Docker builds containers via layers. All commands add another layer to the already existing image.
What does that mean for changing file permissions via chown
or chmod
?
Let’s say we build this image:
FROM frolvlad/alpine-miniconda3:python3.7 AS build
## set working directory
WORKDIR /usr/src/app
## copy code
COPY ./code /code
COPY ./notebooks /notebooks
## add non-root user
RUN addgroup --system user && \
adduser --system -G user user && \
chown -R user:user /usr/src/app
After copying the code from the host machine to the container, we switch permissions for the working directory from root to user.
The chown
command adds another layer to the image without deleting the previous layers.
That means, that the final container image contains both layers. Thus, the size of the container adds the size of both folders: the original working directory for the root user, and the second working directory with permissions for the normal user.
Since Docker 17.09.0-ce(2017-09-26) you can add a flag to the copy command:
COPY --chown=<user>:<group>
This flag avoids the extra layer.