Fix permissions on Docker testing (#17658)

This appears to be due to a CI change that resulted in different user IDs between the host and the container image. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2026-05-28 04:10:44 -04:00 · 2022-10-26 13:20:12 -04:00 · 2022-10-26 13:20:12 -04:00 · a5e019e020
commit a5e019e020
parent 8647c4b20b
2 changed files with 80 additions and 5 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -219,7 +219,9 @@ jobs:
          # has its own remote docker VM.

          make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test

          # We don't want VAULT_LICENSE set when running Go tests, because that's
          # not what developers have in their environments and it could break some
@ -240,6 +242,19 @@ jobs:
            # reasons unclear.
            export DOCKER_API_VERSION=1.39

+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
            TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
            export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
            if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@ -459,7 +474,9 @@ jobs:
          # has its own remote docker VM.

          make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test

          # We don't want VAULT_LICENSE set when running Go tests, because that's
          # not what developers have in their environments and it could break some
@ -480,6 +497,19 @@ jobs:
            # reasons unclear.
            export DOCKER_API_VERSION=1.39

+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
            TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
            export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
            if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@ -650,7 +680,9 @@ jobs:
          # has its own remote docker VM.

          make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test

          # We don't want VAULT_LICENSE set when running Go tests, because that's
          # not what developers have in their environments and it could break some
@ -671,6 +703,19 @@ jobs:
            # reasons unclear.
            export DOCKER_API_VERSION=1.39

+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
            TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
            export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
            if [ -z $TEST_DOCKER_NETWORK_ID ]; then
@ -951,7 +996,9 @@ jobs:
          # has its own remote docker VM.

          make prep
-          mkdir -p test-results/go-test
+
+          # Permissions have changed inside docker containers; see hack note below.
+          mkdir --mode=777 -p test-results/go-test

          # We don't want VAULT_LICENSE set when running Go tests, because that's
          # not what developers have in their environments and it could break some
@ -972,6 +1019,19 @@ jobs:
            # reasons unclear.
            export DOCKER_API_VERSION=1.39

+            # Hack: Docker permissions appear to have changed; let's explicitly
+            # chmod the docker certificate path to give other grouped users
+            # access.
+            #
+            # Notably, in this shell pipeline we see:
+            # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+            #
+            # but inside the docker image below, we see:
+            # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+            #
+            # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+            chmod o+rx -R $DOCKER_CERT_PATH
+
            TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
            export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
            if [ -z $TEST_DOCKER_NETWORK_ID ]; then
--- a/.circleci/config/commands/go_test.yml
+++ b/.circleci/config/commands/go_test.yml
@ -95,7 +95,9 @@ steps:
        # has its own remote docker VM.

        make prep
-        mkdir -p test-results/go-test
+
+        # Permissions have changed inside docker containers; see hack note below.
+        mkdir --mode=777 -p test-results/go-test

        # We don't want VAULT_LICENSE set when running Go tests, because that's
        # not what developers have in their environments and it could break some
@ -116,6 +118,19 @@ steps:
          # reasons unclear.
          export DOCKER_API_VERSION=1.39

+          # Hack: Docker permissions appear to have changed; let's explicitly
+          # chmod the docker certificate path to give other grouped users
+          # access.
+          #
+          # Notably, in this shell pipeline we see:
+          # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci)
+          #
+          # but inside the docker image below, we see:
+          # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci)
+          #
+          # See also: https://github.com/CircleCI-Public/cimg-base/issues/122
+          chmod o+rx -R $DOCKER_CERT_PATH
+
          TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}"
          export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}")
          if [ -z $TEST_DOCKER_NETWORK_ID ]; then