Skip to content

Update Best Practices to include note about chown on COPY #2271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update Best Practices to include note about chown on COPY #2271

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
63f6da4
Update Best Practices to include note about chown on COPY
mrjones-plip Aug 21, 2025
5dd52ca
keep it owned by root, add a chmod as well
mrjones-plip Aug 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions docs/BestPractices.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,12 @@ USER 1000 # node

Note that the `node` user is neither a build-time nor a run-time dependency and it can be removed or altered, as long as the functionality of the application you want to add to the container does not depend on it.

Also note that if your image was running as the default `root` user and you're now using user `1000`, you may need to update your `COPY` commands so that the files are fully accessible to the `1000` user. You can use the `chown` and `chmod` flags as seen here for the `node_modules` directory. The call ensures `root` remains the owner, but that the `1000` user can safely read (but not write) the files:

```Dockerfile
COPY --chown=root:root --chmod=755 ./node_modules ./node_modules
Copy link

Copilot AI Oct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The example shows setting ownership to root:root but the explanation states this is for the 1000 user to access files. This is contradictory - if the goal is to give the 1000 user access, the ownership should be --chown=1000:1000 or --chown=node:node, not root:root. Additionally, 755 permissions on node_modules may be overly permissive as it grants execute permissions to all users.

Suggested change
COPY --chown=root:root --chmod=755 ./node_modules ./node_modules
COPY --chown=1000:1000 --chmod=755 ./node_modules ./node_modules

Copilot uses AI. Check for mistakes.

```

If you do not want nor need the user created in this image, you can remove it with the following:

```Dockerfile
Expand Down