diff --git a/Dockerfile b/Dockerfile
index 3b4206a93..35ecd4f20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,16 @@ FROM opendevorg/python-base as nodepool
 
 COPY --from=builder /output/ /output
 RUN /output/install-from-bindep
+
+### Containers should NOT run as root as a good practice
+RUN chmod g=u /etc/passwd
+ENV APP_ROOT=/var/lib/nodepool
+ENV HOME=${APP_ROOT}
+ENV USER_NAME=nodepool
+USER 10001
+COPY tools/uid_entrypoint.sh /uid_entrypoint
+ENTRYPOINT ["/uid_entrypoint"]
+
 CMD ["/usr/local/bin/nodepool"]
 
 FROM nodepool as nodepool-launcher
diff --git a/tools/uid_entrypoint.sh b/tools/uid_entrypoint.sh
new file mode 100755
index 000000000..1f8acc23b
--- /dev/null
+++ b/tools/uid_entrypoint.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if ! whoami 2>&1 /dev/null; then
+if [ -w /etc/passwd ]; then
+echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+fi
+fi
+exec dumb-init "$@"
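Review bot: `RUN chmod g=u /etc/passwd` leaves the account database writable by every process in the root group, which is the group an arbitrary UID with no passwd entry runs as, so any code in the container, not only the entrypoint, can append or alter identity entries; this is the trade-off the arbitrary-UID pattern accepts and it deserves a why-comment next to the chmod, e.g. `# Group-writable (gid 0 at runtime) so /uid_entrypoint can add a passwd entry for an arbitrary, platform-assigned UID`. The hunk also sets `HOME=/var/lib/nodepool` while nothing visible here creates that directory or makes it writable by UID 10001; unless the bindep install step already does, anything that writes under $HOME will fail at runtime, so consider `RUN mkdir -p ${APP_ROOT} && chgrp 0 ${APP_ROOT} && chmod g=u ${APP_ROOT}` before the `USER` line. The later `FROM nodepool as nodepool-launcher` stage inherits `USER 10001` and the new ENTRYPOINT, so its own CMD will also run unprivileged through the wrapper, presumably as intended.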
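Review bot: The guard `if ! whoami 2>&1 /dev/null; then` is miswritten: `2>&1 /dev/null` redirects stderr to stdout and then passes `/dev/null` to whoami as an operand, so whoami fails with an extra-operand error on every run regardless of whether the UID resolves, the error text goes to stdout, and a new passwd line is appended on every container start while /etc/passwd is writable, accumulating duplicate entries across restarts. The intended form is `if ! whoami >/dev/null 2>&1; then`. The script also assumes `dumb-init` exists in the runtime image; nothing in this diff installs it, so it presumably comes from the base image, which is worth confirming since a missing binary would make every container fail at exec.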