How do I Docker COPY as non root?

Question

While building a Docker image, how do I COPY a file into the image so that the resulting file is owned by a user other than root?

Answer 1

For versions v17.09.0-ce and newer

Use the optional flag --chown=<user>:<group> with either the ADD or COPY commands.

For example

COPY --chown=<user>:<group> <hostPath> <containerPath>

The documentation for the --chown flag is now live on the main Dockerfile Reference page.

Issue 34263 has been merged and is available in release v17.09.0-ce.

---

For versions older than v17.09.0-ce

Docker doesn't support COPY as a user other than root. You need to chown / chmod the file after the COPY command.

Example Dockerfile:

from centos:6
RUN groupadd -r myuser && adduser -r -g myuser myuser
USER myuser
#Install code, configure application, etc...
USER root
COPY run-my-app.sh /usr/local/bin/run-my-app.sh
RUN chown myuser:myuser /usr/local/bin/run-my-app.sh && \
    chmod 744 /usr/local/bin/run-my-app.sh
USER myuser
ENTRYPOINT ["/usr/local/bin/run-my-app.sh"]

Previous to v17.09.0-ce, the Dockerfile Reference for the COPY command said:

All new files and directories are created with a UID and GID of 0.

---

History This feature has been tracked through multiple GitHub issues: 6119, 9943, 13600, 27303, 28499, Issue 30110.

Issue 34263 is the issue that implemented the optional flag functionality and Issue 467 updated the documentation.