From 04b171b25ff271249ddd71f2f5072b58a2390255 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Thu, 5 Dec 2024 11:39:46 -0800
Subject: [PATCH 01/15] [SYCL][Devops] Fix AVD-DS-0017
See https://avd.aquasec.com/misconfig/ds017 Docker best practices says that running `update` and `install` commands separately may lead to situations where Docker skips `update` step and re-uses cache leading to outdated versions of packages being installed.
---
 devops/containers/ubuntu2204_build.Dockerfile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/devops/containers/ubuntu2204_build.Dockerfile b/devops/containers/ubuntu2204_build.Dockerfile
index 313b455dbc25b..4373fc8d636e9 100644
--- a/devops/containers/ubuntu2204_build.Dockerfile
+++ b/devops/containers/ubuntu2204_build.Dockerfile
@@ -24,10 +24,9 @@ gpg --dearmor | tee /etc/apt/keyrings/rocm.gpg > /dev/null && \
 # Add rocm repo
 echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rocm.gpg] https://repo.radeon.com/rocm/apt/6.1.1 jammy main" \
 | tee --append /etc/apt/sources.list.d/rocm.list && \
-printf 'Package: *\nPin: release o=repo.radeon.com\nPin-Priority: 600' | tee /etc/apt/preferences.d/rocm-pin-600 && \
-apt update
+printf 'Package: *\nPin: release o=repo.radeon.com\nPin-Priority: 600' | tee /etc/apt/preferences.d/rocm-pin-600
 # Install the kernel driver
-RUN apt install -yqq rocm-dev && \
+RUN apt update && apt install -yqq rocm-dev && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
From d2c634b094af815de46efe164b54d31dd62178c7 Mon Sep 17 00:00:00 2001
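Review bot: `RUN apt update && apt install -yqq rocm-dev` drives the interactive `apt` front end from a script and installs an unpinned `rocm-dev`, so the layer is not reproducible and hadolint would flag it (DL3027, DL3008); moving `apt update` into the same RUN is the right fix for the stale-cache problem, the tool and the pin are what is still missing. Consider `RUN apt-get update && apt-get install -yqq --no-install-recommends rocm-dev=<ROCM_VERSION> && apt-get clean && rm -rf /var/lib/apt/lists/*`, keeping the cleanup that is already there. The same `apt update && apt install` form is added in the ubuntu2404_build_oneapi.Dockerfile hunk of patch 10. The RUN that this hunk trims the trailing `apt update` from starts above the hunk.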
From: Alexey Sachkov
Date: Thu, 5 Dec 2024 11:56:35 -0800
Subject: [PATCH 02/15] [SYCL][Devops] Fix AVD-DS-0002
See https://avd.aquasec.com/misconfig/ds002 Made it so that the last `USER` command in `base` and `build` is not `root`.
---
 devops/containers/ubuntu2204_base.Dockerfile | 2 ++
 devops/containers/ubuntu2204_build.Dockerfile | 2 ++
 devops/containers/ubuntu2404_base.Dockerfile | 2 ++
 devops/scripts/docker_entrypoint.sh | 3 +--
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/devops/containers/ubuntu2204_base.Dockerfile b/devops/containers/ubuntu2204_base.Dockerfile
index 07bb343cae93c..4adf21f8871ff 100644
--- a/devops/containers/ubuntu2204_base.Dockerfile
+++ b/devops/containers/ubuntu2204_base.Dockerfile
@@ -29,4 +29,6 @@ COPY actions/cleanup /actions/cleanup
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 COPY scripts/install_drivers.sh /opt/install_drivers.sh
+USER sycl
+
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2204_build.Dockerfile b/devops/containers/ubuntu2204_build.Dockerfile
index 4373fc8d636e9..faeb86126574a 100644
--- a/devops/containers/ubuntu2204_build.Dockerfile
+++ b/devops/containers/ubuntu2204_build.Dockerfile
@@ -41,5 +41,7 @@ RUN usermod -aG irc sycl
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
+USER sycl
+
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_base.Dockerfile b/devops/containers/ubuntu2404_base.Dockerfile
index c30e562c630e8..f8c96e8b1b7bb 100644
--- a/devops/containers/ubuntu2404_base.Dockerfile
+++ b/devops/containers/ubuntu2404_base.Dockerfile
@@ -29,4 +29,6 @@ COPY actions/cleanup /actions/cleanup
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 COPY scripts/install_drivers.sh /opt/install_drivers.sh
+USER sycl
+
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/scripts/docker_entrypoint.sh b/devops/scripts/docker_entrypoint.sh
index f0e89244d013f..6b323d17b084d 100755
--- a/devops/scripts/docker_entrypoint.sh
+++ b/devops/scripts/docker_entrypoint.sh
@@ -1,8 +1,7 @@
 #!/bin/bash
 if [ -d "$GITHUB_WORKSPACE" ]; then
- chown -R sycl:sycl $GITHUB_WORKSPACE
- su sycl
+ sudo chown -R sycl:sycl $GITHUB_WORKSPACE
 fi
 exec "$@"
From 6be44f39914418e425aaa9c63903b80488539ea8 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Thu, 5 Dec 2024 12:02:57 -0800
Subject: [PATCH 03/15] [SYCL][Devops] Fix remaining AVD-DS-0002 issues
See https://avd.aquasec.com/misconfig/ds002 Made it so our docker files have at least one `USER` command which is not `root`.
---
 devops/containers/ubuntu2204_intel_drivers.Dockerfile | 11 +++++++++++
 devops/containers/ubuntu2204_preinstalled.Dockerfile | 11 +++++++++++
 devops/containers/ubuntu2404_intel_drivers.Dockerfile | 11 +++++++++++
 .../ubuntu2404_intel_drivers_igc_dev.Dockerfile | 11 +++++++++++
 4 files changed, 44 insertions(+)
diff --git a/devops/containers/ubuntu2204_intel_drivers.Dockerfile b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
index fb018f195a48f..090ad12a1720a 100644
--- a/devops/containers/ubuntu2204_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
@@ -25,5 +25,16 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
+# By default Ubuntu sets an arbitrary UID value, that is different from host
+# system. When CI passes default UID value of 1001, some of LLVM tools fail to
+# discover user home directory and fail a few LIT tests. Fixes UID and GID to
+# 1001, that is used as default by GitHub Actions.
+RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
+# Add sycl user to video/irc groups so that it can access GPU
+RUN usermod -aG video sycl
+RUN usermod -aG irc sycl
+
+USER sycl
+
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2204_preinstalled.Dockerfile b/devops/containers/ubuntu2204_preinstalled.Dockerfile
index 4d39cca4d6baa..60fb91226398e 100644
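Review bot: `sudo chown -R sycl:sycl $GITHUB_WORKSPACE` leaves the path unquoted, so a workspace path containing whitespace or glob characters is word-split before `chown` sees it; quote it: `sudo chown -R sycl:sycl "$GITHUB_WORKSPACE"`. The new line also makes the entrypoint depend on password-less sudo for `sycl`, which is granted by a sudoers entry in the base image (the `NOPASSWD:ALL` line visible in the patch-05 hunks) rather than by anything in this script, so a container whose sudoers differs now fails at startup with a sudo prompt instead of continuing; a short comment above the line naming that dependency would help the next reader.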
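Review bot: `RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash` aborts the build if the base image already defines the `sycl` user or GID 1001, since neither `groupadd` nor `useradd` tolerates an existing entry; these images appear to be built on the base images that create that same account (hedged: their `FROM` lines are outside the hunks). The identical block is added to ubuntu2204_preinstalled, ubuntu2404_intel_drivers and ubuntu2404_intel_drivers_igc_dev in the hunks that follow. If the goal is only to satisfy the non-root `USER` check, `USER sycl` alone suffices where the base image provides the account; otherwise guard the creation, e.g. `RUN getent passwd sycl || (groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash)`.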
--- a/devops/containers/ubuntu2204_preinstalled.Dockerfile
+++ b/devops/containers/ubuntu2204_preinstalled.Dockerfile
@@ -10,5 +10,16 @@ ADD sycl_linux.tar.gz /opt/sycl/
 ENV PATH /opt/sycl/bin:$PATH
 ENV LD_LIBRARY_PATH /opt/sycl/lib:$LD_LIBRARY_PATH
+# By default Ubuntu sets an arbitrary UID value, that is different from host
+# system. When CI passes default UID value of 1001, some of LLVM tools fail to
+# discover user home directory and fail a few LIT tests. Fixes UID and GID to
+# 1001, that is used as default by GitHub Actions.
+RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
+# Add sycl user to video/irc groups so that it can access GPU
+RUN usermod -aG video sycl
+RUN usermod -aG irc sycl
+
+USER sycl
+
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_intel_drivers.Dockerfile b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
index b45e4a8adbb51..283b9c0195eb2 100644
--- a/devops/containers/ubuntu2404_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
@@ -25,5 +25,16 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
+# By default Ubuntu sets an arbitrary UID value, that is different from host
+# system. When CI passes default UID value of 1001, some of LLVM tools fail to
+# discover user home directory and fail a few LIT tests. Fixes UID and GID to
+# 1001, that is used as default by GitHub Actions.
+RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
+# Add sycl user to video/irc groups so that it can access GPU
+RUN usermod -aG video sycl
+RUN usermod -aG irc sycl
+
+USER sycl
+
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
index fd40361a379f5..d9352e8543e8c 100644
--- a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
@@ -20,5 +20,16 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
+# By default Ubuntu sets an arbitrary UID value, that is different from host
+# system. When CI passes default UID value of 1001, some of LLVM tools fail to
+# discover user home directory and fail a few LIT tests. Fixes UID and GID to
+# 1001, that is used as default by GitHub Actions.
+RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
+# Add sycl user to video/irc groups so that it can access GPU
+RUN usermod -aG video sycl
+RUN usermod -aG irc sycl
+
+USER sycl
+
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
From f8ddea9a521b81c5cf5566251488f2c45801a7ae Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Fri, 6 Dec 2024 01:02:22 -0800
Subject: [PATCH 04/15] An attempt to fix docker images build
---
 devops/containers/ubuntu2204_intel_drivers.Dockerfile | 9 ---------
 devops/containers/ubuntu2404_intel_drivers.Dockerfile | 9 ---------
 .../ubuntu2404_intel_drivers_igc_dev.Dockerfile | 9 ---------
 3 files changed, 27 deletions(-)
diff --git a/devops/containers/ubuntu2204_intel_drivers.Dockerfile b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
index 090ad12a1720a..fa3745141b827 100644
--- a/devops/containers/ubuntu2204_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
@@ -25,15 +25,6 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
 USER sycl
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_intel_drivers.Dockerfile b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
index 283b9c0195eb2..a3f68a449ec54 100644
--- a/devops/containers/ubuntu2404_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
@@ -25,15 +25,6 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
 USER sycl
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
index d9352e8543e8c..bd73fdde26bec 100644
--- a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
@@ -20,15 +20,6 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
 USER sycl
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
From 6dde2be36a17b5eb10c697c21da9d59d60ef1503 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Fri, 13 Dec 2024 08:13:32 -0800
Subject: [PATCH 05/15] Outline sycl user creation into a separate script; Make it require password for sudo
---
 devops/containers/ubuntu2204_base.Dockerfile | 17 ++---------
 devops/containers/ubuntu2204_build.Dockerfile | 10 ++-----
 .../ubuntu2204_preinstalled.Dockerfile | 11 ++-----
 devops/containers/ubuntu2404_base.Dockerfile | 17 ++---------
 devops/scripts/create-sycl-user.sh | 30 +++++++++++++++++++
 5 files changed, 38 insertions(+), 47 deletions(-)
 create mode 100644 devops/scripts/create-sycl-user.sh
diff --git a/devops/containers/ubuntu2204_base.Dockerfile b/devops/containers/ubuntu2204_base.Dockerfile
index 4adf21f8871ff..076b885e2249d 100644
--- a/devops/containers/ubuntu2204_base.Dockerfile
+++ b/devops/containers/ubuntu2204_base.Dockerfile
@@ -8,21 +8,8 @@ USER root
 COPY scripts/install_build_tools.sh /install.sh
 RUN /install.sh
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
-# group 109 is required for sycl user to access PVC card.
-RUN groupadd -g 109 render
-RUN usermod -aG render sycl
-
-# Allow sycl user to run as sudo
-RUN echo "sycl ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+COPY scripts/setup-sycl-user.sh /user-setup.sh
+RUN /user-setup.sh
 COPY actions/cached_checkout /actions/cached_checkout
 COPY actions/cleanup /actions/cleanup
diff --git a/devops/containers/ubuntu2204_build.Dockerfile b/devops/containers/ubuntu2204_build.Dockerfile
index faeb86126574a..375a406ad8647 100644
--- a/devops/containers/ubuntu2204_build.Dockerfile
+++ b/devops/containers/ubuntu2204_build.Dockerfile
@@ -30,14 +30,8 @@ RUN apt update && apt install -yqq rocm-dev && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
+COPY scripts/setup-sycl-user.sh /user-setup.sh
+RUN /user-setup.sh
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
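Review bot: `COPY scripts/setup-sycl-user.sh /user-setup.sh` names a file this commit does not add — the new script is `devops/scripts/create-sycl-user.sh` (the ubuntu2404_base hunk copies it under that name), so the COPY fails at build time unless a `setup-sycl-user.sh` already exists in the build context. The ubuntu2204_build hunk on this same line has the identical mismatch. Change both to `COPY scripts/create-sycl-user.sh /user-setup.sh`. Worth noting in a comment next to the COPY that the script must run as root (it calls `groupadd`/`useradd` and writes `/etc/sudoers`), since the `USER root` it relies on is above the hunk.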
diff --git a/devops/containers/ubuntu2204_preinstalled.Dockerfile b/devops/containers/ubuntu2204_preinstalled.Dockerfile
index 60fb91226398e..58fcec5a32115 100644
--- a/devops/containers/ubuntu2204_preinstalled.Dockerfile
+++ b/devops/containers/ubuntu2204_preinstalled.Dockerfile
@@ -3,6 +3,8 @@ ARG base_image=ghcr.io/intel/llvm/ubuntu2204_intel_drivers
 FROM $base_image:$base_tag
+USER ROOT
+
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
 RUN mkdir -p /opt/sycl
 ADD sycl_linux.tar.gz /opt/sycl/
@@ -10,15 +12,6 @@ ADD sycl_linux.tar.gz /opt/sycl/
 ENV PATH /opt/sycl/bin:$PATH
 ENV LD_LIBRARY_PATH /opt/sycl/lib:$LD_LIBRARY_PATH
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
 USER sycl
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_base.Dockerfile b/devops/containers/ubuntu2404_base.Dockerfile
index f8c96e8b1b7bb..7af9ccfec1e5f 100644
--- a/devops/containers/ubuntu2404_base.Dockerfile
+++ b/devops/containers/ubuntu2404_base.Dockerfile
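Review bot: `USER ROOT` does not select the superuser — Linux account names are case-sensitive, so the build stops at the next `RUN` with an unknown-user error unless the base image literally has an account named `ROOT`; use `USER root`. The switch itself is needed, because the base image now ends on `USER sycl` and the following `RUN mkdir -p /opt/sycl` and `ADD sycl_linux.tar.gz /opt/sycl/` write outside that user's home. A one-line comment such as `# Base image ends as sycl; the install into /opt needs root` would explain why the stage starts by escalating.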
@@ -8,21 +8,8 @@ USER root
 COPY scripts/install_build_tools.sh /install.sh
 RUN /install.sh
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
-# group 109 is required for sycl user to access PVC card.
-RUN groupadd -g 109 render
-RUN usermod -aG render sycl
-
-# Allow sycl user to run as sudo
-RUN echo "sycl ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+COPY scripts/create-sycl-user.sh /user-setup.sh
+RUN /user-setup.sh
 COPY actions/cached_checkout /actions/cached_checkout
 COPY actions/cleanup /actions/cleanup
diff --git a/devops/scripts/create-sycl-user.sh b/devops/scripts/create-sycl-user.sh
new file mode 100644
index 0000000000000..09f491f7ac863
--- /dev/null
+++ b/devops/scripts/create-sycl-user.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# By default Ubuntu sets an arbitrary UID value, that is different from host
+# system. When CI passes default UID value of 1001, some of LLVM tools fail to
+# discover user home directory and fail a few LIT tests. Fixes UID and GID to
+# 1001, that is used as default by GitHub Actions.
+groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
+# Add sycl user to video/irc groups so that it can access GPU
+usermod -aG video sycl
+usermod -aG irc sycl
+
+# group 109 is required for sycl user to access PVC card.
+groupadd -g 109 render
+usermod -aG render sycl
+
+if [[ -f /run/secrets/sycl_passwd ]]; then
+ # When running in our CI environment, we restrict access to root.
+
+ # Set password for sycl user
+ cat /run/secrets/sycl_passwd | passwd -s sycl
+
+ # Allow sycl user to run as sudo, but only with password
+ echo "sycl ALL=(root) PASSWD:ALL" >> /etc/sudoers
+else
+ # Otherwise, we allow password-less root to simplify building other
+ # containers on top.
+
+ # Allow sycl user to run as sudo passwrod-less
+ echo "sycl ALL=(root) NOPASSWD:ALL" >> /etc/sudoers
+fi
From 6b2e414260a27fdc043441f008b3914bd4b30f5b Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Fri, 13 Dec 2024 08:13:56 -0800
Subject: [PATCH 06/15] Drop seemingly dead legacy code
---
 devops/scripts/docker_entrypoint.sh | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/devops/scripts/docker_entrypoint.sh b/devops/scripts/docker_entrypoint.sh
index 6b323d17b084d..5fc44481d2355 100755
--- a/devops/scripts/docker_entrypoint.sh
+++ b/devops/scripts/docker_entrypoint.sh
@@ -1,7 +1,3 @@
 #!/bin/bash
-if [ -d "$GITHUB_WORKSPACE" ]; then
- sudo chown -R sycl:sycl $GITHUB_WORKSPACE
-fi
-
 exec "$@"
From 293ce52ec54e0a7ae7fb1007926efb8c1400b7fc Mon Sep 17 00:00:00 2001
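Review bot: `cat /run/secrets/sycl_passwd | passwd -s sycl` cannot set a password: `passwd` reads the new password from the terminal rather than from a pipe, and `-s` is not one of its options (`-S` is the status query), so in the CI branch the account ends up with no usable password while the sudoers line demands one, and without `set -e` the script carries on regardless. Use `echo "sycl:$(cat /run/secrets/sycl_passwd)" | chpasswd` and add `set -e` after the shebang so a failed `groupadd`/`useradd` stops the image build instead of producing a half-configured user. Both `echo ... >> /etc/sudoers` lines write policy unvalidated; a drop-in written to `/etc/sudoers.d/sycl` with mode 0440 and checked with `visudo -cf` keeps a typo from disabling sudo for every account, and the same applies to the rewrite of this script in patch 09. The comment "passwrod-less" on the else branch has a typo.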
From: Alexey Sachkov
Date: Fri, 13 Dec 2024 08:21:27 -0800
Subject: [PATCH 07/15] Propagate new secret to images and use sudo with password in workflows
---
 .github/workflows/sycl-linux-run-tests.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/sycl-linux-run-tests.yml b/.github/workflows/sycl-linux-run-tests.yml
index 73b2a1f336db7..a1062dbbdd5ad 100644
--- a/.github/workflows/sycl-linux-run-tests.yml
+++ b/.github/workflows/sycl-linux-run-tests.yml
@@ -159,8 +159,8 @@ jobs:
 - name: Reset Intel GPU
 if: inputs.reset_intel_gpu == 'true'
 run: |
- sudo mount -t debugfs none /sys/kernel/debug
- sudo bash -c 'echo 1 > /sys/kernel/debug/dri/0/i915_wedged'
+ cat /run/secrets/sycl_passwd | sudo -S mount -t debugfs none /sys/kernel/debug
+ cat /run/secrets/sycl_passwd | sudo -S bash -c 'echo 1 > /sys/kernel/debug/dri/0/i915_wedged'
 - uses: actions/checkout@v4
 with:
 ref: ${{ inputs.ref }}
@@ -196,9 +196,9 @@ jobs:
 run: |
 if [ "${{ inputs.install_dev_igc_driver }}" = "true" ]; then
 # If libllvm14 is already installed (dev igc docker), still return true.
- sudo apt-get install -yqq libllvm14 || true;
+ cat /run/secrets/sycl_passwd | sudo -S apt-get install -yqq libllvm14 || true;
 fi
- sudo -E bash devops/scripts/install_drivers.sh llvm/devops/dependencies.json ${{ inputs.install_dev_igc_driver == 'true' && 'llvm/devops/dependencies-igc-dev.json --use-dev-igc' || '' }} --all
+ cat /run/secrets/sycl_passwd | sudo -S -E bash devops/scripts/install_drivers.sh llvm/devops/dependencies.json ${{ inputs.install_dev_igc_driver == 'true' && 'llvm/devops/dependencies-igc-dev.json --use-dev-igc' || '' }} --all
 - name: Source OneAPI TBB vars.sh
 shell: bash
 run: |
From 4f32c5bd3389e8431847d7459fb10916d7a61b20 Mon Sep 17 00:00:00 2001
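Review bot: The four `cat /run/secrets/sycl_passwd | sudo -S …` lines read the sudo password from a file that has to be readable by the job's own user, so every later step and every test running in that container can read it as well; the password gate prevents accidental `sudo` use but does not separate the job from root, and a comment in the workflow saying exactly that would keep the image from being mistaken for a hardened one. The hard-coded name `sycl_passwd` also differs from the `sycl_ci_passwd` id the Dockerfiles mount from patch 09 onward; if the runtime file follows the image-side id these steps fail at `cat` (hedged: a patch outside this view may reconcile the names). A guard at the top of the first step, `test -r /run/secrets/sycl_passwd || { echo "sudo password secret is missing" >&2; exit 1; }`, would turn the silent `sudo` prompt failure into a clear error.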
From: Alexey Sachkov
Date: Fri, 13 Dec 2024 08:28:03 -0800
Subject: [PATCH 08/15] Run various driver installs as root when building containers
---
 devops/containers/ubuntu2204_intel_drivers.Dockerfile | 2 ++
 devops/containers/ubuntu2404_intel_drivers.Dockerfile | 2 ++
 devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/devops/containers/ubuntu2204_intel_drivers.Dockerfile b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
index fa3745141b827..5ee7ca8910f50 100644
--- a/devops/containers/ubuntu2204_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
@@ -7,6 +7,8 @@ ENV DEBIAN_FRONTEND=noninteractive
 ARG use_latest=true
+USER root
+
 RUN apt update && apt install -yqq wget
 COPY scripts/get_release.py /
diff --git a/devops/containers/ubuntu2404_intel_drivers.Dockerfile b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
index a3f68a449ec54..9b4f45216bd34 100644
--- a/devops/containers/ubuntu2404_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
@@ -7,6 +7,8 @@ ENV DEBIAN_FRONTEND=noninteractive
 ARG use_latest=true
+USER root
+
 RUN apt update && apt install -yqq wget
 COPY scripts/get_release.py /
diff --git a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
index bd73fdde26bec..25cb0ff9819ed 100644
--- a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
@@ -5,6 +5,8 @@ FROM $base_image:$base_tag
 ENV DEBIAN_FRONTEND=noninteractive
+USER root
+
 RUN apt update && apt install -yqq libllvm14
 COPY scripts/get_release.py /
From c10b9861f3951ed68cebd668f8b0c96fced64599 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Fri, 13 Dec 2024 08:28:25 -0800
Subject: [PATCH 09/15] Properly propagate secrets down to user creation script
---
 devops/containers/ubuntu2204_base.Dockerfile | 6 +-
 devops/containers/ubuntu2204_build.Dockerfile | 6 +-
 .../ubuntu2204_intel_drivers.Dockerfile | 2 +-
 .../ubuntu2204_preinstalled.Dockerfile | 5 +-
 devops/containers/ubuntu2404_base.Dockerfile | 4 +-
 .../ubuntu2404_intel_drivers.Dockerfile | 2 +-
 ...buntu2404_intel_drivers_igc_dev.Dockerfile | 2 +-
 devops/scripts/create-sycl-user.sh | 70 ++++++++++++-------
 8 files changed, 60 insertions(+), 37 deletions(-)
 mode change 100644 => 100755 devops/scripts/create-sycl-user.sh
diff --git a/devops/containers/ubuntu2204_base.Dockerfile b/devops/containers/ubuntu2204_base.Dockerfile
index 076b885e2249d..b694124c26f13 100644
--- a/devops/containers/ubuntu2204_base.Dockerfile
+++ b/devops/containers/ubuntu2204_base.Dockerfile
@@ -8,14 +8,14 @@ USER root
 COPY scripts/install_build_tools.sh /install.sh
 RUN /install.sh
-COPY scripts/setup-sycl-user.sh /user-setup.sh
-RUN /user-setup.sh
+COPY scripts/create-sycl-user.sh /user-setup.sh
+RUN --mount=type=secret,id=sycl_ci_passwd /user-setup.sh
 COPY actions/cached_checkout /actions/cached_checkout
 COPY actions/cleanup /actions/cleanup
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 COPY scripts/install_drivers.sh /opt/install_drivers.sh
-USER sycl
+USER sycl_ci
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2204_build.Dockerfile b/devops/containers/ubuntu2204_build.Dockerfile
index 375a406ad8647..ee8a32411f742 100644
--- a/devops/containers/ubuntu2204_build.Dockerfile
+++ b/devops/containers/ubuntu2204_build.Dockerfile
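Review bot: `RUN --mount=type=secret,id=sycl_ci_passwd /user-setup.sh` makes a plain `docker build` of this image fail, because the script exits 2 when `/run/secrets/sycl_ci_passwd` is absent, and nothing in the Dockerfile says which build flag supplies it. Add a comment above the RUN such as `# Requires BuildKit and: docker build --secret id=sycl_ci_passwd,src=<PASSWORD_FILE> ; the file is exposed only to this step at /run/secrets/sycl_ci_passwd and never lands in a layer`. The same undocumented requirement is added in the ubuntu2204_build, ubuntu2404_base and (patch 10) ubuntu2404_build_oneapi hunks. Using a secret mount rather than `ARG`/`ENV` is the right choice here, since only the password hash in `/etc/shadow` ends up in the image.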
@@ -30,12 +30,12 @@ RUN apt update && apt install -yqq rocm-dev && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
-COPY scripts/setup-sycl-user.sh /user-setup.sh
-RUN /user-setup.sh
+COPY scripts/create-sycl-user.sh /user-setup.sh
+RUN --mount=type=secret,id=sycl_ci_passwd /user-setup.sh
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
-USER sycl
+USER sycl_ci
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2204_intel_drivers.Dockerfile b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
index 5ee7ca8910f50..951a5d3c854c0 100644
--- a/devops/containers/ubuntu2204_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
@@ -27,7 +27,7 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
-USER sycl
+USER sycl_ci
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2204_preinstalled.Dockerfile b/devops/containers/ubuntu2204_preinstalled.Dockerfile
index 58fcec5a32115..b6b4d1ca1d77b 100644
--- a/devops/containers/ubuntu2204_preinstalled.Dockerfile
+++ b/devops/containers/ubuntu2204_preinstalled.Dockerfile
@@ -3,7 +3,7 @@ ARG base_image=ghcr.io/intel/llvm/ubuntu2204_intel_drivers
 FROM $base_image:$base_tag
-USER ROOT
+USER root
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
 RUN mkdir -p /opt/sycl
@@ -12,6 +12,9 @@ ADD sycl_linux.tar.gz /opt/sycl/
 ENV PATH /opt/sycl/bin:$PATH
 ENV LD_LIBRARY_PATH /opt/sycl/lib:$LD_LIBRARY_PATH
+# For preinstalled containers we create a different user which has
+# password-less sudo access
+RUN /user-setup.sh --regular
 USER sycl
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_base.Dockerfile b/devops/containers/ubuntu2404_base.Dockerfile
index 7af9ccfec1e5f..adc1695ded6f7 100644
--- a/devops/containers/ubuntu2404_base.Dockerfile
+++ b/devops/containers/ubuntu2404_base.Dockerfile
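Review bot: `RUN /user-setup.sh --regular` followed by `USER sycl` ships the preinstalled image with an account that has `NOPASSWD:ALL` sudo, which is the configuration the rest of this series removes from the CI images; if that image is published to the same registry it re-opens the password-less root path for whoever runs it. If the password-less user is a convenience for local use, it is cheaper to create it on demand with the documented `/user-setup.sh --regular` than to bake it in; otherwise the comment should say why this image is exempt. Note also that `/user-setup.sh` is inherited from the base image rather than copied here, so the hunk depends on the base's copy path staying `/user-setup.sh`.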
@@ -9,13 +9,13 @@ COPY scripts/install_build_tools.sh /install.sh
 RUN /install.sh
 COPY scripts/create-sycl-user.sh /user-setup.sh
-RUN /user-setup.sh
+RUN --mount=type=secret,id=sycl_ci_passwd /user-setup.sh
 COPY actions/cached_checkout /actions/cached_checkout
 COPY actions/cleanup /actions/cleanup
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 COPY scripts/install_drivers.sh /opt/install_drivers.sh
-USER sycl
+USER sycl_ci
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_intel_drivers.Dockerfile b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
index 9b4f45216bd34..1cb8857fecc5e 100644
--- a/devops/containers/ubuntu2404_intel_drivers.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
@@ -27,7 +27,7 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
-USER sycl
+USER sycl_ci
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
index 25cb0ff9819ed..8ab6f2b5fdb7c 100644
--- a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
+++ b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
@@ -22,7 +22,7 @@ RUN --mount=type=secret,id=github_token \
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
-USER sycl
+USER sycl_ci
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/scripts/create-sycl-user.sh b/devops/scripts/create-sycl-user.sh
old mode 100644
new mode 100755
index 09f491f7ac863..add65d0f4a4ac
--- a/devops/scripts/create-sycl-user.sh
+++ b/devops/scripts/create-sycl-user.sh
@@ -1,30 +1,50 @@
 #!/bin/bash
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-usermod -aG video sycl
-usermod -aG irc sycl
-
-# group 109 is required for sycl user to access PVC card.
-groupadd -g 109 render
-usermod -aG render sycl
-
-if [[ -f /run/secrets/sycl_passwd ]]; then
- # When running in our CI environment, we restrict access to root.
-
- # Set password for sycl user
- cat /run/secrets/sycl_passwd | passwd -s sycl
-
- # Allow sycl user to run as sudo, but only with password
- echo "sycl ALL=(root) PASSWD:ALL" >> /etc/sudoers
+set -e
+
+if [[ $# -eq 0 ]]; then
+ # When launched without arguments, we assume that it was launched as part of
+ # CI workflow and therefore a different kind of user is created
+ USER_NAME=sycl_ci
+ SET_PASSWD=true
+
+ # By default Ubuntu sets an arbitrary UID value, that is different from host
+ # system. When CI passes default UID value of 1001, some of LLVM tools fail to
+ # discover user home directory and fail a few LIT tests. Fixes UID and GID to
+ # 1001, that is used as default by GitHub Actions.
+ USER_ID=1001
 else
- # Otherwise, we allow password-less root to simplify building other
- # containers on top.
+ if [[ "${1:-}" != "--regular" ]]; then
+ echo "The only supported argument is --regular!"
+ exit 1
+ fi
+ USER_NAME=sycl
+ SET_PASSWD=false
+
+ # Some user id which is different from the one assigned to sycl_ci user
+ USER_ID=1234
+fi
+
+groupadd -g $USER_ID $USER_NAME && useradd $USER_NAME -u $USER_ID -g $USER_ID -m -s /bin/bash
+# Add user to video/irc groups so that it can access GPU
+usermod -aG video $USER_NAME
+usermod -aG irc $USER_NAME
- # Allow sycl user to run as sudo passwrod-less
- echo "sycl ALL=(root) NOPASSWD:ALL" >> /etc/sudoers
+# group 109 is required for user to access PVC card.
+groupadd -f -g 109 render
+usermod -aG render $USER_NAME
+
+if [[ $SET_PASSWD == true ]]; then
+ if [[ ! -f /run/secrets/sycl_ci_passwd ]]; then
+ echo "Password is requested, but /run/secrtes/sycl_ci_passwd doesn't exists!"
+ exit 2
+ fi
+
+ # Set password for user
+ echo "$USER_NAME:$(cat /run/secrets/sycl_ci_passwd)" | chpasswd
+
+ # Allow user to run as sudo, but only with password
+ echo "$USER_NAME ALL=(ALL) PASSWD:ALL" >> /etc/sudoers
+else
+ echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
 fi
From 8d423f0bfaebc441882b412018dcc1d2ea9c1df8 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Wed, 18 Dec 2024 08:27:49 -0800
Subject: [PATCH 10/15] Fix trivy reported issues in a new docker file
---
 .../containers/ubuntu2404_build_oneapi.Dockerfile | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/devops/containers/ubuntu2404_build_oneapi.Dockerfile b/devops/containers/ubuntu2404_build_oneapi.Dockerfile
index e5c576016f398..a5bc6c8c595a2 100644
--- a/devops/containers/ubuntu2404_build_oneapi.Dockerfile
+++ b/devops/containers/ubuntu2404_build_oneapi.Dockerfile
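Review bot: Under `set -e`, `groupadd -g $USER_ID $USER_NAME && useradd …` does not stop the script when `groupadd` fails — a command on the left of `&&` is exempt from errexit — so a GID that is already taken (1001 in an image that already has it, or a clash with the `--regular` path's 1234) silently skips `useradd`, and the script only dies later at `usermod` with a misleading message. Write them as two statements, `groupadd -g "$USER_ID" "$USER_NAME"` and `useradd "$USER_NAME" -u "$USER_ID" -g "$USER_ID" -m -s /bin/bash`, and send the two diagnostic `echo`s to stderr with `>&2` so they are not lost in build output. Both sudoers branches still append to `/etc/sudoers` without validation; writing `/etc/sudoers.d/$USER_NAME` with mode 0440 and running `visudo -cf` on it is the safer form, while `groupadd -f -g 109 render` is the right tolerant call for the shared group. This hunk covers the whole file, so nothing is cut at the edges.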
@@ -32,22 +32,17 @@ wget -O- https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCT
 | tee /usr/share/keyrings/oneapi-archive-keyring.gpg > /dev/null && \
 echo "deb [signed-by=/usr/share/keyrings/oneapi-archive-keyring.gpg] https://apt.repos.intel.com/oneapi all main" \
 | tee /etc/apt/sources.list.d/oneAPI.list && \
-apt update
 # Install the ROCM kernel driver and oneAPI
-RUN apt install -yqq rocm-dev intel-oneapi-compiler-dpcpp-cpp && \
+RUN apt update && apt install -yqq rocm-dev intel-oneapi-compiler-dpcpp-cpp && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
+COPY scripts/create-sycl-user.sh /user-setup.sh
+RUN --mount=type=secret,id=sycl_ci_passwd /user-setup.sh
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
+USER sycl_ci
+
 ENTRYPOINT ["/docker_entrypoint.sh"]
From d6f9541efaa2f3eceabdcae0b9247fbb4540ea38 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Wed, 18 Dec 2024 08:34:46 -0800
Subject: [PATCH 11/15] Switch all containers to `sycl_ci` user and update the documentation
---
 .../ubuntu2204_preinstalled.Dockerfile | 5 +----
 sycl/doc/developer/DockerBKMs.md | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/devops/containers/ubuntu2204_preinstalled.Dockerfile b/devops/containers/ubuntu2204_preinstalled.Dockerfile
index b6b4d1ca1d77b..18ec7de01acb3 100644
--- a/devops/containers/ubuntu2204_preinstalled.Dockerfile
+++ b/devops/containers/ubuntu2204_preinstalled.Dockerfile
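Review bot: Removing `apt update` leaves the context line `| tee /etc/apt/sources.list.d/oneAPI.list && \` as the last line of that RUN, so the shell receives a command that ends in `&&` and the step fails with a syntax error before anything else in this file is reached; drop the continuation too: `| tee /etc/apt/sources.list.d/oneAPI.list`. The RUN that line belongs to starts above the hunk. Same as in the patch-01 hunk, the new `RUN apt update && apt install -yqq rocm-dev intel-oneapi-compiler-dpcpp-cpp` would be cleaner as `apt-get` with pinned versions, which the same note on that patch covers.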
@@ -12,10 +12,7 @@ ADD sycl_linux.tar.gz /opt/sycl/
 ENV PATH /opt/sycl/bin:$PATH
 ENV LD_LIBRARY_PATH /opt/sycl/lib:$LD_LIBRARY_PATH
-# For preinstalled containers we create a different user which has
-# password-less sudo access
-RUN /user-setup.sh --regular
-USER sycl
+USER sycl_ci
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/sycl/doc/developer/DockerBKMs.md b/sycl/doc/developer/DockerBKMs.md
index 13bd1e9d63454..e613099d40f01 100644
--- a/sycl/doc/developer/DockerBKMs.md
+++ b/sycl/doc/developer/DockerBKMs.md
@@ -143,10 +143,20 @@ instructions.
 ## Changing Docker user
-By default all processes inside Docker run as root. Some LLVM or Clang tests
-expect your user to be anything but root. You can change the user by specifying
-`-u ` option. All Docker containers come with user `sycl`
-created.
+By default all processes within our containers are run as `sycl_ci` user.
+Note: it **does not** have password-less `root` access.
+
+If you want to change the user, you can do that by specifying
+`-u ` option when running the container.
+
+All containers come with `/user-setup.sh` script which can used to create `sycl`
+user which has all the same groups as `sycl_ci` user, but also has passwrod-less
+access to `root`. Use the script as follows:
+
+```bash
+# Note: the script requires root permissions to create a new user
+/user-setup.sh --regular
+```
 ## Managing downloaded Docker images

From 127080e1b5851aee412bd7e60165880313e7efb5 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Wed, 18 Dec 2024 08:36:20 -0800
Subject: [PATCH 12/15] Fix typos

---
 devops/scripts/create-sycl-user.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devops/scripts/create-sycl-user.sh b/devops/scripts/create-sycl-user.sh
index add65d0f4a4ac..43633f4499adc 100755
--- a/devops/scripts/create-sycl-user.sh
+++ b/devops/scripts/create-sycl-user.sh
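Review bot: `USER sycl_ci` now governs `ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]`, and the documentation changed in this same commit states that `sycl_ci` has no password-less root, whereas the removed `/user-setup.sh --regular` user had `NOPASSWD` sudo; if `/drivers_entrypoint.sh` installs drivers or writes outside the user's home (its contents are not in this diff, so confirm), it will now fail or wait on a sudo password prompt in non-interactive CI. Either keep the privileged steps in a `RUN` placed before `USER sycl_ci`, or have the entrypoint probe with `sudo -n true` and exit with an explicit message instead of hanging. A one-line comment above the new line, e.g. `# sycl_ci has sudo only with the build-time password; nothing below may need root`, would record that expectation for the next edit.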
@@ -36,7 +36,7 @@ usermod -aG render $USER_NAME
 if [[ $SET_PASSWD == true ]]; then
 if [[ ! -f /run/secrets/sycl_ci_passwd ]]; then
- echo "Password is requested, but /run/secrtes/sycl_ci_passwd doesn't exists!"
+ echo "Password is requested, but /run/secrets/sycl_ci_passwd doesn't exist!"
 exit 2
 fi

From 0de86c4b56dedb141fa5d76418982fa9f774d50f Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Wed, 18 Dec 2024 09:40:28 -0800
Subject: [PATCH 13/15] Fix new container build

---
 devops/containers/ubuntu2404_build_oneapi.Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/devops/containers/ubuntu2404_build_oneapi.Dockerfile b/devops/containers/ubuntu2404_build_oneapi.Dockerfile
index a5bc6c8c595a2..8f0d0b5d27bb3 100644
--- a/devops/containers/ubuntu2404_build_oneapi.Dockerfile
+++ b/devops/containers/ubuntu2404_build_oneapi.Dockerfile
@@ -31,7 +31,8 @@ echo -e 'Package: *\nPin: release o=repo.radeon.com\nPin-Priority: 600' \
 wget -O- https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB | gpg --dearmor \
 | tee /usr/share/keyrings/oneapi-archive-keyring.gpg > /dev/null && \
 echo "deb [signed-by=/usr/share/keyrings/oneapi-archive-keyring.gpg] https://apt.repos.intel.com/oneapi all main" \
-| tee /etc/apt/sources.list.d/oneAPI.list && \
+| tee /etc/apt/sources.list.d/oneAPI.list
+
 # Install the ROCM kernel driver and oneAPI
 RUN apt update && apt install -yqq rocm-dev intel-oneapi-compiler-dpcpp-cpp && \
 apt-get clean && \

From ce80d93eb584ab2104129170103a275429176e48 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Thu, 19 Dec 2024 06:10:26 -0800
Subject: [PATCH 14/15] Apply comments

---
 sycl/doc/developer/DockerBKMs.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sycl/doc/developer/DockerBKMs.md b/sycl/doc/developer/DockerBKMs.md
index e613099d40f01..e95eb42654ea8 100644
--- a/sycl/doc/developer/DockerBKMs.md
+++ b/sycl/doc/developer/DockerBKMs.md
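Review bot: The `RUN` that the new `| tee /etc/apt/sources.list.d/oneAPI.list` now terminates starts outside this hunk and is a `wget … | gpg --dearmor | tee …` pipeline; under Docker's default `/bin/sh -c` only `tee`'s exit status is checked, so a failed download or a dearmor error leaves an empty or partial `/usr/share/keyrings/oneapi-archive-keyring.gpg` and the build keeps going, with the failure surfacing only later at `apt update` on the next `RUN` with a much less obvious error. Add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of this `RUN` (hadolint DL4006) so the fetch failure is reported where it happens. Because this key is what `signed-by=` trusts for everything later installed from apt.repos.intel.com, comparing the dearmored key's fingerprint against a value fixed in the Dockerfile, e.g. `gpg --show-keys --with-fingerprint /usr/share/keyrings/oneapi-archive-keyring.gpg | grep -q "<expected fingerprint>"`, would pin the trust root rather than accepting whatever the URL serves at build time.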
@@ -143,15 +143,15 @@ instructions.
 ## Changing Docker user
-By default all processes within our containers are run as `sycl_ci` user.
+By default all processes within our containers are run as the `sycl_ci` user.
 Note: it **does not** have password-less `root` access.
-If you want to change the user, you can do that by specifying
+If you want to change the user, you can do that by specifying the
 `-u ` option when running the container.
-All containers come with `/user-setup.sh` script which can used to create `sycl`
-user which has all the same groups as `sycl_ci` user, but also has passwrod-less
-access to `root`. Use the script as follows:
+All containers come with the `/user-setup.sh` script which can used to create
+the `sycl` user which has all the same groups as the `sycl_ci` user, but also
+has password-less access to `root`. Use the script as follows:
 ```bash
 # Note: the script requires root permissions to create a new user

From db221e4a7007d77d27e3355b7ac72a74fbf531e8 Mon Sep 17 00:00:00 2001
From: Alexey Sachkov
Date: Thu, 19 Dec 2024 19:37:13 +0100
Subject: [PATCH 15/15] Update sycl/doc/developer/DockerBKMs.md

---
 sycl/doc/developer/DockerBKMs.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sycl/doc/developer/DockerBKMs.md b/sycl/doc/developer/DockerBKMs.md
index e95eb42654ea8..e36585c335090 100644
--- a/sycl/doc/developer/DockerBKMs.md
+++ b/sycl/doc/developer/DockerBKMs.md
@@ -156,6 +156,8 @@ has password-less access to `root`. Use the script as follows:
 ```bash
 # Note: the script requires root permissions to create a new user
 /user-setup.sh --regular
+# Switch to the newly created user
+su - sycl
 ```
 ## Managing downloaded Docker images