diff --git a/deploy/prod/Dockerfile.slim b/deploy/prod/Dockerfile.slim
index 6b212cc..c5be894 100644
--- a/deploy/prod/Dockerfile.slim
+++ b/deploy/prod/Dockerfile.slim
@@ -46,7 +46,15 @@ RUN apk add --no-cache ca-certificates tzdata
 # Run as unprivileged user by default. Operators can override with --user root
 # if they need to bind privileged ports (shouldn't be necessary behind Caddy).
-RUN addgroup -S dchain && adduser -S -G dchain dchain
+#
+# IMPORTANT: /data must exist + be owned by dchain BEFORE the VOLUME
+# directive. Docker copies the directory ownership of the mount point
+# into any fresh named volume at first-attach time; skip this and
+# operators get "mkdir: permission denied" when the node tries to
+# create /data/chain as the dchain user.
+RUN addgroup -S dchain && adduser -S -G dchain dchain \
+ && mkdir -p /data \
+ && chown dchain:dchain /data
 COPY --from=builder /bin/node /usr/local/bin/node
 COPY --from=builder /bin/client /usr/local/bin/client
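Review bot: The account in the new `RUN` still takes whatever UID/GID the base image allocates (`addgroup -S` / `adduser -S` with no explicit id), and this change makes that number load-bearing: the ownership seeded into a named volume at first attach is numeric, so a rebuild on a base image that allocates a different id would leave existing volumes owned by another uid and bring the "permission denied" back. Pinning the ids keeps old volumes usable and lets an orchestrator enforce a numeric non-root user, for example (ids are sample values) `addgroup -S -g 10001 dchain && adduser -S -u 10001 -G dchain dchain`. The new comment could also state that the ownership copy applies only to fresh, empty named volumes, so bind mounts and volumes created by earlier images still need a manual `chown`. If /data holds key material, consider adding `&& chmod 0700 /data` in the same layer, since `mkdir -p` under the usual umask leaves the directory world-readable. The `VOLUME` and `USER` directives are outside this hunk, so their position relative to this `RUN` needs checking in the full file.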