Use host's uid in container's executor (#17729)

When copying data into the container, due to the id changes pointed out in the previous attempt, the container couldn't read this data. By creating a new user in the container, matching the host's UID/GID, we can successfully copy data in/out of the container without worrying about differing UID/GIDs. See also: #17658 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · Oct 31, 2022 · d8174be · d8174be
1 parent f11f529
commit d8174be
Show file tree

Hide file tree

Showing 2 changed files with 140 additions and 75 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.circleci/config/commands/go_test.yml b/.circleci/config/commands/go_test.yml
@@ -96,8 +96,7 @@ steps:
 
         make prep
 
-        # Permissions have changed inside docker containers; see hack note below.
-        mkdir --mode=777 -p test-results/go-test
+        mkdir -p test-results/go-test
 
         # We don't want VAULT_LICENSE set when running Go tests, because that's
         # not what developers have in their environments and it could break some
@@ -118,19 +117,6 @@ steps:
           # reasons unclear.
           export DOCKER_API_VERSION=1.39
 
-          # Hack: Docker permissions appear to have changed; let's explicitly
-          # chmod the docker certificate path to give other grouped users
-          # access.
-          #
-          # Notably, in this shell pipeline we see:
-          # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
-          #
-          # but inside the docker image below, we see:
-          # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
-          #
-          # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
-          chmod o+rx -R $DOCKER_CERT_PATH
-
           TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
           export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
           if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -156,6 +142,33 @@ steps:
           mkdir workspace
           echo ${CONTAINER_ID} > workspace/container_id
 
+          # Hack: Docker permissions appear to have changed; let's explicitly
+          # add a new user/group with the correct host uid to the docker
+          # container, fixing all of these permissions issues correctly. We
+          # then have to run with this user consistently in the future.
+          #
+          # Notably, in this shell pipeline we see:
+          # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+          #
+          # but inside the docker image below, we see:
+          # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+          #
+          # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+          export HOST_GID="$(id -g)"
+          export HOST_UID="$(id -u)"
+          export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')"
+          export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')"
+          export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')"
+          if (( HOST_UID != CONT_UID )); then
+            # Only provision a group if necessary; otherwise reuse the
+            # existing one.
+            if (( HOST_GID != CONT_GID )); then
+              docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME'
+            fi
+
+            docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci'
+          fi
+
           # Run tests
           test -d << parameters.cache_dir >> && docker cp << parameters.cache_dir >> ${CONTAINER_ID}:/tmp/gocache
           docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'