From 63f6da47f62ad85c8caffe5b676c17e470ea7607 Mon Sep 17 00:00:00 2001 From: mrjones <8253488+mrjones-plip@users.noreply.github.com> Date: Thu, 21 Aug 2025 13:26:20 -0700 Subject: [PATCH 1/2] Update Best Practices to include note about chown on COPY --- docs/BestPractices.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/BestPractices.md b/docs/BestPractices.md index ad6dcc4e9..e65ead15a 100644 --- a/docs/BestPractices.md +++ b/docs/BestPractices.md @@ -115,6 +115,12 @@ USER 1000 # node Note that the `node` user is neither a build-time nor a run-time dependency and it can be removed or altered, as long as the functionality of the application you want to add to the container does not depend on it. +Also note that if your image was running as the default `root` user and you're now using user `1000`, you may need to update your `COPY` commands so that the files are fully accessible to the `1000` user. You can use the `--chown` flag as seen here for the `node_modules` directory: + +```Dockerfile +COPY --chown=1000 ./node_modules ./node_modules +``` + If you do not want nor need the user created in this image, you can remove it with the following: ```Dockerfile From 5dd52cad0a414114ce79568ba3083c0380fbe68e Mon Sep 17 00:00:00 2001 From: mrjones <8253488+mrjones-plip@users.noreply.github.com> Date: Thu, 21 Aug 2025 13:55:49 -0700 Subject: [PATCH 2/2] keep it owned by root, add a chmod as well --- docs/BestPractices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/BestPractices.md b/docs/BestPractices.md index e65ead15a..1c43ee2be 100644 --- a/docs/BestPractices.md +++ b/docs/BestPractices.md 
@@ -115,10 +115,10 @@ USER 1000 # node Note that the `node` user is neither a build-time nor a run-time dependency and it can be removed or altered, as long as the functionality of the application you want to add to the container does not depend on it. -Also note that if your image was running as the default `root` user and you're now using user `1000`, you may need to update your `COPY` commands so that the files are fully accessible to the `1000` user. You can use the `--chown` flag as seen here for the `node_modules` directory: +Also note that if your image was running as the default `root` user and you're now using user `1000`, you may need to update your `COPY` commands so that the files are fully accessible to the `1000` user. You can use the `chown` and `chmod` flags as seen here for the `node_modules` directory. The call ensures `root` remains the owner, but that the `1000` user can safely read (but not write) the files: ```Dockerfile -COPY --chown=1000 ./node_modules ./node_modules +COPY --chown=root:root --chmod=755 ./node_modules ./node_modules ``` If you do not want nor need the user created in this image, you can remove it with the following:
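Review bot: In patch 1/2, the added example `COPY --chown=1000 ./node_modules ./node_modules` makes the runtime user the owner of `node_modules`, so a process running as `1000` can modify its own dependencies. The sentence above it only asks that the files be accessible to `1000`, and read access is enough for that. Suggest keeping the files owned by `root` and granting read and traverse permission instead. Since 2/2 replaces this line, consider squashing the two commits so the `--chown=1000` form does not appear in the history as a recommended practice.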
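Review bot: In patch 2/2, the `--chmod=755` on the new `COPY` line applies to every copied file as well as to directories, so all files under `node_modules` become executable. The text should say so, or suggest fixing source permissions before the build if only directories need the execute bit. The rewritten paragraph also still says the files should be "fully accessible" to `1000`, while its last sentence says read but not write; "readable" would match the example. It refers to the `chown` and `chmod` flags where the example uses `--chown` and `--chmod`. Finally, `COPY` already creates files as UID and GID 0 when `--chown` is omitted, so it is worth saying that `--chown=root:root` is there to be explicit rather than to change ownership.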