What user, group to use in a docker image (if not the default root)?

I've read that it is best if the root (0) user is not used to run the app inside a container.

I can specify a user in the Dockerfile using the USER instruction while creating the image.

Do I just choose something random and hope it does not already exist on the host machine?

Will it be the same user with the same groups as if it was on the host machine?
(What is the relationship between the user inside the container and outside on the host?)

Should I just always leave the USER as a parameter (ARG)?


Do I just choose something random and hope it does not already exist on the host machine?

You don't particularly care if it exists on the host machine or not. From the perspective of things running inside the container, the host machine doesn't exist. From the perspective of the host machine, files owned by the container may have odd user and group names associated with them, but that's okay, and that's why everything is isolated inside the Docker storage area.

Will it be the same user with the same groups as if it was on the host machine? (What is the relationship between the user inside the container and outside on the host?)

Users in the container have no relation to users on the host. Inside a container there is a unique /etc/{passwd, groups, etc} that is distinct from those on the host. User id 1000 on the host may be "bob" but inside the container may be "apache".

Should I just always leave the USER as a parameter (ARG)?

Unless your image is meant to somehow integrate with filesystems on the host, which is not a usual use case, there's no reason to make this a build argument. Just pick a UID and use it.

It's always possible for someone to change the UID under which a container is running with the --user (-u) argument to docker run.
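A Dockerfile that follows the advice above (pick a fixed UID, create the account inside the image, switch to it with USER). This is an added example, not code from the question or the answer; the user name `app`, the UID/GID 10001, the base image and the `/app/run.sh` entrypoint are all assumptions made for the illustration.

```dockerfile
# Added example: run the application as a fixed, non-root user.
# The UID/GID 10001 is an arbitrary choice for this image; it only has to be
# unique inside the container's own /etc/passwd and /etc/group and need not
# match any account on the host.
FROM debian:bookworm-slim

# Create the group and user with explicit numeric ids so they are stable across
# rebuilds and across base-image updates. No login shell, no password.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 \
            --create-home --home-dir /home/app \
            --shell /usr/sbin/nologin app

WORKDIR /app
# Hand the unprivileged user ownership of the files it actually needs and
# nothing else; everything outside /app stays root-owned and read-only to it.
COPY --chown=app:app ./app /app

# Every following instruction and the container's main process run as this
# user instead of root (uid 0).
USER app

# Hypothetical entrypoint script shipped in ./app.
CMD ["/app/run.sh"]
```

After building, `docker run --rm <image> id` prints `uid=10001(app) gid=10001(app)`, regardless of which host account (if any) owns UID 10001. As the answer notes, `docker run --user 0 <image>` or `--user 20000:20000` overrides the USER instruction at run time; if the chosen id has no entry in the image's /etc/passwd the process still runs, it just has no user name attached to it.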