Cleanup the docker permission issues. (#1706)

* Cleanup the docker permission issues. The permissions on the mounted docker.sock where incorrect for the current user, which lead to workarounds setting the docker binary SUID. However this was a bit hacky and if programatic access to docker was needed (e.g. TestContainers, or anything else that used the socket and not the binary) then access would fail. Rather than set the binary SUID which only works for some of the docker use cases, we add the ath-user to the docker group that has access to the socket on the host at run time. * Update method of obtaining docker group Suggested by @dduportal that for docker-dekstop on mac the permission needeed needs to be obtained from the server (so spawn a container and check it!) * use ubuntu:noble to avoid pulling a new image
jenkinsci · Sep 5, 2024 · 180888e · 180888e
1 parent 93f5d22
commit 180888e
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -125,7 +125,8 @@ for (int i = 0; i < splits.size(); i++) {
             def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" ./src/main/resources/ath-container/')
             sh 'mkdir -p target/ath-reports && chmod a+rwx target/ath-reports'
             def cwd = pwd()
-            image.inside("-v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
+            def dockergid = sh label: 'get docker group', returnStdout: true, script: 'getent group docker | cut -d: -f3'
+            image.inside("--group-add ${dockergid} -v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
               def exclusions = splits.get(index).join('\n')
               writeFile file: 'excludes.txt', text: exclusions
               infra.withArtifactCachingProxy {

diff --git a/ath-container.sh b/ath-container.sh
@@ -26,6 +26,9 @@ docker build \
 	"$DIR/src/main/resources/ath-container" \
 	-t "$tag"
 
+# obtain the groupId to grant to access the docker socket
+dockergid=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ubuntu:noble stat -c %g /var/run/docker.sock)
+
 docker run \
 	--interactive \
 	--tty \
@@ -34,6 +37,7 @@ docker run \
 	--user ath-user \
 	--workdir /home/ath-user/sources \
 	--shm-size 2g \
+	--group-add ${dockergid} \
 	-v /var/run/docker.sock:/var/run/docker.sock \
 	-v "$(pwd):/home/ath-user/sources" \
 	-v "${HOME}/.m2/repository:/home/ath-user/.m2/repository" \

diff --git a/src/main/resources/ath-container/Dockerfile b/src/main/resources/ath-container/Dockerfile
@@ -86,11 +86,6 @@ RUN deluser --remove-home ubuntu \
   && groupadd ath-user -g $gid \
   && useradd ath-user -l -c 'ATH User' -u $uid -g $gid -m -d /home/ath-user -s /bin/bash
 
-# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. Alternative
-# approach used for this is adding ath-user to the group of /var/run/docker.sock but that require root permission we do not
-# have in ENTRYPOINT as the container is started as ath-user.
-RUN chmod ug+s /usr/bin/docker*
-
 # Give permission to modify the alternatives links to change the java version in use
 RUN chmod u+s "$(which update-alternatives)"