FGreg

Reputation: 15330

How do I Docker COPY as non root?

While building a Docker image, how do I COPY a file into the image so that the resulting file is owned by a user other than root?

Upvotes: 301

Views: 164511

Answers (2)

Gouranga Satapathy

Reputation: 432

I did it like this and it works perfectly:

FROM node:lts-alpine3.17
RUN addgroup app && adduser -S -G app app
RUN mkdir /app && chown app:app /app
USER app
WORKDIR /app
COPY --chown=app:app package*.json .
RUN npm install
COPY --chown=app:app . .
EXPOSE 8090
CMD ["npm","start"]

Upvotes: 1

FGreg

Reputation: 15330

For versions v17.09.0-ce and newer

Use the optional flag --chown=<user>:<group> with either the ADD or COPY commands.

For example

COPY --chown=<user>:<group> <hostPath> <containerPath>

The documentation for the --chown flag is now live on the main Dockerfile Reference page.

Issue 34263 has been merged and is available in release v17.09.0-ce.


For versions older than v17.09.0-ce

Docker doesn't support COPY as a user other than root. You need to chown / chmod the file after the COPY command.

Example Dockerfile:

FROM centos:6
RUN groupadd -r myuser && adduser -r -g myuser myuser
USER myuser
#Install code, configure application, etc...
USER root
COPY run-my-app.sh /usr/local/bin/run-my-app.sh
RUN chown myuser:myuser /usr/local/bin/run-my-app.sh && \
    chmod 744 /usr/local/bin/run-my-app.sh
USER myuser
ENTRYPOINT ["/usr/local/bin/run-my-app.sh"]

Previous to v17.09.0-ce, the Dockerfile Reference for the COPY command said:

All new files and directories are created with a UID and GID of 0.


History

This feature has been tracked through multiple GitHub issues: 6119, 9943, 13600, 27303, 28499, Issue 30110.

Issue 34263 is the issue that implemented the optional flag functionality and Issue 467 updated the documentation.

Upvotes: 461
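As an added example (not code from either answer or from Docker itself), the following checker reports COPY and ADD instructions that omit --chown while a non-root USER is in effect, since those files are created with UID and GID 0. The function names and the sample Dockerfile are constructed for illustration, and the checker assumes every FROM stage starts as root.

```python
ROOT_USERS = {"root", "0"}

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are dropped
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, " ".join((buf + line).split())
        buf, start = "", None

def root_owned_copies(text):
    """Return [(line_no, instruction)] for COPY/ADD lacking --chown under a non-root USER."""
    findings, user = [], "root"
    for no, instr in logical_lines(text):
        op, *args = instr.split()
        op = op.upper()                        # instruction names are case-insensitive
        if op == "FROM":
            user = "root"                      # assumption: each base image starts as root
        elif op == "USER" and args:
            user = args[0].split(":")[0]       # "app:app" or "1000:1000" -> user part
        elif op in ("COPY", "ADD"):
            if user not in ROOT_USERS and not any(a.startswith("--chown=") for a in args):
                findings.append((no, instr))
    return findings

# Constructed sample, modelled on the first answer with one --chown left out.
SAMPLE = """\
FROM node:lts-alpine3.17
RUN addgroup app && adduser -S -G app app
USER app
WORKDIR /app
COPY --chown=app:app package*.json .
RUN npm install
COPY . .
user root
COPY entry.sh \\
     /usr/local/bin/entry.sh
"""

if __name__ == "__main__":
    for no, instr in root_owned_copies(SAMPLE):
        print(f"line {no}: files will be owned by 0:0 -> {instr}")
```

A finding is not always a defect: leaving application files owned by root and only readable by the runtime user keeps the process from modifying its own code, so treat the output as a list of places to decide ownership deliberately.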
