From 9b80a5af393c9f82b89ed3230e3959cb37acf531 Mon Sep 17 00:00:00 2001
From: Lizan Zhou
Date: Wed, 2 Nov 2022 15:40:24 -0700
Subject: [PATCH] ci: use host docker gid for envoybuild (#23803)

Previously `/var/run/docker.sock` is readable/writable inside docker run because group ID of `envoygroup` coincidentally matches host docker group, while it is no longer true during rolling out new image. Fixing that by forcing `envoygroup` has host docker group ID.

Risk Level: Low
Testing: CI
Docs Changes:
Release Notes:
Platform Specific Features:

Signed-off-by: Lizan Zhou
Signed-off-by: Ryan Northey
---
 ci/run_envoy_docker.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ci/run_envoy_docker.sh b/ci/run_envoy_docker.sh
index de0e6012ac0d1..cad4b993cd2f1 100755
--- a/ci/run_envoy_docker.sh
+++ b/ci/run_envoy_docker.sh
@@ -41,8 +41,9 @@ else
 BUILD_DIR_MOUNT_DEST=/build
 SOURCE_DIR="${PWD}"
 SOURCE_DIR_MOUNT_DEST=/source
- START_COMMAND=("/bin/bash" "-lc" "groupadd --gid $(id -g) -f envoygroup \
- && useradd -o --uid $(id -u) --gid $(id -g) --no-create-home --home-dir /build envoybuild \
+ DOCKER_GID="$(stat -c '%g' /var/run/docker.sock)"
+ START_COMMAND=("/bin/bash" "-lc" "groupadd --gid ${DOCKER_GID} -f envoygroup \
+ && useradd -o --uid $(id -u) --gid ${DOCKER_GID} --no-create-home --home-dir /build envoybuild \
 && usermod -a -G pcap envoybuild \
 && chown envoybuild:envoygroup /build \
 && sudo -EHs -u envoybuild bash -c 'cd /source && $*'")
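Review bot: `DOCKER_GID="$(stat -c '%g' /var/run/docker.sock)"` is evaluated on the host with no check that the socket exists, so on a host without `/var/run/docker.sock` (rootless Docker, Docker Desktop, podman — or a BSD `stat` without `-c`, if this script ever runs on macOS) `DOCKER_GID` is empty and the container-side `groupadd --gid  -f envoygroup` and `useradd --gid` fail with an unrelated error, or run with a mis-configured user if the file does not `set -e` (its top is outside this hunk). I would guard it right after the assignment: `[[ -n "${DOCKER_GID}" ]] || { echo "cannot stat /var/run/docker.sock to determine the docker group" >&2; exit 1; }`. Since this deliberately hands the build user the host docker group, a comment should say so: `# envoybuild gets the host docker group so /var/run/docker.sock is usable inside the container; this is root-equivalent access to the host.`. Note also that `groupadd -f` silently picks a different GID when `${DOCKER_GID}` is already taken in the image (e.g. 0 when the socket is root:root), so socket access actually comes from `useradd --gid` joining whichever existing group owns that GID, not from `envoygroup` itself — harmless, but easy to misread. The enclosing `else` branch starts outside the hunk.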