Adding user to dialout group in Docker build (Permission denied opening serial port in Docker container)?

My app runs with user vapor, who I create and add to the dialout group in my Dockerfile like this:

RUN useradd --user-group --groups dialout --create-home --system --skel /dev/null --home-dir /app vapor

I run the image with

# docker run --env SERIAL_PORT=/dev/serial0 --device=/dev/serial0:/dev/serial0 -v /home/pi/data:/data -ti -p 8080:8080 myimage

Unfortunately, when I try to open the serial port, I get a permission denied error. At first I thought it was because the serial port is owned by root:dialout, which is why I added the user to the dialout group.

But oddly, if I log into the container and show my groups, I don’t get the dialout group:

# docker exec -ti 02b9c8309d4b bash

$ groups


But if I log in as root and show the groups for vapor, it does have the group:

# docker exec -ti -u 0 02b9c8309d4b bash

root@02b9c8309d4b:/app# groups vapor

vapor : vapor dialout

Lastly, if I try to use --privileged instead of --device, I get ENOENT (not found) instead (/dev/serial0 doesn’t exist). If I try using /dev/ttyAMA0 or /dev/ttyS0 and --privileged, I still get Permission Denied.

Needless to say, I’m very confused about what’s going on. The host is Raspbian bullseye. Note that the serial port is not a USB device, it’s the main Raspberry Pi 4 serial port (I have an RS-485 HAT that connects to it).

How do I give the user running my app membership in a group?

I found --group-add, which seems to do the trick, although I’m not sure why I can’t add the group to the user in the docker build.
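Added example, not part of the original post: `groups` with no argument reports the groups the calling process holds, while `groups vapor` reads the account database, so the two commands in the post answer different questions. This sketch makes the same comparison against the group that owns the device node; the function names are made up for illustration, and it checks group membership only, not the node's permission bits.

```shell
#!/bin/sh
# Added diagnostic sketch (function names are hypothetical, not from the post).
# Run inside the container as the application user.

# Numeric GIDs held by the current process; the kernel checks these on open().
process_gids() { id -G; }

# Numeric GIDs the account database (/etc/passwd, /etc/group) lists for a user.
database_gids() { id -G "$1"; }

# Numeric GID that owns a path, e.g. the serial device node.
owner_gid() { stat -c '%g' "$1"; }

# Succeeds if the GID in $1 appears in the space-separated list in $2.
gid_in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one of:
#   ok                  the process holds the device's group
#   missing-in-process  the database lists the group, the process lacks it
#   missing-everywhere  the user is not in the device's group at all
# Returns 2 if the device path cannot be examined.
check_device_group() {
    dev=$1
    user=$2
    gid=$(owner_gid "$dev") || return 2
    if gid_in_list "$gid" "$(process_gids)"; then
        echo ok
    elif gid_in_list "$gid" "$(database_gids "$user")"; then
        echo missing-in-process
    else
        echo missing-everywhere
    fi
}

# Usage, with the device and user named in the post:
#   check_device_group "${SERIAL_PORT:-/dev/serial0}" vapor
```

A result of `missing-in-process` matches what the post shows: `groups vapor` lists dialout but the running shell does not hold it, which is the gap `--group-add` on `docker run` closes.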