From 9d001baba4b5044aa136edcca1221c97149d0bc0 Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Wed, 15 Jul 2020 19:32:23 -0700
Subject: [PATCH 1/9] ci: enable full test on arm64

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 .azure-pipelines/pipelines.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
index 582d2e221699..ac6470c941d1 100644
--- a/.azure-pipelines/pipelines.yml
+++ b/.azure-pipelines/pipelines.yml
@@ -53,15 +53,15 @@ jobs:
   - job: release_arm64
     displayName: "Linux-arm64 release.server_only"
     dependsOn: ["format"]
-    condition: ne(variables['Build.Reason'], 'PullRequest')
     pool: "arm-large"
     steps:
       - template: bazel.yml
         parameters:
           managedAgent: false
-          ciTarget: bazel.release.server_only
+          ciTarget: bazel.release
           rbe: false
           artifactSuffix: ".arm64"
+          bazelBuildExtraOptions: "--define=hot_restart=disabled --test_env=HEAPCHECK= --conlyopt=-fexceptions"
 
   - job: bazel
     displayName: "Linux-x64"

From 1e867e010489c52329ac0f2ef69ae5392a1cbefb Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Thu, 16 Jul 2020 01:51:49 -0700
Subject: [PATCH 2/9] adjust timeout

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 .azure-pipelines/pipelines.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
index ac6470c941d1..f0ade665edd8 100644
--- a/.azure-pipelines/pipelines.yml
+++ b/.azure-pipelines/pipelines.yml
@@ -53,6 +53,9 @@ jobs:
   - job: release_arm64
     displayName: "Linux-arm64 release.server_only"
     dependsOn: ["format"]
+    # For master builds, continue even if format fails
+    condition: and(not(canceled()), or(succeeded(), ne(variables['Build.Reason'], 'PullRequest')))
+    timeoutInMinutes: 360
     pool: "arm-large"
     steps:
       - template: bazel.yml

From 7d1ddc00843f9840ba1477a5d637ef7780876ee0 Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Thu, 16 Jul 2020 04:08:48 -0700
Subject: [PATCH 3/9] fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 .azure-pipelines/pipelines.yml | 4 ++--
 .bazelrc                       | 1 +
 ci/do_ci.sh                    | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
index f0ade665edd8..7b0c8263c034 100644
--- a/.azure-pipelines/pipelines.yml
+++ b/.azure-pipelines/pipelines.yml
@@ -51,7 +51,7 @@ jobs:
           ciTarget: bazel.release
 
   - job: release_arm64
-    displayName: "Linux-arm64 release.server_only"
+    displayName: "Linux-arm64 release"
     dependsOn: ["format"]
     # For master builds, continue even if format fails
     condition: and(not(canceled()), or(succeeded(), ne(variables['Build.Reason'], 'PullRequest')))
@@ -64,7 +64,7 @@ jobs:
           ciTarget: bazel.release
           rbe: false
           artifactSuffix: ".arm64"
-          bazelBuildExtraOptions: "--define=hot_restart=disabled --test_env=HEAPCHECK= --conlyopt=-fexceptions"
+          bazelBuildExtraOptions: "--remote_cache=$(LocalCacheProxy) --remote_timeout=300"
 
   - job: bazel
     displayName: "Linux-x64"
diff --git a/.bazelrc b/.bazelrc
index bf32a37e6b02..23b709b17a3d 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -23,6 +23,7 @@ build --enable_platform_specific_config
 # Enable position independent code, this option is not supported on Windows and default on on macOS.
 build:linux --copt=-fPIC
 build:linux --cxxopt=-std=c++17
+build:linux --conlyopt=-fexceptions
 
 # We already have absl in the build, define absl=1 to tell googletest to use absl for backtrace.
 build --define absl=1
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index d13c7be545bd..c1d5d712a9f6 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -110,7 +110,8 @@ if [[ "$CI_TARGET" == "bazel.release" ]]; then
   # toolchain is kept consistent. This ifdef is checked in
   # test/common/stats/stat_test_utility.cc when computing
   # Stats::TestUtil::MemoryTest::mode().
-  BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS} --test_env=ENVOY_MEMORY_TEST_EXACT=true"
+  [[ "$(uname -m)" == "x86_64" ]] && BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS} --test_env=ENVOY_MEMORY_TEST_EXACT=true"
+  [[ "$(uname -m)" == "aarch64" ]] && BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS} --define=hot_restart=disabled --test_env=HEAPCHECK="
 
   setup_clang_toolchain
   echo "bazel release build with tests..."

From 2907186ba01ba618d666fe775b453cbdb7f001fa Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Thu, 16 Jul 2020 15:01:39 -0700
Subject: [PATCH 4/9] try deflake

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 .azure-pipelines/pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
index 7b0c8263c034..c7d5f949a8f3 100644
--- a/.azure-pipelines/pipelines.yml
+++ b/.azure-pipelines/pipelines.yml
@@ -64,7 +64,7 @@ jobs:
           ciTarget: bazel.release
           rbe: false
           artifactSuffix: ".arm64"
-          bazelBuildExtraOptions: "--remote_cache=$(LocalCacheProxy) --remote_timeout=300"
+          bazelBuildExtraOptions: "--config=docker-sandbox --remote_cache=$(LocalCacheProxy) --remote_timeout=300 --sandbox_base=/tmp/sandbox_base"
 
   - job: bazel
     displayName: "Linux-x64"

From c641cad9efe7b04fe74e1a32782cc0c89c96cea5 Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Thu, 16 Jul 2020 16:13:54 -0700
Subject: [PATCH 5/9] docker perm

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 ci/run_envoy_docker.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ci/run_envoy_docker.sh b/ci/run_envoy_docker.sh
index 886a2347d378..b1fa06b11865 100755
--- a/ci/run_envoy_docker.sh
+++ b/ci/run_envoy_docker.sh
@@ -21,14 +21,18 @@ USER_GROUP=root
 
 export ENVOY_BUILD_IMAGE="${IMAGE_NAME}:${IMAGE_ID}"
 
+ENVOY_DOCKER_SOCK=${ENVOY_DOCKER_SOCK:-/var/run/docker.sock}
+DOCKER_GID="$(stat -c '%g' ${ENVOY_DOCKER_SOCK})"
+
 mkdir -p "${ENVOY_DOCKER_BUILD_DIR}"
 # Since we specify an explicit hash, docker-run will pull from the remote repo if missing.
 docker run --rm ${ENVOY_DOCKER_OPTIONS} -e HTTP_PROXY=${http_proxy} -e HTTPS_PROXY=${https_proxy} -e NO_PROXY=${no_proxy} \
-  -u "${USER}":"${USER_GROUP}" -v "${ENVOY_DOCKER_BUILD_DIR}":/build -v /var/run/docker.sock:/var/run/docker.sock  \
+  -u "${USER}":"${USER_GROUP}" -v "${ENVOY_DOCKER_BUILD_DIR}":/build -v "${ENVOY_DOCKER_SOCK}":/var/run/docker.sock  \
   -e BAZEL_BUILD_EXTRA_OPTIONS -e BAZEL_EXTRA_TEST_OPTIONS -e BAZEL_REMOTE_CACHE -e ENVOY_STDLIB -e BUILD_REASON \
   -e BAZEL_REMOTE_INSTANCE -e GCP_SERVICE_ACCOUNT_KEY -e NUM_CPUS -e ENVOY_RBE -e FUZZIT_API_KEY -e ENVOY_BUILD_IMAGE \
   -e ENVOY_SRCDIR -e ENVOY_BUILD_TARGET -e SYSTEM_PULLREQUEST_TARGETBRANCH -e SYSTEM_PULLREQUEST_PULLREQUESTNUMBER \
   -e GCS_ARTIFACT_BUCKET -e BUILD_SOURCEBRANCHNAME -e BAZELISK_BASE_URL \
   -v "$PWD":/source --cap-add SYS_PTRACE --cap-add NET_RAW --cap-add NET_ADMIN "${ENVOY_BUILD_IMAGE}" \
-  /bin/bash -lc "groupadd --gid $(id -g) -f envoygroup && useradd -o --uid $(id -u) --gid $(id -g) --no-create-home \
-  --home-dir /build envoybuild && usermod -a -G pcap envoybuild && sudo -EHs -u envoybuild bash -c \"cd /source && $*\""
+  /bin/bash -lc "groupadd --gid $(id -g) -f envoygroup && groupadd --gid ${DOCKER_GID} -f docker && \
+  useradd -o --uid $(id -u) --gid $(id -g) --no-create-home --home-dir /build -G pcap,docker envoybuild \
+  && sudo -EHs -u envoybuild bash -c \"cd /source && $*\""

From d5e36bff6d6eea4e97e0f93fcb93a9c1f0d35f9d Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Sat, 18 Jul 2020 15:01:02 -0700
Subject: [PATCH 6/9] update image

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 .bazelrc                       |  2 +-
 .circleci/config.yml           |  2 +-
 .devcontainer/Dockerfile       |  2 +-
 bazel/repository_locations.bzl | 16 ++++++++--------
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.bazelrc b/.bazelrc
index 08657d667546..3adcbd2a7ad1 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -212,7 +212,7 @@ build:remote-msvc-cl --config=rbe-toolchain-msvc-cl
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/master/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:736b8db2e1f0b55edb50719d2f8ddf383f46030b
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:923df85a4ba7f30dcd0cb6b0c6d8d604f0e20f48
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 822d995b2d3c..a9f9145da241 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -5,7 +5,7 @@ executors:
     description: "A regular build executor based on ubuntu image"
     docker:
       # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/master/toolchains/rbe_toolchains_config.bzl#L8
-      - image: envoyproxy/envoy-build-ubuntu:736b8db2e1f0b55edb50719d2f8ddf383f46030b
+      - image: envoyproxy/envoy-build-ubuntu:923df85a4ba7f30dcd0cb6b0c6d8d604f0e20f48
     resource_class: xlarge
     working_directory: /source
 
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 33ca454d55ad..8f28f19e276a 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM gcr.io/envoy-ci/envoy-build:736b8db2e1f0b55edb50719d2f8ddf383f46030b
+FROM gcr.io/envoy-ci/envoy-build:923df85a4ba7f30dcd0cb6b0c6d8d604f0e20f48
 
 ARG USERNAME=vscode
 ARG USER_UID=501
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index 5c098ce04975..a1b67594d1f3 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -53,11 +53,11 @@ DEPENDENCY_REPOSITORIES = dict(
         use_category = ["build"],
     ),
     bazel_toolchains = dict(
-        sha256 = "2431088b38fd8e2878db17e3c5babb431de9e5c52b6d8b509d3070fa279a5be2",
-        strip_prefix = "bazel-toolchains-3.3.1",
+        sha256 = "882fecfc88d3dc528f5c5681d95d730e213e39099abff2e637688a91a9619395",
+        strip_prefix = "bazel-toolchains-3.4.0",
         urls = [
-            "https://github.com/bazelbuild/bazel-toolchains/releases/download/3.3.1/bazel-toolchains-3.3.1.tar.gz",
-            "https://mirror.bazel.build/github.com/bazelbuild/bazel-toolchains/archive/3.3.1.tar.gz",
+            "https://github.com/bazelbuild/bazel-toolchains/releases/download/3.4.0/bazel-toolchains-3.4.0.tar.gz",
+            "https://mirror.bazel.build/github.com/bazelbuild/bazel-toolchains/archive/3.4.0.tar.gz",
         ],
         use_category = ["build"],
     ),
@@ -67,10 +67,10 @@ DEPENDENCY_REPOSITORIES = dict(
         use_category = ["build"],
     ),
     envoy_build_tools = dict(
-        sha256 = "dd5cc89bb69544659b20b88b28e642da0174739b68c82f029617b9749d61ab1d",
-        strip_prefix = "envoy-build-tools-289a5ca65aefd5a76f18f103d1425cfec5591417",
-        # 2020-07-15
-        urls = ["https://github.com/envoyproxy/envoy-build-tools/archive/289a5ca65aefd5a76f18f103d1425cfec5591417.tar.gz"],
+        sha256 = "88e58fdb42021e64a0b35ae3554a82e92f5c37f630a4dab08a132fc77f8db4b7",
+        strip_prefix = "envoy-build-tools-1d6573e60207efaae6436b25ecc594360294f63a",
+        # 2020-07-19
+        urls = ["https://github.com/envoyproxy/envoy-build-tools/archive/1d6573e60207efaae6436b25ecc594360294f63a.tar.gz"],
         use_category = ["build"],
     ),
     boringssl = dict(

From 38cb729e5e8678922b9af3211c603c20758ea4ca Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Sat, 18 Jul 2020 15:03:35 -0700
Subject: [PATCH 7/9] fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 ci/build_setup.sh | 2 ++
 ci/do_ci.sh       | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ci/build_setup.sh b/ci/build_setup.sh
index ee60c484ca4e..0e5442adf662 100755
--- a/ci/build_setup.sh
+++ b/ci/build_setup.sh
@@ -92,6 +92,8 @@ export BAZEL_BUILD_OPTIONS="--verbose_failures ${BAZEL_OPTIONS} --action_env=HOM
   --repository_cache=${BUILD_DIR}/repository_cache --experimental_repository_cache_hardlinks \
   ${BAZEL_BUILD_EXTRA_OPTIONS} ${BAZEL_EXTRA_TEST_OPTIONS}"
 
+[[ "$(uname -m)" == "aarch64" ]] && BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS} --define=hot_restart=disabled --test_env=HEAPCHECK="
+
 [[ "${BAZEL_EXPUNGE}" == "1" ]] && "${BAZEL}" clean --expunge
 
 # Also setup some space for building Envoy standalone.
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index eecc3c631d85..fcc5981f3b62 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -111,7 +111,6 @@ if [[ "$CI_TARGET" == "bazel.release" ]]; then
   # test/common/stats/stat_test_utility.cc when computing
   # Stats::TestUtil::MemoryTest::mode().
   [[ "$(uname -m)" == "x86_64" ]] && BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS} --test_env=ENVOY_MEMORY_TEST_EXACT=true"
-  [[ "$(uname -m)" == "aarch64" ]] && BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS} --define=hot_restart=disabled --test_env=HEAPCHECK="
 
   setup_clang_toolchain
   echo "bazel release build with tests..."

From fa66c834af001817e42cf5a47749722ae51886e9 Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Sat, 18 Jul 2020 18:20:54 -0700
Subject: [PATCH 8/9] not use docker-sandbox

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 .azure-pipelines/pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
index 96c64c554822..8b968f9f6227 100644
--- a/.azure-pipelines/pipelines.yml
+++ b/.azure-pipelines/pipelines.yml
@@ -64,7 +64,7 @@ jobs:
           ciTarget: bazel.release
           rbe: false
           artifactSuffix: ".arm64"
-          bazelBuildExtraOptions: "--config=docker-sandbox --remote_cache=$(LocalCacheProxy) --remote_timeout=300 --sandbox_base=/tmp/sandbox_base"
+          bazelBuildExtraOptions: "--sandbox_base=/tmp/sandbox_base"
 
   - job: bazel
     displayName: "Linux-x64"

From bb25127f3564a331babac6c5c5b903b365cc2b68 Mon Sep 17 00:00:00 2001
From: Lizan Zhou <lizan@tetrate.io>
Date: Mon, 20 Jul 2020 02:53:49 -0700
Subject: [PATCH 9/9] revert unnecessary changes

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
---
 .bazelrc                       |  2 +-
 .circleci/config.yml           |  2 +-
 .devcontainer/Dockerfile       |  2 +-
 bazel/repository_locations.bzl | 16 ++++++++--------
 ci/run_envoy_docker.sh         | 10 +++-------
 5 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/.bazelrc b/.bazelrc
index 3adcbd2a7ad1..08657d667546 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -212,7 +212,7 @@ build:remote-msvc-cl --config=rbe-toolchain-msvc-cl
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/master/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:923df85a4ba7f30dcd0cb6b0c6d8d604f0e20f48
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:736b8db2e1f0b55edb50719d2f8ddf383f46030b
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker
diff --git a/.circleci/config.yml b/.circleci/config.yml
index a9f9145da241..822d995b2d3c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -5,7 +5,7 @@ executors:
     description: "A regular build executor based on ubuntu image"
     docker:
       # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/master/toolchains/rbe_toolchains_config.bzl#L8
-      - image: envoyproxy/envoy-build-ubuntu:923df85a4ba7f30dcd0cb6b0c6d8d604f0e20f48
+      - image: envoyproxy/envoy-build-ubuntu:736b8db2e1f0b55edb50719d2f8ddf383f46030b
     resource_class: xlarge
     working_directory: /source
 
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 8f28f19e276a..33ca454d55ad 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM gcr.io/envoy-ci/envoy-build:923df85a4ba7f30dcd0cb6b0c6d8d604f0e20f48
+FROM gcr.io/envoy-ci/envoy-build:736b8db2e1f0b55edb50719d2f8ddf383f46030b
 
 ARG USERNAME=vscode
 ARG USER_UID=501
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index a1b67594d1f3..5c098ce04975 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -53,11 +53,11 @@ DEPENDENCY_REPOSITORIES = dict(
         use_category = ["build"],
     ),
     bazel_toolchains = dict(
-        sha256 = "882fecfc88d3dc528f5c5681d95d730e213e39099abff2e637688a91a9619395",
-        strip_prefix = "bazel-toolchains-3.4.0",
+        sha256 = "2431088b38fd8e2878db17e3c5babb431de9e5c52b6d8b509d3070fa279a5be2",
+        strip_prefix = "bazel-toolchains-3.3.1",
         urls = [
-            "https://github.com/bazelbuild/bazel-toolchains/releases/download/3.4.0/bazel-toolchains-3.4.0.tar.gz",
-            "https://mirror.bazel.build/github.com/bazelbuild/bazel-toolchains/archive/3.4.0.tar.gz",
+            "https://github.com/bazelbuild/bazel-toolchains/releases/download/3.3.1/bazel-toolchains-3.3.1.tar.gz",
+            "https://mirror.bazel.build/github.com/bazelbuild/bazel-toolchains/archive/3.3.1.tar.gz",
         ],
         use_category = ["build"],
     ),
@@ -67,10 +67,10 @@ DEPENDENCY_REPOSITORIES = dict(
         use_category = ["build"],
     ),
     envoy_build_tools = dict(
-        sha256 = "88e58fdb42021e64a0b35ae3554a82e92f5c37f630a4dab08a132fc77f8db4b7",
-        strip_prefix = "envoy-build-tools-1d6573e60207efaae6436b25ecc594360294f63a",
-        # 2020-07-19
-        urls = ["https://github.com/envoyproxy/envoy-build-tools/archive/1d6573e60207efaae6436b25ecc594360294f63a.tar.gz"],
+        sha256 = "dd5cc89bb69544659b20b88b28e642da0174739b68c82f029617b9749d61ab1d",
+        strip_prefix = "envoy-build-tools-289a5ca65aefd5a76f18f103d1425cfec5591417",
+        # 2020-07-15
+        urls = ["https://github.com/envoyproxy/envoy-build-tools/archive/289a5ca65aefd5a76f18f103d1425cfec5591417.tar.gz"],
         use_category = ["build"],
     ),
     boringssl = dict(
diff --git a/ci/run_envoy_docker.sh b/ci/run_envoy_docker.sh
index b1fa06b11865..886a2347d378 100755
--- a/ci/run_envoy_docker.sh
+++ b/ci/run_envoy_docker.sh
@@ -21,18 +21,14 @@ USER_GROUP=root
 
 export ENVOY_BUILD_IMAGE="${IMAGE_NAME}:${IMAGE_ID}"
 
-ENVOY_DOCKER_SOCK=${ENVOY_DOCKER_SOCK:-/var/run/docker.sock}
-DOCKER_GID="$(stat -c '%g' ${ENVOY_DOCKER_SOCK})"
-
 mkdir -p "${ENVOY_DOCKER_BUILD_DIR}"
 # Since we specify an explicit hash, docker-run will pull from the remote repo if missing.
 docker run --rm ${ENVOY_DOCKER_OPTIONS} -e HTTP_PROXY=${http_proxy} -e HTTPS_PROXY=${https_proxy} -e NO_PROXY=${no_proxy} \
-  -u "${USER}":"${USER_GROUP}" -v "${ENVOY_DOCKER_BUILD_DIR}":/build -v "${ENVOY_DOCKER_SOCK}":/var/run/docker.sock  \
+  -u "${USER}":"${USER_GROUP}" -v "${ENVOY_DOCKER_BUILD_DIR}":/build -v /var/run/docker.sock:/var/run/docker.sock  \
   -e BAZEL_BUILD_EXTRA_OPTIONS -e BAZEL_EXTRA_TEST_OPTIONS -e BAZEL_REMOTE_CACHE -e ENVOY_STDLIB -e BUILD_REASON \
   -e BAZEL_REMOTE_INSTANCE -e GCP_SERVICE_ACCOUNT_KEY -e NUM_CPUS -e ENVOY_RBE -e FUZZIT_API_KEY -e ENVOY_BUILD_IMAGE \
   -e ENVOY_SRCDIR -e ENVOY_BUILD_TARGET -e SYSTEM_PULLREQUEST_TARGETBRANCH -e SYSTEM_PULLREQUEST_PULLREQUESTNUMBER \
   -e GCS_ARTIFACT_BUCKET -e BUILD_SOURCEBRANCHNAME -e BAZELISK_BASE_URL \
   -v "$PWD":/source --cap-add SYS_PTRACE --cap-add NET_RAW --cap-add NET_ADMIN "${ENVOY_BUILD_IMAGE}" \
-  /bin/bash -lc "groupadd --gid $(id -g) -f envoygroup && groupadd --gid ${DOCKER_GID} -f docker && \
-  useradd -o --uid $(id -u) --gid $(id -g) --no-create-home --home-dir /build -G pcap,docker envoybuild \
-  && sudo -EHs -u envoybuild bash -c \"cd /source && $*\""
+  /bin/bash -lc "groupadd --gid $(id -g) -f envoygroup && useradd -o --uid $(id -u) --gid $(id -g) --no-create-home \
+  --home-dir /build envoybuild && usermod -a -G pcap envoybuild && sudo -EHs -u envoybuild bash -c \"cd /source && $*\""