Make Isaac Lab Docker images run as non-root

[sheikh-nv]

Description

Makes the Isaac Lab base, ROS 2, and cuRobo Docker images run as a non-root runtime user by creating an isaaclab user after root-only setup and switching the final images to USER isaaclab.

The ROS 2 Dockerfile temporarily switches back to USER root for apt-based ROS setup, then restores USER isaaclab for runtime. The installci Dockerfile is intentionally unchanged.

This also updates deprecated Isaac Sim Dockerfile comments to point to the NGC Isaac Sim container page, removes the default root-allowance compose setting, updates Docker documentation, and adds CI coverage to verify the built base and cuRobo images do not run as root by default. ROS 2 is covered by the static Dockerfile regression test because this workflow does not build a ROS 2 image.

Fixes: N/A

Validation:

• ./isaaclab.sh -f
• git diff --check
• docker run ... /isaac-sim/python.sh -m pytest docker/test/test_dockerfile_nonroot.py -q -> 7 passed, 1 skipped
• Manual cuRobo runtime check confirmed non-root uid=1000

Type of change

• Bug fix (non-breaking change which fixes an issue)

Screenshots

N/A

Checklist

• I have read and understood the contribution guidelines
• I have run the pre-commit checks with ./isaaclab.sh --format
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• I have added a changelog fragment under source/<pkg>/changelog.d/ for every touched package (not applicable; no source/<pkg>/ package touched)
• I have added my name to the CONTRIBUTORS.md or my name already exists there

[isaaclab-review-bot]

🤖 Isaac Lab Review Bot

Summary

This PR implements Docker security best practices by converting the cuRobo image to run as a non-root user (isaaclab with uid/gid 1000). The change includes proper CI verification and comprehensive regression tests to prevent future regressions.

Design Assessment

Architecture: ✅ Well-structured
The implementation follows the correct Docker pattern: perform all root-required setup first, create the non-root user, adjust ownership, then switch to USER isaaclab at the end. The use of --non-unique for uid/gid handles potential conflicts with base image users gracefully.

CI Integration: ✅ Solid
The new verify-curobo-non-root job provides defense-in-depth with both static Dockerfile analysis (pytest) and runtime identity verification.

Findings

🟡 Minor Suggestions

1. docker/Dockerfile.curobo — Hardcoded uid/gid 1000
   The comment explains this matches GitHub runner bind mounts, which is appropriate for CI. However, users running locally may have different host uids. Consider documenting this in the container usage docs or providing a --user override example.

2. .github/workflows/build.yaml:262-271 — First run step lacks explicit error handling
   While pytest exit codes propagate correctly, adding set -euo pipefail at the start of the shell block would match the defensive style used in the second step.

✅ Good Patterns Observed

• --non-unique flag handles edge case where uid/gid 1000 already exists in base image
• chmod 755 ${ISAACSIM_ROOT_PATH} opens traversal without recursively changing inner file permissions
• DOCKERFILE_RUNTIME_USERS mapping forces explicit decisions for new Dockerfiles (regression protection)
• Runtime verification (id -u != 0) as separate CI step provides independent validation

Test Coverage

Coverage: ✅ Good

• Static analysis tests verify Dockerfile structure
• Runtime CI job verifies actual container behavior
• test_all_dockerfiles_have_runtime_user_expectations() prevents new Dockerfiles from escaping review

Minor gap: No direct test that the non-root user can actually execute Isaac Lab scripts (though the pytest run itself serves as an indirect functional test).

CI Status

• ⚠️ pre-commit: failed (may be unrelated to this PR — please verify)
• 🔄 Docker builds: pending
• ✅ Changelog, links, labeler: passed

Verdict

Minor fixes needed — The implementation is sound and follows security best practices. Address the pre-commit failure and consider the minor suggestions above. Once CI passes, this is ready to ship. 🚀

---

Update (e9f0135): Reviewed incremental changes. The implementation is complete and well-structured. The .bashrc path fix (using ${DOCKER_USER_HOME} instead of hardcoded /root) is a good catch. Previous minor suggestions (uid/gid docs, set -euo pipefail) are non-blocking. No new issues found. ✅

---

Update (b772981): Both minor suggestions from my initial review have been addressed:

• ✅ Added documentation in docs/source/deployment/docker.rst explaining uid/gid 1000 and the --user override option
• ✅ Added set -euo pipefail to the CI shell blocks

No new issues found. LGTM! 🚀

---

Update (81b2b4e): PR scope expanded — base and ROS2 images now also run as non-root user. Changes:

• ✅ Dockerfile.base — Creates isaaclab user (uid/gid 1000), sets correct ownership, switches to non-root at end
• ✅ Dockerfile.ros2 — Properly handles non-root base: USER root for apt setup, restores USER isaaclab at end
• ✅ docker-compose.yaml — Removed OMNI_KIT_ALLOW_ROOT=1 (no longer needed)
• ✅ New verify-base-non-root CI job mirrors the cuRobo verification pattern
• ✅ Test coverage updated: DOCKERFILE_RUNTIME_USERS map reflects new expectations, new test_ros2_dockerfile_restores_non_root_runtime_user() test added
• ✅ Documentation updated consistently

Implementation is consistent with the previously approved cuRobo pattern. No new issues found. LGTM! 🚀

---

Update (c9b944a): CI test action updated to handle volume-mounted containers correctly:

• ✅ When bind-mounting source code, container now runs as host uid/gid with --user ${host_uid}:${host_gid}
• ✅ Proper environment variables set (HOME, XDG_CACHE_HOME, USER, LOGNAME) for the mounted user
• This ensures correct file ownership and prevents permission issues with the mounted volume

Good fix for CI compatibility with the non-root images. No issues found. ✅

---

Update (d1acb0f): Enhanced CI runtime storage for volume-mounted containers:

• ✅ Creates dedicated docker_runtime_dir with full Kit/Omniverse directory hierarchy
• ✅ Mounts writable volumes for cache, config, data, and logs (mirrors compose/singularity setup)
• ✅ Adds XDG_DATA_HOME environment variable for proper XDG compliance
• ✅ Cleanup logic in both trap handler and normal exit path

This addresses Kit writing generated files outside the source tree — provides proper writable storage for the non-root user in CI. Well done! ✅

[sheikh-nv]

Addressed the review-bot suggestions in b772981:

• added set -euo pipefail to the Dockerfile non-root regression step
• documented the cuRobo non-root uid/gid behavior and docker run --user "$(id -u):$(id -g)" override for local bind mounts

Pre-commit is passing; Docker/docs/license checks are still running.

[greptile-apps]

Greptile Summary

This PR migrates the Isaac Lab base, ros2, and curobo Docker images from running as root to a dedicated isaaclab user at uid/gid 1000, with corresponding CI jobs and a static regression test to prevent future regressions. The installci image is intentionally left on root, and OMNI_KIT_ALLOW_ROOT=1 is removed from the compose environment since it is no longer needed.

• Dockerfile changes (base, curobo): after all root-only installation steps, a new isaaclab user is created (--non-unique, uid/gid 1000, home at /root), ownership of ISAACLAB_PATH and DOCKER_USER_HOME is transferred with chown -R, and the final USER isaaclab instruction is added. Dockerfile.ros2 brackets the apt installation with USER root / USER isaaclab.
• CI additions: two new verify-*-non-root workflow jobs assert the runtime uid is non-zero; action.yml in volume-mount mode now creates a writable docker_runtime_dir tree on the runner and runs the container as the host uid with overridden HOME/XDG variables.
• Test: docker/test/test_dockerfile_nonroot.py statically verifies each Dockerfile's final USER directive and enforces that any newly added Dockerfile must declare an explicit runtime user.

Confidence Score: 3/5

Safe to merge on a clean install; breaks existing deployments with root-owned named volumes until they are manually pruned.

The code changes themselves are structurally correct and the new non-root images work as advertised on a fresh setup. The gap is operational: users who already have running deployments with persistent Docker named volumes will get permission errors on first launch because those volumes retain root ownership. The upgrade path is undocumented in the added docker.rst note.

docs/source/deployment/docker.rst needs a migration note for existing named volumes; docker/Dockerfile.base and docker/Dockerfile.curobo have the chmod 755 /root concern.

Security Review

• /root world-traversal (docker/Dockerfile.base, docker/Dockerfile.curobo): chmod 755 ${DOCKER_USER_HOME} opens /root to read and traverse by any uid inside the container. While low-impact in a single-user container, any secrets or credentials written to /root by other image layers would become readable to processes running as a different uid. No other security issues identified.

Important Files Changed

Filename	Overview
docker/Dockerfile.base	Adds non-root runtime user isaaclab at uid/gid 1000 with home=/root; applies chmod 755 to /root (weakening its standard 700 perms) and chown -R to transfer ownership
docker/Dockerfile.curobo	Mirror of Dockerfile.base non-root changes; adds isaaclab user, chown, chmod 755 on /root, and USER isaaclab at end
docker/Dockerfile.ros2	Adds USER root at start and USER isaaclab at end to bracket the ROS 2 apt installation; uses --chown=isaaclab:isaaclab for COPY
docker/docker-compose.yaml	Removes OMNI_KIT_ALLOW_ROOT=1 from shared environment; existing named Docker volumes retain root ownership and will be unwritable by uid 1000 on upgrade
.github/actions/run-tests/action.yml	Adds writable bind-mount tree under RUNNER_TEMP for volume-mount mode, runs container with host uid:gid, and overrides HOME/XDG env vars to avoid writes to /root
.github/workflows/build.yaml	Adds verify-base-non-root and verify-curobo-non-root CI jobs that pull images and assert runtime uid != 0
docker/test/test_dockerfile_nonroot.py	New static regression test: verifies final USER directive, user creation commands, and ROS 2 root→isaaclab sequence; enforces explicit runtime-user declaration for any new Dockerfiles
docs/source/deployment/docker.rst	Adds note about uid/gid 1000 and --user flag; missing guidance on pruning existing root-owned named volumes before upgrading

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[FROM isaacsim base] --> B[USER root]
    B --> C[apt-get install deps]
    C --> D[COPY source files]
    D --> E[pip install Isaac Lab deps]
    E --> F[Write .bashrc aliases to DOCKER_USER_HOME]
    F --> G[groupadd/useradd isaaclab uid=1000 gid=1000 home=/root]
    G --> H[chown -R isaaclab:isaaclab ISAACLAB_PATH + DOCKER_USER_HOME]
    H --> I[chmod 755 ISAACSIM_ROOT_PATH + DOCKER_USER_HOME]
    I --> J[COPY --chown=isaaclab:isaaclab ../ to ISAACLAB_PATH]
    J --> K[USER isaaclab]
    K --> L[WORKDIR ISAACLAB_PATH]

    subgraph ROS2 Overlay
        M[FROM isaac-lab-base] --> N[USER root]
        N --> O[apt-get install ROS 2 Humble]
        O --> P[COPY --chown=isaaclab:isaaclab .ros/]
        P --> Q[USER isaaclab]
    end

    subgraph cuRobo Overlay
        R[FROM isaacsim base] --> S[same root setup as base]
        S --> T[pip install cuRobo extras]
        T --> U[groupadd/useradd isaaclab uid=1000]
        U --> V[USER isaaclab]
    end

Loading

_{Reviews (1): Last reviewed commit: "Fix Docker test runtime mounts for non-r..." | Re-trigger Greptile}

[greptile-apps]

Upgrade path breaks existing named volumes

The new note covers the --user flag for docker run, but omits a more impactful case: users upgrading from the root-based images with existing Docker named volumes (isaac-cache-kit, isaac-cache-ov, isaac-cache-compute, etc.). Named volumes persist their data across image rebuilds and are not re-initialised when the image changes. Old volumes contain root-owned files; the isaaclab user at uid 1000 cannot write to them, so Isaac Sim will fail on first launch with permission errors until the volumes are recreated. The note should direct existing users to prune the affected volumes before running the new image (e.g., docker volume rm isaac-cache-ov isaac-cache-pip isaac-cache-compute … or docker volume prune --filter label=com.docker.compose.project=…).

[isaaclab-review-bot]

✅ Resolved — Documentation now includes upgrade instructions with docker compose ... down --volumes for users migrating from root-based images.

[greptile-apps]

chmod 755 on ${DOCKER_USER_HOME} (which resolves to /root) relaxes the standard 700 permissions on the root home directory. With 755, any process running inside the container as a different uid can traverse into /root and read its contents. In a single-user container this is low-risk, but it is a deliberate security relaxation worth making explicit. Consider 750 to allow group traversal (isaaclab group) while blocking world access, or document why 755 is required.

Suggested change

	# Open up traversal of the Isaac Sim root and runtime home for non-root users.
	# Inner Isaac Sim files keep their original permissions, so avoid chowning the
	# full install.
	RUN chmod 755 \
	${ISAACSIM_ROOT_PATH} \
	${DOCKER_USER_HOME}
	# Open up traversal of the Isaac Sim root and runtime home for non-root users.
	# Inner Isaac Sim files keep their original permissions, so avoid chowning the
	# full install.
	# 750: owner (isaaclab) rwx, group r-x, world ---
	RUN chmod 755 \
	${ISAACSIM_ROOT_PATH} \
	&& chmod 750 \
	${DOCKER_USER_HOME}

[isaaclab-review-bot]

✅ Resolved — Changed to chmod 750 for ${DOCKER_USER_HOME}, restricting world access while allowing group traversal.

[greptile-apps]

Same chmod 755 on ${DOCKER_USER_HOME} (/root) as in Dockerfile.base — makes /root world-traversable. Consider 750 for consistency with any hardening applied to the base Dockerfile.

Suggested change

	# Open up traversal of the Isaac Sim root and runtime home for non-root users.
	# Inner Isaac Sim files keep their original permissions, so avoid chowning the
	# full install.
	RUN chmod 755 \
	${ISAACSIM_ROOT_PATH} \
	${DOCKER_USER_HOME}
	# Open up traversal of the Isaac Sim root and runtime home for non-root users.
	# Inner Isaac Sim files keep their original permissions, so avoid chowning the
	# full install.
	RUN chmod 755 \
	${ISAACSIM_ROOT_PATH} \
	&& chmod 750 \
	${DOCKER_USER_HOME}

[isaaclab-review-bot]

✅ Resolved — Changed to chmod 750 for ${DOCKER_USER_HOME}, consistent with the hardening applied to Dockerfile.base.

[isaaclab-review-bot]

Update (88400eb): All previous inline review comments have been addressed:

• ✅ Documentation now includes upgrade path guidance for recreating named volumes (docker compose ... down --volumes)
• ✅ chmod 755 on ${DOCKER_USER_HOME} changed to chmod 750 in both Dockerfile.base and Dockerfile.curobo

No new issues found. LGTM 👍

[isaaclab-review-bot]

🤖 Incremental Review Update (c34c247)

Reviewed the new commits since my last review (88400eb → c34c247). Changes include:

• CUDA startup crash fix (deferring torch.cuda.set_device until after SimulationApp)
• Version bumps (isaaclab 5.2.1, isaaclab_newton 0.9.1, isaaclab_physx 0.7.1)
• Changelog consolidation from .d/ files
• LEAPP export script refactoring for better modularity
• Test improvements (batched exports, removed unnecessary AppLauncher usage)
• CI improvements (leapp diagnostics, HUB__ARGS__DETECT_ONLY handling)

✅ No new issues in the incremental changes.

⏳ Previous concerns remain open (original inline comments still visible):

• P1: Named volumes upgrade path documentation (docker.rst)
• P2: chmod 755 on /root in both Dockerfiles

[isaaclab-review-bot]

🤖 Incremental Review: f9e8322

Commit: Adjust CI Kit startup threshold

Changes:

• Introduces separate timeout constants: _LOCAL_STARTUP_TIME_LIMIT = 15.0 (local) vs _CI_STARTUP_TIME_LIMIT = 20.0 (CI)
• Uses GITHUB_ACTIONS environment variable to detect CI environment
• Adds clearer assertion error message showing elapsed vs limit times

Assessment: ✅ Looks Good

This is a sensible adjustment. The non-root Docker images use isolated writable runtime/cache mounts in CI, which results in colder startup than reused local caches. The 5-second buffer (15s→20s) accounts for this appropriately.

Code quality:

• ✅ Constants are clearly named and self-documenting
• ✅ Comment explains the rationale (isolated writable mounts for non-root users)
• ✅ Improved assertion message aids debugging

No new issues found. Previous inline review comments still apply. 🚀