
feat(install): ensure Docker is installed and user is in docker group#3314

Merged: ericksoa merged 9 commits into main from feat/install-docker-bootstrap on May 11, 2026

@zyang-dev zyang-dev commented May 9, 2026


Summary

On vanilla Linux, install.sh assumed Docker was already installed and the current user could run it without sudo. A user without Docker, or with Docker but not in the docker group, would hit permission errors during phase 3 onboard. This PR adds an ensure_docker step that runs before phase 1 to install Docker (via the official convenience script) and add the user to the docker group, then exits with instructions to run newgrp docker (or log out and log back in) so the new group membership is active before re-running install.

Changes

  • scripts/install.sh: new ensure_docker helper called from main() before the banner.
    • Fast path: returns immediately if docker info already works (root, or already-active docker group).
    • Skipped on macOS and inside WSL — Docker is host-managed there.
    • Installs Docker via curl -fsSL https://get.docker.com | sh if missing.
    • Starts and enables docker.service if not running.
    • Adds the current user to the docker group via sudo usermod -aG docker $USER.
    • When a group change was needed, exits 0 with a two-step instruction: 1) Run: newgrp docker (or log out and log back in) then 2) Re-run: curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash.
    • Each sudo prompt is preceded by an info line explaining what the password is for, so users see why root is needed.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: zyang-dev 267119621+zyang-dev@users.noreply.github.com

Summary by CodeRabbit

  • Chores

    • Installer now performs a Linux-only Docker preflight: checks if Docker is reachable, installs the official Docker installer if missing, attempts to start/enable the Docker daemon, and ensures the user is in the Docker group (may prompt for re-login or suggest running a provided command). macOS and WSL/Windows environments are unchanged.
  • Tests

    • Added tests covering Docker preflight behavior: group membership prompts, daemon start/reachability, and root-path skipping.


Signed-off-by: zyang-dev <267119621+zyang-dev@users.noreply.github.com>

coderabbitai Bot commented May 9, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.


Walkthrough

The installer adds a Linux-only ensure_docker() preflight that verifies docker info, installs Docker if missing (with download verification), enables/starts the Docker systemd unit when applicable, ensures the user is in the docker group (exits with re-login/newgrp guidance if changed), and is called from main() immediately after the preflight prompt.

Changes

Docker Verification Prerequisite

| Layer / File(s) | Summary |
|---|---|
| Docker Setup Function: scripts/install.sh | New ensure_docker() function checks Docker daemon via docker info, downloads and verifies the official Docker install script if docker is missing, runs it with sudo sh, enables/starts the Docker systemd unit when inactive, ensures current user is in the docker group (exits 0 with re-login/newgrp instructions if membership changed), re-checks docker info, and hard-fails if Docker remains unreachable. Skips on macOS/MSYS/MINGW and under WSL. |
| Installer Integration: scripts/install.sh | ensure_docker() is invoked in main() immediately after preflight_usage_notice_prompt, before recording _INSTALL_START and before the rest of installation steps. |
| Docker Preflight Tests: test/install-preflight.test.ts | Adds tests that stub docker, id, sudo, and systemctl to verify ensure_docker behavior for prompting on inactive docker group membership, starting the Docker daemon if unreachable, and skipping group checks when run as root. |

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant Installer
  participant ensure_docker
  participant DockerDaemon
  participant Systemd

  User->>Installer: sees preflight_usage_notice_prompt
  Installer->>ensure_docker: call ensure_docker()
  ensure_docker->>DockerDaemon: run `docker info`
  alt docker available
    DockerDaemon-->>ensure_docker: reachable
    ensure_docker-->>Installer: return success
  else docker missing/unreachable
    ensure_docker->>Installer: download & verify install script
    ensure_docker->>Installer: run `sudo sh` (install)
    ensure_docker->>Systemd: check/enable/start docker unit
    Systemd-->>ensure_docker: unit active?
    ensure_docker->>ensure_docker: ensure user in `docker` group
    alt user added to group
      ensure_docker-->>User: print newgrp/re-login guidance and exit 0
    else still unreachable
      DockerDaemon-->>ensure_docker: unreachable -> error
    end
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through scripts to fetch and try,
I curl the bits and make them fly,
I wake the daemon, add your name,
Then nudge: "newgrp docker" — re-login's the game! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding Docker installation and docker group membership checks to the installer. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/install.sh`:
- Around line 1703-1709: Replace the silent suppression on the systemd start
command: instead of using the trailing "|| true" after "sudo systemctl enable
--now docker", capture the command's exit status and stderr, and log a clear
error message (using the script's info/error helper functions) including the
stderr output if the command fails; keep the subsequent "docker info" check but
provide this explicit log so users see why enabling the docker.service failed
(reference: the "sudo systemctl enable --now docker" invocation and the later
"docker info" check).
- Around line 1695-1701: Replace the direct piping in the Docker install block
(the if ! command -v docker ... sudo sh -c 'curl -fsSL https://get.docker.com |
sh') with a safer flow: curl the script to a temp file, run a verification step
(reuse or add a verify_downloaded_script that checks for a shebang and non-empty
file and optionally SHA-256 if provided), ensure download errors surface
(respecting set -o pipefail) before running sudo sh on the temp file, and delete
the temp file afterward; update the error message inside the Docker install
branch to include failure details if the verification or execution fails.

📥 Commits

Reviewing files that changed from the base of the PR and between c4aaec3 and cae79bd.

📒 Files selected for processing (1)
  • scripts/install.sh
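A sketch of the download, verify, then run flow that the review comment above asks for in place of `curl -fsSL https://get.docker.com | sh`. It is an added example and not code from scripts/install.sh; `sha256_of`, `install_from_url` and the body of `verify_downloaded_script` are assumptions written for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): fetch the installer to a temp file,
# check it, and only then hand it to a root shell.

# sha256_of <file>: prints the hex digest using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    return 1
  fi
}

# verify_downloaded_script <file> [expected sha256]
# Returns 0 only for a non-empty file that starts with a shebang and, when a
# digest is supplied, matches it exactly.
verify_downloaded_script() {
  [ -s "$1" ] || { echo "empty or missing download: $1" >&2; return 1; }
  first_line=$(head -n 1 "$1")
  case "$first_line" in
    '#!'*) ;;
    *) echo "no shebang: error page or truncated file?" >&2; return 1 ;;
  esac
  if [ -n "${2:-}" ]; then
    actual=$(sha256_of "$1") || { echo "no sha256 tool available" >&2; return 1; }
    [ "$actual" = "$2" ] || { echo "sha256 mismatch for $1" >&2; return 1; }
  fi
  return 0
}

# install_from_url <url> [expected sha256]  (hypothetical wrapper)
install_from_url() {
  tmp=$(mktemp) || return 1
  # With -f an HTTP error is a non-zero exit here, not a body piped into sh.
  if ! curl -fsSL "$1" -o "$tmp"; then
    echo "download failed: $1" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! verify_downloaded_script "$tmp" "${2:-}"; then
    rm -f "$tmp"
    return 1
  fi
  rc=0
  sudo sh "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Constructed sample: an HTML error body saved where a script was expected.
sample=$(mktemp)
printf '<html>503 Service Unavailable</html>\n' >"$sample"
verify_downloaded_script "$sample" 2>/dev/null || echo "rejected: not a script"
rm -f "$sample"
```

The shebang and size checks only catch truncated downloads and error pages; only the digest comparison ties the file to known content.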

@zyang-dev zyang-dev self-assigned this May 9, 2026

@ericksoa ericksoa left a comment


Thanks for tightening up the Docker bootstrap path. I think this needs one more fix before approval.

scripts/install.sh now uses id -nG "$USER" to decide whether the user is in the docker group. That checks the account's group database entry, not the groups active in the current shell. The common case this flow is trying to handle is: Docker is installed, the user has already been added to docker, but they have not run newgrp docker or logged back in yet. In that state docker info still fails, while id -nG "$USER" already includes docker, so the script skips the group-refresh instructions and falls through to:

Docker is installed but not reachable. Try: sudo systemctl start docker

That sends the user toward the wrong fix when the daemon may already be active; they actually need the same newgrp docker / relogin guidance. Please distinguish active process groups from the persisted user database, e.g. check id -nG for active membership, then if id -nG "$target_user" already contains docker, exit with the group-refresh instructions instead of the daemon error. This should also get a small installer test/stub case so this path does not regress.
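The distinction drawn in the review above, between groups active in the current process and groups recorded for the account, as an added example that is not the project's ensure_docker code. The function names and state labels are assumptions; the sample group lists are constructed.

```shell
#!/bin/sh
# Added example (not the project's code): classify docker-group state from
# the two views `id` offers, then choose which remediation to print.

# has_group "<space-separated groups>" <name>: exact-word match, so a group
# such as "docker-users" is not mistaken for "docker".
has_group() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# classify_docker_group <uid> <active groups> <persisted groups>
#   active groups    = output of `id -nG`          (this process)
#   persisted groups = output of `id -nG "$user"`  (account database)
classify_docker_group() {
  if [ "$1" = "0" ]; then
    echo root            # root reaches the socket without the group
  elif has_group "$2" docker; then
    echo active          # membership is live in this shell
  elif has_group "$3" docker; then
    echo needs_refresh   # added earlier, but no newgrp/re-login yet
  else
    echo needs_add       # usermod -aG docker is still required
  fi
}

# pick_remediation <docker info exit status> <group state>
pick_remediation() {
  if [ "$1" = "0" ]; then
    echo none
    return 0
  fi
  case "$2" in
    needs_add)     echo add_user_then_newgrp ;;
    needs_refresh) echo newgrp_or_relogin ;;
    *)             echo check_daemon ;;
  esac
}

# Live wrapper: resolves the account with `id -un` instead of trusting $USER.
current_docker_group_state() {
  classify_docker_group "$(id -u)" "$(id -nG)" "$(id -nG "$(id -un)")"
}

# Constructed inputs for the case raised in the review: alice was added to
# docker earlier, but this shell started before the change.
state=$(classify_docker_group 1000 "alice adm" "alice docker")
printf '%s -> %s\n' "$state" "$(pick_remediation 1 "$state")"
```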

…ng docker ready

Signed-off-by: zyang-dev <267119621+zyang-dev@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/install.sh`:
- Around line 1722-1743: Short-circuit the docker-group logic for root (UID 0)
and stop using the environment $USER: at the top of the block check UID via id
-u and if it equals 0 skip the group membership checks; replace any use of $USER
with the resolved account name from id -un; ensure the id -nG calls that check
persisted/active groups reference the proper username when needed and only call
sudo usermod -aG docker "$(id -un)" when not root, leaving needs_group_refresh
behavior unchanged for non-root accounts.

📥 Commits

Reviewing files that changed from the base of the PR and between 20a2248 and ba8190a.

📒 Files selected for processing (1)
  • scripts/install.sh

Comment thread scripts/install.sh
zyang-dev and others added 3 commits May 11, 2026 12:00
…ser via id -un

Signed-off-by: zyang-dev <267119621+zyang-dev@users.noreply.github.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
test/install-preflight.test.ts (1)

2637-2641: ⚡ Quick win

This test never hits the daemon-start branch.

systemctlScript defaults is-active to exit 0, so this scenario skips sudo systemctl enable --now docker and only asserts the final docker info failure. If you want coverage for the new daemon remediation path, make is-active fail here and assert the sudo log captured the enable/start call.

Suggested coverage adjustment
-  it("reports daemon reachability when the active shell already has docker", () => {
-    const { result } = runEnsureDockerWithStubs({
+  it("tries to start docker when the active shell already has docker access but the daemon is down", () => {
+    const { result, sudoLog } = runEnsureDockerWithStubs({
       dockerScript: `#!/usr/bin/env bash
 if [ "\${1:-}" = "info" ]; then exit 1; fi
 exit 0
 `,
       idScript: `#!/usr/bin/env bash
 case "$*" in
   "-u") printf '1000\\n' ;;
   "-un") printf 'alice\\n' ;;
   "-nG alice") printf 'alice docker\\n' ;;
   "-nG") printf 'alice docker adm\\n' ;;
   *) printf 'unexpected id %s\\n' "$*" >&2; exit 99 ;;
 esac
 `,
+      systemctlScript: `#!/usr/bin/env bash
+if [ "\${1:-}" = "is-active" ]; then exit 3; fi
+if [ "\${1:-}" = "enable" ]; then exit 0; fi
+exit 0
+`,
     });
 
     const output = `${result.stdout}${result.stderr}`;
     expect(result.status, output).not.toBe(0);
+    expect(sudoLog).toMatch(/systemctl enable --now docker/);
     expect(output).toMatch(/Docker is installed but not reachable/);
     expect(output).toMatch(/sudo systemctl start docker/);
     expect(output).not.toMatch(/newgrp docker/);
   });
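Review bot: In the added systemctlScript stub, the `enable` branch (`if [ "\${1:-}" = "enable" ]; then exit 0; fi`) does exactly what the trailing `exit 0` already does, so it states intent without testing anything. Either drop it, or add a second case where `enable` exits non-zero so a failing `sudo systemctl enable --now docker` is covered as well; as written only the path where the start succeeds and `docker info` still fails is asserted. The new `sudoLog` assertion also depends on runEnsureDockerWithStubs returning that field, which this hunk does not show.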

Also applies to: 2730-2752

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/install-preflight.test.ts` around lines 2637 - 2641, The test's mocked
systemctlScript currently returns success for "is-active", so the daemon-start
remediation path is never exercised; change the systemctlScript used in the test
to return a non-zero exit for the "is-active" check (so the code will take the
branch that runs sudo systemctl enable --now docker) and add an assertion that
the sudo log captured the enable/start invocation (look for the string matching
"sudo systemctl enable --now docker" in the test's captured logs). Apply the
same change to the parallel test case around the other block (the similar
systemctlScript usage at the 2730–2752 area) so both cover the daemon-start
branch.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/install.sh`:
- Around line 1753-1758: The exit message when needs_group_refresh=1 currently
tells users to rerun a hardcoded installer one-liner; update the messaging
and/or implementation to instruct the user to re-run the exact command they
originally invoked (preserving flags and environment) instead of the fixed curl
line. Replace the hardcoded "curl -fsSL https://www.nvidia.com/nemoclaw.sh |
bash" suggestion with a reconstructed invocation using the script name and
original arguments (e.g., "$0 $@" or equivalent) and include a note to preserve
any important env vars (NEMOCLAW_AGENT, --non-interactive, --fresh, etc.) so the
re-run uses the same options; keep the same needs_group_refresh exit path and
exit status.
- Around line 1689-1691: The script's fast-path and preflight checks use plain
`docker info`, which respects DOCKER_HOST/contexts; update each occurrence of
`docker info` (the checks in the install.sh preflight/fast-path logic) to
explicitly target the local daemon socket by invoking `docker --host
unix:///var/run/docker.sock info` and, when `$XDG_RUNTIME_DIR` is set
(rootless), try `docker --host unix://$XDG_RUNTIME_DIR/docker.sock info` as a
fallback; ensure the check treats success the same way as before and try the
rootful socket first, then the rootless socket, falling back to the original
`docker info` only if both socket checks fail.


📥 Commits

Reviewing files that changed from the base of the PR and between ba01d2f and 6a59bfd.

📒 Files selected for processing (2)
  • scripts/install.sh
  • test/install-preflight.test.ts

Comment thread scripts/install.sh
Comment on lines +1689 to +1691
# Fast path: docker info works → already set up (root, or already-active group).
if docker info >/dev/null 2>&1; then
return 0


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does docker info use the current Docker context and the DOCKER_HOST/DOCKER_CONTEXT environment variables, and what is the recommended way for a Linux shell script to force a check against the local Docker daemon/socket?

💡 Result:

Yes. docker info (alias of docker system info) connects to whatever daemon endpoint the Docker CLI is configured to use, which is determined by the active Docker context unless overridden by higher-priority connection settings like DOCKER_HOST/--host/-H. The Docker docs state that commands run against the current context “unless overridden with environment variables such as DOCKER_HOST and DOCKER_CONTEXT,” or with --context/--host flags [1]. Also, DOCKER_CONTEXT overrides the context selected via docker context use when the environment variable is set [1][2].

Separately, the CLI reference describes DOCKER_HOST as the “Daemon socket to connect to” and that -c/--context overrides DOCKER_HOST only relative to default context selection; and the context commands explain DOCKER_HOST/DOCKER_CONTEXT and flags affect what daemon is used [3]. The docker info page shows “Client/Context: …” in its output, confirming it reports the client-side context it’s using [4].

Recommended way (Linux shell script) to force a check against the local Docker daemon/socket: run docker info with an explicit host override to the local Unix socket and clear any env overrides that could redirect the CLI. Docker provides troubleshooting guidance that if DOCKER_HOST is set then the Docker client is connecting to a daemon on that host, and recommends unsetting it when you want local behavior [5]. So in a script, do something like:

```bash
unset DOCKER_HOST DOCKER_CONTEXT
export DOCKER_CONTEXT=default  # optional; ensures you’re not using a non-local named context
# Force local daemon via unix socket (typical rootful Docker):
docker --host unix:///var/run/docker.sock info >/dev/null
```

If you’re using rootless Docker, the socket is typically under $XDG_RUNTIME_DIR/docker.sock as documented; you’d use that path instead of /var/run/docker.sock [6].

This approach forces the check against the intended local socket regardless of whatever current context the user/session has selected via docker context use or environment variables such as DOCKER_CONTEXT, because DOCKER_HOST is either unset or the connection is overridden explicitly via --host/socket URI [1][5].

🏁 Script executed:

# First, check if the file exists and its size
wc -l scripts/install.sh

# Then read the specific sections mentioned in the review
echo "=== Lines 1680-1695 (around 1689-1691) ==="
sed -n '1680,1695p' scripts/install.sh

echo -e "\n=== Lines 1718-1735 (around 1725-1728) ==="
sed -n '1718,1735p' scripts/install.sh

echo -e "\n=== Lines 1754-1770 (around 1761-1762) ==="
sed -n '1754,1770p' scripts/install.sh

# Check for SPDX header
echo -e "\n=== First 5 lines of file (SPDX header check) ==="
head -5 scripts/install.sh

# Check for shebang
echo -e "\n=== Shebang check ==="
head -1 scripts/install.sh

Repository: NVIDIA/NemoClaw

Length of output: 2330


Force Docker reachability checks against the local daemon socket, not the active Docker context.

The bare docker info checks on lines 1689-1691, 1725-1728, and 1761-1762 honor the user's current Docker context and DOCKER_HOST environment variables. If the user has Docker pointed at a remote or stale endpoint, the preflight will falsely fail or take the wrong remediation path even though the local daemon is accessible. Explicitly target the local Unix socket using docker --host unix:///var/run/docker.sock info (or the rootless equivalent under $XDG_RUNTIME_DIR/docker.sock).


Comment thread scripts/install.sh
Comment on lines +1753 to +1758
if [ "$needs_group_refresh" = "1" ]; then
printf "\n"
info "Docker group membership is not active in this shell yet. To finish:"
info " 1) Run: newgrp docker (or log out and log back in)"
info " 2) Re-run: curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash"
exit 0


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t tell users to rerun a different installer invocation.

This exit path runs after args/env have already been parsed, so the hardcoded one-liner drops flags like --non-interactive, --fresh, NEMOCLAW_AGENT, or explicit acceptance. In headless or customized installs, following this message can change behavior or fail on the next run. Tell the user to rerun the same command they used originally, or reconstruct it from the current args/env.

Suggested tweak
-    info "  2) Re-run: curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash"
+    info "  2) Re-run the same installer command you used originally, with the same flags/env."
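Review bot: The replacement `info "  2) ..."` line removes the only copy-pasteable command from this exit message, so a user who arrived through the default `curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash` one-liner is left with nothing concrete to run. Consider keeping the one-liner as the default example and appending the reminder to repeat any flags or environment variables used the first time, which covers both the default and the customized install.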

Suggested change
if [ "$needs_group_refresh" = "1" ]; then
printf "\n"
info "Docker group membership is not active in this shell yet. To finish:"
info " 1) Run: newgrp docker (or log out and log back in)"
info " 2) Re-run: curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash"
exit 0
if [ "$needs_group_refresh" = "1" ]; then
printf "\n"
info "Docker group membership is not active in this shell yet. To finish:"
info " 1) Run: newgrp docker (or log out and log back in)"
info " 2) Re-run the same installer command you used originally, with the same flags/env."
exit 0

@ericksoa ericksoa left a comment


Approved after updating the branch in 6a59bfd. The previous blocker is covered now: persisted docker-group membership without active shell membership exits with newgrp/relogin guidance instead of the daemon-start error, while active-group daemon failures still report daemon reachability. I also merged current main to resolve the installer conflict and kept the DGX express prompt path intact. Local validation passed: bash syntax/diff check, installer hash check, focused installer Vitest coverage, and build:cli. GitHub checks are green on the updated head.

@ericksoa ericksoa merged commit 9b2962c into main May 11, 2026
21 checks passed
@zyang-dev zyang-dev deleted the feat/install-docker-bootstrap branch May 11, 2026 19:30
@miyoungc miyoungc mentioned this pull request May 12, 2026
12 tasks
miyoungc added a commit that referenced this pull request May 12, 2026
## Summary
Refreshes the release-prep docs for v0.0.39 based on changes merged
since the Friday 4pm doc refresh. Updates the source docs, bumps the
docs version metadata, and regenerates the NemoClaw user skills from the
refreshed docs.

## Changes
- #3314 -> `docs/get-started/prerequisites.md`,
`docs/get-started/quickstart.md`, `docs/reference/troubleshooting.md`:
Documents installer Docker setup, Docker group activation, and retry
guidance.
- #3317 -> `docs/get-started/quickstart.md`,
`docs/reference/commands.md`: Documents the DGX Spark and DGX Station
express install prompt and `NEMOCLAW_NO_EXPRESS`.
- #3328 and #3329 -> `docs/security/best-practices.md`,
`docs/deployment/sandbox-hardening.md`: Updates sandbox capability
hardening docs for the stricter bounding-set and `setpriv` step-down
behavior.
- #3330, #3335, and #3346 -> `docs/inference/use-local-inference.md`:
Documents Windows-host Ollama relaunch behavior, NIM key passthrough,
early health-fail diagnostics, and mixed-GPU preflight detail.
- #2406, #2883, #3001, #3244, #3267, #3318, #3320, and #3354 ->
`docs/about/release-notes.md`: Adds the v0.0.39 release-prep section
while keeping the v0.0.38 release notes intact.
- Advances the release-prep docs metadata from v0.0.38 to v0.0.39.
- Regenerates `.agents/skills/nemoclaw-user-*` from the updated source
docs.

## Type of Change
- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Verification
- [x] `npx prek run --all-files` passes
- [ ] `npm test` passes
- [ ] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [x] Docs updated for user-facing behavior changes
- [x] `make docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>


## Summary by CodeRabbit

## Release Notes v0.0.39

* **New Features**
  * Host alias management commands for easier configuration
  * Sandbox GPU control options during onboarding
  * Update command with check and confirmation modes

* **Documentation**
  * Enhanced Linux installer guidance with Docker and group membership handling
  * Expanded troubleshooting for permission and connectivity issues
  * Improved capability-dropping security documentation
  * Updated inference model switching commands
  * Brev environment-specific troubleshooting

* **Improvements**
  * DGX Spark/Station express install flow
  * Windows Ollama relay and health-check enhancements
  * NVIDIA NIM preflight GPU reporting

@wscurran wscurran added the feature PR adds or expands user-visible functionality label Jun 8, 2026