feat(mc): support for uid/gid, and use default current user

mcontainer/drivers/goose/Dockerfile

@@ -3,8 +3,10 @@ FROM python:3.12-slim
 LABEL maintainer="team@monadical.com"
 LABEL description="Goose with MCP servers"
 
-# Install system dependencies
-RUN apt-get update && apt-get install -y \
+# Install system dependencies including gosu for user switching and shadow for useradd/groupadd
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gosu \
+    passwd \
     git \
     openssh-server \
     bash \
@@ -12,22 +14,27 @@ RUN apt-get update && apt-get install -y \
     bzip2 \
     iputils-ping \
     iproute2 \
+    libxcb1 \
+    libdbus-1-3 \
     nano \
     vim \
     && rm -rf /var/lib/apt/lists/*
 
-# Set up SSH server
-RUN mkdir /var/run/sshd
-RUN echo 'root:root' | chpasswd
-RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
-RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
+# Set up SSH server directory (configuration will be handled by entrypoint if needed)
+RUN mkdir -p /var/run/sshd && chmod 0755 /var/run/sshd
+# Do NOT enable root login or set root password here
 
 # Install python dependencies
 # This is done before copying scripts for better cache management
+# Consider moving this WORKDIR /tmp section if goose CLI isn't strictly needed for base image setup
 WORKDIR /tmp
 RUN curl -fsSL https://github.com/block/goose/releases/download/stable/download_cli.sh -o download_cli.sh && \
     chmod +x download_cli.sh && \
-    ./download_cli.sh
+    ./download_cli.sh && \
+    # Move goose to a system-wide location
+    mv /root/.local/bin/goose /usr/local/bin/goose && \
+    # Clean up
+    rm -rf /root/.local download_cli.sh /tmp/goose-*
 
 # Create app directory
 WORKDIR /app
@@ -46,15 +53,18 @@ RUN chmod +x /mc-init.sh /entrypoint.sh /init-status.sh \
     /usr/local/bin/update-goose-config.sh
 
 # Set up initialization status check on login
-RUN echo 'export PATH=/root/.local/bin:$PATH' >> /etc/bash.bashrc
 RUN echo '[ -x /init-status.sh ] && /init-status.sh' >> /etc/bash.bashrc
 
 # Set up environment
 ENV PYTHONUNBUFFERED=1
 ENV PYTHONDONTWRITEBYTECODE=1
+# Set WORKDIR to /app, common practice and expected by mc-init.sh
+WORKDIR /app
 
 # Expose ports
 EXPOSE 8000 22
 
-# Set entrypoint
+# Set entrypoint - container starts as root, entrypoint handles user switching
 ENTRYPOINT ["/entrypoint.sh"]
+# Default command if none is provided (entrypoint will run this via gosu)
+CMD ["tail", "-f", "/dev/null"]

mcontainer/drivers/goose/entrypoint.sh

@@ -1,17 +1,7 @@
 #!/bin/bash
 # Entrypoint script for Goose driver
+# Executes the standard initialization script, which handles user setup,
+# service startup (like sshd), and switching to the non-root user
+# before running the container's command (CMD).
 
-# Run the standard initialization script
-/mc-init.sh
-
-# Start SSH server in the background
-/usr/sbin/sshd
-
-# Print welcome message
-echo "==============================================="
-echo "Goose driver container started"
-echo "SSH server running on port 22"
-echo "==============================================="
-
-# Keep container running
-exec tail -f /dev/null
+exec /mc-init.sh "$@"

mcontainer/drivers/goose/mc-init.sh

@@ -6,6 +6,53 @@ exec > >(tee -a /init.log) 2>&1
 
 # Mark initialization as started
 echo "=== MC Initialization started at $(date) ==="
+
+# --- START INSERTED BLOCK ---
+
+# Default UID/GID if not provided (should be passed by mc tool)
+MC_USER_ID=${MC_USER_ID:-1000}
+MC_GROUP_ID=${MC_GROUP_ID:-1000}
+
+echo "Using UID: $MC_USER_ID, GID: $MC_GROUP_ID"
+
+# Create group if it doesn't exist
+if ! getent group mcuser > /dev/null; then
+    groupadd -g $MC_GROUP_ID mcuser
+else
+    # If group exists but has different GID, modify it
+    EXISTING_GID=$(getent group mcuser | cut -d: -f3)
+    if [ "$EXISTING_GID" != "$MC_GROUP_ID" ]; then
+        groupmod -g $MC_GROUP_ID mcuser
+    fi
+fi
+
+# Create user if it doesn't exist
+if ! getent passwd mcuser > /dev/null; then
+    useradd --shell /bin/bash --uid $MC_USER_ID --gid $MC_GROUP_ID --no-create-home mcuser
+else
+    # If user exists but has different UID/GID, modify it
+    EXISTING_UID=$(getent passwd mcuser | cut -d: -f3)
+    EXISTING_GID=$(getent passwd mcuser | cut -d: -f4)
+    if [ "$EXISTING_UID" != "$MC_USER_ID" ] || [ "$EXISTING_GID" != "$MC_GROUP_ID" ]; then
+        usermod --uid $MC_USER_ID --gid $MC_GROUP_ID mcuser
+    fi
+fi
+
+# Create home directory and set permissions if it doesn't exist
+if [ ! -d "/home/mcuser" ]; then
+    mkdir -p /home/mcuser
+    chown $MC_USER_ID:$MC_GROUP_ID /home/mcuser
+fi
+# Ensure /app exists and has correct ownership (important for volume mounts)
+mkdir -p /app
+chown $MC_USER_ID:$MC_GROUP_ID /app
+
+# Start SSH server as root before switching user
+echo "Starting SSH server..."
+/usr/sbin/sshd
+
+# --- END INSERTED BLOCK ---
+
 echo "INIT_COMPLETE=false" > /init.status
 
 # Project initialization
@@ -70,3 +117,6 @@ echo "MC driver initialization complete"
 # Mark initialization as complete
 echo "=== MC Initialization completed at $(date) ==="
 echo "INIT_COMPLETE=true" > /init.status
+
+# Switch to the non-root user and execute the container's CMD
+exec gosu mcuser "$@"