2

I am new to multistage builds and using chown -R appuser:appuser /app

# Copy the virtual environment
COPY --from=builder --chown=appuser:appuser ${VIRTUAL_ENV} ${VIRTUAL_ENV}

# Copy application code
COPY --from=builder --chown=appuser:appuser /app /app

vs

# Copy the virtual environment
COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}

# Copy application code
COPY --from=builder /app /app

RUN chown -R appuser:appuser /app

There is a difference of 4GB. am i missing something here? The first approach uses close to 16GB while the second only uses 20GB

Improve this question
1
  • (Do you need to chown the files at all? Or can you leave your application code owned by root, world-readable but not writable?) Commented Apr 27, 2024 at 10:47

1 Answer 1

Reset to default
4

The difference in disk usage between the two methods you mentioned is due to the way Docker handles filesystem layers and permissions changes. In Docker, each RUN, COPY, ADD(etc.) command creates a new layer. Changing file permissions with a separate RUN chown command leads to an additional layer that essentially duplicates the data but with different permissions. This can double the size impact of the files and directories whose permissions were changed, which is likely why you see an additional 4GB in the first method.

To break it down better, let’s look at both methods you used.

  1. First Approach (Inline chown with COPY):

    • When you use --chown=appuser:appuser directly in the COPY command, Docker applies the ownership change at the time of copying the files into the image. This means the files are written to the image with the final ownership already set, which avoids creating additional layers.

  2. Second Approach (Separate chown command):

    • In this approach, files are first copied with the default root ownership and then the ownership is changed in a separate step using the RUN chown -R appuser:appuser /app command. This creates at least two layers: one for the copied files and another for the permission changes.

I hope this helps.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

the problem describes the opposite, chown is creating smaller docker image
The difference between both scenarios is that one changes the user using COPY, while the latter approach uses RUN, which is what I mentioned. Both approaches use chown, just at separate layers.
I mean that @aceminer complains about the fact that the final image with RUN chown is smaller than COPY --chown. Which is not the case in your answer
@ShadiNaif It was my typo. helpinghand was right
thank you for correcting the post aceminer , it was confusing! +1 to @helpinghand

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.