AWX docker containers running as non-root

Having followed the docker install instructions, I notice that although the postgres and memcached containers are running as non-root, the awx_web and awx_task containers are running as root.

I am pretty new to docker but my understanding is that following the principle of least privilege, it is not desirable to run containers as root.

How would I go about changing this so that awx_task and awx_web containers run as specific non-root users? Is this something that I can configure in the inventory?

I tried creating a user awx_web in the host, and then edited the awx installer file “standalone.yml”, changing “user: root” to “user: awx_web”, and then ran install.yml, but I get:

TASK [local_docker : Activate AWX Web Container] **************************************************************************************************************************************
[WARNING]: Non-string value found for env option. Ambiguous env options should be wrapped in quotes to avoid YAML parsing. This will become an error in Ansible 2.8. Key:
DATABASE_PORT; value will be treated as: 5432

fatal: [localhost]: FAILED! => {“changed”: false, “msg”: “Error starting container 1fee59dbdc78e950b68f147278e62dc73f138f020b7861ddbe2593ca7de51f7e: 500 Server Error: Internal Server Error ("linux spec user: unable to find user awx_web: no matching entries in passwd file")”}

It seems like the container doesn’t know of any user “awx-web”. You can try adding the user to the container (you’d have to modify the Dockerfile and rebuild the images) as in https://stackoverflow.com/questions/27701930/add-user-to-docker-container and then changing the user in the standalone.yml file.

But I don’t know if this will break anything internally because it is owned by root but is being run as another user.

Can you post your inventory file? With what user did you run the install.yml playbook? Is that user in the docker group?
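
The "unable to find user awx_web" error in the question arises because the "user:" value is looked up in the container image's own /etc/passwd, so creating the account on the host has no effect. The following is an added example, not part of the original thread or the AWX installer: a simplified Python model of that lookup. The passwd content and function names are constructed for illustration, and group names (which would need /etc/group) are left out.

```python
# Simplified model of how a container "user:" value is resolved.
# SAMPLE_IMAGE_PASSWD is constructed sample data, not a real AWX image's file.
SAMPLE_IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

def parse_passwd(text):
    """Return (name, uid, gid) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip blank, comment or malformed lines
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries

def resolve_user(spec, passwd_text):
    """Resolve 'user' or 'user:gid' against the image's passwd content.

    Returns (uid, gid, has_passwd_entry). A name must exist in the image;
    a numeric UID is accepted even without an entry (gid then defaults to 0).
    """
    user, _, group = spec.partition(":")
    match = None
    for name, uid, gid in parse_passwd(passwd_text):
        if name == user or (user.isdigit() and uid == int(user)):
            match = (uid, gid)
            break
    if match:
        uid, gid = match
    elif user.isdigit():
        uid, gid = int(user), 0  # no home, no name, primary group root
    else:
        raise LookupError(
            f"unable to find user {user}: no matching entries in passwd file")
    if group:
        if not group.isdigit():
            raise ValueError("group names need /etc/group; not modelled here")
        gid = int(group)
    return uid, gid, match is not None

if __name__ == "__main__":
    for spec in ("root", "awx_web", "1000", "1000:1000"):
        try:
            print(spec, "->", resolve_user(spec, SAMPLE_IMAGE_PASSWD))
        except LookupError as err:
            print(spec, "->", err)
```

A numeric UID starts without a rebuilt image, but files inside the image that are owned by root stay owned by root, which is the concern raised in the reply above.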