Unlike virtual machines, containers are not completely isolated from their host. Containers and the host share the same kernel.
Containers are isolated using namespaces in Linux (the host has a namespace and containers have their own namespaces). A container can see only its own processes. A process can have different process IDs in different namespaces.
Users in Context of Security
By default, Docker runs processes within containers as the root user.
It is possible to run commands as a non-root user by specifying a new user ID (e.g. docker run --user=1000 ubuntu sleep 3600).
Alternatively, we can enforce user security in the Docker image at the time of creation:
FROM ubuntu
USER 1000
With this, we can build the image with docker build -t ubuntu-image . and run containers from it without specifying a user ID.
Can the root user in a container do something on the host system?
Docker has a set of security features that limit the abilities of the root user within containers.
The processes running within the container do not have the privileges of the root user on the host system.
If we want to give the root user within the container more privileges, we can run the container with the --cap-add option (or the --cap-drop option to drop privileges), or with the --privileged option to include all privileges.
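The settings discussed above (the container user, --cap-add and --privileged) are recorded in docker inspect output as Config.User, HostConfig.CapAdd and HostConfig.Privileged. The following is an added example, not part of the original notes, that audits those fields; the sample data is constructed and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `docker inspect` output, reduced to the
# fields this check reads. Container names and values are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/default-root", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "CapAdd": None}},
    {"Name": "/non-root", "Config": {"User": "1000"},
     "HostConfig": {"Privileged": False, "CapAdd": None}},
    {"Name": "/extra-caps", "Config": {"User": "0:0"},
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"]}},
    {"Name": "/privileged", "Config": {"User": "1000"},
     "HostConfig": {"Privileged": True, "CapAdd": None}},
])

ROOT_FINDING = "runs as root (no --user / USER set)"
PRIV_FINDING = "--privileged: all privileges granted"


def runs_as_root(user):
    """Empty user means the Docker default (root); also catch 0 / root[:group]."""
    uid = (user or "").split(":", 1)[0]
    return uid in ("", "0", "root")


def audit_containers(inspect_json):
    """Return {container name: [findings]} for the user and capability settings."""
    report = {}
    for container in json.loads(inspect_json):
        config = container.get("Config") or {}
        host = container.get("HostConfig") or {}
        findings = []
        if runs_as_root(config.get("User")):
            findings.append(ROOT_FINDING)
        if host.get("Privileged"):
            findings.append(PRIV_FINDING)
        # CapAdd is null in the JSON when no --cap-add was given.
        for cap in host.get("CapAdd") or []:
            findings.append(f"--cap-add {cap}")
        report[container["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

To check real containers, pass the output of docker inspect $(docker ps -q) to audit_containers in place of the sample.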