64-previous/DEBIAN/postinst
+++ b./docker-ce_0.0.0~20250508105329.6f85626-1~debian.13~trixie_arm64/DEBIAN/postinst
@@ -1,15 +1,5 @@
#!/bin/sh
set -e
-
-case "$1" in
-configure) ;;
-abort-*)
- # How'd we get here??
- exit 1
- ;;
-*) ;;
-esac
-
# Automatically added by dh_apparmor/4.1.0-1
if [ "$1" = "configure" ]; then
APP_PROFILE="/etc/apparmor.d/docker-ce"
@@ -92,4 +82,3 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
fi
fi
# End automatically added section
-
There was a problem hiding this comment.
Correct if we're not doing anything else, we should just drop the file completely 🚀
Comment on lines
+127
to
+130
| mkdir -p debian/docker-ce/etc/sysusers.d | ||
| echo "g docker -" >> debian/docker-ce/etc/sysusers.d/docker.conf | ||
| chmod 0644 debian/docker-ce/etc/sysusers.d/docker.conf | ||
| # install -D -p -m 0644 engine/contrib/systemd-sysusers/docker.conf debian/docker-ce/etc/sysusers.d/docker.conf |
There was a problem hiding this comment.
Moby PR was merged, so this can now use;
Suggested change
| mkdir -p debian/docker-ce/etc/sysusers.d | |
| echo "g docker -" >> debian/docker-ce/etc/sysusers.d/docker.conf | |
| chmod 0644 debian/docker-ce/etc/sysusers.d/docker.conf | |
| # install -D -p -m 0644 engine/contrib/systemd-sysusers/docker.conf debian/docker-ce/etc/sysusers.d/docker.conf | |
| install -D -p -m 0644 engine/contrib/systemd-sysusers/docker.conf debian/docker-ce/etc/sysusers.d/docker.conf |
There was a problem hiding this comment.
This should actually be a (dangling in Git) symlink and use debhelper: https://manpages.debian.org/bookworm/debhelper/dh_installsysusers.1.en.html
There was a problem hiding this comment.
(most/all of this section should be using dh_install too, but that's orthogonal)
Comment on lines
+87
to
+91
| # install systemd sysusers config | ||
| mkdir -p ${RPM_BUILD_ROOT}%{_sysusersdir} | ||
| echo "g docker -" >> ${RPM_BUILD_ROOT}%{_sysusersdir}/docker.conf | ||
| chmod 0644 ${RPM_BUILD_ROOT}%{_sysusersdir}/docker.conf | ||
| # install -D -p -m 0644 engine/contrib/systemd-sysusers/docker.conf ${RPM_BUILD_ROOT}%{_sysusersdir}/docker.conf |
There was a problem hiding this comment.
Same here
Suggested change
| # install systemd sysusers config | |
| mkdir -p ${RPM_BUILD_ROOT}%{_sysusersdir} | |
| echo "g docker -" >> ${RPM_BUILD_ROOT}%{_sysusersdir}/docker.conf | |
| chmod 0644 ${RPM_BUILD_ROOT}%{_sysusersdir}/docker.conf | |
| # install -D -p -m 0644 engine/contrib/systemd-sysusers/docker.conf ${RPM_BUILD_ROOT}%{_sysusersdir}/docker.conf | |
| # install systemd sysusers config | |
| install -D -p -m 0644 engine/contrib/systemd-sysusers/docker.conf ${RPM_BUILD_ROOT}%{_sysusersdir}/docker.conf |
This was referenced May 20, 2025
vvoland
added a commit
that referenced
this pull request
May 27, 2025
feat: manage docker group with systemd-sysusers (carry #1187)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #1186
Switches away from the groupadd postinstall commands to managing the docker group with sysusers.
This is a declarative way to create and manage users, better suited for the atomic distros such as Silverblue.
This is certainly not ready to merge just yet - there's a dependency on moby/moby#49813. But hopefully it makes sense as to how this will work.