From d8174be87eea9da9c21bab9ed3f976dab601c28d Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Mon, 31 Oct 2022 10:16:02 -0400 Subject: [PATCH] Use host's uid in container's executor (#17729) When copying data into the container, due to the id changes pointed out in the previous attempt, the container couldn't read this data. By creating a new user in the container, matching the host's UID/GID, we can successfully copy data in/out of the container without worrying about differing UID/GIDs. See also: https://github.com/hashicorp/vault/pull/17658 Signed-off-by: Alexander Scheel Signed-off-by: Alexander Scheel --- .circleci/config.yml | 172 +++++++++++++++++--------- .circleci/config/commands/go_test.yml | 43 ++++--- 2 files changed, 140 insertions(+), 75 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 20e952f08903..9d0c4f63c96d 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -220,8 +220,7 @@ jobs: make prep - # Permissions have changed inside docker containers; see hack note below. - mkdir --mode=777 -p test-results/go-test + mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some 
@@ -242,19 +241,6 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 - # Hack: Docker permissions appear to have changed; let's explicitly - # chmod the docker certificate path to give other grouped users - # access. - # - # Notably, in this shell pipeline we see: - # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) - # - # but inside the docker image below, we see: - # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) - # - # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 - chmod o+rx -R $DOCKER_CERT_PATH - TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then 
@@ -280,6 +266,33 @@ jobs: mkdir workspace echo ${CONTAINER_ID} > workspace/container_id + # Hack: Docker permissions appear to have changed; let's explicitly + # add a new user/group with the correct host uid to the docker + # container, fixing all of these permissions issues correctly. We + # then have to run with this user consistently in the future. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + export HOST_GID="$(id -g)" + export HOST_UID="$(id -u)" + export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" + export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" + export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" + if (( HOST_UID != CONT_UID )); then + # Only provision a group if necessary; otherwise reuse the + # existing one. + if (( HOST_GID != CONT_GID )); then + docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' + fi + + docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' + fi + # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' @@ -475,8 +488,7 @@ jobs: make prep - # Permissions have changed inside docker containers; see hack note below. - mkdir --mode=777 -p test-results/go-test + mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some 
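Review bot: The new comment at the top of this hunk says it will "add a new user/group with the correct host uid", but the commands that follow renumber the image's existing `circleci` account and its primary group with `groupmod -g` / `usermod -u`; no account is created, and the commit message describes it the same way. The comment also loses the reason the previous workaround was dropped, which is the security-relevant part: the removed `chmod o+rx -R $DOCKER_CERT_PATH` made the Docker TLS client certificate and key readable by any local account on the build VM. I would replace the first three comment lines with `# Hack: renumber the container's existing circleci user/group to the host's UID/GID so files copied with docker cp are readable on both sides.` followed by `# This replaces the earlier chmod o+rx on $DOCKER_CERT_PATH, which exposed the Docker TLS client key to every account on the VM.` The enclosing `run` step starts and ends outside this hunk, and this block appears four times in config.yml, apparently expanded from .circleci/config/commands/go_test.yml, so the wording should be fixed there and regenerated.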
@@ -497,19 +509,6 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 - # Hack: Docker permissions appear to have changed; let's explicitly - # chmod the docker certificate path to give other grouped users - # access. - # - # Notably, in this shell pipeline we see: - # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) - # - # but inside the docker image below, we see: - # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) - # - # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 - chmod o+rx -R $DOCKER_CERT_PATH - TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then 
@@ -535,6 +534,33 @@ jobs: mkdir workspace echo ${CONTAINER_ID} > workspace/container_id + # Hack: Docker permissions appear to have changed; let's explicitly + # add a new user/group with the correct host uid to the docker + # container, fixing all of these permissions issues correctly. We + # then have to run with this user consistently in the future. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + export HOST_GID="$(id -g)" + export HOST_UID="$(id -u)" + export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" + export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" + export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" + if (( HOST_UID != CONT_UID )); then + # Only provision a group if necessary; otherwise reuse the + # existing one. + if (( HOST_GID != CONT_GID )); then + docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' + fi + + docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' + fi + # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' @@ -681,8 +707,7 @@ jobs: make prep - # Permissions have changed inside docker containers; see hack note below. - mkdir --mode=777 -p test-results/go-test + mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some 
@@ -703,19 +728,6 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 - # Hack: Docker permissions appear to have changed; let's explicitly - # chmod the docker certificate path to give other grouped users - # access. - # - # Notably, in this shell pipeline we see: - # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) - # - # but inside the docker image below, we see: - # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) - # - # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 - chmod o+rx -R $DOCKER_CERT_PATH - TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then 
@@ -741,6 +753,33 @@ jobs: mkdir workspace echo ${CONTAINER_ID} > workspace/container_id + # Hack: Docker permissions appear to have changed; let's explicitly + # add a new user/group with the correct host uid to the docker + # container, fixing all of these permissions issues correctly. We + # then have to run with this user consistently in the future. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + export HOST_GID="$(id -g)" + export HOST_UID="$(id -u)" + export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" + export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" + export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" + if (( HOST_UID != CONT_UID )); then + # Only provision a group if necessary; otherwise reuse the + # existing one. + if (( HOST_GID != CONT_GID )); then + docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' + fi + + docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' + fi + # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' @@ -997,8 +1036,7 @@ jobs: make prep - # Permissions have changed inside docker containers; see hack note below. - mkdir --mode=777 -p test-results/go-test + mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some 
@@ -1019,19 +1057,6 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 - # Hack: Docker permissions appear to have changed; let's explicitly - # chmod the docker certificate path to give other grouped users - # access. - # - # Notably, in this shell pipeline we see: - # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) - # - # but inside the docker image below, we see: - # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) - # - # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 - chmod o+rx -R $DOCKER_CERT_PATH - TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then 
@@ -1057,6 +1082,33 @@ jobs: mkdir workspace echo ${CONTAINER_ID} > workspace/container_id + # Hack: Docker permissions appear to have changed; let's explicitly + # add a new user/group with the correct host uid to the docker + # container, fixing all of these permissions issues correctly. We + # then have to run with this user consistently in the future. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + export HOST_GID="$(id -g)" + export HOST_UID="$(id -u)" + export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" + export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" + export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" + if (( HOST_UID != CONT_UID )); then + # Only provision a group if necessary; otherwise reuse the + # existing one. + if (( HOST_GID != CONT_GID )); then + docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' + fi + + docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' + fi + # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' diff --git a/.circleci/config/commands/go_test.yml b/.circleci/config/commands/go_test.yml index d76abfefc392..57a920d06376 100644 --- a/.circleci/config/commands/go_test.yml +++ b/.circleci/config/commands/go_test.yml 
@@ -96,8 +96,7 @@ steps: make prep - # Permissions have changed inside docker containers; see hack note below. - mkdir --mode=777 -p test-results/go-test + mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some @@ -118,19 +117,6 @@ steps: # reasons unclear. export DOCKER_API_VERSION=1.39 - # Hack: Docker permissions appear to have changed; let's explicitly - # chmod the docker certificate path to give other grouped users - # access. - # - # Notably, in this shell pipeline we see: - # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) - # - # but inside the docker image below, we see: - # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) - # - # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 - chmod o+rx -R $DOCKER_CERT_PATH - TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then 
@@ -156,6 +142,33 @@ steps: mkdir workspace echo ${CONTAINER_ID} > workspace/container_id + # Hack: Docker permissions appear to have changed; let's explicitly + # add a new user/group with the correct host uid to the docker + # container, fixing all of these permissions issues correctly. We + # then have to run with this user consistently in the future. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + export HOST_GID="$(id -g)" + export HOST_UID="$(id -u)" + export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" + export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" + export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" + if (( HOST_UID != CONT_UID )); then + # Only provision a group if necessary; otherwise reuse the + # existing one. + if (( HOST_GID != CONT_GID )); then + docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' + fi + + docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' + fi + # Run tests test -d << parameters.cache_dir >> && docker cp << parameters.cache_dir >> ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault'
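Review bot: The `export CONT_UID="$(docker exec …)"` assignments in this hunk mask a failed `docker exec` (the shell only sees the status of `export`), and an empty `CONT_UID` is treated as 0 inside `(( HOST_UID != CONT_UID ))`, so a failed probe does not stop the step but silently falls through to `sudo usermod -u`. The renumbering also assumes the host's uid/gid are unused in the image: `usermod -u` and `groupmod -g` refuse an id another account already owns, and `usermod -u` only rewrites ownership under the user's home directory, so anything the image created elsewhere as 3434 stays owned by the old id. I would split the probes from the `export`, fail on a non-zero status, and check `getent passwd` / `getent group` (assuming getent is present in the image) before modifying anything; the `-a -G $CONT_GNAME` is redundant because that is already the account's primary group, but harmless, so I left it. The enclosing `run` step starts and ends outside the hunk, and the four copies in .circleci/config.yml look like generated expansions of this command, so the fix belongs here and should be propagated by regeneration.
```shell
HOST_UID="$(id -u)"; HOST_GID="$(id -g)"
CONT_UID="$(docker exec "${CONTAINER_ID}" id -u)" || exit 1
CONT_GID="$(docker exec "${CONTAINER_ID}" id -g)" || exit 1
CONT_GNAME="$(docker exec "${CONTAINER_ID}" id -gn)" || exit 1
export HOST_UID HOST_GID CONT_UID CONT_GID CONT_GNAME
if (( HOST_UID != CONT_UID )); then
  # Refuse to renumber onto an id that already belongs to another account in
  # the image: usermod/groupmod would fail (or, with -o, alias two accounts),
  # and usermod -u only rewrites ownership under /home/circleci anyway.
  if docker exec "${CONTAINER_ID}" getent passwd "${HOST_UID}" >/dev/null; then
    echo "uid ${HOST_UID} already exists in the container image" >&2; exit 1
  fi
  if (( HOST_GID != CONT_GID )); then
    if docker exec "${CONTAINER_ID}" getent group "${HOST_GID}" >/dev/null; then
      echo "gid ${HOST_GID} already exists in the container image" >&2; exit 1
    fi
    docker exec -e HOST_GID -e CONT_GNAME "${CONTAINER_ID}" sh -c 'sudo groupmod -g "$HOST_GID" "$CONT_GNAME"'
  fi
  docker exec -e CONT_GNAME -e HOST_UID "${CONTAINER_ID}" sh -c 'sudo usermod -a -G "$CONT_GNAME" -u "$HOST_UID" circleci'
fi
# … unchanged: go-cache docker cp and the test run that follow …
```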