Make generic service image coordinate non-root users

- have generic service image start in root, create non-root user+group, then sed[ug]id+exec
- coordinate uids inside and outside so external top makes sense