From 8169decde29352cd751fa883f8c3a08d211ed08f Mon Sep 17 00:00:00 2001
From: Dmitry Meyer <me@undef.im>
Date: Mon, 8 Dec 2025 14:35:13 +0000
Subject: [PATCH 1/2] Set WORKDIR in base Docker images

Use /dstack/run (rwx for all) as a default working dir.

In addition, dstack:dstack user with passwordless sudo added, but not
(yet) used as a default user.

Part-of: https://github.com/dstackai/dstack/issues/3124
---
 .github/workflows/docker.yml  |  2 +-
 docker/base/Dockerfile        |  2 ++
 docker/base/Dockerfile.common | 13 +++++++++++--
 docker/base/efa/Dockerfile    |  2 ++
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f4c97b5da1..7962bbd5ac 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -67,7 +67,7 @@ jobs:
         uses: docker/setup-qemu-action@v3
       - name: Build and upload to DockerHub
         run: |
-         if [ "${{ matrix.flavor }}" = "base" ]; then
+          if [ "${{ matrix.flavor }}" = "base" ]; then
             FILE="base/Dockerfile"
           elif [ "${{ matrix.flavor }}" = "devel" ]; then
             FILE="base/Dockerfile"
diff --git a/docker/base/Dockerfile b/docker/base/Dockerfile
index e97c1b60b0..29e92f45ba 100644
--- a/docker/base/Dockerfile
+++ b/docker/base/Dockerfile
@@ -77,3 +77,5 @@ RUN apt-get update \
     && rm -rf /var/lib/apt/lists/* \
     && echo "${NCCL_HOME}/lib" >> /etc/ld.so.conf.d/nccl.conf \
     && ldconfig
+
+WORKDIR /dstack/run
diff --git a/docker/base/Dockerfile.common b/docker/base/Dockerfile.common
index c585c4dad5..b486c16800 100644
--- a/docker/base/Dockerfile.common
+++ b/docker/base/Dockerfile.common
@@ -24,12 +24,21 @@ RUN export DEBIAN_FRONTEND=noninteractive \
     && dpkg-reconfigure --frontend noninteractive tzdata \
     && apt-get install -y bzip2 ca-certificates curl build-essential git libglib2.0-0 libsm6 libxext6 libxrender1 mercurial openssh-server subversion wget \
         libibverbs1 ibverbs-providers ibverbs-utils libibverbs-dev infiniband-diags \
-    && rm -rf /var/lib/apt/lists/* \
     && sed -i "s/.*PasswordAuthentication.*/PasswordAuthentication no/g" /etc/ssh/sshd_config \
     && mkdir /run/sshd \
     && mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys \
     && chmod 600 ~/.ssh/authorized_keys \
-    && rm /etc/ssh/ssh_host_*
+    && rm /etc/ssh/ssh_host_* \
+    # User
+    && apt-get install -y sudo \
+    && groupadd -g 1000 dstack \
+    && useradd -u 1000 -g 1000 -G sudo -s /bin/bash -m dstack \
+    && echo 'dstack ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/dstack \
+    # Default working dir
+    && mkdir -p /dstack/run \
+    && chmod a+rwx /dstack/run \
+    # Cleanup
+    && rm -rf /var/lib/apt/lists/*
 
 RUN curl -LsSf https://astral.sh/uv/install.sh | INSTALLER_NO_MODIFY_PATH=1 sh \
     && uv python install --preview --default
diff --git a/docker/base/efa/Dockerfile b/docker/base/efa/Dockerfile
index 50b6c1c5ef..105650a836 100644
--- a/docker/base/efa/Dockerfile
+++ b/docker/base/efa/Dockerfile
@@ -74,3 +74,5 @@ RUN cd /opt \
         MPI_HOME=${OPEN_MPI_PATH} \
         CUDA_HOME=${CUDA_HOME} \
         NCCL_HOME=${NCCL_HOME}
+
+WORKDIR /dstack/run

From e05435d19e13179519b542b134ac378696126d15 Mon Sep 17 00:00:00 2001
From: Dmitry Meyer <me@undef.im>
Date: Tue, 9 Dec 2025 12:15:36 +0000
Subject: [PATCH 2/2] Free up some space on GitHub runner

---
 .github/workflows/docker.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 7962bbd5ac..7a34328969 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -65,6 +65,12 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+      - name: Free up some space
+        run: |
+          df -h /
+          du -hs /usr/share/dotnet
+          rm -rf /usr/share/dotnet
+          df -h /
       - name: Build and upload to DockerHub
         run: |
           if [ "${{ matrix.flavor }}" = "base" ]; then