Docker Copy and change owner

3

145

Given the following Dockerfile

FROM ubuntu
RUN groupadd mygroup
RUN useradd -ms /bin/bash -G mygroup john
RUN mkdir /data
COPY test/ /data/test
RUN chown -R john:mygroup /data
CMD /bin/bash

In my test directory, which is copied, I have set the file permissions to 770.

If I do a su john inside my container, I cannot access any of the files or subdirectories in my test directory. It seems this problem is related to the ownership in the aufs filesystem, where the copied directory still is owned by root and permissions are set to 770.

Is there a workaround for this problem to set the permissions correctly? One could be to set the permissions of the original directory to the uid of the container user before copying it. But this seems more like a hack.

Fulmis answered 5/3, 2015 at 13:49 Comment(2)
before the COPY and the MKDIR I think you should have a USER john - Trent
Perhaps this could work, but I would have to create the complete directory structure which is copied and so this is not acceptable. - Fulmis
10

I think I found a solution, which works. Using a data volume container will do the trick. First I create the Data Volume Container, which contains the copy of my external directory:

FROM busybox
RUN mkdir /data
VOLUME /data
COPY /test /data/test
CMD /bin/sh

In my application container, where I have my users, which could look something like this

FROM ubuntu
RUN groupadd mygroup
RUN useradd -ms /bin/bash -G mygroup john
COPY setpermissions.sh /root/setpermissions.sh
CMD /root/setpermissions.sh && /bin/bash

The setpermissions script does the job of setting the user permissions:

#!/bin/bash

if [ ! -e /data/.bootstrapped ] ; then
  chown -R john:mygroup /data
  touch /data/.bootstrapped
fi

Now I just have to use the --volumes-from <myDataContainerId> when running the application container.

Fulmis answered 6/3, 2015 at 7:58 Comment(2)
This is just the same you had before. You should consider accepting the other answer as correct. It uses an official docker flag for it without scripting. - Antisyphilitic
Please consider accepting the other answer to also help other people! Additionally, you probably should just do RUN <fullpath_of_setpermissions.sh> in your Dockerfile - Westberry
345

A --chown flag has finally been added to COPY:

COPY --chown=patrick hostPath containerPath

This new syntax seems to work on Docker 17.09.

See the PR for more information.

Cheddite answered 3/10, 2017 at 8:46 Comment(5)
for me it worked with --chown=user:group, I had that user and group created in container - Rockwell
Thanks for that comment, I used the normal user.group syntax and it didn't work, glad I stumbled across this. - Ambuscade
@Ambuscade Where is user.group the "normal" syntax? A . is usually accepted as part of a username, so I'm a bit suspicious/curious on why one would use it as a separator... - Axiom
In docker version: 19.03.9, even ADD --chown=user:group or UID:GID works well. - Roll
For whatever it's worth, user.group used to be common. I can't give you a reference but I think it might have been used in Sun's YP. Anyway, the "normal" format changed from user.group to user:group at some point, but as is the nature of these things, both formats frequently work, it's not surprising that someone who's been around a while might get tricked. - Spinner
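
The question's image rebuilt around the --chown flag from the answer above, as an added example that is not part of any original post. It assumes the build context contains a test/ directory and reuses the john and mygroup names from the question.

```dockerfile
# Added example. Assumes a test/ directory exists in the build context.
FROM ubuntu

# Create the group and user before COPY: names passed to --chown are looked
# up in the image's /etc/passwd and /etc/group. Numeric UID:GID values, as
# mentioned in the comments, do not need the account to exist.
RUN groupadd mygroup \
 && useradd -ms /bin/bash -G mygroup john

# Ownership is applied while the files are written into the layer, so no
# follow-up "RUN chown -R" layer (which stores a second copy of every file
# it touches) is needed.
COPY --chown=john:mygroup test/ /data/test/

# Drop root for everything that follows, including the running container.
USER john

# Build-time check, run as john: fail the build if anything under /data/test
# is not owned by john.
RUN test -z "$(find /data/test ! -user john)"

CMD ["/bin/bash"]
```

With the 770 mode from the question, john (owner) and members of mygroup can read the tree, while other users in the container cannot.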
1

Docker Copy and change owner (for Windows Container)

FROM mcr.microsoft.com/windows/servercore:ltsc2019
WORKDIR /src
COPY . /src 
RUN takeown /F . /d Y /r

For other user as owner, add /u <username>. For more detail see reference below.

Reference:

  1. takeown
Robert answered 12/4, 2023 at 10:14 Comment(4)
I'm adding the answer here, even though the question example given is in Linux Ubuntu, because most Windows users who are Googling for something Windows-specific will eventually land here first. - Robert
to suppress the takeown output you can use RUN takeown /f . /d Y /r >nul - Robert
to suppress the takeown output & error you can use RUN takeown /f . /d Y /r >nul 2>nul - Robert
FTR chown creates HUGE layers last I checked - Brachypterous
