[feat] Add Docker support with GHCR publishing (#311)

chris-freeman-glean · glean-code-writer · claude · web-flow · commit 486a0c6c92c4 · 2025-11-19T11:31:53.000-07:00
* [feat] Add Docker support with GHCR publishing - Add Dockerfile for multi-arch Docker image support (amd64/arm64) - Create GitHub Actions workflow to publish images to GHCR on releases - Add docker-test workflow for CI validation - Simplify Docker documentation to use published GHCR images - Remove .dockerignore (no longer needed with npm install approach) Docker images will be automatically published to ghcr.io/gleanwork/local-mcp-server when releases are created, providing users with a sandboxed execution environment that abstracts over local environment differences. * Improve Docker implementation based on review feedback - Increase test sleep times from 2s to 5s for reliability on slower systems - Add tmpfs mount for .npm directory in read-only filesystem test - Add PACKAGE_VERSION build arg to Dockerfile for version pinning - Document both env block and -e flag approaches for environment variables - Add comprehensive Docker troubleshooting section to README - Address container exits, authentication errors, and connection issues * Fix tmpfs mount path to match actual user home directory The Dockerfile creates user 'mcpserver' with home at /home/mcpserver, but the test was mounting tmpfs at /home/mcp/.npm. This caused the mount to be created at an incorrect path that doesn't match the user's actual home directory. * Fix contradictory Docker flags in stdio tests Remove -d (detached) flag which conflicts with -i (interactive) for stdio testing. Detached containers don't have stdin connected, causing MCP servers to fail or hang when trying to read from unavailable stdin. New approach: - Run container in foreground with -i flag and stdin from /dev/null - Use timeout to prevent hanging - Run in background with & to allow process checking - Verify process is running after startup - Properly cleanup with kill and wait This properly tests that the server can start and accept stdio communication. * Fix process monitoring logic in stdio tests The previous approach had critical flaws: - $! captured the timeout command PID, not docker - Killing timeout left docker running uncontrolled in background - Process checks verified wrong PID - No actual verification that stdio communication worked New approach: - Pipe actual MCP initialize message to container via stdin - Use 'timeout' as prefix (not wrapper) so docker is the background process - Capture docker's PID directly with $! - Use 'kill -0' to check if process is still running (non-destructive) - Capture output to verify MCP server responds - Check for JSON-RPC response to confirm stdio communication works - Proper cleanup with kill and wait - Show output on failure for debugging This properly tests that: 1. Container starts successfully 2. Accepts stdin input 3. MCP server can process requests 4. Works with security constraints * fix: Install npm package as root before switching to non-root user The Docker build was failing because npm install -g was being run as the mcpserver user, which doesn't have permission to write to global npm directories. This change installs the package as root first, then switches to the non-root user only for running the server. This maintains security best practices while fixing the EACCES errors during the Docker build process. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: Complete Docker support with compose example and CI enhancements Add production-ready Docker deployment files and enhance CI workflows: - Add .dockerignore for optimized build context - Add docker-compose.yaml example in examples/ directory with: - Environment variable configuration - Resource limits and security options - Comprehensive inline documentation - Enhance publish-docker.yml workflow: - Add triggers for main branch and version tags - Add id-token write permission for provenance - Improve metadata with OCI labels - Add branch and SHA tags for better traceability - Update README with docker-compose reference These additions provide users with production-grade deployment options and improved CI/CD automation for multi-arch Docker images. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: Add required MCP protocol fields to Docker test initialize requests * fix: Keep stdin open in Docker tests to prevent premature server exit * fix: Add tmpfs mount for .local directory in read-only mode The MCP server logger needs write access to ~/.local/state/glean for log files. When running with --read-only, this directory must be mounted as tmpfs to allow the logger to create its state directory. * fix: Set uid for tmpfs mounts to match non-root mcpserver user Tmpfs mounts are owned by root by default. Since the container runs as the non-root mcpserver user (uid 1001), we need to specify uid=1001 for the .npm and .local tmpfs mounts so the user can write to them. * chore: Update actions/checkout to v5 in publish-docker.yml workflow This change upgrades the checkout action version to ensure compatibility and access to the latest features and improvements. --------- Co-authored-by: Glean Code Writer <code_writer@glean.com> Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,54 @@
+# Dependencies
+node_modules/
+pnpm-lock.yaml
+package-lock.json
+yarn.lock
+
+# Build outputs
+build/
+dist/
+*.tsbuildinfo
+
+# Tests and coverage
+coverage/
+test/
+tests/
+**/*.test.ts
+**/*.test.js
+**/*.spec.ts
+**/*.spec.js
+
+# Development files
+.git/
+.github/
+.vscode/
+.idea/
+*.log
+*.swp
+*.swo
+*~
+
+# Environment and secrets
+.env
+.env.*
+!.env.example
+
+# Documentation
+docs/
+*.md
+!README.md
+
+# CI/CD
+.circleci/
+.gitlab-ci.yml
+.travis.yml
+
+# Misc
+.DS_Store
+.editorconfig
+.eslintrc*
+.prettierrc*
+.gitignore
+.dockerignore
+Dockerfile*
+docker-compose*.yml
diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
@@ -0,0 +1,75 @@
+name: Docker Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  test:
+    name: Build and Test Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: docker build -t glean-mcp-server:test .
+
+      - name: Test image structure
+        run: |
+          docker run --rm glean-mcp-server:test node --version
+          docker run --rm glean-mcp-server:test which npx
+
+      - name: Verify MCP server starts with stdio
+        run: |
+          (echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'; sleep 3) | docker run --rm -i glean-mcp-server:test > /tmp/output.txt 2>&1 &
+          docker_pid=$!
+          sleep 2
+          if kill -0 $docker_pid 2>/dev/null; then
+            echo "Container is running and accepting stdio"
+            kill $docker_pid 2>/dev/null || true
+            wait $docker_pid 2>/dev/null || true
+          else
+            echo "Container exited immediately"
+            cat /tmp/output.txt 2>/dev/null || true
+            exit 1
+          fi
+          if grep -q '"result"' /tmp/output.txt 2>/dev/null; then
+            echo "MCP server responded successfully to initialize request"
+          else
+            echo "MCP server output:"
+            cat /tmp/output.txt
+            exit 1
+          fi
+
+      - name: Test with security constraints
+        run: |
+          (echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'; sleep 3) | docker run --rm -i \
+            --cpus="1.0" \
+            --memory="2g" \
+            --read-only \
+            --tmpfs /tmp \
+            --tmpfs /home/mcpserver/.npm:uid=1001 \
+            --tmpfs /home/mcpserver/.local:uid=1001 \
+            --cap-drop=ALL \
+            --security-opt=no-new-privileges:true \
+            glean-mcp-server:test > /tmp/output-secure.txt 2>&1 &
+          docker_pid=$!
+          sleep 2
+          if kill -0 $docker_pid 2>/dev/null; then
+            echo "Container is running with security constraints"
+            kill $docker_pid 2>/dev/null || true
+            wait $docker_pid 2>/dev/null || true
+          else
+            echo "Container exited immediately with security constraints"
+            cat /tmp/output-secure.txt 2>/dev/null || true
+            exit 1
+          fi
+          if grep -q '"result"' /tmp/output-secure.txt 2>/dev/null; then
+            echo "MCP server responded successfully with security constraints"
+          else
+            echo "MCP server output:"
+            cat /tmp/output-secure.txt
+            exit 1
+          fi
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -0,0 +1,63 @@
+name: Publish Docker Image
+
+on:
+  release:
+    types: [published]
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+
+jobs:
+  publish:
+    name: Build and Publish Multi-Arch Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/gleanwork/local-mcp-server
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=ref,event=branch
+            type=sha,prefix={{branch}}-
+            type=raw,value=latest,enable={{is_default_branch}}
+          labels: |
+            org.opencontainers.image.title=Glean MCP Server
+            org.opencontainers.image.description=Model Context Protocol server for Glean API integration
+            org.opencontainers.image.vendor=Glean
+
+      - name: Build and push multi-architecture image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,19 @@
+# Use Alpine-based Node.js 20 for minimal image size and security
+FROM node:20-alpine
+
+# Install the published @gleanwork/local-mcp-server package from npm
+# PACKAGE_VERSION can be set at build time to pin to a specific version
+ARG PACKAGE_VERSION=latest
+RUN npm install -g @gleanwork/local-mcp-server@${PACKAGE_VERSION}
+
+# Create non-root user for security best practices
+# uid/gid 1001 is a common convention for application users
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S mcpserver -u 1001
+
+# Switch to non-root user for running the server
+USER mcpserver
+
+# Run the MCP server
+# The server uses stdio transport and keeps running until terminated
+CMD ["local-mcp-server"]
diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ This monorepo contains packages for Glean's local MCP server. For more details s
 - [@gleanwork/configure-mcp-server](https://github.com/gleanwork/configure-mcp-server) for configuring the local MCP server with popular MCP clients.
 - [@gleanwork/local-mcp-server](https://github.com/gleanwork/mcp-server/tree/main/packages/local-mcp-server) on running the local MCP server.
 
+The local MCP server can be run via npx or Docker. See the [@gleanwork/local-mcp-server README](https://github.com/gleanwork/mcp-server/tree/main/packages/local-mcp-server#docker-deployment) for Docker deployment instructions.
+
 ## Contributing
 
 Please see [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
diff --git a/examples/docker-compose.yaml b/examples/docker-compose.yaml
@@ -0,0 +1,81 @@
+version: '3.8'
+
+services:
+  glean-mcp-server:
+    # Use the latest published image from GitHub Container Registry
+    # For specific versions, use: ghcr.io/gleanwork/local-mcp-server:v0.8.0
+    image: ghcr.io/gleanwork/local-mcp-server:latest
+
+    # Container name for easy reference
+    container_name: glean-mcp-server
+
+    # Required for stdio transport communication
+    stdin_open: true
+    tty: false
+
+    # Environment variables for Glean API configuration
+    environment:
+      # REQUIRED: Your Glean instance name (e.g., "acme-corp")
+      GLEAN_INSTANCE: ${GLEAN_INSTANCE}
+
+      # REQUIRED: Your Glean API token
+      GLEAN_API_TOKEN: ${GLEAN_API_TOKEN}
+
+      # OPTIONAL: Set to "production" for optimized performance
+      NODE_ENV: production
+
+    # Resource limits (optional but recommended)
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 2G
+        reservations:
+          cpus: '0.5'
+          memory: 512M
+
+    # Security options (optional but recommended)
+    security_opt:
+      - no-new-privileges:true
+
+    # Read-only root filesystem for enhanced security (optional)
+    # Uncomment if your use case allows it
+    # read_only: true
+    # tmpfs:
+    #   - /tmp
+    #   - /home/mcpserver/.npm:uid=1001
+    #   - /home/mcpserver/.local:uid=1001
+
+    # Drop all capabilities for enhanced security (optional)
+    cap_drop:
+      - ALL
+
+    # Restart policy
+    restart: unless-stopped
+
+    # Logging configuration
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+# To use this docker-compose file:
+#
+# 1. Create a .env file in the same directory with your credentials:
+#    GLEAN_INSTANCE=your-instance-name
+#    GLEAN_API_TOKEN=your-api-token
+#
+# 2. Start the service:
+#    docker-compose up -d
+#
+# 3. View logs:
+#    docker-compose logs -f
+#
+# 4. Stop the service:
+#    docker-compose down
+#
+# Note: For MCP client integration, you'll typically use the direct
+# docker run command instead of docker-compose, as MCP clients manage
+# the container lifecycle. This compose file is provided as a reference
+# for standalone deployment scenarios.
diff --git a/packages/local-mcp-server/README.md b/packages/local-mcp-server/README.md
