CentOS without root
Docker doesn't have UID remapping yet (docker/docker#12648), which means running containers as root is a bad idea if you're allowing untrusted user code in them.
Fortunately you can just run the entire container with a filesystem owned by an unprivileged user. Provided your Docker daemon doesn't restrict PTRACE you can use proot to pretend to be root inside the container and install packages with Yum.
Docker stores files with changed permissions in their entirety to a new layer, so you can't just modify the existing CentOS container unless you want an image twice the size it should be. Instead, this this image is based on the official CentOS 7 rootfs, which is extracted and rebuilt with different file ownerships.