Added dockerfile improvements

[rahul-madaan]

🚀 Docker Performance & Security Improvements

Summary

This PR introduces significant Docker optimizations that deliver 76.7% faster build times and enhanced security features through multi-stage builds, improved caching, and better container security practices.

📊 Performance Metrics

Build Performance

Metric	Before	After	Improvement
Build Time (no cache)	34.8s	8.1s	⬇️ 76.7% faster
Build Time (with cache)	~34.8s	0.9s	⬇️ 97.4% faster
Time Saved per Build	-	-	26.7 seconds

Image Analysis

Metric	Before	After	Change
Final Image Size	215MB	247MB	+32MB (+14.9%)
Cache Efficiency	Poor	Excellent	✅ Optimized

🔒 Security Enhancements

Feature	Before	After	Status
User Security	Random UID/GID	Fixed UID: 1001, GID: 1001	✅ Enhanced
ENTRYPOINT Format	Shell form (vulnerable)	Exec form (secure)	✅ Secure
Signal Handling	Basic	Proper exec with signals	✅ Improved

🏗️ Key Improvements

1. Multi-Stage Build Architecture

• Builder stage: Handles dependencies and virtual environment creation
• Runtime stage: Lightweight production image with only necessary components
• Result: Faster builds and better layer caching

2. Optimized Dependency Caching

# Copy dependency files first for better caching
COPY pyproject.toml uv.lock ./
COPY version.py ./
COPY README.md ./

# Install dependencies (cached layer)
RUN uv sync --no-cache-dir --no-dev --python /app/.venv/bin/python

# Copy application code last
COPY . /app

3. Enhanced Security

# Fixed UID/GID for better security
RUN groupadd -r -g 1001 appuser && \
    useradd -r -g appuser -u 1001 -m -d /home/appuser appuser

# Secure ENTRYPOINT format
ENTRYPOINT ["sh", "-c", "exec python server.py --transport \"$MCP_TRANSPORT\" --host \"$MCP_HOST\" --port \"$MCP_PORT\" --path \"$MCP_PATH\""]

4. Health Check Integration

HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD if [ "$MCP_TRANSPORT" = "sse" ] || [ "$MCP_TRANSPORT" = "streamable-http" ]; then \
        python -c "import urllib.request; urllib.request.urlopen('http://localhost:$MCP_PORT$MCP_PATH', timeout=5)" || exit 1; \
        else exit 0; fi

5. Enhanced Build Environment

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_LINK_MODE=copy

💡 Why This Matters

For Development Teams

• ⚡ 76.7% faster builds = Reduced CI/CD pipeline times
• 🔄 97.4% faster cached builds = Near-instant local development
• 💰 Cost savings on CI/CD compute resources

For Production

• 🔒 Enhanced security with fixed UID/GID and proper signal handling
• 📊 Health monitoring with built-in health checks
• 🛡️ Improved container security posture

For DevOps

• 📦 Better layer caching reduces registry bandwidth
• 🔧 Standardized build process across environments
• 📈 Monitoring ready with health check endpoints

🎯 Impact Analysis

Size vs. Performance Trade-off

The 32MB size increase is well-justified by:

• 26.7 seconds saved per build (productivity gain)
• Enhanced security features (reduced risk)
• Better dependency management (maintainability)
• Improved caching efficiency (long-term benefits)

ROI Calculation

• Time saved per developer per day: ~5-10 builds × 26.7s = 2-4 minutes
• Team of 10 developers: 20-40 minutes saved daily
• CI/CD cost reduction: Faster builds = lower compute costs

✅ Testing Performed

• Build time benchmarking (no cache vs cached)
• Image size analysis and comparison
• Security validation (user, permissions, signals)
• Functionality testing (server starts correctly)
• Health check validation for HTTP transports
• Layer caching efficiency verification

🚀 Recommendation

MERGE RECOMMENDED - This PR delivers significant performance improvements with enhanced security, making it a high-value addition to the codebase. The build time reduction alone justifies the modest size increase, and the security enhancements provide additional value.

---

📈 Bottom Line: 76.7% faster builds + enhanced security + better architecture = Clear win for the team

[arpit-at]

We can wait for this PR merge so that we have a dedicated health endpoint to check

[rahul-madaan]

@arpit-at can we merge this since there are no dependencies yet and later I will replcae with ealth check endpoint?

[rahul-madaan]

@Hk669 once the health check PR is merged, I will make this endpoint /health
please review

[firecast]

How did you get these numbers of improvements? A docker build happens only when a version changes. Also don't think the size increase is justified for the speed in this case

[rahul-madaan]

How did you get these numbers of improvements? A docker build happens only when a version changes. Also don't think the size increase is justified for the speed in this case

@firecast I have used --no-cache flag for fair comparison:

# Baseline (main branch)
time docker build -t baseline . --no-cache    # 34.8s

# PR improvements 
time docker build -t improved . --no-cache    # 8.1s

Q: Docker build only happens when version changes?

That's exactly why this matters more:

• Development: Frequent builds during code changes (multiple times daily)
• CI/CD: Every commit triggers builds in pipelines
• Testing: Feature branches, hotfixes, dependency updates

This is metrics are produced on local Machine Mac M3 Pro.

[Hk669]

lets wait for the health check PR to merge.

[Hk669]

why is this change even required? i think we have simpler version already!

[rahul-madaan]

check docker docs: This is the preferred way.
https://docs.docker.com/reference/build-checks/json-args-recommended/
and
https://docs.docker.com/reference/dockerfile/#entrypoint

If we do not change this then

1. Shell interprets the command and may not properly forward signals (SIGTERM, SIGINT)
2. Can lead to forceful container kills instead of clean shutdowns
3. Shell form is vulnerable to injection if environment variables contain special characters:

Advantages:
Proper Signal Handling: The exec ensures Python process becomes PID 1 and receives signals directly
Security: Variables are properly quoted and escaped
Predictable Behavior: No shell interpretation surprises
Docker Best Practice: Recommended by Docker documentation