
agent/workloadattestor/docker: add rootless Podman support#6798

Open
ChSerhiiOds wants to merge 3 commits into spiffe:main from ChSerhiiOds:podman-support

Conversation

@ChSerhiiOds

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

Agent WorkloadAttestor "docker" on Unix systems, specifically runtime socket selection for Podman workloads (including rootless Podman).

Description of change

This change adds Podman support to the Docker workload attestor path and routes API calls to the correct runtime socket based on cgroup detection.

Key updates:

  • Detects Podman workloads from cgroup paths and selects Podman API instead of Docker API.
  • Supports rootless Podman by extracting host UID from /user-<uid>.slice/ and using a UID-based socket template.
  • Adds new config options:
    • podman_socket_path (rootful Podman socket)
    • podman_socket_path_template (rootless Podman socket template with %d UID placeholder)
  • Validates podman_socket_path_template at configure time (must contain exactly one %d).
  • Closes per-attestation Podman clients to avoid client/socket resource leakage.
  • Keeps Docker behavior unchanged for non-Podman workloads.
  • Updates Docker workload attestor documentation for new Podman options and rootless behavior.

Tests added/updated:

  • Podman rootless/rootful/cgroupfs socket detection tests.
  • Custom Podman socket config tests.
  • Invalid podman_socket_path_template rejection test.
  • Podman client close behavior test.

Which issue this PR fixes

Fixes #6549

Signed-off-by: ChSerhiiOds <drwolf4@gmail.com>
Member

@amartinezfayo amartinezfayo left a comment


Thank you so much for this contribution, @ChSerhiiOds!
Some minor comments/suggestions.

continue
}
if m := reUserSliceUID.FindStringSubmatch(cg.GroupPath); m != nil {
if uid, err := strconv.ParseUint(m[1], 10, 32); err == nil {
Member

I'm wondering if we should log a warning when ParseUint fails here. The regex matched a user slice, so the workload is rootless, but the code would silently fall through to the rootful Podman socket.

Author

Good point, thanks! Added a Warn log with the raw UID and cgroup path before falling back to the rootful socket.

ImageInspectWithRaw(ctx context.Context, imageID string) (image.InspectResponse, []byte, error)
}

type closeableDocker interface {
Member

I think it would be cleaner to make the close obligation explicit at the type level, for example changing podmanClientFactory to return (Docker, io.Closer, error), rather than relying on a runtime type assertion in Attest.
I believe that would make the contract more discoverable. Looks like right now, to learn that the returned client should be closeable, you have to trace through Attest and find the type assertion.

Author

Makes sense, thanks! Replaced the runtime type assertion with a podmanDocker interface embedding Docker and Close() error, so podmanClientFactory now returns (podmanDocker, error) directly.

podman_socket_path_template = "unix:///run/user/%s/podman/podman.sock"
`)
require.Error(t, err)
require.Contains(t, err.Error(), "invalid podman_socket_path_template")
Member

Would it make sense to also cover the trailing-% edge case? For example, "unix:///run/user/%d/podman%" or "unix:///run/user/podman%" would exercise the "trailing % at end of template" branch in validatePodmanSocketPathTemplate, which currently has no test coverage.

Author

Sure, thanks! Added two trailing-% cases to the invalid template test to cover that branch.
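
The runtime selection described in the PR summary (Podman detection from cgroup paths, host UID extraction from the user slice, the %d socket template validated to exactly one placeholder) and the two review points in this thread (warning rather than silently using the rootful socket when ParseUint fails, and rejecting a template with a trailing %) can be exercised together in the following stand-alone Go program. It is an added example written for this page, not code from this PR or from SPIRE. The regexes, the default socket paths, the treatment of %% as a literal percent, the function and field names, and the cgroup paths in the samples map are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"regexp"
	"strconv"
	"strings"
)

// Illustrative defaults; assumed for this example, not taken from the plugin.
const (
	defaultDockerSocket         = "unix:///var/run/docker.sock"
	defaultPodmanSocket         = "unix:///run/podman/podman.sock"
	defaultPodmanSocketTemplate = "unix:///run/user/%d/podman/podman.sock"
)

// rePodmanScope marks a cgroup as Podman-managed (assumed shape: libpod-<64 hex container id>,
// which covers both the systemd ".scope" form and the cgroupfs "/libpod_parent/libpod-<id>" form).
var rePodmanScope = regexp.MustCompile(`libpod-[0-9a-f]{64}`)

// reUserSliceUID captures the host UID from a systemd user slice such as /user-1000.slice/.
var reUserSliceUID = regexp.MustCompile(`/user-(\d+)\.slice/`)

// validatePodmanSocketPathTemplate accepts a template with exactly one %d verb.
// %% is treated as a literal percent (assumption); any other verb or a trailing % is rejected.
func validatePodmanSocketPathTemplate(tmpl string) error {
	verbs := 0
	for i := 0; i < len(tmpl); i++ {
		if tmpl[i] != '%' {
			continue
		}
		if i+1 == len(tmpl) {
			return errors.New("invalid podman_socket_path_template: trailing % at end of template")
		}
		switch tmpl[i+1] {
		case 'd':
			verbs++
		case '%':
			// literal percent, allowed
		default:
			return fmt.Errorf("invalid podman_socket_path_template: unsupported verb %%%c", tmpl[i+1])
		}
		i++ // skip the character consumed after the %
	}
	if verbs != 1 {
		return fmt.Errorf("invalid podman_socket_path_template: expected exactly one %%d, found %d", verbs)
	}
	return nil
}

// runtimeTarget is the API endpoint the attestor would talk to for one workload.
type runtimeTarget struct {
	Runtime    string // "docker" or "podman"
	SocketPath string
	Rootless   bool
}

// selectRuntime picks Docker or Podman from the workload's cgroup paths. For Podman it derives
// the rootless socket from the user-slice UID; if the slice matched but the UID does not fit a
// uint32 (e.g. an overflowing value), it warns and falls back to the rootful socket instead of
// failing silently, which is the review point raised above.
func selectRuntime(cgroupPaths []string, dockerSocket, podmanSocket, podmanTemplate string) runtimeTarget {
	isPodman := false
	for _, p := range cgroupPaths {
		if rePodmanScope.MatchString(p) {
			isPodman = true
			break
		}
	}
	if !isPodman {
		return runtimeTarget{Runtime: "docker", SocketPath: dockerSocket}
	}
	for _, p := range cgroupPaths {
		m := reUserSliceUID.FindStringSubmatch(p)
		if m == nil {
			continue
		}
		uid, err := strconv.ParseUint(m[1], 10, 32)
		if err != nil {
			log.Printf("warn: rootless Podman workload but UID %q in cgroup %q is not a valid uid32 (%v); using rootful socket", m[1], p, err)
			continue
		}
		return runtimeTarget{Runtime: "podman", Rootless: true, SocketPath: fmt.Sprintf(podmanTemplate, uid)}
	}
	return runtimeTarget{Runtime: "podman", SocketPath: podmanSocket}
}

// Constructed sample cgroup paths for the example (not captured from a real host).
var sampleID = strings.Repeat("ab", 32)
var samples = map[string][]string{
	"rootless-podman": {"/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-" + sampleID + ".scope"},
	"rootful-podman":  {"/machine.slice/libpod-" + sampleID + ".scope"},
	"cgroupfs-podman": {"/libpod_parent/libpod-" + sampleID},
	"docker":          {"/system.slice/docker-" + sampleID + ".scope"},
	"bad-uid":         {"/user.slice/user-99999999999.slice/user@99999999999.service/user.slice/libpod-" + sampleID + ".scope"},
}

func main() {
	if err := validatePodmanSocketPathTemplate(defaultPodmanSocketTemplate); err != nil {
		log.Fatal(err)
	}
	for name, paths := range samples {
		t := selectRuntime(paths, defaultDockerSocket, defaultPodmanSocket, defaultPodmanSocketTemplate)
		fmt.Printf("%-16s runtime=%-6s rootless=%-5v socket=%s\n", name, t.Runtime, t.Rootless, t.SocketPath)
	}
	for _, bad := range []string{"unix:///run/user/%s/podman/podman.sock", "unix:///run/user/%d/podman%", "unix:///run/user/podman%"} {
		fmt.Printf("%q -> %v\n", bad, validatePodmanSocketPathTemplate(bad))
	}
}
```

Run it with `go run .`; the "bad-uid" sample is the case the first review comment is about: the user slice matches, ParseUint rejects the value, and the warning is what distinguishes "rootless but unparsable" from a genuinely rootful workload before the rootful socket is used.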

Linked issue: Feature request: Podman Workload Attester (Rootless, Multi-User Support)
