From 067ae95da4dd857dfc0a2f1d70285145eece032f Mon Sep 17 00:00:00 2001
From: James Nord
Date: Wed, 4 Sep 2024 18:13:13 +0100
Subject: [PATCH] Fix permissions on the docker socket

TestContainers does not use docker, but talks directly to the docker socket. The permissions on this socket come from the host where it is mapped and the docker groupid may not match what we have in the container. So allow th arg to be passed through at build time and add the ath-user to the docker group so it has the permissions. We retain the legacy suid on the docker binary as we publish the container and there is only a single test so far using this test-containers. (this can be revistied if required).
---
 Jenkinsfile | 2 +-
 src/main/resources/ath-container/Dockerfile | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 709730c771..5e637637a7 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -122,7 +122,7 @@ for (int i = 0; i < splits.size(); i++) {
 retryCounts = retryCounts + 1 // increment the retry count before allocating a node in case it fails
 node(nodeLabel) {
 checkout scm
-def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" ./src/main/resources/ath-container/')
+def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" --build-arg dockergid="$(getent group docker | cut -d: -f3)" ./src/main/resources/ath-container/')
 sh 'mkdir -p target/ath-reports && chmod a+rwx target/ath-reports'
 def cwd = pwd()
 image.inside("-v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
diff --git a/src/main/resources/ath-container/Dockerfile b/src/main/resources/ath-container/Dockerfile
index 5720ead197..6f19931f5b 100644
--- a/src/main/resources/ath-container/Dockerfile
+++ b/src/main/resources/ath-container/Dockerfile
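Review bot: The gid that has to match is the owning group of the socket that `image.inside` mounts three lines further down, not whichever group happens to be named `docker` on the build node, and `getent group docker` expands to nothing on a node without such a group, leaving `--build-arg dockergid=""` to fail only later inside the image build with a bare `groupadd` error. Reading the gid from the mounted object itself covers both cases: `--build-arg dockergid="$(stat -c %g /var/run/docker.sock)"`. Either way the value is captured on the node that builds the image, so an image reused via skipImageBuild may carry a gid that does not match the node it later runs on; the retained SUID bit on the docker binary is what the commit relies on there. The enclosing `node(nodeLabel)` block continues outside the hunk.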
@@ -37,6 +37,13 @@ RUN install -m 0755 -d /etc/apt/keyrings \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
 
+# Despite the docker SUID hack below, test-containers accesses /var/run/docker.sock directly and so we can not rely on the SUID hack.
+# Rather take the docker user group as an arg and make the ath-user a member of that group
+# we retain the suid workaround as this method requires a local build of the container
+# we need to do this before we install docker so that any files have the correct permission
+ARG dockergid=1002
+RUN groupadd docker -g $dockergid
+
 # Docker installation according to https://docs.docker.com/engine/install/ubuntu/
 ARG DOCKER_BUILDX_VERSION=0.16.2
 ARG DOCKER_VERSION=27.1.2
@@ -84,10 +91,11 @@ EXPOSE 5942
 RUN deluser --remove-home ubuntu \
 && groupadd ath-user -g $gid \
-&& useradd ath-user -l -c 'ATH User' -u $uid -g $gid -m -d /home/ath-user -s /bin/bash
+&& useradd ath-user -l -c 'ATH User' -u $uid -g $gid -G docker -m -d /home/ath-user -s /bin/bash
 
-# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. Alternative
-# approach used for this is adding ath-user to the group of /var/run/docker.sock but that require root permission we do not
+# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. This alternative
+# approach is used as adding ath-user to the group of /var/run/docker.sock is a build time option and any published container may
+# not match what is needed, and changing this at runtime would require root permission we do not
 # have in ENTRYPOINT as the container is started as ath-user.
 RUN chmod ug+s /usr/bin/docker*
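Review bot: `RUN groupadd docker -g $dockergid` aborts the build whenever that gid is already in use in the base image, and the `ubuntu` user (presumably gid 1000, along with its primary group) is only removed by the `deluser --remove-home ubuntu` step in the second hunk, which runs after this one; an empty `dockergid` from the build arg likewise fails here with an unhelpful usage error rather than a message naming the cause. Quoting the value and checking it first makes the failure explicit, `RUN test -n "$dockergid" && groupadd docker -g "$dockergid"`, and moving the `deluser` step ahead of this block removes the most likely collision. The new comment block would read better as one sentence per line, and it should say that the `1002` default is a placeholder that matches a given host only by coincidence, so local builds must pass the arg.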