Dependency updates and docker build cleanup and optimization (#655)

* Update container images and all dependencies

Signed-off-by: Mihai Criveti <[email protected]>

* Update container images and all dependencies

Signed-off-by: Mihai Criveti <[email protected]>

* Make image smaller

Signed-off-by: Mihai Criveti <[email protected]>

* Make image smaller

Signed-off-by: Mihai Criveti <[email protected]>

* Make image smaller

Signed-off-by: Mihai Criveti <[email protected]>

* Precompile python bytecode

Signed-off-by: Mihai Criveti <[email protected]>

* Remove unnecessary micro image

Signed-off-by: Mihai Criveti <[email protected]>

* Update dockerignore

Signed-off-by: Mihai Criveti <[email protected]>

* Update dockerignore

Signed-off-by: Mihai Criveti <[email protected]>

* Cleanup pre-commit

Signed-off-by: Mihai Criveti <[email protected]>

* Cleanup pre-commit

Signed-off-by: Mihai Criveti <[email protected]>

* Cleanup pre-commit

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: Mihai Criveti <[email protected]>

Author: crivetimihai

.dockerignore

@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi9-minimal:9.6-1752587672
+FROM registry.access.redhat.com/ubi9-minimal:9.6-1754000177
 LABEL maintainer="Mihai Criveti" \
       name="mcp/mcpgateway" \
       version="0.4.0" \

Containerfile

@@ -23,76 +23,183 @@ ARG ROOTFS_PATH=/tmp/rootfs
 # Python major.minor series to track
 ARG PYTHON_VERSION=3.11
 
-###########################
-# Base image for copying into scratch
-###########################
-FROM registry.access.redhat.com/ubi9/ubi-micro:9.6-1752751762 AS base
-
 ###########################
 # Builder stage
 ###########################
-FROM registry.access.redhat.com/ubi9/ubi:9.6-1752625787 AS builder
-SHELL ["/bin/bash", "-c"]
+FROM registry.access.redhat.com/ubi9/ubi:9.6-1753978585 AS builder
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
 ARG PYTHON_VERSION
 ARG ROOTFS_PATH
 
 # ----------------------------------------------------------------------------
 # 1) Patch the OS
 # 2) Install Python + headers for building wheels
-# 3) Register python3 alternative
-# 4) Clean caches to reduce layer size
+# 3) Install binutils for strip command
+# 4) Register python3 alternative
+# 5) Clean caches to reduce layer size
 # ----------------------------------------------------------------------------
 # hadolint ignore=DL3041
 RUN set -euo pipefail \
     && dnf upgrade -y \
     && dnf install -y \
          python${PYTHON_VERSION} \
          python${PYTHON_VERSION}-devel \
+         binutils \
     && update-alternatives --install /usr/bin/python3 python3 /usr/bin/python${PYTHON_VERSION} 1 \
     && dnf clean all
 
 WORKDIR /app
 
-# Copy project source last so small code changes don't bust earlier caches
-COPY . /app
+# ----------------------------------------------------------------------------
+# Copy only the files needed for dependency installation first
+# This maximizes Docker layer caching - dependencies change less often
+# ----------------------------------------------------------------------------
+COPY pyproject.toml /app/
 
 # ----------------------------------------------------------------------------
 # Create and populate virtual environment
 #  - Upgrade pip, setuptools, wheel, pdm, uv
 #  - Install project dependencies and package
-#  - Remove build caches
+#  - Remove build tools but keep runtime dist-info
+#  - Remove build caches and build artifacts
 # ----------------------------------------------------------------------------
 RUN set -euo pipefail \
     && python3 -m venv /app/.venv \
     && /app/.venv/bin/pip install --no-cache-dir --upgrade pip setuptools wheel pdm uv \
     && /app/.venv/bin/uv pip install ".[redis,postgres]" \
-    && /app/.venv/bin/pip uninstall --yes uv pip setuptools \
-    && rm -rf /root/.cache /var/cache/dnf
+    && /app/.venv/bin/pip uninstall --yes uv pip setuptools wheel pdm \
+    && rm -rf /root/.cache /var/cache/dnf \
+    && find /app/.venv -name "*.dist-info" -type d \
+        \( -name "pip-*" -o -name "setuptools-*" -o -name "wheel-*" -o -name "pdm-*" -o -name "uv-*" \) \
+        -exec rm -rf {} + 2>/dev/null || true \
+    && rm -rf /app/.venv/share/python-wheels \
+    && rm -rf /app/*.egg-info /app/build /app/dist /app/.eggs
+
+# ----------------------------------------------------------------------------
+# Now copy only the application files needed for runtime
+# This ensures code changes don't invalidate the dependency layer
+# ----------------------------------------------------------------------------
+COPY run-gunicorn.sh /app/
+COPY mcpgateway/ /app/mcpgateway/
+COPY gunicorn.config.py /app/
+COPY plugins/ /app/plugins/
+
+# Optional: Copy run.sh if it's needed in production
+COPY run.sh /app/
+
+# ----------------------------------------------------------------------------
+# Ensure executable permissions for scripts
+# ----------------------------------------------------------------------------
+RUN chmod +x /app/run-gunicorn.sh /app/run.sh
+
+# ----------------------------------------------------------------------------
+# Pre-compile Python bytecode with -OO optimization
+#  - Strips docstrings and assertions
+#  - Improves startup performance
+#  - Must be done before copying to rootfs
+#  - Remove __pycache__ directories after compilation
+# ----------------------------------------------------------------------------
+RUN python3 -OO -m compileall -q /app/.venv /app/mcpgateway /app/plugins \
+    && find /app -type d -name "__pycache__" -exec rm -rf {} + 2>/dev/null || true
 
 # ----------------------------------------------------------------------------
 # Build a minimal, fully-patched rootfs containing only the runtime Python
+# Include ca-certificates for HTTPS connections
 # ----------------------------------------------------------------------------
 # hadolint ignore=DL3041
 RUN set -euo pipefail \
-    && mkdir -p "${ROOTFS_PATH}" \
-    && dnf --installroot="${ROOTFS_PATH}" --releasever=9 upgrade -y \
-    && dnf --installroot="${ROOTFS_PATH}" --releasever=9 install -y \
+    && mkdir -p "${ROOTFS_PATH:?}" \
+    && dnf --installroot="${ROOTFS_PATH:?}" --releasever=9 upgrade -y \
+    && dnf --installroot="${ROOTFS_PATH:?}" --releasever=9 install -y \
          --setopt=install_weak_deps=0 \
+         --setopt=tsflags=nodocs \
          python${PYTHON_VERSION} \
-    && dnf clean all --installroot="${ROOTFS_PATH}"
+         ca-certificates \
+    && dnf clean all --installroot="${ROOTFS_PATH:?}"
 
 # ----------------------------------------------------------------------------
 # Create `python3` symlink in the rootfs for compatibility
 # ----------------------------------------------------------------------------
-RUN ln -s /usr/bin/python${PYTHON_VERSION} ${ROOTFS_PATH}/usr/bin/python3
+RUN ln -s /usr/bin/python${PYTHON_VERSION} ${ROOTFS_PATH:?}/usr/bin/python3
+
+# ----------------------------------------------------------------------------
+# Clean up unnecessary files from rootfs (if they exist)
+#  - Remove development headers, documentation
+#  - Use ${var:?} to prevent accidental deletion of host directories
+# ----------------------------------------------------------------------------
+RUN set -euo pipefail \
+    && rm -rf ${ROOTFS_PATH:?}/usr/include/* \
+    ${ROOTFS_PATH:?}/usr/share/man/* \
+    ${ROOTFS_PATH:?}/usr/share/doc/* \
+    ${ROOTFS_PATH:?}/usr/share/info/* \
+    ${ROOTFS_PATH:?}/usr/share/locale/* \
+    ${ROOTFS_PATH:?}/var/log/* \
+    ${ROOTFS_PATH:?}/boot \
+    ${ROOTFS_PATH:?}/media \
+    ${ROOTFS_PATH:?}/srv \
+    ${ROOTFS_PATH:?}/usr/games \
+    && find ${ROOTFS_PATH:?}/usr/lib*/python*/ -type d -name "test" -exec rm -rf {} + 2>/dev/null || true \
+    && find ${ROOTFS_PATH:?}/usr/lib*/python*/ -type d -name "tests" -exec rm -rf {} + 2>/dev/null || true \
+    && find ${ROOTFS_PATH:?}/usr/lib*/python*/ -type d -name "idle_test" -exec rm -rf {} + 2>/dev/null || true \
+    && find ${ROOTFS_PATH:?}/usr/lib*/python*/ -name "*.mo" -delete 2>/dev/null || true \
+    && rm -rf ${ROOTFS_PATH:?}/usr/lib*/python*/ensurepip \
+    ${ROOTFS_PATH:?}/usr/lib*/python*/idlelib \
+    ${ROOTFS_PATH:?}/usr/lib*/python*/tkinter \
+    ${ROOTFS_PATH:?}/usr/lib*/python*/turtle* \
+    ${ROOTFS_PATH:?}/usr/lib*/python*/distutils/command/*.exe
+
+# ----------------------------------------------------------------------------
+# Remove package managers and unnecessary system tools from rootfs
+# - Keep RPM database for security scanning with Trivy/Dockle
+# - This keeps the final image size minimal while allowing vulnerability scanning
+# ----------------------------------------------------------------------------
+RUN rm -rf ${ROOTFS_PATH:?}/usr/bin/dnf* \
+    ${ROOTFS_PATH:?}/usr/bin/yum* \
+    ${ROOTFS_PATH:?}/usr/bin/rpm* \
+    ${ROOTFS_PATH:?}/usr/bin/microdnf \
+    ${ROOTFS_PATH:?}/usr/lib/rpm \
+    ${ROOTFS_PATH:?}/usr/lib/dnf \
+    ${ROOTFS_PATH:?}/usr/lib/yum* \
+    ${ROOTFS_PATH:?}/etc/dnf \
+    ${ROOTFS_PATH:?}/etc/yum*
+
+# ----------------------------------------------------------------------------
+# Strip unneeded symbols from shared libraries and remove binutils
+# - This reduces the final image size and removes the build tool in one step
+# ----------------------------------------------------------------------------
+RUN find "${ROOTFS_PATH:?}/usr/lib64" -name '*.so*' -exec strip --strip-unneeded {} + 2>/dev/null || true \
+    && dnf remove -y binutils \
+    && dnf clean all
+
+# ----------------------------------------------------------------------------
+# Remove setuid/setgid binaries for security
+# ----------------------------------------------------------------------------
+RUN find ${ROOTFS_PATH:?} -perm /4000 -o -perm /2000 -type f -delete 2>/dev/null || true
+
+# ----------------------------------------------------------------------------
+# Create minimal passwd/group files for user 1001
+# - Using GID 1001 to match UID for consistency
+# - OpenShift compatible (accepts any UID in group 1001)
+# ----------------------------------------------------------------------------
+RUN printf 'app:x:1001:1001:app:/app:/sbin/nologin\n' > "${ROOTFS_PATH:?}/etc/passwd" && \
+    printf 'app:x:1001:\n' > "${ROOTFS_PATH:?}/etc/group"
+
+# ----------------------------------------------------------------------------
+# Create necessary directories in the rootfs
+#  - /tmp and /var/tmp with sticky bit for security
+# ----------------------------------------------------------------------------
+RUN chmod 1777 ${ROOTFS_PATH:?}/tmp ${ROOTFS_PATH:?}/var/tmp 2>/dev/null || true \
+    && chown 1001:1001 ${ROOTFS_PATH:?}/tmp ${ROOTFS_PATH:?}/var/tmp
 
 # ----------------------------------------------------------------------------
 # Copy application directory into the rootfs and fix permissions for non-root
+# - Set ownership to 1001:1001 (matching passwd/group)
+# - Allow group write permissions for OpenShift compatibility
 # ----------------------------------------------------------------------------
-RUN cp -r /app ${ROOTFS_PATH}/app \
-    && chown -R 1001:0 ${ROOTFS_PATH}/app \
-    && chmod -R g=u ${ROOTFS_PATH}/app
+RUN cp -r /app ${ROOTFS_PATH:?}/app \
+    && chown -R 1001:1001 ${ROOTFS_PATH:?}/app \
+    && chmod -R g=u ${ROOTFS_PATH:?}/app
 
 ###########################
 # Final runtime (squashed)
@@ -118,8 +225,18 @@ COPY --from=builder ${ROOTFS_PATH}/ /
 
 # ----------------------------------------------------------------------------
 # Ensure our virtual environment binaries have priority in PATH
+# - Don't write bytecode files (we pre-compiled with -OO)
+# - Unbuffered output for better logging
+# - Random hash seed for security
+# - Disable pip cache to save space
+# - Disable pip version check to reduce startup time
 # ----------------------------------------------------------------------------
-ENV PATH="/app/.venv/bin:${PATH}"
+ENV PATH="/app/.venv/bin:${PATH}" \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PYTHONHASHSEED=random \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
 
 # ----------------------------------------------------------------------------
 # Application working directory

Containerfile.lite

@@ -5,6 +5,7 @@
 # 1️⃣  Core project files that SDists/Wheels should always carry
 include LICENSE
 include README.md
+include plugins/README.md
 include pyproject.toml
 include gunicorn.config.py
 include Containerfile

MANIFEST.in

@@ -1225,6 +1225,7 @@ container-build:
 		--tag $(IMAGE_BASE):$(IMAGE_TAG) \
 		.
 	@echo "✅ Built image: $(call get_image_name)"
+	$(CONTAINER_RUNTIME) images $(IMAGE_BASE):$(IMAGE_TAG)
 
 container-run: container-check-image
 	@echo "🚀 Running with $(CONTAINER_RUNTIME)..."
@@ -1269,7 +1270,6 @@ container-run-ssl: certs container-check-image
 	-$(CONTAINER_RUNTIME) stop $(PROJECT_NAME) 2>/dev/null || true
 	-$(CONTAINER_RUNTIME) rm $(PROJECT_NAME) 2>/dev/null || true
 	$(CONTAINER_RUNTIME) run --name $(PROJECT_NAME) \
-		-u $(id -u):$(id -g) \
 		--env-file=.env \
 		-e SSL=true \
 		-e CERT_FILE=certs/cert.pem \
@@ -1290,7 +1290,6 @@ container-run-ssl-host: certs container-check-image
 	-$(CONTAINER_RUNTIME) stop $(PROJECT_NAME) 2>/dev/null || true
 	-$(CONTAINER_RUNTIME) rm $(PROJECT_NAME) 2>/dev/null || true
 	$(CONTAINER_RUNTIME) run --name $(PROJECT_NAME) \
-		-u $(id -u):$(id -g) \
 		--network=host \
 		--env-file=.env \
 		-e SSL=true \
@@ -1306,9 +1305,6 @@ container-run-ssl-host: certs container-check-image
 	@sleep 2
 	@echo "✅ Container started with TLS (host networking)"
 
-
-
-
 container-push: container-check-image
 	@echo "📤 Preparing to push image..."
 	@# For Podman, we need to remove localhost/ prefix for push

Makefile

@@ -9,7 +9,7 @@ CairoSVG>=2.8.2
 certifi>=2025.7.14
 cffi>=1.17.1
 charset-normalizer>=3.4.2
-click>=8.2.1
+click>=8.2.2
 colorama>=0.4.6
 csscompressor>=0.9.5
 cssselect2>=0.8.0
@@ -42,7 +42,7 @@ mkdocs-git-authors-plugin>=0.10.0
 mkdocs-git-revision-date-localized-plugin>=1.4.7
 mkdocs-glightbox>=0.4.0
 mkdocs-include-markdown-plugin>=7.1.6
-mkdocs-material>=9.6.15
+mkdocs-material>=9.6.16
 mkdocs-material-extensions>=1.3.1
 mkdocs-mermaid-plugin>=0.1.1
 mkdocs-mermaid2-plugin>=1.2.1
@@ -53,7 +53,7 @@ mkdocs-rss-plugin>=1.17.3
 mkdocs-table-reader-plugin>=3.1.0
 mkdocs-with-pdf>=0.9.3
 natsort>=8.4.0
-numpy>=2.3.1
+numpy>=2.3.2
 nwdiag>=3.0.0
 packaging>=25.0
 paginate>=0.5.7
@@ -64,14 +64,14 @@ platformdirs>=4.3.8
 pycparser>=2.22
 pydyf>=0.11.0
 Pygments>=2.19.2
-pymdown-extensions>=10.16
+pymdown-extensions>=10.16.1
 pyparsing>=3.2.3
 pyphen>=0.17.2
 python-dateutil>=2.9.0.post0
 pytz>=2025.2
 PyYAML>=6.0.2
 pyyaml_env_tag>=1.1
-regex>=2024.11.6
+regex>=2025.7.34
 requests>=2.32.4
 seqdiag>=3.0.0
 six>=1.17.0
@@ -83,7 +83,7 @@ tzdata>=2025.2
 urllib3>=2.5.0
 watchdog>=6.0.0
 wcmatch>=10.1
-weasyprint>=65.1
+weasyprint>=66.0
 webcolors>=24.11.1
 webencodings>=0.5.1
 zipp>=3.23.0

docs/requirements.txt

@@ -2078,7 +2078,7 @@ def masked(self) -> "GatewayRead":
             - The `auth_value` field is only masked if it exists and its value is different from the masking
             placeholder.
             - Other sensitive fields (`auth_password`, `auth_token`, `auth_header_value`) are masked if present.
-            - Fields not related to authentication remain unchanged.
+            - Fields not related to authentication remain unmodified.
         """
         masked_data = self.model_dump()
 

mcpgateway/schemas.py

@@ -0,0 +1 @@
+Plugins will go here..