Merge branch 'develop' into jichuanh/changelog-allow-dots-in-slug

Author: hujc7

.github/actions/run-tests/action.yml

@@ -85,6 +85,7 @@ runs:
           local logs_pid=""
           local wait_pid=""
           local docker_wait_file="/tmp/.docker_exit_${container_name}"
+          local docker_runtime_dir=""
 
           # Kill the container immediately if the runner is cancelled.
           # The GitHub Actions runner can deliver HUP, INT, or TERM on cancellation
@@ -94,6 +95,7 @@ runs:
                 docker kill '${container_name}' 2>/dev/null || true; \
                 docker rm -f '${container_name}' 2>/dev/null || true; \
                 rm -f '${docker_wait_file}'; \
+                if [ -n \"\$docker_runtime_dir\" ]; then rm -rf \"\$docker_runtime_dir\" 2>/dev/null || true; fi; \
                 if [ -n \"\$logs_pid\" ]; then kill \"\$logs_pid\" 2>/dev/null || true; fi; \
                 if [ -n \"\$wait_pid\" ]; then kill \"\$wait_pid\" 2>/dev/null || true; fi; \
                 exit 130" HUP INT TERM
@@ -180,16 +182,56 @@ runs:
             docker_env_vars="$docker_env_vars -e TEST_EXTRA_PIP_PACKAGES"
           fi
 
-          echo "Docker environment variables: '$docker_env_vars'"
-
           # Volume mount for deps-cache-hit mode: bind-mount the checked-out
           # source code over /workspace/isaaclab instead of baking it into the image.
           docker_volume_args=""
+          docker_user_args=""
           if [ -n "$volume_mount_source" ]; then
-            docker_volume_args="-v ${volume_mount_source}:/workspace/isaaclab"
+            host_uid="$(id -u)"
+            host_gid="$(id -g)"
+            host_user="$(id -un)"
+            # Kit writes generated cache, config, data, and log files outside
+            # the Isaac Lab source tree. Provide writable runtime storage for
+            # host-uid test runs, mirroring the compose/singularity mounts.
+            docker_runtime_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/isaaclab-docker-runtime.XXXXXX")"
+            mkdir -p \
+              "${docker_runtime_dir}/home/.cache" \
+              "${docker_runtime_dir}/home/.local/share/ov/data" \
+              "${docker_runtime_dir}/home/.local/share/ov/pkg" \
+              "${docker_runtime_dir}/home/.nv/ComputeCache" \
+              "${docker_runtime_dir}/home/.nvidia-omniverse/config" \
+              "${docker_runtime_dir}/home/.nvidia-omniverse/logs" \
+              "${docker_runtime_dir}/home/Documents/Kit/shared" \
+              "${docker_runtime_dir}/isaac-sim/kit/cache" \
+              "${docker_runtime_dir}/isaac-sim/kit/data" \
+              "${docker_runtime_dir}/isaac-sim/kit/logs" \
+              "${docker_runtime_dir}/isaac-sim/cache" \
+              "${docker_runtime_dir}/isaac-sim/computecache" \
+              "${docker_runtime_dir}/isaac-sim/config" \
+              "${docker_runtime_dir}/isaac-sim/data" \
+              "${docker_runtime_dir}/isaac-sim/logs" \
+              "${docker_runtime_dir}/isaac-sim/pkg"
+            docker_volume_args="\
+              -v ${volume_mount_source}:/workspace/isaaclab:rw \
+              -v ${docker_runtime_dir}/home:/tmp/isaaclab-ci-home:rw \
+              -v ${docker_runtime_dir}/isaac-sim/kit/cache:/isaac-sim/kit/cache:rw \
+              -v ${docker_runtime_dir}/isaac-sim/kit/data:/isaac-sim/kit/data:rw \
+              -v ${docker_runtime_dir}/isaac-sim/kit/logs:/isaac-sim/kit/logs:rw \
+              -v ${docker_runtime_dir}/isaac-sim/cache:/isaac-sim/.cache:rw \
+              -v ${docker_runtime_dir}/isaac-sim/computecache:/isaac-sim/.nv/ComputeCache:rw \
+              -v ${docker_runtime_dir}/isaac-sim/config:/isaac-sim/.nvidia-omniverse/config:rw \
+              -v ${docker_runtime_dir}/isaac-sim/data:/isaac-sim/.local/share/ov/data:rw \
+              -v ${docker_runtime_dir}/isaac-sim/logs:/isaac-sim/.nvidia-omniverse/logs:rw \
+              -v ${docker_runtime_dir}/isaac-sim/pkg:/isaac-sim/.local/share/ov/pkg:rw"
+            docker_user_args="--user ${host_uid}:${host_gid}"
+            docker_env_vars="$docker_env_vars -e HOME=/tmp/isaaclab-ci-home -e XDG_CACHE_HOME=/tmp/isaaclab-ci-home/.cache -e XDG_DATA_HOME=/tmp/isaaclab-ci-home/.local/share -e USER=${host_user} -e LOGNAME=${host_user}"
             echo "🔵 Volume-mounting ${volume_mount_source} >> /workspace/isaaclab"
+            echo "🔵 Mounting writable Docker runtime storage from ${docker_runtime_dir}"
+            echo "🔵 Running volume-mounted container as host uid:gid ${host_uid}:${host_gid} (${host_user})"
           fi
 
+          echo "Docker environment variables: '$docker_env_vars'"
+
           # Run tests in a detached container and follow logs.  Running detached
           # means the container lifecycle is independent of the shell - if the
           # runner kills this step on cancellation, the `if: always()` cleanup
@@ -206,6 +248,7 @@ runs:
             --ulimit nofile=65536:65536 \
             --ulimit nproc=4096:4096 \
             $docker_volume_args \
+            $docker_user_args \
             $docker_env_vars \
             $image_tag \
             -c "
@@ -318,6 +361,9 @@ runs:
           # Clean up container
           echo "🔵 Cleaning up Docker container..."
           docker rm $container_name 2>/dev/null || echo "🟠 Container cleanup failed, but continuing..."
+          if [ -n "$docker_runtime_dir" ]; then
+            rm -rf "$docker_runtime_dir" || echo "🟠 Docker runtime storage cleanup failed, but continuing..."
+          fi
 
           return $DOCKER_EXIT
         }

.github/workflows/build.yaml

@@ -101,7 +101,7 @@ jobs:
           $'^\\.github/workflows/config\\.yaml$\tBase image config'
           $'^\\.github/actions/\tCI actions'
         )
-        triggered_jobs="Docker build + all test-* matrix jobs"
+        triggered_jobs="Docker build + non-root verify jobs + all test-* matrix jobs"
 
         render_table() {
           local files="$1" entry regex desc count sample
@@ -215,6 +215,51 @@ jobs:
         dockerfile-path: docker/Dockerfile.base
         cache-tag: cache-base
 
+  verify-base-non-root:
+    name: verify-base-non-root
+    runs-on: [self-hosted, gpu]
+    timeout-minutes: 30
+    needs: [build, config]
+    if: needs.build.result == 'success'
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v6
+      with:
+        fetch-depth: 1
+        lfs: true
+
+    - name: Pull Base Docker image
+      uses: ./.github/actions/ecr-build-push-pull
+      with:
+        image-tag: ${{ env.CI_IMAGE_TAG }}
+        isaacsim-base-image: ${{ needs.config.outputs.isaacsim_image_name }}
+        isaacsim-version: ${{ needs.config.outputs.isaacsim_image_tag }}
+        dockerfile-path: docker/Dockerfile.base
+        cache-tag: cache-base
+
+    - name: Run Dockerfile non-root regression test
+      shell: bash
+      run: |
+        set -euo pipefail
+        docker run --rm \
+          -v "$PWD":/workspace/isaaclab \
+          --entrypoint bash \
+          "${{ env.CI_IMAGE_TAG }}" \
+          -lc 'cd /workspace/isaaclab && /isaac-sim/python.sh -m pytest docker/test/test_dockerfile_nonroot.py -q'
+
+    - name: Verify Base runtime user is non-root
+      shell: bash
+      run: |
+        set -euo pipefail
+        runtime_identity="$(docker run --rm --entrypoint bash "${{ env.CI_IMAGE_TAG }}" \
+          -lc 'printf "%s %s %s\n" "$(id -u)" "$(id -g)" "$(id -un 2>/dev/null || true)"')"
+        read -r runtime_uid runtime_gid runtime_user <<< "${runtime_identity}"
+        echo "Base runtime identity: uid=${runtime_uid} gid=${runtime_gid} user=${runtime_user}"
+        if [ "${runtime_uid}" = "0" ]; then
+          echo "::error::Base Docker image must not run as root by default."
+          exit 1
+        fi
+
   build-curobo:
     name: Build cuRobo Docker Image
     runs-on: [self-hosted, gpu]
@@ -235,6 +280,51 @@ jobs:
         isaacsim-version: ${{ needs.config.outputs.isaacsim_image_tag }}
         dockerfile-path: docker/Dockerfile.curobo
         cache-tag: cache-curobo
+
+  verify-curobo-non-root:
+    name: verify-curobo-non-root
+    runs-on: [self-hosted, gpu]
+    timeout-minutes: 30
+    needs: [build-curobo, config]
+    if: needs.build-curobo.result == 'success'
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v6
+      with:
+        fetch-depth: 1
+        lfs: true
+
+    - name: Pull cuRobo Docker image
+      uses: ./.github/actions/ecr-build-push-pull
+      with:
+        image-tag: ${{ env.CI_IMAGE_TAG }}-curobo
+        isaacsim-base-image: ${{ needs.config.outputs.isaacsim_image_name }}
+        isaacsim-version: ${{ needs.config.outputs.isaacsim_image_tag }}
+        dockerfile-path: docker/Dockerfile.curobo
+        cache-tag: cache-curobo
+
+    - name: Run Dockerfile non-root regression test
+      shell: bash
+      run: |
+        set -euo pipefail
+        docker run --rm \
+          -v "$PWD":/workspace/isaaclab \
+          --entrypoint bash \
+          "${{ env.CI_IMAGE_TAG }}-curobo" \
+          -lc 'cd /workspace/isaaclab && /isaac-sim/python.sh -m pytest docker/test/test_dockerfile_nonroot.py -q'
+
+    - name: Verify cuRobo runtime user is non-root
+      shell: bash
+      run: |
+        set -euo pipefail
+        runtime_identity="$(docker run --rm --entrypoint bash "${{ env.CI_IMAGE_TAG }}-curobo" \
+          -lc 'printf "%s %s %s\n" "$(id -u)" "$(id -g)" "$(id -un 2>/dev/null || true)"')"
+        read -r runtime_uid runtime_gid runtime_user <<< "${runtime_identity}"
+        echo "cuRobo runtime identity: uid=${runtime_uid} gid=${runtime_gid} user=${runtime_user}"
+        if [ "${runtime_uid}" = "0" ]; then
+          echo "::error::cuRobo Docker image must not run as root by default."
+          exit 1
+        fi
   #endregion
 
   #region test jobs

CONTRIBUTORS.md

@@ -80,6 +80,7 @@ Guidelines for modifications:
 * Emily Sturman
 * Emmanuel Ferdman
 * Fabian Jenelten
+* Fatima Anes
 * Felipe Mohr
 * Felix Yu
 * Frank Lai

docker/.env.base

@@ -13,7 +13,7 @@ ISAACSIM_VERSION=6.0.0-dev2
 DOCKER_ISAACSIM_ROOT_PATH=/isaac-sim
 # The Isaac Lab path in the container
 DOCKER_ISAACLAB_PATH=/workspace/isaaclab
-# Docker user directory - by default this is the root user's home directory
+# Docker runtime user directory
 DOCKER_USER_HOME=/root
 # Docker image and container name suffix (default "", set by the container_interface.py script)
 # Example: "-custom"

docker/Dockerfile.base

@@ -3,8 +3,8 @@
 #
 # SPDX-License-Identifier: BSD-3-Clause
 
-# Nvidia Dockerfiles: https://github.com/NVIDIA-Omniverse/IsaacSim-dockerfiles
-# Please check above link for license information.
+# Isaac Sim base container: https://catalog.ngc.nvidia.com/orgs/nvidia/containers/isaac-sim
+# Please check the NGC container page for license information.
 
 # Base image
 ARG ISAACSIM_BASE_IMAGE_ARG
@@ -26,14 +26,17 @@ ENV ISAACSIM_ROOT_PATH=${ISAACSIM_ROOT_PATH_ARG}
 # Path to the Isaac Lab directory
 ARG ISAACLAB_PATH_ARG
 ENV ISAACLAB_PATH=${ISAACLAB_PATH_ARG}
-# Home dir of docker user, typically '/root'
+# Home dir of the runtime docker user, typically '/root'
 ARG DOCKER_USER_HOME_ARG
 ENV DOCKER_USER_HOME=${DOCKER_USER_HOME_ARG}
+ENV HOME=${DOCKER_USER_HOME}
 
 # Set environment variables
 ENV LANG=C.UTF-8
 ENV DEBIAN_FRONTEND=noninteractive
 
+# Base image may end with a non-root user; switch to root for system-level
+# setup and package installation.
 USER root
 
 # Install dependencies
@@ -121,19 +124,40 @@ RUN --mount=type=cache,target=${DOCKER_USER_HOME}/.cache/pip \
 RUN ${ISAACLAB_PATH}/isaaclab.sh -p -m pip uninstall -y quadprog
 
 # aliasing isaaclab.sh and python for convenience
-RUN echo "export ISAACLAB_PATH=${ISAACLAB_PATH}" >> ${HOME}/.bashrc && \
-    echo "alias isaaclab=${ISAACLAB_PATH}/isaaclab.sh" >> ${HOME}/.bashrc && \
-    echo "alias python=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${HOME}/.bashrc && \
-    echo "alias python3=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${HOME}/.bashrc && \
-    echo "alias pip='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${HOME}/.bashrc && \
-    echo "alias pip3='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${HOME}/.bashrc && \
-    echo "alias tensorboard='${ISAACLAB_PATH}/_isaac_sim/python.sh ${ISAACLAB_PATH}/_isaac_sim/tensorboard'" >> ${HOME}/.bashrc && \
-    echo "export TZ=$(date +%Z)" >> ${HOME}/.bashrc && \
-    echo "shopt -s histappend" >> /root/.bashrc && \
-    echo "PROMPT_COMMAND='history -a'" >> /root/.bashrc
+RUN echo "export ISAACLAB_PATH=${ISAACLAB_PATH}" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias isaaclab=${ISAACLAB_PATH}/isaaclab.sh" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias python=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias python3=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias pip='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias pip3='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias tensorboard='${ISAACLAB_PATH}/_isaac_sim/python.sh ${ISAACLAB_PATH}/_isaac_sim/tensorboard'" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "export TZ=$(date +%Z)" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "shopt -s histappend" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "PROMPT_COMMAND='history -a'" >> ${DOCKER_USER_HOME}/.bashrc
+
+# Create the non-root runtime user after root-only image setup is complete.
+# The uid/gid 1000 match GitHub runner bind mounts used by Docker tests.
+# --non-unique is required because some base image revisions already carry
+# another user or group at uid/gid 1000.
+RUN groupadd --non-unique --gid 1000 isaaclab \
+ && useradd --non-unique --uid 1000 --gid 1000 -M -l -s /bin/bash -d ${DOCKER_USER_HOME} isaaclab
+
+RUN chown -R isaaclab:isaaclab \
+        ${ISAACLAB_PATH} \
+        ${DOCKER_USER_HOME}
+
+# Open up traversal of the Isaac Sim root and runtime home for non-root users.
+# Inner Isaac Sim files keep their original permissions, so avoid chowning the
+# full install. Keep the runtime home closed to unrelated users.
+RUN chmod 755 \
+        ${ISAACSIM_ROOT_PATH} \
+ && chmod 750 \
+        ${DOCKER_USER_HOME}
 
 # copy the rest of the files
-COPY ../ ${ISAACLAB_PATH}/
+COPY --chown=isaaclab:isaaclab ../ ${ISAACLAB_PATH}/
+
+USER isaaclab
 
 # make working directory as the Isaac Lab directory
 # this is the default directory when the container is run

docker/Dockerfile.curobo

@@ -3,8 +3,8 @@
 #
 # SPDX-License-Identifier: BSD-3-Clause
 
-# Nvidia Dockerfiles: https://github.com/NVIDIA-Omniverse/IsaacSim-dockerfiles
-# Please check above link for license information.
+# Isaac Sim base container: https://catalog.ngc.nvidia.com/orgs/nvidia/containers/isaac-sim
+# Please check the NGC container page for license information.
 
 # Base image
 ARG ISAACSIM_BASE_IMAGE_ARG
@@ -26,14 +26,17 @@ ENV ISAACSIM_ROOT_PATH=${ISAACSIM_ROOT_PATH_ARG}
 # Path to the Isaac Lab directory
 ARG ISAACLAB_PATH_ARG
 ENV ISAACLAB_PATH=${ISAACLAB_PATH_ARG}
-# Home dir of docker user, typically '/root'
+# Home dir of the runtime docker user, typically '/root'
 ARG DOCKER_USER_HOME_ARG
 ENV DOCKER_USER_HOME=${DOCKER_USER_HOME_ARG}
+ENV HOME=${DOCKER_USER_HOME}
 
 # Set environment variables
 ENV LANG=C.UTF-8
 ENV DEBIAN_FRONTEND=noninteractive
 
+# Base image may end with a non-root user; switch to root for system-level
+# setup and package installation.
 USER root
 
 # Install dependencies
@@ -176,19 +179,40 @@ RUN ${ISAACLAB_PATH}/isaaclab.sh -p -m pip install --no-build-isolation \
 RUN ${ISAACLAB_PATH}/isaaclab.sh -p -m pip install --editable ${ISAACLAB_PATH}/source/isaaclab_teleop
 
 # aliasing isaaclab.sh and python for convenience
-RUN echo "export ISAACLAB_PATH=${ISAACLAB_PATH}" >> ${HOME}/.bashrc && \
-    echo "alias isaaclab=${ISAACLAB_PATH}/isaaclab.sh" >> ${HOME}/.bashrc && \
-    echo "alias python=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${HOME}/.bashrc && \
-    echo "alias python3=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${HOME}/.bashrc && \
-    echo "alias pip='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${HOME}/.bashrc && \
-    echo "alias pip3='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${HOME}/.bashrc && \
-    echo "alias tensorboard='${ISAACLAB_PATH}/_isaac_sim/python.sh ${ISAACLAB_PATH}/_isaac_sim/tensorboard'" >> ${HOME}/.bashrc && \
-    echo "export TZ=$(date +%Z)" >> ${HOME}/.bashrc && \
-    echo "shopt -s histappend" >> /root/.bashrc && \
-    echo "PROMPT_COMMAND='history -a'" >> /root/.bashrc
+RUN echo "export ISAACLAB_PATH=${ISAACLAB_PATH}" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias isaaclab=${ISAACLAB_PATH}/isaaclab.sh" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias python=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias python3=${ISAACLAB_PATH}/_isaac_sim/python.sh" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias pip='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias pip3='${ISAACLAB_PATH}/_isaac_sim/python.sh -m pip'" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "alias tensorboard='${ISAACLAB_PATH}/_isaac_sim/python.sh ${ISAACLAB_PATH}/_isaac_sim/tensorboard'" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "export TZ=$(date +%Z)" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "shopt -s histappend" >> ${DOCKER_USER_HOME}/.bashrc && \
+    echo "PROMPT_COMMAND='history -a'" >> ${DOCKER_USER_HOME}/.bashrc
+
+# Create the non-root runtime user after root-only image setup is complete.
+# The uid/gid 1000 match GitHub runner bind mounts used by the cuRobo tests.
+# --non-unique is required because some base image revisions already carry
+# another user or group at uid/gid 1000.
+RUN groupadd --non-unique --gid 1000 isaaclab \
+ && useradd --non-unique --uid 1000 --gid 1000 -M -l -s /bin/bash -d ${DOCKER_USER_HOME} isaaclab
+
+RUN chown -R isaaclab:isaaclab \
+        ${ISAACLAB_PATH} \
+        ${DOCKER_USER_HOME}
+
+# Open up traversal of the Isaac Sim root and runtime home for non-root users.
+# Inner Isaac Sim files keep their original permissions, so avoid chowning the
+# full install. Keep the runtime home closed to unrelated users.
+RUN chmod 755 \
+        ${ISAACSIM_ROOT_PATH} \
+ && chmod 750 \
+        ${DOCKER_USER_HOME}
 
 # copy the rest of the files
-COPY ../ ${ISAACLAB_PATH}/
+COPY --chown=isaaclab:isaaclab ../ ${ISAACLAB_PATH}/
+
+USER isaaclab
 
 # make working directory as the Isaac Lab directory
 # this is the default directory when the container is run