Add container's executor to host's group for copy

When copying data into the container, due to the id changes pointed out in the previous attempt, the container couldn't read this data. By creating a new group inside the container, with the host's GID (if it doesn't already exist) and modifying the container user to also have this group, it should be able to access these files without requiring a chmod. See also: #17658 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · Oct 28, 2022 · 6f10010 · 6f10010
1 parent 965f8c2
commit 6f10010
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 75 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.circleci/config/commands/go_test.yml b/.circleci/config/commands/go_test.yml
@@ -96,8 +96,7 @@ steps:
 
         make prep
 
-        # Permissions have changed inside docker containers; see hack note below.
-        mkdir --mode=777 -p test-results/go-test
+        mkdir -p test-results/go-test
 
         # We don't want VAULT_LICENSE set when running Go tests, because that's
         # not what developers have in their environments and it could break some
@@ -118,19 +117,6 @@ steps:
           # reasons unclear.
           export DOCKER_API_VERSION=1.39
 
-          # Hack: Docker permissions appear to have changed; let's explicitly
-          # chmod the docker certificate path to give other grouped users
-          # access.
-          #
-          # Notably, in this shell pipeline we see:
-          # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
-          #
-          # but inside the docker image below, we see:
-          # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
-          #
-          # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
-          chmod o+rx -R $DOCKER_CERT_PATH
-
           TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
           export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
           if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -156,6 +142,21 @@ steps:
           mkdir workspace
           echo ${CONTAINER_ID} > workspace/container_id
 
+          # Hack: Docker permissions appear to have changed; let's explicitly
+          # add a new group with the correct host gid to the docker container
+          # for safety, and then add the user to the (potentially new) group.
+          #
+          # Notably, in this shell pipeline we see:
+          # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+          #
+          # but inside the docker image below, we see:
+          # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+          #
+          # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+          HOST_GID="$(id -g)"
+          CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')"
+          docker exec -e HOST_GID -e CONT_UID ${CONTAINER_ID} sh -c 'sudo groupadd hcp-circleci -g $HOST_GID ; sudo usermod -a -G $HOST_GID $CONT_UID'
+
           # Run tests
           test -d << parameters.cache_dir >> && docker cp << parameters.cache_dir >> ${CONTAINER_ID}:/tmp/gocache
           docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'