Hi @nelson,
I found another option. Maybe this would work if you set the permissions in your runtime container: https://github.com/docker/compose/issues/3270#issuecomment-206214034
So something like:
FROM golang:1.12-alpine as builder
RUN apk add --no-cache ca-certificates git
# Create the user and group files that will be used in the running container to
# run the process as an unprivileged user.
RUN mkdir /user && \
echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
echo 'nobody:x:65534:' > /user/group
# Add source code.
WORKDIR /src
COPY main.go .
RUN go mod init example-app && go mod vendor
RUN CGO_ENABLED=0 GOOS=linux GOARCH=arm go build -mod=vendor -a -ldflags="-s -w" -o /app .
# create final image
FROM scratch as final
COPY --from=builder /user/group /user/passwd /etc/
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /app /app
RUN mkdir /data
RUN chown nobody:nobody /data
USER nobody:nobody
ENTRYPOINT ["/app"]
I have not tested this on a balena device, but maybe this works. I think it would be important, that the named volume is newly created.