Having gone through the process of taking a medium-complexity service (Django web app with nginx on an Ubuntu host) and getting it to run as a non-root user, I ran into many permission issues (apt install, binding to ports below 1024, volumes, secrets). Having resolved all of them by adding specific UID and GID values inside my Dockerfiles and using many RUN chown commands has cost portability. I can no longer just use a command to start the service; I need to first modify the Dockerfiles and rebuild, which is quite ugly.
Is there any future feature work (for Linux) that would address making it easier to run a container as non-root, specifically changing the owner of files under a volume mount, copied files, etc.? I understand some things would not be possible (e.g. nginx binding to system ports). But it would be great if a host user that had an ACLed-down directory could easily run Docker containers with maybe a single RUN_AS directive in the Dockerfile.
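One way to keep a non-root Dockerfile portable without editing it per host, as an added example that is not part of the post above: take the UID/GID as build arguments and use `COPY --chown`, so a different host user only changes the build command. The base image, the `./app` directory, the `/data` mount point and port 8080 are assumptions.

```dockerfile
# Added example (not from the original post). The runtime UID/GID come in as
# build arguments, so rebuilding for another host user is:
#   docker build --build-arg APP_UID=$(id -u) --build-arg APP_GID=$(id -g) .
# Assumed: app source in ./app, listens on 8080, persistent data under /data.
FROM ubuntu:22.04

ARG APP_UID=1000
ARG APP_GID=1000

# Package installation still runs as root at build time; the switch to the
# unprivileged account happens only after everything is installed.
RUN apt-get update && apt-get install -y --no-install-recommends \
        python3 \
    && rm -rf /var/lib/apt/lists/*

# Create the group and user with the requested numeric ids so files written
# to a bind-mounted host directory are owned by the matching host account.
RUN groupadd --gid "${APP_GID}" app \
    && useradd --uid "${APP_UID}" --gid "${APP_GID}" \
               --create-home --shell /usr/sbin/nologin app

# Copy as the target user in one step instead of a separate RUN chown layer.
COPY --chown=app:app ./app /srv/app

# Ownership set here applies only to the image's copy of /data; a bind mount
# keeps the host directory's ownership, which is why APP_UID must match the
# host user rather than being hard-coded.
RUN mkdir -p /data && chown app:app /data
VOLUME /data

# For a binary that must bind a port below 1024 (e.g. nginx), grant just that
# capability to the file instead of running the whole container as root:
#   RUN apt-get install -y libcap2-bin && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx

USER app
WORKDIR /srv/app
EXPOSE 8080
CMD ["python3", "-m", "http.server", "8080"]
```

At run time the same image can also be started under a different account with `docker run --user UID:GID`, but then files the image created for the build-time user will not be writable, so the build-argument approach is the one that keeps volume ownership consistent.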