Skip to content

Modifies ROOT user related setup to Dockerfile.curobo #5376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
njawale42 wants to merge 8 commits into
base: develop
Choose a base branch
from
+45 −4
Open

Modifies ROOT user related setup to Dockerfile.curobo #5376

Changes from 4 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
182a9df
Removes redundant USER root from Dockerfile.curobo
njawale42 Apr 23, 2026
3f9dfbe
Use ${HOME}/.bashrc consistently in Dockerfile.curobo
njawale42 Apr 23, 2026
b0643e4
Drops privileges to isaac-sim for pip installs and runtime in Dockerf…
njawale42 Apr 23, 2026
61f1fd7
Runs Dockerfile.curobo as new isaaclab user (uid 1000) for bind-mount…
njawale42 Apr 24, 2026
7d5bf6d
Merge branch 'develop' into neel/dockerfile-curobo-remove-root-user
kellyguo11 Apr 26, 2026
fc7c605
Allows non-unique uid when creating isaaclab user in Dockerfile.curobo
njawale42 Apr 27, 2026
02a97eb
Pins isaaclab gid to 1000 with explicit groupadd in Dockerfile.curobo
njawale42 Apr 27, 2026
e0e7b86
Opens up /isaac-sim traversal for the isaaclab user in Dockerfile.curobo
njawale42 Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 23 additions & 4 deletions docker/Dockerfile.curobo
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ ENV DOCKER_USER_HOME=${DOCKER_USER_HOME_ARG}
ENV LANG=C.UTF-8
ENV DEBIAN_FRONTEND=noninteractive

# Base image ends with USER isaac-sim (uid 1234); switch to root for
# system-level setup (apt, cuda, /bin/nvidia-* placeholders, etc.).
USER root

# Install dependencies
Expand Down Expand Up @@ -145,9 +147,26 @@ RUN rm -rf ${ISAACSIM_ROOT_PATH}/kit/python/lib/python3.12/site-packages/pip* &&
${ISAACLAB_PATH}/_isaac_sim/kit/python/bin/python3 get-pip.py && \
rm get-pip.py

# Create a non-root runtime user with uid 1000 to match the CI runner host
# user that owns the bind-mounted /workspace/isaaclab. Without this match,
# runtime `mkdir tests` etc. fail with EACCES on the bind-mount overlay.
# The base image already provisions an isaac-sim user (uid 1234) which keeps
# ownership of /isaac-sim; we only chown the paths the new user needs to
# write to so we don't trigger an OverlayFS copy-up of the multi-GB Isaac
# Sim install. /isaac-sim stays mode 755 so isaaclab can still read+exec it.
RUN useradd -ms /bin/bash -l --uid 1000 isaaclab -d /home/isaaclab

RUN chown -R isaaclab:isaaclab \
${ISAACLAB_PATH} \
${ISAACSIM_ROOT_PATH}/kit/python/lib/python3.12/site-packages \
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Hardcoded Python version will break on base-image upgrade

python3.12 is hard-coded in the chown path. If the upstream Isaac Sim base image ships Python 3.13 (or any other version), this path won't exist and the RUN chown -R layer will fail at build time with "No such file or directory," breaking the entire image build.

Use a glob or a shell expansion to resolve the versioned directory dynamically:

Suggested change
${ISAACSIM_ROOT_PATH}/kit/python/lib/python3.12/site-packages \
$(ls -d ${ISAACSIM_ROOT_PATH}/kit/python/lib/python3.*/site-packages 2>/dev/null | head -1) \

${DOCKER_USER_HOME} \
/home/isaaclab

USER isaaclab
Comment thread
njawale42 marked this conversation as resolved.
Outdated

# installing Isaac Lab dependencies
# use pip caching to avoid reinstalling large packages
RUN --mount=type=cache,target=${DOCKER_USER_HOME}/.cache/pip \
RUN --mount=type=cache,target=${DOCKER_USER_HOME}/.cache/pip,uid=1000,gid=1000 \
${ISAACLAB_PATH}/isaaclab.sh --install
Comment on lines +191 to 192
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Pip cache mount target mismatches the isaaclab user's $HOME

After USER isaaclab, pip resolves its cache via ${HOME} — which points to /home/isaaclab (the user's home directory from /etc/passwd). The --mount target is ${DOCKER_USER_HOME}/.cache/pip which expands to /root/.cache/pip in CI. Pip will therefore write to /home/isaaclab/.cache/pip and never read from (or populate) the BuildKit cache mounted at /root/.cache/pip, making the cache layer a no-op.

The mount target should follow the user's actual $HOME:

RUN --mount=type=cache,target=/home/isaaclab/.cache/pip,uid=1000,gid=1000 \
    ${ISAACLAB_PATH}/isaaclab.sh --install

If keeping DOCKER_USER_HOME as the single source of truth is preferred, ENV HOME=${DOCKER_USER_HOME} (after updating DOCKER_USER_HOME_ARG to /home/isaaclab in CI) would reconcile both variables.


# HACK: Uninstall quadprog as it causes issues with some reinforcement learning frameworks
Expand All @@ -169,11 +188,11 @@ RUN echo "export ISAACLAB_PATH=${ISAACLAB_PATH}" >> ${HOME}/.bashrc && \
echo "alias pip3='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${HOME}/.bashrc && \
echo "alias tensorboard='${ISAACLAB_PATH}/_isaac_sim/python.sh ${ISAACLAB_PATH}/_isaac_sim/tensorboard'" >> ${HOME}/.bashrc && \
echo "export TZ=$(date +%Z)" >> ${HOME}/.bashrc && \
echo "shopt -s histappend" >> /root/.bashrc && \
echo "PROMPT_COMMAND='history -a'" >> /root/.bashrc
echo "shopt -s histappend" >> ${HOME}/.bashrc && \
echo "PROMPT_COMMAND='history -a'" >> ${HOME}/.bashrc

# copy the rest of the files
COPY ../ ${ISAACLAB_PATH}/
COPY --chown=isaaclab:isaaclab ../ ${ISAACLAB_PATH}/

# make working directory as the Isaac Lab directory
# this is the default directory when the container is run
Expand Down
Loading