Assign unique uids to containers
Right now every container runs as root. For various reasons we can't currently use uid remapping (Docker's --userns-remap, which relies on user namespaces), so we need a solution that allows us to:
- automatically generate users (per-service) to run containers as
- make it so you don't have to know the user id at container build time (so container images can be reused)
If we dynamically generate a user for each container, we can control access to filesystem data through group membership: for instance, we already have a service-credentials user for internal credentials, and we could add a service-data user for other types of data. Ansible can manage this part easily.
We can then pass docker run --user <uid>:<gid> to set the user the container runs as at runtime, plus --group-add for any supplementary groups (such as the data group). Two things to watch: the uid does not need an /etc/passwd entry inside the image, but some software misbehaves when it cannot resolve its own uid (no home directory, getpwuid failures), so set HOME explicitly; and anything bind-mounted into the container must be owned by, or group-accessible to, that uid/gid on the host.
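As an added example (not code from this ticket or the project's Ansible), here is the host-side procedure end to end: create a system account per service, put it in the shared data group, look the ids up at run time, and hand them to docker run. The account naming (svc-<service>), the group name (service-data, overridable via DATA_GROUP) and the nologin path are assumptions; nothing touches the system unless the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example, not part of the original ticket.
# Assumed conventions: one host account "svc-<service>" per service, a shared
# "service-data" group, and a Debian-style /usr/sbin/nologin shell.
set -eu

DATA_GROUP="${DATA_GROUP:-service-data}"   # assumption: group owning shared data

# Build the docker run flags for a container that must run as uid:gid with the
# data group as a supplementary group. Pure function: takes numbers, prints flags.
user_flags() {
    uid="$1"; gid="$2"; data_gid="$3"
    printf -- '--user %s:%s --group-add %s' "$uid" "$gid" "$data_gid"
}

# Resolve the ids from the host at run time, so the image never needs to know them.
user_flags_for() {
    svc="$1"
    acct="svc-$svc"
    user_flags "$(id -u "$acct")" "$(id -g "$acct")" \
               "$(getent group "$DATA_GROUP" | cut -d: -f3)"
}

# Idempotent: create the data group and the per-service system account only if
# they are missing, so the same script (or an Ansible task) can run repeatedly.
ensure_service_user() {
    svc="$1"
    acct="svc-$svc"
    getent group "$DATA_GROUP" >/dev/null || groupadd --system "$DATA_GROUP"
    id "$acct" >/dev/null 2>&1 || \
        useradd --system --no-create-home --shell /usr/sbin/nologin \
                --groups "$DATA_GROUP" "$acct"
}

# Run an image as the service user. The image probably has no passwd entry for
# this uid, so HOME is set explicitly instead of letting software fall back to "/".
run_as_service() {
    svc="$1"; image="$2"; shift 2
    # shellcheck disable=SC2046  # the flags are intentionally word-split
    docker run --rm $(user_flags_for "$svc") -e HOME=/tmp "$image" "$@"
}

# Self-check after deployment: the uid seen inside the container must equal the
# host account's uid, i.e. the container really dropped root.
verify_not_root() {
    svc="$1"; image="$2"
    [ "$(run_as_service "$svc" "$image" id -u)" = "$(id -u "svc-$svc")" ]
}

case "${1:-}" in
    apply) ensure_service_user "${2:?service name}"
           run_as_service "$2" "${3:?image}" id
           verify_not_root "$2" "$3" && echo "ok: $2 runs as $(id -u "svc-$2")" ;;
    *)     ;;   # sourced or run without arguments: only define the functions
esac
```

Run `sh assign-uid.sh apply web alpine` on a host to create svc-web, start the image as that user and confirm the uid inside matches. Because the ids are read from the host each time, the same image can be started for any service without a rebuild; only the host-side account and the ownership of any bind-mounted data change.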