From 6f10010af22ed223e1b039550c46f3d7584ef7d5 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Fri, 28 Oct 2022 09:04:29 -0400
Subject: [PATCH] Add container's executor to host's group for copy

When copying data into the container, due to the id changes pointed out in the previous attempt, the container couldn't read this data. By creating a new group inside the container, with the host's GID (if it doesn't already exist) and modifying the container user to also have this group, it should be able to access these files without requiring a chmod.

See also: https://github.com/hashicorp/vault/pull/17658

Signed-off-by: Alexander Scheel
---
 .circleci/config.yml | 124 +++++++++++++-------------
 .circleci/config/commands/go_test.yml | 31 +++----
 2 files changed, 80 insertions(+), 75 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 20e952f08903cb..69d411b53beebc 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -220,8 +220,7 @@ jobs:
 make prep
- # Permissions have changed inside docker containers; see hack note below.
- mkdir --mode=777 -p test-results/go-test
+ mkdir -p test-results/go-test
 # We don't want VAULT_LICENSE set when running Go tests, because that's
 # not what developers have in their environments and it could break some
@@ -242,19 +241,6 @@ jobs:
 # reasons unclear.
 export DOCKER_API_VERSION=1.39
- # Hack: Docker permissions appear to have changed; let's explicitly
- # chmod the docker certificate path to give other grouped users
- # access.
- #
- # Notably, in this shell pipeline we see:
- # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
- #
- # but inside the docker image below, we see:
- # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
- #
- # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
- chmod o+rx -R $DOCKER_CERT_PATH
 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
 export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
 if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -280,6 +266,21 @@ jobs:
 mkdir workspace
 echo ${CONTAINER_ID} > workspace/container_id
+ # Hack: Docker permissions appear to have changed; let's explicitly
+ # add a new group with the correct host gid to the docker container
+ # for safety, and then add the user to the (potentially new) group.
+ #
+ # Notably, in this shell pipeline we see:
+ # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+ #
+ # but inside the docker image below, we see:
+ # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+ #
+ # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+ HOST_GID="$(id -g)"
+ CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')"
+ docker exec -e HOST_GID -e CONT_UID ${CONTAINER_ID} sh -c 'sudo groupadd hcp-circleci -g $HOST_GID ; sudo usermod -a -G $HOST_GID $CONT_UID'
+
 # Run tests
 test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache
 docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'
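Review bot: `sudo usermod -a -G $HOST_GID $CONT_UID` at the end of the new block passes a numeric uid where usermod takes a login name; shadow's usermod resolves LOGIN by name only, so I'd expect `user '3434' does not exist` here unless the image happens to have a user literally named after the uid — capture `id -un` instead. The `;` between `groupadd` and `usermod` also hides why groupadd failed: if the image already has an unrelated group numbered `$HOST_GID`, the CI user is silently added to that group rather than to a fresh `hcp-circleci`, a membership grant that never appears in the job log. I'd make the existence check explicit, chain on success and print the group actually granted, e.g. `CONT_USER="$(docker exec ${CONTAINER_ID} sh -c 'id -un')"` passed with `-e CONT_USER`, and `sh -c '( getent group "$HOST_GID" >/dev/null || sudo groupadd hcp-circleci -g "$HOST_GID" ) && getent group "$HOST_GID" && sudo usermod -a -G "$HOST_GID" "$CONT_USER"'`. The same block is repeated in the hunks at @@ -535, @@ -741 and @@ -1057 of this file and at @@ -156 of .circleci/config/commands/go_test.yml. The enclosing `run` step starts and ends outside the hunk.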
@@ -475,8 +476,7 @@ jobs:
 make prep
- # Permissions have changed inside docker containers; see hack note below.
- mkdir --mode=777 -p test-results/go-test
+ mkdir -p test-results/go-test
 # We don't want VAULT_LICENSE set when running Go tests, because that's
 # not what developers have in their environments and it could break some
@@ -497,19 +497,6 @@ jobs:
 # reasons unclear.
 export DOCKER_API_VERSION=1.39
- # Hack: Docker permissions appear to have changed; let's explicitly
- # chmod the docker certificate path to give other grouped users
- # access.
- #
- # Notably, in this shell pipeline we see:
- # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
- #
- # but inside the docker image below, we see:
- # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
- #
- # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
- chmod o+rx -R $DOCKER_CERT_PATH
 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
 export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
 if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -535,6 +522,21 @@ jobs:
 mkdir workspace
 echo ${CONTAINER_ID} > workspace/container_id
+ # Hack: Docker permissions appear to have changed; let's explicitly
+ # add a new group with the correct host gid to the docker container
+ # for safety, and then add the user to the (potentially new) group.
+ #
+ # Notably, in this shell pipeline we see:
+ # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+ #
+ # but inside the docker image below, we see:
+ # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+ #
+ # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+ HOST_GID="$(id -g)"
+ CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')"
+ docker exec -e HOST_GID -e CONT_UID ${CONTAINER_ID} sh -c 'sudo groupadd hcp-circleci -g $HOST_GID ; sudo usermod -a -G $HOST_GID $CONT_UID'
+
 # Run tests
 test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache
 docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'
@@ -681,8 +683,7 @@ jobs:
 make prep
- # Permissions have changed inside docker containers; see hack note below.
- mkdir --mode=777 -p test-results/go-test
+ mkdir -p test-results/go-test
 # We don't want VAULT_LICENSE set when running Go tests, because that's
 # not what developers have in their environments and it could break some
@@ -703,19 +704,6 @@ jobs:
 # reasons unclear.
 export DOCKER_API_VERSION=1.39
- # Hack: Docker permissions appear to have changed; let's explicitly
- # chmod the docker certificate path to give other grouped users
- # access.
- #
- # Notably, in this shell pipeline we see:
- # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
- #
- # but inside the docker image below, we see:
- # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
- #
- # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
- chmod o+rx -R $DOCKER_CERT_PATH
 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
 export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
 if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -741,6 +729,21 @@ jobs:
 mkdir workspace
 echo ${CONTAINER_ID} > workspace/container_id
+ # Hack: Docker permissions appear to have changed; let's explicitly
+ # add a new group with the correct host gid to the docker container
+ # for safety, and then add the user to the (potentially new) group.
+ #
+ # Notably, in this shell pipeline we see:
+ # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+ #
+ # but inside the docker image below, we see:
+ # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+ #
+ # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+ HOST_GID="$(id -g)"
+ CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')"
+ docker exec -e HOST_GID -e CONT_UID ${CONTAINER_ID} sh -c 'sudo groupadd hcp-circleci -g $HOST_GID ; sudo usermod -a -G $HOST_GID $CONT_UID'
+
 # Run tests
 test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache
 docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'
@@ -997,8 +1000,7 @@ jobs:
 make prep
- # Permissions have changed inside docker containers; see hack note below.
- mkdir --mode=777 -p test-results/go-test
+ mkdir -p test-results/go-test
 # We don't want VAULT_LICENSE set when running Go tests, because that's
 # not what developers have in their environments and it could break some
@@ -1019,19 +1021,6 @@ jobs:
 # reasons unclear.
 export DOCKER_API_VERSION=1.39
- # Hack: Docker permissions appear to have changed; let's explicitly
- # chmod the docker certificate path to give other grouped users
- # access.
- #
- # Notably, in this shell pipeline we see:
- # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
- #
- # but inside the docker image below, we see:
- # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
- #
- # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
- chmod o+rx -R $DOCKER_CERT_PATH
 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
 export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
 if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -1057,6 +1046,21 @@ jobs:
 mkdir workspace
 echo ${CONTAINER_ID} > workspace/container_id
+ # Hack: Docker permissions appear to have changed; let's explicitly
+ # add a new group with the correct host gid to the docker container
+ # for safety, and then add the user to the (potentially new) group.
+ #
+ # Notably, in this shell pipeline we see:
+ # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+ #
+ # but inside the docker image below, we see:
+ # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+ #
+ # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+ HOST_GID="$(id -g)"
+ CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')"
+ docker exec -e HOST_GID -e CONT_UID ${CONTAINER_ID} sh -c 'sudo groupadd hcp-circleci -g $HOST_GID ; sudo usermod -a -G $HOST_GID $CONT_UID'
+
 # Run tests
 test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache
 docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'
diff --git a/.circleci/config/commands/go_test.yml b/.circleci/config/commands/go_test.yml
index d76abfefc392fd..f5b83c95589ec2 100644
--- a/.circleci/config/commands/go_test.yml
+++ b/.circleci/config/commands/go_test.yml
@@ -96,8 +96,7 @@ steps:
 make prep
- # Permissions have changed inside docker containers; see hack note below.
- mkdir --mode=777 -p test-results/go-test
+ mkdir -p test-results/go-test
 # We don't want VAULT_LICENSE set when running Go tests, because that's
 # not what developers have in their environments and it could break some
@@ -118,19 +117,6 @@ steps:
 # reasons unclear.
 export DOCKER_API_VERSION=1.39
- # Hack: Docker permissions appear to have changed; let's explicitly
- # chmod the docker certificate path to give other grouped users
- # access.
- #
- # Notably, in this shell pipeline we see:
- # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
- #
- # but inside the docker image below, we see:
- # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
- #
- # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
- chmod o+rx -R $DOCKER_CERT_PATH
 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
 export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
 if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -156,6 +142,21 @@ steps:
 mkdir workspace
 echo ${CONTAINER_ID} > workspace/container_id
+ # Hack: Docker permissions appear to have changed; let's explicitly
+ # add a new group with the correct host gid to the docker container
+ # for safety, and then add the user to the (potentially new) group.
+ #
+ # Notably, in this shell pipeline we see:
+ # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+ #
+ # but inside the docker image below, we see:
+ # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+ #
+ # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+ HOST_GID="$(id -g)"
+ CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')"
+ docker exec -e HOST_GID -e CONT_UID ${CONTAINER_ID} sh -c 'sudo groupadd hcp-circleci -g $HOST_GID ; sudo usermod -a -G $HOST_GID $CONT_UID'
+
 # Run tests
 test -d << parameters.cache_dir >> && docker cp << parameters.cache_dir >> ${CONTAINER_ID}:/tmp/gocache
 docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'