Merge remote-tracking branch 'origin/master' into add-oic-auth-e2e

fcojfernandez · Sep 5, 2024 · b0a679c · b0a679c
2 parents 5df158e + 180888e
commit b0a679c
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 18 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -122,10 +122,11 @@ for (int i = 0; i < splits.size(); i++) {
           retryCounts = retryCounts + 1 // increment the retry count before allocating a node in case it fails
           node(nodeLabel) {
             checkout scm
-            def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" --build-arg dockergid="$(getent group docker | cut -d: -f3)" ./src/main/resources/ath-container/')
+            def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" ./src/main/resources/ath-container/')
             sh 'mkdir -p target/ath-reports && chmod a+rwx target/ath-reports'
             def cwd = pwd()
-            image.inside("-v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
+            def dockergid = sh label: 'get docker group', returnStdout: true, script: 'getent group docker | cut -d: -f3'
+            image.inside("--group-add ${dockergid} -v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
               def exclusions = splits.get(index).join('\n')
               writeFile file: 'excludes.txt', text: exclusions
               infra.withArtifactCachingProxy {

diff --git a/ath-container.sh b/ath-container.sh
@@ -26,6 +26,9 @@ docker build \
 	"$DIR/src/main/resources/ath-container" \
 	-t "$tag"
 
+# obtain the groupId to grant to access the docker socket
+dockergid=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ubuntu:noble stat -c %g /var/run/docker.sock)
+
 docker run \
 	--interactive \
 	--tty \
@@ -34,6 +37,7 @@ docker run \
 	--user ath-user \
 	--workdir /home/ath-user/sources \
 	--shm-size 2g \
+	--group-add ${dockergid} \
 	-v /var/run/docker.sock:/var/run/docker.sock \
 	-v "$(pwd):/home/ath-user/sources" \
 	-v "${HOME}/.m2/repository:/home/ath-user/.m2/repository" \

diff --git a/pom.xml b/pom.xml
@@ -351,7 +351,7 @@
         <!-- upper bounds conflict -->
         <groupId>io.netty</groupId>
         <artifactId>netty-bom</artifactId>
-        <version>4.1.112.Final</version>
+        <version>4.1.113.Final</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>

diff --git a/src/main/resources/ath-container/Dockerfile b/src/main/resources/ath-container/Dockerfile
@@ -37,16 +37,9 @@ RUN install -m 0755 -d /etc/apt/keyrings \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
-# Despite the docker SUID hack below, test-containers accesses /var/run/docker.sock directly and so we can not rely on the SUID hack.
-# Rather take the docker user group as an arg and make the ath-user a member of that group
-# we retain the suid workaround as this method requires a local build of the container
-# we need to do this before we install docker so that any files have the correct permission
-ARG dockergid=1002
-RUN groupadd docker -g $dockergid
-
 # Docker installation according to https://docs.docker.com/engine/install/ubuntu/
 ARG DOCKER_BUILDX_VERSION=0.16.2
-ARG DOCKER_VERSION=27.1.2
+ARG DOCKER_VERSION=27.2.0
 RUN install -m 0755 -d /etc/apt/keyrings \
   && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
   && printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu %s stable\n' "$(dpkg --print-architecture)" "$(lsb_release -cs)" > /etc/apt/sources.list.d/docker.list \
@@ -91,13 +84,7 @@ EXPOSE 5942
 
 RUN deluser --remove-home ubuntu \
   && groupadd ath-user -g $gid \
-  && useradd ath-user -l -c 'ATH User' -u $uid -g $gid -G docker -m -d /home/ath-user -s /bin/bash
-
-# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. This alternative
-# approach is used as adding ath-user to the group of /var/run/docker.sock is a build time option and any published container may
-# not match what is needed, and changing this at runtime would require root permission we do not
-# have in ENTRYPOINT as the container is started as ath-user.
-RUN chmod ug+s /usr/bin/docker*
+  && useradd ath-user -l -c 'ATH User' -u $uid -g $gid -m -d /home/ath-user -s /bin/bash
 
 # Give permission to modify the alternatives links to change the java version in use
 RUN chmod u+s "$(which update-alternatives)"