4.2.3.4 COPY Ownership Flags

A focused guide to COPY Ownership Flags, connecting core concepts with practical Docker and container operations.

COPY ownership flags let a Dockerfile set the user and group ownership of copied files at the moment they are copied into the image, avoiding the need for a separate RUN chown instruction afterward.

Setting Ownership During Copy

The --chown flag specifies the user and group that copied files should be owned by, applied as part of the same instruction that copies them.

COPY --chown=node:node . /app

This copies the application source into the image with ownership already set to the node user and group, rather than defaulting to root ownership.

Why This Matters for Non-Root Containers

When a container is configured to run as a non-root user for security reasons, that user needs appropriate ownership or permissions on the files it will read or write. Using --chown during COPY ensures this is correct from the moment the files exist in the image, without an additional layer just for fixing ownership.

RUN useradd --create-home appuser
COPY --chown=appuser:appuser . /app
USER appuser

Avoiding an Extra Layer for Ownership Changes

Without --chown, achieving the same result requires a separate RUN chown instruction. That adds a layer and, because of how layers work, can double the size the affected files contribute to the image's layer history: the chown layer stores its own copy of each file whose ownership changed, on top of the copy already in the COPY layer.

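# First approach: COPY, then a separate chown layer
COPY . /app
RUN chown -R appuser:appuser /app

# Second approach: ownership set during the copy
COPY --chown=appuser:appuser . /app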

The second approach achieves the same final ownership in a single layer, without the redundant intermediate step.
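A small Dockerfile check for the two situations described above, as an added example that is not part of the original guide: it flags a RUN chown that re-owns files from an earlier COPY, and, when the final stage switches to a non-root USER, lists COPY destinations left owned by root. It assumes shell-form instructions with absolute destination paths; the sample Dockerfile and all function names are constructed for illustration.

```python
import re
# Constructed sample Dockerfile for this example (shell-form instructions only).
SAMPLE = """\
FROM node:20
COPY . /app
RUN chown -R node:node /app
COPY --chown=node:node config/ /data/config/
COPY entrypoint.sh /usr/local/bin/
USER node
"""
CHOWN_RE = re.compile(r"\bchown\s+(?:-\S+\s+)*(\S+)\s+(/\S*)")

def instructions(text):
    """Yield (first_line_number, instruction), joining '\\' continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            start, buf = start or n, buf + line.rstrip("\\") + " "
            if not line.endswith("\\"):
                yield start, buf.strip()
                buf, start = "", 0

def under(path, root):  # True if path equals root or lies beneath it
    path, root = path.rstrip("/"), root.rstrip("/")
    return path == root or path.startswith(root + "/")

def audit(text):
    """Return sorted (line, code, detail) findings for the final build stage."""
    copies, findings, user = [], [], "root"
    for n, ins in instructions(text):
        op, _, rest = ins.partition(" ")
        op = op.upper()
        if op == "FROM":  # a new stage starts with fresh ownership state
            copies, findings, user = [], [], "root"
        elif op in ("COPY", "ADD"):
            copies.append({"line": n, "dest": rest.split()[-1],
                           "owned": "--chown=" in rest})
        elif op == "USER":
            user = rest.strip()
        elif op == "RUN":
            for owner, target in CHOWN_RE.findall(rest):
                for c in copies:
                    if not c["owned"] and under(c["dest"], target):
                        c["owned"] = True  # ownership fixed, but in a second layer
                        findings.append((n, "extra-layer",
                            f"COPY on line {c['line']}: use --chown={owner}"))
    if user.split(":")[0] not in ("root", "0"):  # final stage runs as non-root
        findings += [(c["line"], "root-owned", c["dest"]) for c in copies if not c["owned"]]
    return sorted(findings)
```

A root-owned finding is a prompt to review, not necessarily a defect: files the process only reads can stay owned by root, which also keeps the runtime user from modifying them.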

Specifying Ownership by Name or Numeric ID

Ownership can be specified either by username and group name, or by their corresponding numeric IDs. Names are translated using the /etc/passwd and /etc/group files inside the image, so numeric IDs are useful when the target user does not yet exist by name at the point the instruction runs.

COPY --chown=1000:1000 . /app

Why COPY Ownership Flags Matter

The --chown flag is a small but meaningful convenience that directly supports the broader security practice of running containers as non-root users, by making correct file ownership a natural part of copying files rather than an easily forgotten follow-up step.