Change approach to checking GID in Docker (#62751)

Closes #62466. Since we're still seeing occasional failures when
checking the GID of all files in the Docker image due to Elasticsearch
running in the background, instead run a new container with ES running
at all.

qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java

@@ -25,6 +25,7 @@ import org.elasticsearch.packaging.util.Distribution;
 import org.elasticsearch.packaging.util.Installation;
 import org.elasticsearch.packaging.util.Platforms;
 import org.elasticsearch.packaging.util.ServerUtils;
+import org.elasticsearch.packaging.util.Shell;
 import org.elasticsearch.packaging.util.Shell.Result;
 import org.junit.After;
 import org.junit.Before;
@@ -46,6 +47,7 @@ import static org.elasticsearch.packaging.util.Docker.copyFromContainer;
 import static org.elasticsearch.packaging.util.Docker.existsInContainer;
 import static org.elasticsearch.packaging.util.Docker.getContainerLogs;
 import static org.elasticsearch.packaging.util.Docker.getImageLabels;
+import static org.elasticsearch.packaging.util.Docker.getImageName;
 import static org.elasticsearch.packaging.util.Docker.getJson;
 import static org.elasticsearch.packaging.util.Docker.mkDirWithPrivilegeEscalation;
 import static org.elasticsearch.packaging.util.Docker.removeContainer;
@@ -523,12 +525,17 @@ public class DockerTests extends PackagingTestCase {
     /**
      * Check that there are no files with a GID other than 0.
      */
-    public void test101AllFilesAreGroupZero() throws Exception {
+    public void test101AllFilesAreGroupZero() {
-        // We wait for Elasticsearch to finish starting up in order to avoid the situation where `find` traverses the filesystem
+        // Run a `find` command in a new container without Elasticsearch running, so
-        // and sees files in a directory listing, which have disappeared by the time `find` tries to examine them. This periodically
+        // that the results aren't subject to sporadic failures from files appearing /
-        // happened with the keystore, for example.
+        // disappearing while `find` is traversing the filesystem.
-        waitForElasticsearch(installation);
+        //
-        final String findResults = sh.run("find . -not -gid 0").stdout;
+        // We also create a file under `data/` to ensure that files are created with the
+        // expected group.
+        final Shell localSh = new Shell();
+        final String findResults = localSh.run(
+            "docker run --rm --tty " + getImageName(distribution) + " bash -c ' touch data/test && find . -not -gid 0 ' "
+        ).stdout;
 
         assertThat("Found some files whose GID != 0", findResults, is(emptyString()));
     }

qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java

@@ -612,7 +612,7 @@ public class Docker {
         return sh.run("docker logs " + containerId);
     }
 
-    private static String getImageName(Distribution distribution) {
+    public static String getImageName(Distribution distribution) {
         return distribution.flavor.name + (distribution.packaging == Distribution.Packaging.DOCKER_UBI ? "-ubi8" : "") + ":test";
     }
 }