We currently call the entrypoint script with gosu/sudo so we can do some first-run commands. However, it would be much better for our customers in high-security environments if we could make the container run entirely non-root. This will require pulling all the setup commands out of the entrypoint script and into Dockerfile and setting an explicit USER directive. If it's not possible to be completely non-root, we need to restrict root access as much as possible.