Modifies ROOT user related setup to Dockerfile.curobo

docker/Dockerfile.curobo

@@ -34,6 +34,8 @@ ENV DOCKER_USER_HOME=${DOCKER_USER_HOME_ARG}
 ENV LANG=C.UTF-8
 ENV DEBIAN_FRONTEND=noninteractive
 
+# Base image ends with USER isaac-sim (uid 1234); switch to root for
+# system-level setup (apt, cuda, /bin/nvidia-* placeholders, etc.).
 USER root
 
 # Install dependencies
@@ -145,9 +147,48 @@ RUN rm -rf ${ISAACSIM_ROOT_PATH}/kit/python/lib/python3.12/site-packages/pip* &&
     ${ISAACLAB_PATH}/_isaac_sim/kit/python/bin/python3 get-pip.py && \
     rm get-pip.py
 
+# Create a non-root runtime user with uid/gid 1000 to match the CI runner
+# host user that owns the bind-mounted /workspace/isaaclab. Without this
+# match, runtime `mkdir tests` etc. fail with EACCES on the bind-mount
+# overlay. The base image already provisions an isaac-sim user (uid 1234)
+# which keeps ownership of /isaac-sim; we only chown the paths the new user
+# needs to write to so we don't trigger an OverlayFS copy-up of the multi-GB
+# Isaac Sim install. /isaac-sim stays mode 755 so isaaclab can still
+# read+exec it.
+#
+# --non-unique (-o) on both groupadd and useradd is required because some
+# base image revisions already carry a group/user at gid/uid 1000 (e.g. an
+# `ubuntu`/`kit`-style account). The file system only cares about numeric
+# IDs, so two names mapping to the same numeric ID is fine; resolving
+# "isaaclab" via /etc/passwd still returns our /home/isaaclab entry, so
+# build-time ${HOME}/.bashrc writes land where we own the path. We pin the
+# group's GID explicitly to 1000 (instead of letting useradd auto-pick one
+# when the default GID is taken) so that the BuildKit pip cache mount's
+# `gid=1000` matches the user's primary group.
+RUN groupadd --non-unique --gid 1000 isaaclab \
+ && useradd  --non-unique --uid 1000 --gid 1000 -m -l -s /bin/bash -d /home/isaaclab isaaclab
+
+RUN chown -R isaaclab:isaaclab \
+        ${ISAACLAB_PATH} \
+        ${ISAACSIM_ROOT_PATH}/kit/python/lib/python3.12/site-packages \
+        ${DOCKER_USER_HOME} \
+        /home/isaaclab
+
+# Open up traversal of ${ISAACSIM_ROOT_PATH} for non-owner users. The base
+# image creates /isaac-sim as the isaac-sim user's home directory, which on
+# recent Ubuntu defaults to mode 0700 (HOME_MODE in /etc/login.defs). Without
+# at least exec for "other", isaaclab cannot enter the directory to find
+# python.sh or the Kit runtime, and `isaaclab.sh -p` falls back to the
+# nonexistent system python3. Inner files retain their original perms (NVIDIA
+# ships them world-readable per standard distribution conventions), so we
+# only need to relax the top-level directory.
+RUN chmod 755 ${ISAACSIM_ROOT_PATH}
+
+USER isaaclab
+
 # installing Isaac Lab dependencies
 # use pip caching to avoid reinstalling large packages
-RUN --mount=type=cache,target=${DOCKER_USER_HOME}/.cache/pip \
+RUN --mount=type=cache,target=${DOCKER_USER_HOME}/.cache/pip,uid=1000,gid=1000 \
     ${ISAACLAB_PATH}/isaaclab.sh --install
 
 # HACK: Uninstall quadprog as it causes issues with some reinforcement learning frameworks
@@ -169,11 +210,11 @@ RUN echo "export ISAACLAB_PATH=${ISAACLAB_PATH}" >> ${HOME}/.bashrc && \
     echo "alias pip3='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${HOME}/.bashrc && \
     echo "alias tensorboard='${ISAACLAB_PATH}/_isaac_sim/python.sh ${ISAACLAB_PATH}/_isaac_sim/tensorboard'" >> ${HOME}/.bashrc && \
     echo "export TZ=$(date +%Z)" >> ${HOME}/.bashrc && \
-    echo "shopt -s histappend" >> /root/.bashrc && \
-    echo "PROMPT_COMMAND='history -a'" >> /root/.bashrc
+    echo "shopt -s histappend" >> ${HOME}/.bashrc && \
+    echo "PROMPT_COMMAND='history -a'" >> ${HOME}/.bashrc
 
 # copy the rest of the files
-COPY ../ ${ISAACLAB_PATH}/
+COPY --chown=isaaclab:isaaclab ../ ${ISAACLAB_PATH}/
 
 # make working directory as the Isaac Lab directory
 # this is the default directory when the container is run