From f934300f23a77e126991a0a64bbdafc7f6313ab3 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@hashicorp.com>
Date: Wed, 26 Oct 2022 17:20:12 +0000
Subject: [PATCH] backport of commit a5e019e0200a51523e434cfc156ccd6f8d864a72

---
 .circleci/config.yml                  | 68 +++++++++++++++++++++++++--
 .circleci/config/commands/go_test.yml | 17 ++++++-
 2 files changed, 80 insertions(+), 5 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index c6ff0986de2b..20e952f08903 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -219,7 +219,9 @@ jobs:
           # has its own remote docker VM.
 
           make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test
 
           # We don't want VAULT_LICENSE set when running Go tests, because that's
           # not what developers have in their environments and it could break some
@@ -240,6 +242,19 @@ jobs:
             # reasons unclear.
             export DOCKER_API_VERSION=1.39
 
+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
             TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
             export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
             if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -459,7 +474,9 @@ jobs:
           # has its own remote docker VM.
 
           make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test
 
           # We don't want VAULT_LICENSE set when running Go tests, because that's
           # not what developers have in their environments and it could break some
@@ -480,6 +497,19 @@ jobs:
             # reasons unclear.
             export DOCKER_API_VERSION=1.39
 
+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
             TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
             export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
             if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -650,7 +680,9 @@ jobs:
           # has its own remote docker VM.
 
           make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test
 
           # We don't want VAULT_LICENSE set when running Go tests, because that's
           # not what developers have in their environments and it could break some
@@ -671,6 +703,19 @@ jobs:
             # reasons unclear.
             export DOCKER_API_VERSION=1.39
 
+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
             TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
             export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
             if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@@ -951,7 +996,9 @@ jobs:
           # has its own remote docker VM.
 
           make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test
 
           # We don't want VAULT_LICENSE set when running Go tests, because that's
           # not what developers have in their environments and it could break some
@@ -972,6 +1019,19 @@ jobs:
             # reasons unclear.
             export DOCKER_API_VERSION=1.39
 
+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
             TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
             export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
             if [ -z $TEST_DOCKER_NETWORK_ID ]; then
diff --git a/.circleci/config/commands/go_test.yml b/.circleci/config/commands/go_test.yml
index 87855794f0a9..d76abfefc392 100644
--- a/.circleci/config/commands/go_test.yml
+++ b/.circleci/config/commands/go_test.yml
@@ -95,7 +95,9 @@ steps:
         # has its own remote docker VM.
 
         make prep
-        mkdir -p test-results/go-test
+
+        # Permissions have changed inside docker containers; see hack note below.
+        mkdir --mode=777 -p test-results/go-test
 
         # We don't want VAULT_LICENSE set when running Go tests, because that's
         # not what developers have in their environments and it could break some
@@ -116,6 +118,19 @@ steps:
           # reasons unclear.
           export DOCKER_API_VERSION=1.39
 
+          # Hack: Docker permissions appear to have changed; let's explicitly
+          # chmod the docker certificate path to give other grouped users
+          # access.
+          #
+          # Notably, in this shell pipeline we see:
+          # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+          #
+          # but inside the docker image below, we see:
+          # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+          #
+          # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+          chmod o+rx -R $DOCKER_CERT_PATH
+
           TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
           export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
           if [ -z $TEST_DOCKER_NETWORK_ID ]; then