Add Dockerfile and docker-compose (#78)

* Prepare templated env vars and args for use

* Fix: mcpd daemon --addr flag defaults to 0.0.0.0 bind address (localhost used when --dev mode is supplied)
* Update daemon context to honour interrupt signal (not just terminate signal)
* Update Environ() on Server to handle merging, filtering*, and expanding env vars (these are supplied to STDIO MCP client's env)
* Args supplied to STDIO MCP client are now resolved (from ${} )

*Filtering: is currently based on the proposed format for the command: mcpd config export

* Dockerfile

* Dockerfile and docker-compose added
* Updated Makefile to make building for linux easier

* Improve end user error information

* docs updates

Author: peteski22

Dockerfile

@@ -0,0 +1,64 @@
+# syntax=docker/dockerfile:1
+
+# ==============================================================================
+# Builder Stage: Fetch uv binaries
+# ==============================================================================
+FROM ghcr.io/astral-sh/uv:0.7.20 AS uv-builder
+
+# ==============================================================================
+# Final Stage: Build the production image.
+# Includes NodeJS to give mcpd access to the npx binary.
+# ==============================================================================
+FROM node:current-alpine3.22
+
+# --- Metadata ---
+# The version label should be dynamically overridden in a CI/CD pipeline
+# (e.g., --label "org.opencontainers.image.version=${GIT_TAG}").
+LABEL org.opencontainers.image.authors="Mozilla AI <[email protected]>"
+LABEL org.opencontainers.image.description="A container for the mcpd application."
+LABEL org.opencontainers.image.version="1.0.0"
+
+ARG MCPD_USER=mcpd
+ARG MCPD_HOME=/home/$MCPD_USER
+
+# Sensible defaults but can be easily overridden by the user with `docker run -e KEY=VALUE`.
+ENV MCPD_API_PORT=8090
+ENV MCPD_LOG_LEVEL=info
+
+#  - Installs 'tini', a lightweight init system to properly manage processes.
+#  - Adds a dedicated non-root group and user for security (using the ARG).
+#  - Creates necessary directories for configs, logs, and user data.
+#  - Sets correct ownership for the non-root user.
+USER root
+RUN apk add --no-cache python3 py3-pip tini && \
+    addgroup -S $MCPD_USER && \
+    adduser -D -S -h $MCPD_HOME -G $MCPD_USER $MCPD_USER && \
+    mkdir -p \
+      $MCPD_HOME/.config/mcpd \
+      /var/log/mcpd \
+      /etc/mcpd && \
+    chown -R $MCPD_USER:$MCPD_USER $MCPD_HOME /var/log/mcpd
+
+# Copy binaries from the dedicated 'uv-builder' stage.
+COPY --from=uv-builder /uv /uvx /usr/local/bin/
+
+# Copy application binary and set ownership to the non-root user.
+# IMPORTANT: Config/secrets are NOT copied. They should be mounted at runtime.
+COPY --chown=$MCPD_USER:$MCPD_USER mcpd /usr/local/bin/mcpd
+
+# Switch to the non-root user before execution.
+USER $MCPD_USER
+WORKDIR $MCPD_HOME
+
+EXPOSE $MCPD_API_PORT
+
+# Use 'tini' as the entrypoint to properly handle process signals (like CTRL+C)
+# and prevent zombie processes, ensuring clean container shutdown.
+ENTRYPOINT ["/sbin/tini", "--"]
+
+CMD mcpd daemon \
+    --addr 0.0.0.0:$MCPD_API_PORT \
+    --log-level $MCPD_LOG_LEVEL \
+    --log-path /var/log/mcpd/mcpd.log \
+    --config-file /etc/mcpd/.mcpd.toml \
+    --runtime-file /home/mcpd/.config/mcpd/secrets.prd.toml

Makefile

@@ -24,6 +24,14 @@ build:
 	@echo "building mcpd (with flags: ${LDFLAGS})..."
 	@go build -o mcpd -ldflags="${LDFLAGS}" .
 
+build-linux:
+	@echo "building mcpd for amd64/linux (with flags: ${LDFLAGS})..."
+	@GOOS=linux GOARCH=amd64 go build -o mcpd -ldflags="${LDFLAGS}" .
+
+build-linux-arm64:
+	@echo "building mcpd for arm64/linux (with flags: ${LDFLAGS})..."
+	@GOOS=linux GOARCH=arm64 go build -o mcpd -ldflags="${LDFLAGS}" .
+
 install: build
 	@# Copy the executable to the install directory
 	@# Requires sudo if INSTALL_DIR is a system path like /usr/local/bin
@@ -60,4 +68,12 @@ docs-cli:
 ## Updates mkdocs.yaml nav to match generated CLI docs
 docs-nav: docs-cli
 	@go run -tags=docsgen_nav ./tools/docsgen/cli/nav.go
-	@echo "navigation updated for MkDocs site"
+	@echo "navigation updated for MkDocs site"
+
+local-up: build-linux
+	@echo "starting mcpd container in detached state"
+	@docker compose up -d --build
+
+local-down:
+	@echo "stopping mcpd container"
+	@docker compose down

cmd/daemon.go

@@ -39,7 +39,7 @@ func NewDaemonCmd(baseCmd *cmd.BaseCmd, opt ...cmdopts.CmdOption) (*cobra.Comman
 	}
 
 	cobraCommand := &cobra.Command{
-		Use:   "daemon",
+		Use:   "daemon [--dev] [--addr]",
 		Short: "Launches an mcpd daemon instance",
 		Long:  "Launches an mcpd daemon instance, which starts MCP servers and provides routing via HTTP API",
 		RunE:  c.run,
@@ -55,9 +55,10 @@ func NewDaemonCmd(baseCmd *cmd.BaseCmd, opt ...cmdopts.CmdOption) (*cobra.Comman
 	cobraCommand.Flags().StringVar(
 		&c.Addr,
 		"addr",
-		"localhost:8090",
+		"0.0.0.0:8090",
 		"Address for the daemon to bind (not applicable in --dev mode)",
 	)
+
 	cobraCommand.MarkFlagsMutuallyExclusive("dev", "addr")
 
 	return cobraCommand, nil
@@ -66,14 +67,22 @@ func NewDaemonCmd(baseCmd *cmd.BaseCmd, opt ...cmdopts.CmdOption) (*cobra.Comman
 // run is configured (via NewDaemonCmd) to be called by the Cobra framework when the command is executed.
 // It may return an error (or nil, when there is no error).
 func (c *DaemonCmd) run(cmd *cobra.Command, args []string) error {
+	logger, err := c.Logger()
+	if err != nil {
+		return err
+	}
+
 	// Validate flags.
 	addr := strings.TrimSpace(c.Addr)
-	if err := daemon.IsValidAddr(addr); err != nil {
-		return err
+
+	// Override address for dev mode.
+	if c.Dev {
+		devAddr := "localhost:8090"
+		logger.Info("Development-focused mode", "addr", addr, "override", devAddr)
+		addr = devAddr
 	}
 
-	logger, err := c.Logger()
-	if err != nil {
+	if err := daemon.IsValidAddr(addr); err != nil {
 		return err
 	}
 
@@ -83,7 +92,11 @@ func (c *DaemonCmd) run(cmd *cobra.Command, args []string) error {
 	}
 
 	// Create the signal handling context for the application.
-	daemonCtx, daemonCtxCancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	daemonCtx, daemonCtxCancel := signal.NotifyContext(
+		context.Background(),
+		os.Interrupt,
+		syscall.SIGTERM, syscall.SIGINT,
+	)
 	defer daemonCtxCancel()
 
 	runErr := make(chan error, 1)
@@ -111,7 +124,7 @@ func (c *DaemonCmd) run(cmd *cobra.Command, args []string) error {
 		err := <-runErr // Wait for cleanup and deferred logging.
 		return err      // Graceful Ctrl+C / SIGTERM.
 	case err := <-runErr:
-		logger.Error("error running daemon instance", "error", err)
+		logger.Error("daemon exited with error", "error", err)
 		return err // Propagate daemon failure.
 	}
 }

docker-compose.yaml

@@ -0,0 +1,17 @@
+services:
+  mcpd:
+    build:
+      context: .
+      args:
+        MCPD_API_PORT: ${MCPD_API_PORT:-8090}
+    container_name: mcpd
+    env_file: .env
+    environment:
+      MCPD_API_PORT: ${MCPD_API_PORT:-8090}
+      MCPD_LOG_LEVEL: ${MCPD_LOG_LEVEL:-INFO}
+    ports:
+      - "${MCPD_API_PORT:-8090}:${MCPD_API_PORT:-8090}"
+    volumes:
+      - "${HOME}/.config/mcpd/secrets.dev.toml:/home/mcpd/.config/mcpd/secrets.prd.toml:ro"
+      - "./.mcpd.toml:/etc/mcpd/.mcpd.toml:ro"
+      - "./mcpd-container-logs:/var/log/mcpd"

docs/makefile.md

@@ -12,13 +12,19 @@ The `mcpd` project includes a `Makefile` to streamline common developer tasks.
 !!! note "Environment"
     Most commands assume you have Go installed and available in your `PATH`.
 
-### 🧱 Build Commands
+### 🧱 Build
 
 - **Build the binary**
     ```bash
     make build
     ```
 
+    !!! tip "Architectures and Operating Systems"
+        You can explicitly build the binary for a different architecture (`amd64/arm64`) or operating systems with:
+    
+        * `make build-linux`
+        * `make build-linux-arm64`
+
 - **Remove the compiled binary from the working directory**
     ```bash
     make clean
@@ -29,14 +35,18 @@ The `mcpd` project includes a `Makefile` to streamline common developer tasks.
     sudo make install
     ```
 
+    !!! note "Dependency"
+        The `install` target relies on the standard `build` target.
+
+
 - **Uninstall the binary**
     ```bash
     sudo make uninstall
     ```
 
 ---
 
-### 🧪 Test Commands
+### 🧪 Test
 
 - **Run all Go tests**
     ```bash
@@ -45,7 +55,27 @@ The `mcpd` project includes a `Makefile` to streamline common developer tasks.
 
 ---
 
-## 📝 Documentation Commands
+### 🐳 Run
+
+- **Start `mcpd` in a container**
+    ```bash
+    make local-up
+    ```
+
+    !!! warning "Default files"
+        By default the following files will be mounted to the container:
+        
+        * `.mcpd.toml` - the project configuration file in this repository
+        * `~/.config/mcpd/secrets.dev.toml` - the default location for runtime configuration
+
+- **Stop mcpd**
+    ```bash
+    make local-down
+    ```
+
+---
+
+### 📝 Documentation
 
 These commands manage the [MkDocs](https://www.mkdocs.org) developer documentation site for `mcpd`.
 
@@ -69,24 +99,28 @@ These commands manage the [MkDocs](https://www.mkdocs.org) developer documentati
     make docs
     ```
 
-!!! tip "First time?"
-    The `docs-local` command will create a virtual environment using `uv`, install MkDocs + Material theme, and start the local server at [http://localhost:8000](http://localhost:8000).
+    !!! tip "First time?"
+        The `docs-local` command will create a virtual environment using `uv`, install MkDocs + Material theme, and start the local server at [http://localhost:8000](http://localhost:8000).
 
 ---
 
 ## 🧭 Target Reference
 
 Here’s a complete list of Makefile targets:
 
-| Target         | Description                                   |
-|----------------|-----------------------------------------------|
-| `build`        | Compile the Go binary                         |
-| `install`      | Install binary to system path                 |
-| `uninstall`    | Remove installed binary                       |
-| `clean`        | Remove compiled binary from working directory |
-| `test`         | Run all Go tests                              |
-| `docs-cli`     | Generate Markdown CLI reference docs          |
-| `docs-nav`     | Update CLI doc nav in `mkdocs.yaml`           |
-| `docs-local`   | Serve docs locally via `mkdocs serve`         |
-| `docs`         | Alias for `docs-local` (runs everything)      |
+| Target              | Description                                   |
+|---------------------|-----------------------------------------------|
+| `build`             | Compile the Go binary                         |
+| `build-linux`       | Compile the Go binary for Linux on amd64      |
+| `build-linux-arm64` | Compile the Go binary for Linux on arm64      |
+| `install`           | Install binary to system path                 |
+| `uninstall`         | Remove installed binary                       |
+| `clean`             | Remove compiled binary from working directory |
+| `test`              | Run all Go tests                              |
+| `local-up`          | Start `mcpd` in a Docker container            |
+| `local-down`        | Stop a running `mcpd` Docker container        |
+| `docs-cli`          | Generate Markdown CLI reference docs          |
+| `docs-nav`          | Update CLI doc nav in `mkdocs.yaml`           |
+| `docs-local`        | Serve docs locally via `mkdocs serve`         |
+| `docs`              | Alias for `docs-local` (runs everything)      |
 

docs/requirements.md

@@ -2,11 +2,12 @@
 
 To use `mcpd`, ensure the following tools are installed:
 
-| Tool           | Purpose                                        | Notes                                                             | 
-|----------------|------------------------------------------------|-------------------------------------------------------------------| 
-| `Go >= 1.24.4` | Required for building `mcpd` and running tests | https://go.dev/doc/install                                        | 
-| `uv`           | for running `uvx` Python packages              | https://docs.astral.sh/uv/getting-started/installation/           |
-| `npx`          | for running JavaScript/TypeScript packages     | https://docs.npmjs.com/downloading-and-installing-node-js-and-npm |
+| Tool           | Purpose                                                     | Notes                                                             | 
+|----------------|-------------------------------------------------------------|-------------------------------------------------------------------| 
+| `Docker`       | Required if you want to run `mcpd` in a local container     | https://www.docker.com/products/docker-desktop/                   | 
+| `Go >= 1.24.4` | Required for building `mcpd` and running tests              | https://go.dev/doc/install                                        | 
+| `uv`           | for running `uvx` Python packages in `mcpd`, and local docs | https://docs.astral.sh/uv/getting-started/installation/           |
+| `npx`          | for running JavaScript/TypeScript packages in `mcpd`        | https://docs.npmjs.com/downloading-and-installing-node-js-and-npm |
 
 !!! note "Internet Connectivity"
     `mcpd` requires internet access to contact package registries and to allow MCP servers access to the internet if required when running.

internal/api/servers.go

@@ -163,7 +163,7 @@ func handleServerToolCall(accessor contracts.MCPClientAccessor, server string, t
 	} else if result == nil {
 		return nil, fmt.Errorf("%w: %s/%s: result was nil", errors.ErrToolCallFailedUnknown, server, tool)
 	} else if result.IsError {
-		return nil, fmt.Errorf("%w: %s/%s: %v", errors.ErrToolCallFailedUnknown, server, tool, extractMessage(result.Content))
+		return nil, fmt.Errorf("%w: %s/%s: %v", errors.ErrToolCallFailed, server, tool, extractMessage(result.Content))
 	}
 
 	resp := &ToolCallResponse{}

internal/daemon/daemon.go

@@ -141,22 +141,17 @@ func (d *Daemon) startMCPServer(ctx context.Context, server runtime.Server) erro
 
 	// Strip arbitrary package prefix (e.g. uvx::)
 	packageNameAndVersion := strings.TrimPrefix(server.Package, runtimeBinary+"::")
-	env := server.Environ()
+
 	var args []string
 	// TODO: npx requires '-y' before the package name
 	if runtime.Runtime(runtimeBinary) == runtime.NPX {
 		args = append(args, "y")
 	}
-	args = append([]string{packageNameAndVersion}, server.Args...)
+	args = append([]string{packageNameAndVersion}, server.ResolvedArgs()...)
 
-	logger.Debug(
-		"attempting to start server",
-		"binary", runtimeBinary,
-		"args", args,
-		"environment", env,
-	)
+	logger.Debug("attempting to start server", "binary", runtimeBinary)
 
-	stdioClient, err := client.NewStdioMCPClient(runtimeBinary, env, args...)
+	stdioClient, err := client.NewStdioMCPClient(runtimeBinary, server.Environ(), args...)
 	if err != nil {
 		return fmt.Errorf("error starting MCP server: '%s': %w", server.Name, err)
 	}

internal/daemon/server.go

@@ -115,16 +115,16 @@ func mapError(logger hclog.Logger, err error) huma.StatusError {
 		return huma.Error403Forbidden(err.Error())
 	case stdErrors.Is(err, errors.ErrToolListFailed):
 		logger.Error("Tool list failed", "error", err)
-		return huma.Error502BadGateway("MCP server error listing tools")
+		return huma.Error502BadGateway("MCP server error listing tools", err)
 	case stdErrors.Is(err, errors.ErrToolCallFailed):
 		logger.Error("Tool call failed", "error", err)
-		return huma.Error502BadGateway("MCP server error calling tool")
+		return huma.Error502BadGateway("MCP server error calling tool", err)
 	case stdErrors.Is(err, errors.ErrToolCallFailedUnknown):
 		logger.Error("Tool call failed, unknown error", "error", err)
-		return huma.Error502BadGateway("MCP server unknown error calling tool")
+		return huma.Error502BadGateway("MCP server unknown error calling tool", err)
 	default:
 		logger.Error("Unexpected error interacting with MCP server", "error", err)
-		return huma.Error500InternalServerError("Internal server error")
+		return huma.Error500InternalServerError("Internal server error", err)
 	}
 }
 

internal/runtime/runtimes.go

@@ -21,6 +21,10 @@ const (
 
 // AnyIntersection returns true if any value in a is also in b.
 func AnyIntersection(a []Runtime, b []Runtime) bool {
+	if a == nil || b == nil || len(a) == 0 || len(b) == 0 {
+		return false
+	}
+
 	set := map[Runtime]struct{}{}
 	for _, v := range b {
 		set[v] = struct{}{}