🐳 Docker Beginner

What is the USER instruction in Dockerfile?

Why Interviewers Ask This

Foundational questions like this help interviewers calibrate the rest of the interview. A confident, accurate answer signals that you have solid Docker basics — a prerequisite for any developer role.

Answer

The USER instruction sets the user (and optionally group) that the container runs as for subsequent RUN, CMD, and ENTRYPOINT instructions. By default, containers run as root — a significant security risk. If a vulnerability in the app allows code execution, running as root gives full container access and potentially host access (with certain misconfigurations). Best practice: always create a non-root user and use USER to switch to it before CMD/ENTRYPOINT.

Example:

```dockerfile
FROM node:20-alpine
WORKDIR /app
# Install deps as root
COPY package*.json ./
RUN npm ci --only=production
COPY . .
# Create and switch to non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
RUN chown -R appuser:appgroup /app
USER appuser
EXPOSE 3000
CMD ["node", "app.js"]
```

The node Docker image comes with a pre-created node user — you can simply use USER node.

Syntax: USER username or USER username:group or use numeric IDs: USER 1000:1000 (preferred in Kubernetes for security contexts).

Some operations (binding to ports below 1024) require root — use cap_add or run on a port ≥ 1024 instead.
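A review check for the best practice above, as an added example that is not part of the original answer: it reports which USER is in effect at the end of the final build stage, so a Dockerfile that would start CMD/ENTRYPOINT as root can be flagged. The function names and sample Dockerfiles are constructed for illustration, and the check assumes a stage with no USER runs as root.

```python
ROOT_NAMES = {"root", "0"}

def logical_lines(text):
    """Yield instructions with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def final_user(text):
    """Return the USER in effect at the end of the last build stage."""
    # Assumption: no USER means root; a user set inside the base image is not visible here.
    stages, user, alias = {}, "root", None
    for ins in logical_lines(text):
        parts = ins.split()
        op = parts[0].upper()
        if op == "FROM":
            if alias:
                stages[alias] = user  # remember how the previous named stage ended
            args = [p for p in parts[1:] if not p.startswith("--")]
            user = stages.get(args[0].lower(), "root")  # FROM <stage> inherits its USER
            alias = args[2].lower() if len(args) >= 3 and args[1].upper() == "AS" else None
        elif op == "USER" and len(parts) > 1:
            user = parts[1]
    return user

def runs_as_root(text):
    """True when the final stage ends as root, by name or by UID 0."""
    return final_user(text).split(":")[0] in ROOT_NAMES

# Constructed sample inputs.
HARDENED = """FROM node:20-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
CMD ["node", "app.js"]
"""
MULTISTAGE = """FROM node:20-alpine AS build
USER node
FROM node:20-alpine
CMD ["node", "app.js"]
"""
if __name__ == "__main__":
    print({n: final_user(d) for n, d in (("hardened", HARDENED), ("multistage", MULTISTAGE))})
```

The multi-stage sample shows the case that is easy to miss: USER set in the build stage does not carry into a final stage that starts from a fresh base image.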

Pro Tip

Back up your answer with a specific project or situation. Saying 'In my last Docker project, I used this when...' immediately makes your answer more credible and memorable.