Update Best Practices to include note about chown on COPY #2271
Pull Request Overview
Updates the Best Practices documentation to include guidance on file permissions when using the non-root `node` user. This addresses a common issue where users switching from root to the node user encounter permission problems accessing copied files.
- Adds explicit advice about using `chown` and `chmod` flags with `COPY` commands
- Provides a practical example showing how to set appropriate permissions for the `1000` user
- Helps users avoid permission-related issues when implementing the non-root user best practice
| Also note that if your image was running as the default`root` user and you're now using user`1000`, you may need to update your`COPY` commands so that the files are fully accessible to the`1000` user. You can use the`chown` and`chmod` flags as seen here for the`node_modules` directory. The call ensures`root` remains the owner, but that the`1000` user can safely read (but not write) the files: | ||
| ```Dockerfile | ||
| COPY --chown=root:root --chmod=755 ./node_modules ./node_modules |
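Review bot: In the added `COPY` line, `--chmod=755` is applied to every file and directory copied, so each regular file under `node_modules` is also marked executable, while the paragraph above it only promises that the `1000` user can "read (but not write)". Say so in the text, and state that the `1000` user gets its access from the "other" bits (`r-x`) because `root:root` stays the owner, since that is the step readers will question. "The call" would also read more clearly as "This `COPY` instruction".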
Copilot AI, Oct 11, 2025
The example shows setting ownership to `root:root` but the explanation states this is for the `1000` user to access files. This is contradictory - if the goal is to give the `1000` user access, the ownership should be `--chown=1000:1000` or `--chown=node:node`, not `root:root`. Additionally, `755` permissions on `node_modules` may be overly permissive as it grants execute permissions to all users.
| COPY --chown=root:root --chmod=755 ./node_modules ./node_modules | |
| COPY --chown=1000:1000 --chmod=755 ./node_modules ./node_modules |
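Review bot: The replacement line `--chown=1000:1000 --chmod=755` makes the runtime user the owner, and the owner bits of `755` are `rwx`, so the `1000` user could then modify `node_modules`, whereas the paragraph this line belongs to says `root` remains the owner and the user can read "(but not write)". Keep `root:root` here, or change the prose together with the flags if write access is actually intended.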
Description
When implementing the advice on the best practice page, I was struggling to get my code to execute. After some debugging I realized that the `node` user did not have enough permissions to access my files.
Motivation and Context
We should include explicit advice to easily give `node` user access to the files which most users will do via a `COPY` command in their Dockerfile. If they're doing it via a bind mount, the same advice will get them thinking about file permissions.
Testing Details
As this is a docs change, no code tests are done, but I did confirm that the advice I'm adding does indeed work.
Note - I didn't run any of the tests (All new and existing tests passed) as I'm just making an edit to an `.md` file.
Example Output (if appropriate)
Types of changes
Checklist
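Added example, not part of the pull request or the project's documentation: a small model of the POSIX owner/group/other check, showing what a process running as UID 1000 can do with files copied under the flag combinations discussed in this thread. GID 1000 for the `node` user and the last two cases are assumptions constructed for comparison.

```python
import stat

def effective_access(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Return the subset of "rwx" a non-root process gets on a file.

    POSIX selects exactly one class: owner if the UID matches, else group
    if the file's GID is among the process GIDs, else other. The classes
    are not combined, and root (UID 0) is out of scope because it bypasses
    these checks.
    """
    if proc_uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif owner_gid in proc_gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return "".join(ch for ch, bit in zip("rwx", bits) if mode & bit)

# Assumed runtime identity of the `node` user: UID 1000, primary GID 1000.
NODE_UID, NODE_GIDS = 1000, {1000}

# (COPY flags, owner UID, owner GID, mode). The first two appear in the
# thread; the last two are constructed for comparison.
CASES = [
    ("--chown=root:root --chmod=755", 0, 0, 0o755),
    ("--chown=1000:1000 --chmod=755", 1000, 1000, 0o755),
    ("--chown=root:1000 --chmod=750", 0, 1000, 0o750),
    ("--chown=root:root --chmod=700", 0, 0, 0o700),
]

def audit(cases=CASES):
    """Map each flag combination to the access UID 1000 ends up with."""
    return {
        flags: effective_access(mode, uid, gid, NODE_UID, NODE_GIDS)
        for flags, uid, gid, mode in cases
    }

if __name__ == "__main__":
    for flags, access in audit().items():
        verdict = "writable by runtime user" if "w" in access else "not writable"
        print(f"COPY {flags:32} -> {access or 'none':4} ({verdict})")
```
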