From 4889812f2d68a1480184ff81a8fb525aa4117974 Mon Sep 17 00:00:00 2001
From: fyzanshaik-atlan
Date: Fri, 13 Feb 2026 16:25:02 +0530
Subject: [PATCH] fix(docker): eliminate venv, use system python with uv

Remove the multi-stage builder and venv in favor of installing directly to system python using uv, mirroring how the pyatlan base image itself is built.

The pyatlan base image already provides pyatlan, pydantic, httpx, cryptography, authlib, h11, anyio, and other common packages at the system level. Only MCP-specific packages (fastmcp, uvicorn, and their transitive deps) need to be installed on top.

This eliminates:
- Builder stage (ghcr.io/astral-sh/uv:python3.11-bookworm-slim)
- Python venv and the broken symlink workaround (#206)
- Bundled pip/setuptools/wheel and their vendored dependencies which carried 2 HIGH vulnerabilities:
  - jaraco.context 5.3.0 (CVE-2026-23949)
  - wheel 0.45.1 (CVE-2026-24049)

Trivy scan: 0 HIGH/CRITICAL on the resulting image.
---
 modelcontextprotocol/Dockerfile | 39 ++++++++++++---------------------
 1 file changed, 14 insertions(+), 25 deletions(-)

diff --git a/modelcontextprotocol/Dockerfile b/modelcontextprotocol/Dockerfile
index 7c38dda..da4b04f 100644
--- a/modelcontextprotocol/Dockerfile
+++ b/modelcontextprotocol/Dockerfile
@@ -1,33 +1,22 @@
-# Use a Python image with uv pre-installed
-FROM ghcr.io/astral-sh/uv:python3.11-bookworm-slim AS builder
-
-# Set environment variables for build
-ENV PYTHONDONTWRITEBYTECODE=1 \
- PYTHONUNBUFFERED=1 \
- PIP_NO_CACHE_DIR=1
-
-# Install the project into `/app`
-WORKDIR /app
-
-ADD . /app
-
-# Create a virtual environment and install dependencies
-RUN python -m venv /app/.venv
-ENV PATH="/app/.venv/bin:$PATH"
-RUN uv sync --no-cache-dir --no-dev --python /app/.venv/bin/python
-
-FROM registry.atlan.com/public/pyatlan:main-latest AS runtime
+FROM registry.atlan.com/public/pyatlan:main-latest
+USER root
 WORKDIR /home/nonroot/app
-COPY --from=builder --chown=nonroot:nonroot /app /home/nonroot/app
+# Set UV environment variables
+ENV UV_NO_MANAGED_PYTHON=true \
+ UV_SYSTEM_PYTHON=true
-# Fix venv python symlink: builder has python at /usr/local/bin, runtime at /usr/bin
-RUN ln -sf /usr/bin/python3 /home/nonroot/app/.venv/bin/python && \
- ln -sf /usr/bin/python3 /home/nonroot/app/.venv/bin/python3
+# Copy project files
+COPY --chown=nonroot:nonroot . /home/nonroot/app
-# Set the PATH to use the virtual environment
-ENV PATH="/home/nonroot/app/.venv/bin:$PATH"
+# Install MCP server and its deps to system python
+# pyatlan and common deps (pydantic, httpx, cryptography, etc.) already in base image
+RUN uv pip install --system --no-cache --no-deps . && \
+ uv pip install --system --no-cache \
+ "fastmcp>=2.14.0" \
+ "uvicorn>=0.35.0" && \
+ rm -rf /root/.cache ~/.cache
 ENV MCP_TRANSPORT="stdio"
 ENV MCP_HOST="0.0.0.0"
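Review bot: `USER root` is added directly after `FROM` and nothing in the hunk switches back, so on the new side the image runs as root unless a `USER nonroot` appears later in the file (the hunk ends at `ENV MCP_HOST`, so that cannot be confirmed here); the previous version inherited the base image's user, and the files are still `--chown=nonroot:nonroot`, which suggests `nonroot` is the intended runtime identity. Placing `USER nonroot` immediately after the `RUN uv pip install ...` step, before the `ENV MCP_*` lines, confines root to the package-install layer. Separately, replacing the lockfile-driven `uv sync` with `uv pip install --system` of `"fastmcp>=2.14.0"` and `"uvicorn>=0.35.0"` lets the resolved dependency set float between builds, so the "Trivy scan: 0 HIGH/CRITICAL" result in the description describes only the build that produced it. Pinning exact versions (`==`) or installing from an exported lock (`uv export --no-dev -o requirements.txt` checked in, then `uv pip install --system --no-cache -r requirements.txt`) would make the image reproducible and the scan result meaningful for future builds.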