Update NeMo Jupyter to use a more recent version (#228)

* replacing java install features

* updating to use nvcr.io/nvidia/nemo:25.07.nemotron-nano-v2

* setting java version to 17

* adding digests for mise and java to feature-version/state.json for app caching

* Adding digests for mise and mise-java

* use a dockerfile now to set jupyter user and enter at the WORKDIR, removed --allow-root from docker-compose.yaml

* using build context instead of GAR image

* indentation error

* troubleshooting java installation

* Replacing root with jupyter and /workspace with /home/jupyter

* reverting to the old java install digest

* remove package list files from apt-get update

* use sudo-passwordless.sh to grant sudo access, updated .devcontainer postCreateCommand to call it

* Removing unused version of mise-java

* adding comment in Dockerfile re: /var/lib/apt/lists/* removal

Author: PeterSu92

feature-versions/state.json

@@ -18,5 +18,9 @@
   "ghcr.io/devcontainers/features/common-utils": {
     "tag": "2",
     "installed": "@sha256:00fd45550f578d9d515044d9e2226e908dbc3d7aa6fcb9dee4d8bdb60be114cf"
+  },
+  "ghcr.io/roul/devcontainer-features/mise":{
+    "tag":"1",
+    "installed": "@sha256:bcbd34b34176b6255d5aa5b881f1addc99bb3eed6049c841cb201f63fca132e4"
   }
 }

src/nemo_jupyter/.devcontainer.json

@@ -7,15 +7,16 @@
   // Get the host's docker group ID and propagate it into the .env file, which
   // allows it to be used within docker-compose.yaml.
   // "initializeCommand": "DOCKER_GID=`getent group docker | cut -d: -f3` && echo \"DOCKER_GID=${DOCKER_GID}\" > .env",
-  "postCreateCommand": "apt update && apt install -y sudo && ./startupscript/post-startup.sh root /workspace ${templateOption:cloud} ${templateOption:login} && echo -e \"alias weightsbiases='/usr/local/bin/wb'\\nalias wb='/usr/bin/wb'\" >> /root/.bashrc",  // re-mount bucket files on container start up
+  "postCreateCommand": "apt update && apt install -y sudo && ./startupscript/post-startup.sh jupyter /home/jupyter ${templateOption:cloud} ${templateOption:login} && echo -e \"alias weightsbiases='/usr/local/bin/wb'\\nalias wb='/usr/bin/wb'\" >> /home/jupyter/.bashrc && ./sudo-passwordless.sh jupyter",  // re-mount bucket files on container start up
   "postStartCommand": [
     "./startupscript/remount-on-restart.sh",
-    "root",
-    "/workspace",
+    "jupyter",
+    "/home/jupyter",
     "${templateOption:cloud}",
     "${templateOption:login}"
   ],
   "features": {
+    "ghcr.io/roul/devcontainer-features/mise@sha256:bcbd34b34176b6255d5aa5b881f1addc99bb3eed6049c841cb201f63fca132e4": {},
     "ghcr.io/devcontainers/features/java@sha256:df67d6ff6e9cdd858207ae9e92a99ddb88384b789f79eecd6f873216e951d286": {
       "version": "17"
     },

src/nemo_jupyter/Dockerfile

@@ -0,0 +1,26 @@
+FROM nvcr.io/nvidia/nemo:25.07.nemotron-nano-v2
+
+ARG NB_USER=jupyter
+ARG NB_UID=1010
+ARG NB_GID=1000
+ARG WORKDIR=/home/${NB_USER}
+
+USER root
+
+# Only create the user, not the group—GID 1000 already exists as 'ubuntu'
+RUN useradd --uid ${NB_UID} --gid ${NB_GID} --create-home --home-dir ${WORKDIR} --shell /bin/bash ${NB_USER}
+
+# Fix ownership for common dirs
+RUN mkdir -p /workspace \
+ && chown -R ${NB_UID}:${NB_GID} ${WORKDIR} /workspace /tmp \
+ && chown -R ${NB_UID}:${NB_GID} /opt/conda || true
+
+# This folder caused java installation issues, removing it resolves this
+RUN rm -rf /var/lib/apt/lists/*
+
+# Environment and working directory
+ENV HOME=${WORKDIR}
+WORKDIR ${WORKDIR}
+
+# Switch to non-root user
+USER ${NB_USER}

src/nemo_jupyter/docker-compose.yaml

@@ -2,8 +2,9 @@ version: "2.4"
 services:
   app:
     container_name: "application-server"
-    image: "nvcr.io/nvidia/nemo:24.09"
-    user: root
+    build:
+      context: .
+    user: jupyter
     restart: always
     volumes:
       - .:/workspace:cached
@@ -17,7 +18,7 @@ services:
       - /dev/fuse
     security_opt:
       - apparmor:unconfined
-    command: jupyter lab --ip=0.0.0.0 --port=8888 --no-browser --allow-root --LabApp.token=''
+    command: jupyter lab --ip=0.0.0.0 --port=8888 --no-browser --LabApp.token=''
 networks:
   app-network:
     external: true

src/nemo_jupyter/sudo-passwordless.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# This script is used to set up passwordless sudo for the core user on the VM.
+# It requires to be run with root priviledges and USER_NAME to be set in the environment.
+# It is typically called from post-startup.sh.
+
+USER_NAME="${1}"
+
+if [[ -z "${USER_NAME}" ]]; then
+  echo "Usage: $0 <username>"
+  exit 1
+fi
+
+sudoers_file="/etc/sudoers"
+sudoers_d_file="/etc/sudoers.d/${USER_NAME}"
+
+# Make sure user exists
+if ! id "${USER_NAME}" &>/dev/null; then
+  echo "User ${USER_NAME} does not exist."
+  exit 1
+fi
+
+# Check if there's an old rule in the main sudoers file that requires a password
+if grep -q "^${USER_NAME} ALL=(ALL:ALL) ALL" "${sudoers_file}"; then
+  echo "Found password-requiring rule for ${USER_NAME} in /etc/sudoers. Commenting it out."
+  
+  # Comment out the old rule in /etc/sudoers
+  sed -i "s/^${USER_NAME} ALL=(ALL:ALL) ALL/# ${USER_NAME} ALL=(ALL:ALL) ALL/" "${sudoers_file}"
+fi
+
+echo "${USER_NAME} ALL=(ALL) NOPASSWD:ALL" > "${sudoers_d_file}"
+chmod 440 "${sudoers_d_file}"
+
+echo "User ${USER_NAME} has been given passwordless sudo access."