Currently, mediawiki-containers runs each container as root. The mariadb container then starts mariadb as the mysql user inside the container, which happens to have uid 999.
It would be desirable to
- run all daemons in containers as non-root users, and
- have more control over how data, configuration files and logs are owned.
I created a WIP patch for running the mediawiki container as an arbitrary uid via docker run -u <uid> at https://github.com/wikimedia/mediawiki-docker/pull/1. However, the flexibility comes at the price of having to make /var/{run,lock}/apache2 world-writable.
A safer approach might be to start the container itself as root, but then drop privileges to a specified uid after chown'ing specific filesystem locations to the runtime user.
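As an added example of that safer approach (this is not code from mediawiki-docker or the PR above), an entrypoint that starts as root, chowns only the paths the daemon must write, then drops to the runtime uid before exec. It assumes the env names RUN_UID, RUN_GID and WRITABLE_PATHS and that setpriv from util-linux is installed in the image.

```shell
#!/bin/sh
# Added example (not from mediawiki-docker): container starts as root, fixes
# ownership of the few paths the daemon must write, then drops to RUN_UID.
set -eu

# Runtime identity and writable paths; variable names are assumed, not the project's.
RUN_UID="${RUN_UID:-33}"
RUN_GID="${RUN_GID:-33}"
WRITABLE_PATHS="${WRITABLE_PATHS:-/var/run/apache2 /var/lock/apache2 /var/log/apache2}"

# fix_ownership UID GID PATH...: create each path, hand it to the runtime
# user, and keep it closed to "other" so nothing has to be world-writable.
# Returns non-zero if any path could not be prepared.
fix_ownership() {
  uid="$1"; gid="$2"; shift 2
  for p in "$@"; do
    mkdir -p "$p" || return 1
    chown -R "$uid:$gid" "$p" || return 1
    chmod 0750 "$p" || return 1
  done
}

# drop_privs_exec UID GID CMD...: replace the shell with CMD running as UID:GID.
# Uses setpriv from util-linux (assumed present); gosu or su-exec do the same job.
# --clear-groups drops root's supplementary groups, --inh-caps=-all empties the
# inheritable capability set so no capability survives the exec.
drop_privs_exec() {
  uid="$1"; gid="$2"; shift 2
  exec setpriv --reuid="$uid" --regid="$gid" --clear-groups --inh-caps=-all -- "$@"
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    # Started with docker run -u: no privilege to chown, so ownership must
    # already be correct; just run the command as the current user.
    exec "$@"
  fi
  # WRITABLE_PATHS is word-split on purpose (paths are assumed space-free).
  # shellcheck disable=SC2086
  fix_ownership "$RUN_UID" "$RUN_GID" $WRITABLE_PATHS
  drop_privs_exec "$RUN_UID" "$RUN_GID" "$@"
}

# Docker passes CMD as the arguments; with none there is nothing to run.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The runtime user ends up owning only the listed directories; everything else in the image stays root-owned, which is the control over data, config and log ownership the list above asks for.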
Long term: User namespaces
The longer term solution should be user namespaces, which have now arrived as an experimental feature in docker 1.9. However, this isn't ready for production yet, and wider roll-out is blocking on Linux gaining the ability to remap uid ranges in bind mounts.