Mastodon hachyterm.io

Docker builds containers via layers. All commands add another layer to the already existing image.

What does that mean for changing file permissions via chown or chmod?

Let’s say we build this image:

FROM frolvlad/alpine-miniconda3:python3.7 AS build

## set working directory
WORKDIR /usr/src/app

## copy code
COPY ./code /code
COPY ./notebooks /notebooks

## add non-root user
RUN addgroup --system user && \
          adduser --system -G user user && \
          chown -R user:user /usr/src/app

After copying the code from the host machine to the container, we switch permissions for the working directory from root to user.

The chown command adds another layer to the image without deleting the previous layers.

That means, that the final container image contains both layers. Thus, the size of the container adds the size of both folders: the original working directory for the root user, and the second working directory with permissions for the normal user.

Since Docker 17.09.0-ce(2017-09-26) you can add a flag to the copy command:

COPY --chown=<user>:<group>

This flag avoids the extra layer.

Further Reading