-
Notifications
You must be signed in to change notification settings - Fork 17
Expand file tree
/
Copy pathDockerfile
More file actions
90 lines (74 loc) · 3.4 KB
/
Dockerfile
File metadata and controls
90 lines (74 loc) · 3.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# syntax=docker/dockerfile:1
# ==============================================================================
# Final Stage: Build the production image.
# Includes NodeJS to give mcpd access to the npx binary.
# ==============================================================================
FROM node:24.5.0-alpine3.22
# --- Metadata ---
LABEL org.opencontainers.image.authors="Mozilla AI <security@mozilla.ai>"
LABEL org.opencontainers.image.description="A container for the mcpd application."
# The version label should be dynamically overridden in a CI/CD pipeline
LABEL org.opencontainers.image.version="dev"
ARG MCPD_USER=mcpd
ARG MCPD_HOME=/home/$MCPD_USER
# TARGETPLATFORM is set by Docker buildx for multi-platform builds (e.g., linux/amd64, linux/arm64)
# For local builds, it's passed via docker-compose build args
ARG TARGETPLATFORM
# Sensible defaults but can be easily overridden by the user with `docker run -e KEY=VALUE`.
ENV MCPD_API_PORT=8090
ENV MCPD_LOG_LEVEL=info
ENV MCPD_LOG_PATH=/var/log/mcpd/mcpd.log
ENV MCPD_CONFIG_FILE=/etc/mcpd/.mcpd.toml
ENV MCPD_RUNTIME_FILE=/home/mcpd/.config/mcpd/secrets.prod.toml
USER root
# Installs python, pip and tools
RUN apk add --no-cache \
python3 \
py3-pip \
py3-setuptools \
py3-wheel
# Installs 'tini', a lightweight init system to properly manage processes.
RUN apk add --no-cache tini
# - Adds a dedicated non-root group and user for security (using the ARG).
# - Creates necessary directories for configs, logs, and user data.
# - Sets correct ownership for the non-root user.
# - Adds mcpd user to docker group for Docker socket access
# Note: ~/.cache/mcpd is created on-demand by the application when needed
# (e.g. ~/.cache/mcpd/registries during 'mcpd add' or 'mcpd search' commands)
# but not during normal daemon operation.
RUN addgroup -S $MCPD_USER && \
adduser -D -S -h $MCPD_HOME -G $MCPD_USER $MCPD_USER && \
addgroup -S docker && \
adduser $MCPD_USER docker && \
mkdir -p \
$MCPD_HOME/.config/mcpd \
/var/log/mcpd \
/etc/mcpd && \
chmod 700 $MCPD_HOME/.config/mcpd && \
chown -R $MCPD_USER:$MCPD_USER $MCPD_HOME /var/log/mcpd
# Copy uv/uvx binaries from image.
COPY --from=ghcr.io/astral-sh/uv:0.8.4 /uv /uvx /usr/local/bin/
# Copy Docker CLI from official Docker image for running MCP servers as Docker containers
COPY --from=docker:27.3.1-cli /usr/local/bin/docker /usr/local/bin/docker
# Copy application binary and set ownership to the non-root user.
# IMPORTANT: Config/secrets are NOT copied. They should be mounted at runtime.
COPY --chown=$MCPD_USER:$MCPD_USER $TARGETPLATFORM/mcpd /usr/local/bin/mcpd
# Switch to the non-root user before execution.
USER $MCPD_USER
WORKDIR $MCPD_HOME
EXPOSE $MCPD_API_PORT
# Use 'tini' as the entrypoint to properly handle process signals (like CTRL+C)
# and prevent zombie processes, ensuring clean container shutdown.
ENTRYPOINT ["/sbin/tini", "--"]
CMD mcpd daemon \
--addr 0.0.0.0:$MCPD_API_PORT \
--log-level $MCPD_LOG_LEVEL \
--log-path $MCPD_LOG_PATH \
--config-file $MCPD_CONFIG_FILE \
--runtime-file $MCPD_RUNTIME_FILE
# Example run (for local development, mount dev secrets to the container's prod path):
# docker run -p 8090:8090 \
# -v $PWD/.mcpd.toml:/etc/mcpd/.mcpd.toml \
# -v $HOME/.config/mcpd/secrets.dev.toml:/home/mcpd/.config/mcpd/secrets.prod.toml \
# -e MCPD_LOG_LEVEL=debug \
# mzdotai/mcpd:v0.0.5