[CI] Change docker user to ec2-user (#2834)

Add back in an explicitly defined user in the docker build because I can't figure out which user is being used by the docker image.  If a user other than ec2-user is being used, then it is not possibly for the next job to clean up files from previous jobs because it lacks permission.

Should fix the problems like https://github.com/pytorch/tutorials/actions/runs/8635938916/job/23674817847
```

Cleaning the repository
Warning: Unable to clean or reset the repository. The repository will be recreated instead.
Deleting the contents of '/home/ec2-user/actions-runner/_work/tutorials/tutorials'
Error: File was unable to be removed Error: EACCES: permission denied, unlink '/home/ec2-user/actions-runner/_work/tutorials/tutorials/.jenkins/__pycache__/get_files_to_run.cpython-310.pyc'
```

.ci/docker/Dockerfile

@@ -7,6 +7,11 @@ ENV DEBIAN_FRONTEND noninteractive
 COPY ./common/install_base.sh install_base.sh
 RUN bash ./install_base.sh && rm install_base.sh
 
+# Setup user
+# TODO: figure out how to remove this part
+COPY ./common/install_user.sh install_user.sh
+RUN bash ./install_user.sh && rm install_user.sh
+
 COPY ./common/install_docs_reqs.sh install_docs_reqs.sh
 RUN bash ./install_docs_reqs.sh && rm install_docs_reqs.sh
 
@@ -20,4 +25,5 @@ COPY ./common/install_conda.sh install_conda.sh
 COPY ./common/common_utils.sh common_utils.sh
 RUN bash ./install_conda.sh && rm install_conda.sh common_utils.sh /opt/conda/requirements.txt
 
+USER ci-user
 CMD ["bash"]

.ci/docker/common/common_utils.sh

@@ -7,7 +7,7 @@ as_ci_user() {
   # NB: Pass on PATH and LD_LIBRARY_PATH to sudo invocation
   # NB: This must be run from a directory that the user has access to,
   # works around https://github.com/conda/conda-package-handling/pull/34
-  sudo -E -H env -u SUDO_UID -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER env "PATH=$PATH" "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" $*
+  sudo -E -H -u ci-user env -u SUDO_UID -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER env "PATH=$PATH" "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" $*
 }
 
 conda_install() {

.ci/docker/common/install_conda.sh

@@ -12,6 +12,7 @@ if [ -n "$ANACONDA_PYTHON_VERSION" ]; then
   CONDA_FILE="Miniconda3-latest-Linux-x86_64.sh"
 
   mkdir -p /opt/conda
+  chown ci-user:ci-user /opt/conda
 
   source "$(dirname "${BASH_SOURCE[0]}")/common_utils.sh"
 

.ci/docker/common/install_user.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# Copyright (c) Meta Platforms, Inc. and affiliates.
+# All rights reserved.
+#
+# This source code is licensed under the BSD-style license found in the
+# LICENSE file in the root directory of this source tree.
+
+# Copied from https://github.com/pytorch/executorch/blob/6e431355a554e5f84c3a05dfa2b981ead90c2b48/.ci/docker/common/install_user.sh#L1
+
+set -ex
+
+# Same as ec2-user
+echo "ci-user:x:1000:1000::/var/lib/ci-user:" >> /etc/passwd
+echo "ci-user:x:1000:" >> /etc/group
+# Needed on Focal or newer
+echo "ci-user:*:19110:0:99999:7:::" >> /etc/shadow
+
+# Create $HOME
+mkdir -p /var/lib/ci-user
+chown ci-user:ci-user /var/lib/ci-user
+
+# Allow sudo
+echo 'ci-user ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ci-user
+
+# Test that sudo works
+sudo -u ci-user sudo -v

.github/workflows/build-tutorials.yml

@@ -93,7 +93,7 @@ jobs:
             "${DOCKER_IMAGE}"
           )
 
-          docker exec -t "${container_name}" sh -c ".jenkins/build.sh"
+          docker exec -u ci-user -t "${container_name}" sh -c ".jenkins/build.sh"
 
       - name: Teardown Linux
         uses: pytorch/test-infra/.github/actions/teardown-linux@main
@@ -162,9 +162,7 @@ jobs:
             "${DOCKER_IMAGE}"
           )
 
-          docker exec -u root -i "${container_name}" bash
-
-          docker exec -t "${container_name}" sh -c ".jenkins/build.sh"
+          docker exec -u ci-user -t "${container_name}" sh -c ".jenkins/build.sh"
 
       - name: Upload docs preview
         uses: seemethere/upload-artifact-s3@v5