As in-container root is considered by the host OS a normal user, is it wise to use (through incus shell) that root account not only to set up the container, but also to run services?
Or is it better to create a separate user and SSH to it?
It’s common to treat the container like a lightweight “VM” and manage it like a VM. Typically you install your applications from OS packages and those packages usually create service users. You can also ssh to it.
However, if it’s running just a single service, then you can run that service as root if you like. If someone breaks into that service from outside, then they will have root inside the container but won’t have root on the host. In principle they might be able to do more container-level damage, but the host should still be OK.
If you use the /cloud variety of the Incus images, then you get a default non-root account.
For example, images:ubuntu/24.04/cloud gets an ubuntu non-root account created and configured properly for sudo. For images:debian/12/cloud, the non-root account is debian. Again, sudo is configured accordingly, and you can sudo where necessary without providing a password.
But why would you opt to use those non-root accounts in the instances? It’s an issue of uniformity. If, on the host, you are using your non-root account, then many people prefer to keep this paradigm in their instances as well. When you SSH to a system, it’s common practice to SSH to a non-root account.
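An added example, not part of the posts above: the thread's point that in-container root is an ordinary user to the host can be checked from inside an instance by reading the user-namespace UID map. The function names `host_uid` and `root_is_unprivileged` are hypothetical helpers, and the two sample maps are constructed values rather than output captured from a real host.

```shell
#!/bin/sh
# Each uid_map line is: <first UID inside> <first UID outside> <range length>
# (format described in user_namespaces(7)).

# host_uid CONTAINER_UID [MAP_FILE|-]
# Prints the host UID that CONTAINER_UID maps to; prints "unmapped" and fails otherwise.
host_uid() {
    awk -v uid="$1" '
        NF == 3 && uid >= $1 && uid < $1 + $3 {
            printf "%d\n", $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) { print "unmapped"; exit 1 } }
    ' "${2:-/proc/self/uid_map}"
}

# root_is_unprivileged [MAP_FILE|-]
# Succeeds only when UID 0 in this namespace maps to a non-zero host UID.
root_is_unprivileged() {
    h=$(host_uid 0 "${1:-/proc/self/uid_map}") || return 1
    [ "$h" -ne 0 ]
}

# Constructed sample maps (assumptions, not taken from the thread):
UNPRIV_MAP='0 1000000 1000000000'   # shape of a map inside an unprivileged container
PRIV_MAP='0 0 4294967295'           # identity map, as seen in the host's own namespace

echo "container root   -> host uid $(echo "$UNPRIV_MAP" | host_uid 0 -)"
echo "container uid 33 -> host uid $(echo "$UNPRIV_MAP" | host_uid 33 -)"

if echo "$PRIV_MAP" | root_is_unprivileged -; then
    echo "identity map: root is remapped"
else
    echo "identity map: UID 0 here is real host root"
fi
```

Inside a running instance, calling `host_uid 0` and `root_is_unprivileged` with no map argument reads `/proc/self/uid_map` directly.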