From 27a48be28dba64040a58a2547a51b93de329fcd6 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 4 Sep 2024 10:44:00 -0700
Subject: [PATCH 1/3] Update docker Docker tag to v27.2.0 (#1704)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
src/main/resources/ath-container/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/ath-container/Dockerfile b/src/main/resources/ath-container/Dockerfile
index 5720ead19..7cde7566e 100644
--- a/src/main/resources/ath-container/Dockerfile
+++ b/src/main/resources/ath-container/Dockerfile
@@ -39,7 +39,7 @@ RUN install -m 0755 -d /etc/apt/keyrings \
# Docker installation according to https://docs.docker.com/engine/install/ubuntu/
ARG DOCKER_BUILDX_VERSION=0.16.2
-ARG DOCKER_VERSION=27.1.2
+ARG DOCKER_VERSION=27.2.0
RUN install -m 0755 -d /etc/apt/keyrings \
&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
&& printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu %s stable\n' "$(dpkg --print-architecture)" "$(lsb_release -cs)" > /etc/apt/sources.list.d/docker.list \
From 93f5d22015268caea286a15d7c6288aec1d2c43c Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 4 Sep 2024 10:44:40 -0700
Subject: [PATCH 2/3] Update dependency io.netty:netty-bom to v4.1.113.Final
(#1703)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 83177b0c5..05ac00c60 100644
--- a/pom.xml
+++ b/pom.xml
@@ -329,7 +329,7 @@
io.netty
netty-bom
- 4.1.112.Final
+ 4.1.113.Final
pom
import
From 180888e5176136231bfdc8bad66f75a74173b976 Mon Sep 17 00:00:00 2001
From: James Nord
Date: Thu, 5 Sep 2024 18:25:00 +0100
Subject: [PATCH 3/3] Cleanup the docker permission issues. (#1706)
* Cleanup the docker permission issues.
The permissions on the mounted docker.sock were incorrect for the
current user, which led to workarounds setting the docker binary SUID.
However this was a bit hacky and if programmatic access to docker was
needed (e.g. TestContainers, or anything else that used the socket and
not the binary) then access would fail.
Rather than set the binary SUID which only works for some of the docker
use cases, we add the ath-user to the docker group that has access to
the socket on the host at run time.
* Update method of obtaining docker group
Suggested by @dduportal that for docker-dekstop on mac the permission
needeed needs to be obtained from the server (so spawn a container and
check it!)
* use ubuntu:noble to avoid pulling a new image
---
Jenkinsfile | 3 ++-
ath-container.sh | 4 ++++
src/main/resources/ath-container/Dockerfile | 5 -----
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 709730c77..6ada015aa 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -125,7 +125,8 @@ for (int i = 0; i < splits.size(); i++) {
def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" ./src/main/resources/ath-container/')
sh 'mkdir -p target/ath-reports && chmod a+rwx target/ath-reports'
def cwd = pwd()
- image.inside("-v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
+ def dockergid = sh label: 'get docker group', returnStdout: true, script: 'getent group docker | cut -d: -f3'
+ image.inside("--group-add ${dockergid} -v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
def exclusions = splits.get(index).join('\n')
writeFile file: 'excludes.txt', text: exclusions
infra.withArtifactCachingProxy {
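Review bot: The value captured on the `def dockergid = sh ...` line keeps the trailing newline that `returnStdout: true` returns and is empty whenever the agent has no `docker` group (socket owned by some other gid, or the agent itself running in a container), which leaves the next line's `--group-add ` with no value; the shell script in this same series reads the socket's owning gid instead, which is the value that actually grants access. Suggest `def dockergid = sh(label: 'get docker group', returnStdout: true, script: 'stat -c %g /var/run/docker.sock').trim()` followed by a check that fails the build when the result is empty rather than launching the container without the group. The enclosing loop body starts and ends outside the hunk.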
diff --git a/ath-container.sh b/ath-container.sh
index 836c21eaf..df015a197 100755
--- a/ath-container.sh
+++ b/ath-container.sh
@@ -26,6 +26,9 @@ docker build \
"$DIR/src/main/resources/ath-container" \
-t "$tag"
+# obtain the groupId to grant to access the docker socket
+dockergid=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ubuntu:noble stat -c %g /var/run/docker.sock)
+
docker run \
--interactive \
--tty \
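Review bot: If the added `docker run … stat` command fails (daemon unreachable, image pull blocked), `dockergid` is empty and the unquoted `--group-add ${dockergid}` added in the next hunk expands to a bare `--group-add`, so the later `docker run` either errors out or may consume the following argument as the group name; whether the script stops earlier depends on a `set -e` that is outside the hunk. Suggest guarding the assignment with `[ -n "$dockergid" ] || { echo 'could not determine docker socket gid' >&2; exit 1; }` and quoting the use as `--group-add "${dockergid}" \`. The added comment has a wording slip; `# gid owning the docker socket, granted to ath-user so anything using the socket (not just the CLI) can reach the daemon` would read more clearly.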
@@ -34,6 +37,7 @@ docker run \
--user ath-user \
--workdir /home/ath-user/sources \
--shm-size 2g \
+ --group-add ${dockergid} \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$(pwd):/home/ath-user/sources" \
-v "${HOME}/.m2/repository:/home/ath-user/.m2/repository" \
diff --git a/src/main/resources/ath-container/Dockerfile b/src/main/resources/ath-container/Dockerfile
index 7cde7566e..ab34cf3c2 100644
--- a/src/main/resources/ath-container/Dockerfile
+++ b/src/main/resources/ath-container/Dockerfile
@@ -86,11 +86,6 @@ RUN deluser --remove-home ubuntu \
&& groupadd ath-user -g $gid \
&& useradd ath-user -l -c 'ATH User' -u $uid -g $gid -m -d /home/ath-user -s /bin/bash
-# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. Alternative
-# approach used for this is adding ath-user to the group of /var/run/docker.sock but that require root permission we do not
-# have in ENTRYPOINT as the container is started as ath-user.
-RUN chmod ug+s /usr/bin/docker*
-
# Give permission to modify the alternatives links to change the java version in use
RUN chmod u+s "$(which update-alternatives)"