I can run docker by using sudo but that is not ideal.

Have created docker group and added my user to it.

uid=1000(tom) gid=1001(docker) groups=1001(docker)

The following does not work:

docker run -u $(id -u):$(id -g) tensorflow/tensorflow bash

The following does work:

sudo docker run -u tensorflow/tensorflow bash

Okay, I misunderstood the question first. But your second example is wrong and that confused me.
If the docker group doesn’t work that could mean you have to log out and log in again. Or your system does not use that group. Who is the owner of the socket? Have you checked it?

This is related to the uid:gid used when running a container. It only works for the first USER instruction declared in the Dockerfile. Though, it this is not related to the wether a shell user is allowed to run a container.

Seems like you are looking for this convient way to use the docker cli as unprivilged user: Linux post-installation steps for Docker Engine | Docker Docs

Warning: the docker engine alway runs with root privilges (unless you specificly use rootless-docker), as such everyone able to execute docker commands is able to run a container that could be used to alter files from the host!

I am trying to understand what you wrote. Are you saying that setting userid from command line doesn’t work when you have a USER instruction in the Dockerfile? It should work. I tried it and it works.

Good catch, for the scope of this post it does not depend wether a USER instruction was declared in a Docerfile or not: technicaly my statement is incorrect

Recently we had a post that used it without the USER instructions and the effects it has. Just because something is technical possible doesn’t necessarily mean that it’s usefull.