
[Docker] Make kit/data writable by the non-root user #6122

Merged
ooctipus merged 1 commit into isaac-sim:develop from hujc7:jichuanh/docker-kit-data-volume
Jun 11, 2026
@hujc7 hujc7 commented Jun 10, 2026

Collaborator

Summary

Adds a named volume for ${DOCKER_ISAACSIM_ROOT_PATH}/kit/data so the non-root isaaclab user can write the Kit kernel config there.

Fixes the residual omni.kit.app.plugin error reported in nvbug 6288406:

[Error] [omni.kit.app.plugin] failed to open file '/isaac-sim/kit/data/Kit/IsaacLab/3.0/user.config.json' - unable to save the dictionary

Root cause

PR #6082 made every docker-compose named-volume mount point writable by the non-root user (driven by docker/utils/volume_mounts.py + the build-time chown). But kit/data was never a declared volume — pre–non-root migration it was writable simply because the container ran as root. Under the non-root image it stays root:root, so the Kit kernel cannot write kit/data/.../user.config.json. This is universal to every docker user (the image bakes USER isaaclab; kit/data is neither mounted nor chowned), independent of the launch flow.

(The sibling omni.datastore lock errors on kit/cache in the original report were a QA workflow artifact of a raw docker run that bypasses the compose volumes; the documented container.py/compose flow already handles those via #6082.)

Fix

Declare kit/data as a named volume. docker-compose.yaml is the single source of truth, so this routes it through the existing volume_mounts.py + chown machinery — the build pre-creates and chowns /isaac-sim/kit/data to isaaclab. Consistent with kit/cache / kit/logs, and it benignly persists Kit config across runs.

Validation

Built the image (nvcr.io/nvidian/isaac-sim:latest-release-6-0 base) and verified as the non-root runtime user (uid 1000):

| | /isaac-sim/kit/data | non-root write of user.config.json |
|---|---|---|
| Pre-fix (base image, inherited) | not writable | Permission denied |
| Post-fix (this PR) | owned by uid 1000 | OK |

volume_mounts.py now emits /isaac-sim/kit/data, and the running container no longer logs the user.config.json / omni.datastore / DerivedDataCache errors.

Add a named volume for ${DOCKER_ISAACSIM_ROOT_PATH}/kit/data so the
non-root isaaclab user can write the Kit kernel config there.

PR isaac-sim#6082 made every docker-compose named-volume mount point writable by
the non-root user, but kit/data was never a declared volume: pre-migration
it was writable only because the container ran as root. Under the non-root
image it stays root-owned, so the Kit kernel fails to write
kit/data/Kit/IsaacLab/3.0/user.config.json ("unable to save the dictionary")
on every docker run, independent of the launch flow.

Declaring it as a named volume routes it through the existing
volume_mounts.py + chown machinery (docker-compose.yaml is the single
source of truth), so the build pre-creates and chowns it to isaaclab.
This fixes the user.config.json write error for all docker users and
persists Kit config across runs, consistent with kit/cache.
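
A check for the gap described in the root cause above, added here as an example (not code from the PR or from `volume_mounts.py`): it lists the `type: volume` targets under the compose anchor and reports runtime write paths that no declared volume covers. The compose fragment, the bind mount, the `.lock` path and the value of `DOCKER_ISAACSIM_ROOT_PATH` are constructed assumptions.

```python
import os
from pathlib import PurePosixPath
from string import Template

ANCHOR = "x-default-isaac-lab-volumes"  # anchor name quoted in the reviews on this page
ENV = {"DOCKER_ISAACSIM_ROOT_PATH": "/isaac-sim"}  # assumed; matches the logged path

# Constructed pre-fix fragment (compose long syntax, already parsed from YAML).
COMPOSE_PRE_FIX = {ANCHOR: [
    {"type": "volume", "source": "isaac-cache-kit",
     "target": "${DOCKER_ISAACSIM_ROOT_PATH}/kit/cache"},
    # Hypothetical bind mount: not a `type: volume` entry, so it is skipped.
    {"type": "bind", "source": "./example", "target": "/workspace/example"},
]}
# Constructed list of runtime write paths; the first is from the logged error.
WRITE_PATHS = [
    "/isaac-sim/kit/data/Kit/IsaacLab/3.0/user.config.json",
    "/isaac-sim/kit/cache/example.lock",
]

def volume_targets(compose, env=ENV):
    """Expanded target of every `type: volume` entry under the anchor.
    Template.substitute raises KeyError on an unset variable (fail loudly)."""
    return [PurePosixPath(Template(e["target"]).substitute(env))
            for e in compose.get(ANCHOR, []) if e.get("type") == "volume"]

def uncovered(write_paths, targets):
    """Write paths that sit under no declared named-volume target."""
    missing = []
    for raw in write_paths:
        path = PurePosixPath(raw)
        # Component-wise match: kit/data-extra is NOT under kit/data.
        if not any(t == path or t in path.parents for t in targets):
            missing.append(raw)
    return missing

def owner_of_nearest_dir(path):
    """uid owning the closest existing ancestor directory of `path`
    (run inside the container; compare with the runtime uid)."""
    p = os.path.abspath(path)
    while not os.path.isdir(p):
        p = os.path.dirname(p)
    return os.stat(p).st_uid

if __name__ == "__main__":
    print("not covered by a named volume:",
          uncovered(WRITE_PATHS, volume_targets(COMPOSE_PRE_FIX)))
```

Run against the pre-fix fragment it flags only the `user.config.json` path; adding an `isaac-data-kit` entry targeting `kit/data` clears it.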

@isaaclab-review-bot isaaclab-review-bot Bot left a comment


Review: [Docker] Make kit/data writable by the non-root user

Overall Assessment: Clean, minimal fix that correctly addresses the permission issue. The approach is consistent with the existing volume management pattern and properly leverages the volume_mounts.py + chown machinery. No concerns with correctness.


✅ Strengths

  1. Root cause properly identified — The PR description clearly explains why kit/data was never an issue pre-migration (container ran as root) and why it is now.
  2. Minimal, focused change — Only 4 lines added, no unnecessary refactoring.
  3. Consistent with existing patterns — The isaac-data-kit volume follows the same pattern as isaac-cache-kit, isaac-carb-logs, etc.
  4. Leverages existing infrastructure: volume_mounts.py will automatically discover this new volume target since it iterates all type: volume entries under x-default-isaac-lab-volumes. No code changes needed there.

💬 Minor Observations (non-blocking)

  1. Volume naming adjacency (nit, informational):

    • isaac-data-kit (this PR) → targets kit/data
    • isaac-data (existing) → targets ~/.local/share/ov/data

    The names are distinguishable, but at a glance isaac-data-kit vs isaac-data could confuse someone skimming the volumes list. A comment like # kit/data above the volume declaration would help, consistent with the # isaac-sim / # isaac-lab section comments already present. Purely optional.

  2. Existing users with stale containers: Users who already have running containers/volumes from before this fix will not automatically benefit — they'd need to recreate. This is standard Docker behavior and not actionable in the PR itself, but might be worth a note in release notes or migration docs if not already covered by #6082's documentation.


🔍 CI Status

Some checks are still pending (Docker image builds, license check). The content-relevant checks (pre-commit, changelog, broken links, wheel build) have all passed.


Verdict: LGTM. Straightforward infrastructure fix, no concerns.

@hujc7 hujc7 marked this pull request as ready for review June 10, 2026 23:39
@hujc7 hujc7 requested a review from pascal-roth as a code owner June 10, 2026 23:39
greptile-apps Bot commented Jun 10, 2026

Contributor

Greptile Summary

This PR adds a single named volume (isaac-data-kit) for ${DOCKER_ISAACSIM_ROOT_PATH}/kit/data in docker-compose.yaml, enabling the non-root isaaclab user (uid 1000) to write Kit kernel configuration there. The fix routes through the existing volume_mounts.py + Dockerfile.base chown machinery, so no Dockerfile changes are required.

  • Declares isaac-data-kit in the x-default-isaac-lab-volumes anchor (between kit/cache and .cache/ov, consistent with sibling kit volumes) and in the top-level volumes: map.
  • Dockerfile.base already parses docker-compose.yaml via volume_mounts.py at build time, `mkdir -p`s every named-volume target, and `chown -R isaaclab:isaaclab`s them — picking up kit/data automatically without any Dockerfile edits.

Confidence Score: 5/5

Safe to merge — two-line yaml addition that mirrors a well-established existing pattern.

The change is minimal and self-consistent: the volume declaration is added in both the mount anchor and the top-level volumes: map. The Dockerfile.base build machinery already dynamically picks up every named-volume target from docker-compose.yaml, so kit/data is automatically pre-created and chowned to isaaclab without any Dockerfile edits. The pattern is identical to isaac-cache-kit / kit/cache, which is already well-validated.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| docker/docker-compose.yaml | Adds isaac-data-kit named volume mapped to ${DOCKER_ISAACSIM_ROOT_PATH}/kit/data so the non-root isaaclab user can write Kit kernel config; follows the exact same pattern as the adjacent isaac-cache-kit volume |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[docker-compose.yaml\nadd isaac-data-kit volume] --> B[Dockerfile.base build step\nvolume_mounts.py parses compose]
    B --> C[mkdir -p kit/data\nin image layer]
    C --> D[chown -R isaaclab:isaaclab kit/data\nin image layer]
    D --> E{Container start}
    E -->|Fresh named volume| F[Docker copies image dir\ninto volume, owner = isaaclab]
    E -->|Existing named volume| G[Volume already chowned\nfrom prior run]
    F --> H[isaaclab user writes\nkit/data/.../user.config.json ✓]
    G --> H
```

Reviews (1): Last reviewed commit: "[Docker] Make kit/data writable by the n..."

@ooctipus ooctipus merged commit 6b66819 into isaac-sim:develop Jun 11, 2026
60 of 61 checks passed
ooctipus pushed a commit that referenced this pull request Jun 11, 2026
…6122) (#6123)

Cherry-pick of #6122 to `release/3.0.0-beta2` for nvbug 6288406.

Makes `/isaac-sim/kit/data` writable by the non-root `isaaclab` user by
declaring it as a named volume, so the Kit kernel can write
`user.config.json` (the residual that #6082/#6095 did not cover —
`kit/data` was never a declared volume). Routes through the existing
`volume_mounts.py` + build-time `chown`; `docker-compose.yaml` is the
single source of truth.

Clean cherry-pick (release already has the #6095 volume-prep mechanism).
Validated on develop in #6122: on a clean rebuild, `/isaac-sim/kit/data`
is owned by uid 1000 and `user.config.json` writes succeed (pre-fix:
`Permission denied`).