Skip to main content
Glama

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
DOCKER_HOSTNoDocker daemon endpoint (e.g., tcp://..., unix://..., ssh://...). Used when DOCKER_MCP_SERVER_HOSTS is not set.
SSH_AUTH_SOCKNoPath to SSH agent socket for SSH-based remote daemon connections.
DOCKER_CONTEXTNoName of Docker context to use for resolving the default daemon.
DOCKER_CERT_PATHNoPath to directory containing TLS certificates (ca.pem, cert.pem, key.pem).
DOCKER_TLS_VERIFYNoSet to '1' to enable TLS verification for the Docker daemon connection.
DOCKER_MCP_SERVER_HOSTSNoComma-separated list of name=endpoint pairs for multiple daemons. e.g., 'local=auto, prod=ssh://user@host(ro)'
DOCKER_MCP_SERVER_DISABLENoComma-separated list of domains to disable (e.g., 'swarm,buildx,scout').
DOCKER_MCP_SERVER_READONLYNoSet to '1', 'true', 'yes', or 'on' to register only read-only tools.
DOCKER_MCP_SERVER_NO_LABELSNoSet to '1' to disable provenance labels on created Docker objects.
DOCKER_MCP_SERVER_NO_DESTRUCTIVENoSet to '1', 'true', 'yes', or 'on' to register everything except destructive tools.
DOCKER_MCP_SERVER_REGISTRY_PASSWORDNoPassword or token for private registry authentication.
DOCKER_MCP_SERVER_REGISTRY_USERNAMENoUsername for private registry authentication (fallback when not provided in tool call).
DOCKER_MCP_SERVER_ALLOW_SELF_TERMINATENoSet to '1' to allow destructive actions on the server's own container (bypasses self-termination guard).

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
buildx_buildA

Build an image with BuildKit via docker buildx build.

Replaces the legacy image_build tool when you need any of: multi-platform output (platforms), modern cache export (cache_from/cache_to), SBOM or provenance attestations, build secrets, or multi-stage builds with target. Always runs with --progress=plain so output is captured rather than redrawn on a TTY.

args: context - Build context: a filesystem path or Git/HTTP URL (verbatim; no ~/glob expansion). The - stdin-tarball form is NOT supported (stdin isn't forwarded — it'd block on the server's own stdin); serve a pre-packed tarball over HTTP instead. tags - Image references to apply (-t, repeatable) platforms - Target platforms, e.g. ["linux/amd64", "linux/arm64"] file - Dockerfile path (relative to context unless absolute) build_args - Build-time variables (each becomes --build-arg KEY=VALUE) build_contexts - Additional named build contexts (e.g. {"deps": "./vendor"}) labels - Labels to set on the resulting image (each becomes --label KEY=VALUE) annotations - OCI manifest annotations (passed verbatim, repeatable) target - Target build stage to stop at push - Push the result to the registry (mutually exclusive with load) load - Load the result into the local image store (single-platform builds only) output - Custom --output specs (e.g. ["type=tar,dest=out.tar"]) no_cache - Do not use cache when building no_cache_filter - Stage names to exclude from caching pull - Always attempt to pull a newer version of each base image cache_from - Cache import specs, e.g. ["type=registry,ref=user/img:cache"] cache_to - Cache export specs builder - Override the active builder sbom - Shorthand for --attest=type=sbom; pass "true" or a config string provenance - Shorthand for --attest=type=provenance; pass "true", "false", or a config string attest - Custom attestation specs (repeatable) secret - Secret specs (e.g. ["id=npmrc,src=/home/user/.npmrc"] or ["id=npmrc,env=NPM_TOKEN"]). ~ in src= is NOT expanded (by this tool or the CLI) — use an absolute path. ssh - SSH agent socket/key specs (e.g. ["default"], using $SSH_AUTH_SOCK) timeout_seconds - Subprocess timeout (default 1800s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

buildx_bakeA

Build multiple targets defined in a bake file (HCL, JSON, or compose).

args: targets - Bake targets to build (default: the default group) files - Bake file paths (-f, repeatable) set_overrides - Per-target overrides, e.g. ["app.platform=linux/amd64"] push - Push results to the registry load - Load results into the local image store no_cache - Do not use cache when building pull - Always pull a newer base image builder - Override the active builder cwd - Working directory containing the bake file (defaults to the server's cwd) timeout_seconds - Subprocess timeout (default 1800s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

buildx_imagetools_inspectA

Inspect a manifest in a registry without pulling.

Replaces docker manifest inspect. The standalone docker manifest command is in maintenance mode and lacks support for OCI image indexes, attestations, and annotations — buildx imagetools inspect is the path forward and handles both single-platform manifests and multi-platform manifest lists / OCI indexes. Uses the docker CLI's credential store; registry_manifest answers the same question over direct HTTPS with no daemon or plugin.

args: image - Image reference, e.g. "alpine:3.19" or "ghcr.io/org/repo@sha256:..." raw - Return the raw manifest bytes (a JSON document) instead of the human-rendered tree format - Go template format string (mutually exclusive with raw) builder - Override the active builder returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}. When raw=True or format="{{json .}}", stdout is a JSON document the caller can parse.

buildx_imagetools_createA

Create a manifest list / OCI image index from existing per-platform tags.

Replaces docker manifest create + docker manifest push — builds the index and pushes it in one operation. Source tags must already be pushed; this only stitches them together.

args: target - Tag for the new manifest list (-t) sources - Source image references to combine append - Append to the existing manifest at target rather than replacing dry_run - Print the resulting manifest without pushing annotations - OCI annotations (repeatable; passed verbatim) platforms - Filter source platforms when combining descriptor_files - Files to read source descriptors from, instead of refs builder - Override the active builder timeout_seconds - Subprocess timeout (default 600s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

buildx_listA

List builder instances.

returns: list - One dict per builder (parsed from --format '{{json .}}'). If the captured stdout was truncated by MAX_CLI_OUTPUT_BYTES the last (likely partial) record is dropped before parsing.

buildx_history_listA

List recent build records (BuildKit build history), parsed from --format '{{json .}}'.

Each record is a past build with its ref, name, status, step counts, and timestamps — useful for finding a build to drill into with buildx_history_inspect. Requires buildx >= v0.13 (older versions have no history subcommand and this raises with the CLI's "unknown command" error).

args: builder - Builder instance to read history from (defaults to the active builder) returns: list - One dict per build record (ref, name, status, total/completed/cached steps, times)

buildx_history_inspectA

Inspect a single build record by ref, parsed from --format json.

Returns the full record for one build — duration, materials, attestations, error (if any) — for debugging a failed or slow build found via buildx_history_list. Requires buildx >= v0.13.

args: ref - Build record ref. Pass the ref field from buildx_history_list directly — it reports a qualified "//", but history inspect only accepts the bare id, so this reduces it to the id and (unless builder is given) targets the builder named in the ref. Empty/omitted inspects the most recent build; the ^N syntax (e.g. "^0" = latest) is also valid. builder - Builder instance the build ran on (defaults to the one in ref, else active) returns: dict - The parsed build record (or {"raw": } if the output isn't a JSON object)

buildx_inspectA

Inspect a builder instance.

args: name - Builder name (defaults to the active builder) bootstrap - Boot the builder if it isn't already running returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}. stdout is human-readable; parse with the agent or call buildx_list for JSON.

buildx_duA

Report BuildKit cache disk usage as a list of records.

A large cache can easily generate more output than MAX_CLI_OUTPUT_BYTES; if that happens the captured stdout is truncated and this tool drops the final (partial) record before parsing. For an exhaustive accounting on a busy builder, run docker buildx du --format '{{json .}}' on the host directly.

args: builder - Override the active builder returns: list - One dict per cache record (parsed from --format '{{json .}}')

buildx_pruneA

Remove BuildKit cache entries.

Destructive: this tool always passes --force because no interactive prompt is available under MCP. Pair with buildx_du first to inventory what would be removed.

args: all - Include internal/frontend images filters - Filter by attributes (e.g. {"until": "24h", "type": "exec.cachemount"}) reserved_space - Amount of disk to always keep (e.g. "10GB") max_used_space - Maximum disk space the cache may use (e.g. "20GB") min_free_space - Target amount of free disk after pruning (e.g. "5GB") builder - Override the active builder timeout_seconds - Subprocess timeout (default 600s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

buildx_createA

Create a new BuildKit builder instance.

Needed when the default docker driver falls short: multi-platform builds and cache export require a docker-container (or kubernetes/remote) builder. Pass use=True to make it the default for later buildx_build calls (else switch with buildx_use); bootstrap=True starts the builder now rather than on first build. Does not raise on a non-zero CLI exit — inspect returncode/stderr in the result.

args: name - Name for the new builder (defaults to a generated name) driver - BuildKit driver (e.g. "docker-container", "kubernetes", "remote") driver_opts - Driver-specific options (each becomes --driver-opt KEY=VALUE) use - Set the new builder as the current one bootstrap - Boot the builder immediately platforms - Platforms the builder advertises config - Path to a buildkitd config file node_name - Node name within the builder (for multi-node builders) append - Append a node to an existing builder named name returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

buildx_useA

Select the active builder for subsequent buildx operations.

Without default or global_default the switch applies only to the current CLI session. default persists the choice for the current Docker context; global_default persists across all Docker contexts. Use buildx_list to see available builders and their current status. To avoid switching the global default, pass a specific builder name directly via buildx_build's builder parameter instead.

args: name - Builder name to activate (from buildx_list) default - Persist as default builder for the current Docker context global_default - Persist as default builder across all Docker contexts returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

buildx_removeA

Remove a builder instance.

args: name - Builder name to remove (mutually exclusive with all_inactive) all_inactive - Remove every inactive builder keep_state - Keep the BuildKit state volume keep_daemon - Keep the BuildKit daemon process running force - Force removal even if the builder is in use returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

system_pingA

Check that the Docker server is responsive.

returns: bool - True if the daemon responded successfully

system_versionA

Return Docker server version information.

returns: dict - Version information from the Docker daemon

system_infoA

Return system-wide Docker information.

returns: dict - System information from the Docker daemon

system_dfA

Summarize Docker disk usage: layer storage plus per-object sizes for images, containers, volumes, build cache.

Equivalent to docker system df. Use it to find what to reclaim before image_prune / container_prune / volume_prune / buildx_prune; use system_info for daemon config and counts rather than sizes. The reply enumerates every object on the daemon, so expect a large payload on busy hosts.

returns: dict - {"LayersSize", "Images", "Containers", "Volumes", "BuildCache"} with per-object size fields

host_listA

List the Docker hosts configured via DOCKER_MCP_SERVER_HOSTS.

With a single host (or the var unset) this is the one resolved daemon; with several it is the set the host argument selects from. The default entry is the one used when host is omitted.

returns: list[dict] - one per host: name; url (resolved daemon URL, null = docker-py platform default); read_only; tls (whether a per-host cert dir is configured); default (the omitted-host fallback)

system_loginA

Authenticate with a Docker registry.

Security: the password is sent as a tool argument, which many MCP clients log verbatim. Prefer running docker login once on the host so the docker module reuses the credentials cached in ~/.docker/config.json, and avoid calling this tool from an agent loop.

args: username - Registry username password - Registry password or token email - Registry account email registry - URL to the registry (defaults to Docker Hub) reauth - Force re-authentication even if valid credentials exist dockercfg_path - Path to a custom dockercfg file returns: dict - The server response from the login request

system_logoutA

Clear cached registry credentials from this server's in-memory Docker client.

docker-py / the Engine have no true logout: system_login validates against the registry (the daemon's /auth is stateless) and caches credentials in-process. This drops that in-memory cache; it does NOT contact the daemon or touch the host's ~/.docker/config.json. With no registry, clears every cached credential; pass one to clear just that entry (key must match system_login; Docker Hub is cached under "docker.io"). system_close/system_reconnect also clear it by discarding the client.

Reaches into a private docker-py attribute (api._auth_configs); degrades to clearing nothing if that internal shape changes.

args: registry - Registry key to clear, or None to clear every cached credential returns: dict - {"cleared": []}

system_eventsA

Stream real-time events from the Docker server, bounded by limit events or timeout_seconds.

Returns when limit events are collected or timeout_seconds elapses, whichever comes first (limit caps memory; timeout_seconds caps how long the call blocks — without it a quiet daemon would block indefinitely, since the stream only yields on an actual event).

Caveat for ssh:// daemons: docker-py can't cancel an SSH stream, so the timeout_seconds watchdog can't interrupt a fully idle stream — bound with until/limit (or a non-SSH endpoint).

"Wait for the next matching event" idiom: pass limit=1 with filters narrowed to what you care about (e.g. {"type": "container", "event": "health_status"}) and a generous timeout_seconds. This blocks until that one event arrives (or the timeout elapses, returning an empty list) instead of re-polling a snapshot on a timer — there's no separate wait tool for this since the filtering this call already does covers it.

args: since - Show events created since this timestamp until - Show events created until this timestamp filters - Filters to apply to the event stream limit - Max events to return (default 100) timeout_seconds - Max wall-clock seconds before returning what was collected (default 30) returns: list - A list of decoded event dicts (length <= limit)

system_closeA

Close and drop pooled Docker client connection(s); each is rebuilt lazily on next use.

Use this to force a stale or errored connection to be discarded. Prefer system_reconnect when you want to immediately re-establish the connection rather than wait for the next tool call to trigger a lazy rebuild. With host omitted every pooled client is closed (unlike other tools, where omitting it means the default host). Closing clients does not affect running containers.

returns: bool - True once closed

system_reconnectA

Rebuild a pooled Docker client from its configured endpoint, to recover a wedged connection.

Validates the rebuilt client before swapping in (and only then closes the old one), so a failed rebuild leaves the working client in place. Rebuilds the default host's client when host is omitted. It CANNOT retarget to a different daemon — to add or change a daemon, edit DOCKER_MCP_SERVER_HOSTS and restart.

returns: dict - the rebuilt host's version info (same shape as system_version), confirming connectivity

compose_upA

Bring up a Docker Compose project, detached.

Always runs detached (-d) so it can't block the server. Use compose_ps to confirm services are running, or wait=True to block until they're healthy.

args: project_dir - Dir with the compose file (default: server cwd; paths verbatim, no shell expansion) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override profiles - Profiles to activate services - Specific services to bring up (default: all) build - Build images before starting pull - Pull strategy: "always", "missing", "never", or "policy" (compose default) remove_orphans - Remove containers for services not in the compose file wait - Block until services are healthy (adds --wait) timeout_seconds - Subprocess timeout (default 600s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_downA

Stop and remove containers, networks (and optionally volumes) for a compose project.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override profiles - Profiles to consider volumes - Also remove named volumes declared by the project (destructive) remove_orphans - Remove containers not declared in the compose file timeout_seconds - Subprocess timeout (default 300s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_psA

List containers in a compose project, parsed from --format json.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override services - Restrict output to these services all - Include stopped containers as well returns: dict - {"services": list[dict], "raw": }; on non-zero exit services is an empty list and the caller should inspect raw.stderr.

compose_logsA

Fetch a bounded slice of logs from a compose project (never follows).

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override services - Restrict to these services (default: all) tail - Lines per container (default 200), or the literal "all" (still capped at MAX_CLI_OUTPUT_BYTES) since - Show logs since this timestamp/duration (e.g. "10m", "2024-01-01T00:00:00") until - Show logs before this timestamp/duration timestamps - Include per-line timestamps returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_configA

Render the canonical compose configuration after merges, profiles, and variable substitution.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override profiles - Profiles to activate before rendering services_only - List service names only (--services) format - "yaml" (default) or "json" returns: dict - {"config": str|dict|None, "raw": }; config is a parsed dict when format="json" and parsing succeeds, otherwise the rendered text from stdout.

compose_buildA

Build images for a compose project.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override services - Specific services to build (default: all) pull - Always attempt to pull a newer base image no_cache - Do not use cache when building timeout_seconds - Subprocess timeout (default 1800s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_pullA

Pre-fetch images for a compose project's services without starting them.

Use this to stage images before an outage window, to refresh cached images before compose_up, or to verify images are accessible without starting containers. For registry-authenticated pulls ensure the daemon is logged in first with system_login. compose_up --pull always does the same as part of startup; use this tool when you want to separate the pull step.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f; overrides auto-discovery) project_name - Override the compose project name services - Pull only these services; omit to pull all ignore_pull_failures - Continue if an individual image pull fails timeout_seconds - Subprocess timeout (default 1800s for large image pulls) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_restartA

Stop then start services without recreating containers or applying config changes.

Use this to bounce a service (e.g. to pick up a runtime file change or clear an in-memory state). If the compose file has changed (new image, environment, volumes, ports) use compose_up instead — it recreates affected containers to apply the diff. stop_timeout_seconds controls the SIGTERM grace period before Docker sends SIGKILL.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Override the compose project name services - Restart only these services; omit to restart all stop_timeout_seconds - Seconds to wait for graceful stop before SIGKILL timeout_seconds - Subprocess timeout (default 300s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_stopA

Stop services in a compose project without removing their containers.

Unlike compose_down, containers/networks/volumes survive — use compose_start to bring them back.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override services - Specific services to stop (default: all) stop_timeout_seconds - Grace period before SIGKILL (passed as --timeout) timeout_seconds - Subprocess timeout (default 300s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_startA

Start existing (stopped) containers of a compose project.

Counterpart to compose_stop: starts existing containers without recreating them. Use compose_up to (re)create containers from the compose file.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override services - Specific services to start (default: all) timeout_seconds - Subprocess timeout (default 600s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_runA

Run a one-off command against a compose service.

Always passes -T (no TTY under MCP). Defaults to detached with --rm so the call returns promptly.

args: service - Service name from the compose file command - Command + args to run (exec-form; no shell unless you invoke one) project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override detach - Run detached (default True) rm - Remove the container after the run (default True) no_deps - Don't start linked services workdir - Working directory inside the container user - User to run as inside the container (uid or name) env - Environment variables to set inside the container name - Optional container name timeout_seconds - Subprocess timeout (default 600s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_execA

Run a command inside an already-running compose service container (see also container_exec).

Always passes -T (no TTY). Pass an exec-form argv (e.g. ["python", "-V"]); a ["sh", "-c", "..."] form interprets shell metacharacters in untrusted substrings.

args: service - Service name from the compose file command - Argv to execute inside the container project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override index - Container index when the service has multiple replicas (default 1) workdir - Working directory inside the container user - User to run as inside the container (uid or name) env - Environment variables to set for the exec session timeout_seconds - Subprocess timeout (default 60s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_imagesA

List the images used by a compose project's services, parsed from --format json.

Answers "what image and tag does each service container actually run?" — the containers must exist (compose_up/compose_create first). Use compose_ps for container state and image_list for daemon-wide images. Raises RuntimeError if the CLI call fails.

args: project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override services - Restrict to these services (default: all) returns: list - One dict per container image (service, container, repository, tag, id, size)

compose_portA

Resolve the host binding for a service's container port.

The compose equivalent of docker port: which host address/port a service's private port is published on. published is None when the port isn't published.

args: service - Service name from the compose file private_port - The container-internal port to look up protocol - "tcp" (default) or "udp" index - Container index when the service has multiple replicas (default 1) project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override returns: dict - {"service", "private_port", "protocol", "published": "host:port"|None, "host": str|None, "port": int|None, "bindings": list[str]}. published/host/port describe the first binding; bindings lists every line (a port can be published on more than one address, e.g. IPv4 and IPv6).

compose_waitA

Block until the named service containers stop, then return their exit codes.

For one-shot / batch services. A long-running service that never exits blocks until timeout_seconds, then the subprocess is killed (TimeoutExpired) — bound it sensibly. Exit codes are on stdout.

args: services - One or more services to wait on. At least one is required. project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override timeout_seconds - Subprocess timeout (default 300s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_topA

Show the running processes of a compose project's containers.

Output is the ps-style process table per service (not JSON); read it from stdout.

args: services - Restrict to these services (default: all) project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_cpA

Copy files/folders between a service container and the server host's filesystem.

Exactly one of source/dest is SERVICE:PATH; the other is a path on the host running this MCP server, read/written as the server's user (same host exposure as the file-path archive tools — see SECURITY.md). Copying to stdout (dest="-") is unsupported; use the container-archive tools.

args: source - SERVICE:SRC_PATH or a host path dest - SERVICE:DEST_PATH or a host path (not "-") index - Container index when the service has multiple replicas (default 1) all_containers - Copy to/from all containers of the service (--all) project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override timeout_seconds - Subprocess timeout (default 300s) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_killA

Send a signal to a compose project's containers (default SIGKILL).

args: services - Restrict to these services (default: all) signal - Signal to send (default "SIGKILL"; e.g. "SIGTERM", "SIGHUP") remove_orphans - Also remove containers for services not in the compose file project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_pauseA

Pause the containers of a compose project (freezes their processes in place).

Paused containers stop consuming CPU but keep memory, network endpoints, and state; resume with compose_unpause. To actually stop containers (each one's configured stop signal, freeing resources) use compose_stop; to stop and delete them use compose_down. Does not raise on a non-zero CLI exit — inspect returncode/stderr in the result.

args: services - Restrict to these services (default: all) project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_unpauseA

Unpause the containers of a compose project (resumes paused processes).

args: services - Restrict to these services (default: all) project_dir - Dir with the compose file (default: server cwd) files - Explicit compose file paths (repeatable, -f) project_name - Compose project name override returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

compose_listA

List compose projects known to the daemon (across all directories).

args: all - Include stopped projects returns: list - One dict per project (parsed from --format json)

config_createA

Create an immutable Swarm config object; requires a swarm manager.

Configs store non-sensitive configuration files (nginx.conf, app.yaml, etc.) and mount them into service containers at a specified path. Unlike secrets, config data is not encrypted at rest — use secret_create for credentials or keys. data is raw bytes; encode strings first (e.g. "my config".encode()). Once created, a config is immutable: to update it, create a new config with a new name and update the service to reference it, then remove the old config with config_remove.

args: name - Unique config name within the swarm data - Raw bytes content of the config file labels - Labels to set on the config templating - Templating driver config (e.g. {"Name": "golang"} for Go template syntax) returns: dict - The created config's attrs including its id

config_inspectA

Get a swarm config's full inspect payload by id or name.

Requires a swarm manager. Unlike a secret, a config's payload IS readable after creation: Spec.Data in the result holds the base64-encoded contents. Use config_list to enumerate configs; use this to read one config's contents and metadata.

args: id_or_name - The config id or name returns: dict - The config's attrs (ID, CreatedAt, UpdatedAt, Spec{Name, Labels, Data base64})

config_listA

List swarm configs; requires a swarm manager.

Unlike secrets, config attrs include the actual config data (Spec.Data, base64-encoded) since configs are not treated as sensitive. Valid filter keys: id, name, names, label (key or key=value).

args: filters - Narrow the list; omit to return every config returns: list - A list of config attrs dicts

config_removeA

Remove a swarm config.

args: id_or_name - The config id or name returns: bool - True after removal

container_runB

Run a container from an image.

args: image - The image to run command - The command to run in the container name - Name to assign to the container detach - Run in the background and return container info environment - Environment variables to set ports - Port mappings, e.g. {'2222/tcp': 3333} volumes - Volumes to mount network - Name of the network to attach hostname - Optional hostname for the container user - Username or UID to run as working_dir - Working directory inside the container entrypoint - Entrypoint to override the image default restart_policy - Restart policy, e.g. {'Name': 'on-failure', 'MaximumRetryCount': 3} labels - Labels to set on the container remove - Remove the container when it exits (only with detach=False) auto_remove - Enable auto-removal of the container on daemon side privileged - Give extended privileges to the container tty - Allocate a pseudo-TTY stdin_open - Keep STDIN open mem_limit - Memory limit cpu_count - Number of CPUs extra_kwargs - Additional keyword arguments forwarded to ContainerCollection.run (call docs_lookup(section="containers") for the full accepted set) returns: dict | str - Container attrs when detach=True, otherwise stdout/stderr as a string

container_createA

Create a container from an image without starting it.

Use this when you need to configure a container (with extra_kwargs) before its first start, or want creation and start as separate observable steps. For the common case of create-then-start-immediately use container_run instead — it does both in one call. Start the created container with container_start. Common extra_kwargs keys: name (str), environment (list of "KEY=VAL" or dict), ports (dict, e.g. {"80/tcp": 8080}), volumes (dict, e.g. {"/host/path": {"bind": "/container/path", "mode": "rw"}}), labels (dict). For anything else docker-py's ContainerCollection.create accepts, call docs_lookup(section="containers") rather than guessing a key name.

args: image - Image to create the container from, e.g. "nginx:alpine" command - Override the image's default command; string or list of strings extra_kwargs - Additional docker-py ContainerCollection.create keyword arguments returns: dict - The created container's attrs (not yet running)

container_inspectA

Return the full inspect detail for a single container.

Use this when you need complete information about one container — config, state, network settings, mounts, environment variables, and resource limits. For a quick overview of many containers use container_list instead (returns a summary per container). For just logs or stats use container_logs / container_stats.

args: id_or_name - Container id (full or short) or name returns: dict - Full container inspect attrs (equivalent to docker inspect)

container_listA

List containers.

args: all - Show all containers, including stopped ones since - Only show containers created after this id or name before - Only show containers created before this id or name limit - Maximum number of results filters - Filter by attributes (e.g. status, label) sparse - Skip inspect calls and return less detail ignore_removed - Ignore containers removed during listing managed_only - Only return containers created by this MCP server (filters on the docker-mcp-server.managed label); combines with any filters given returns: list - A list of container attrs dicts

container_pruneA

Remove all stopped containers to reclaim disk space.

Only removes containers that are not running — running containers are never affected. Use container_list(all=True) to preview what would be removed before calling this. Valid filter keys: until (RFC3339 timestamp or duration like "24h" — removes containers stopped before that point), label (key or key=value). For a broader cleanup of containers plus unused images, networks, and volumes see the prune_managed prompt.

args: filters - Narrow which stopped containers to remove; omit to remove all stopped returns: dict - {"ContainersDeleted": [...], "SpaceReclaimed": }

container_startA

Start an existing stopped container.

Use this to restart a container that was previously created or stopped without removing it. To create and start a new container in one step use container_run instead. Calling on an already-running container has no effect (the daemon returns 304 and no error is raised). To stop then start a running container use container_restart.

args: id_or_name - Container id (full or short) or name returns: dict - The container's full attrs after starting

container_stopA

Gracefully stop a running container (its configured stop signal, then SIGKILL after a timeout).

Prefer this over container_kill for a clean shutdown: the main process receives the container's stop signal (STOPSIGNAL, default SIGTERM) and has stop_timeout_seconds to exit before the daemon force-kills it. Use container_restart to stop and start again in one call, or container_pause to freeze processes without stopping. When the server runs containerized it refuses to stop its own container.

args: id_or_name - The container id or name stop_timeout_seconds - Seconds between the stop signal and SIGKILL (default 10) returns: dict - The container's attrs after the stop (exit code under State.ExitCode)

container_restartA

Restart a container.

args: id_or_name - The container id or name stop_timeout_seconds - Seconds to wait for graceful stop before SIGKILL and restart returns: dict - The container's attrs after restart

container_killA

Send a signal to a running container (default SIGKILL — immediate, no graceful shutdown).

Use it to force-kill a container that ignores container_stop, or with signal to poke a process without stopping it (e.g. SIGHUP for a config reload). For a normal shutdown prefer container_stop, which sends the container's configured stop signal first. Fails with a conflict error if the container is not running. When the server runs containerized it refuses to signal its own container.

args: id_or_name - The container id or name signal - Signal name or number as a string (e.g. "SIGHUP", "9"); default SIGKILL returns: dict - The container's attrs after the signal

container_pauseA

Suspend all processes in a container using the kernel freezer cgroup.

Unlike sending SIGSTOP, the freezer cgroup suspends processes without their being able to observe or intercept the suspension. A paused container keeps its resources (memory, open file descriptors) but consumes no CPU. Resume with container_unpausecontainer_exec fails against a paused container until it is unpaused.

args: id_or_name - The container id or name returns: dict - The container's attrs after pause

container_unpauseA

Resume all processes in a paused container (the reverse of container_pause).

Only valid on a paused container — it fails if the container is merely stopped; use container_start for stopped containers. Processes continue from where they were frozen.

args: id_or_name - The container id or name returns: dict - The container's attrs after unpause (State.Paused becomes false)

container_removeA

Remove a container.

args: id_or_name - The container id or name volumes - Also remove anonymous volumes (the CLI's --volumes) link - Remove the specified link force - Force remove a running container returns: bool - True after removal completes

container_logsA

Get the logs of a container: a one-shot snapshot by default, or a bounded live tail with follow=True.

Follow mode returns when limit_lines lines are collected, timeout_seconds elapses, or the container exits, whichever comes first — so the agent can watch live output without blocking forever. limit_lines/timeout_seconds apply only in follow mode; until only in snapshot mode.

Caveat for ssh:// daemons: docker-py can't cancel an SSH stream, so in follow mode the timeout_seconds watchdog can't interrupt a fully silent container — use the snapshot mode there if you need a hard time bound.

args: id_or_name - The container id or name stdout - Include stdout stderr - Include stderr timestamps - Include timestamps tail - Number of lines from the end (default 200), or the literal "all" for everything since - Only return logs created after this unix timestamp until - Only return logs created before this unix timestamp (snapshot mode only) follow - Follow the live log stream instead of returning a snapshot limit_lines - Follow mode: max lines to collect before returning (default 200) timeout_seconds - Follow mode: max wall-clock seconds before returning what was collected (default 30) returns: str - Decoded log output (up to limit_lines lines in follow mode)

container_statsA

Get one point-in-time resource-usage snapshot for a container (non-streaming).

Returns the raw engine stats payload; CPU percent must be computed from the delta between cpu_stats and precpu_stats. For a pre-computed human-readable summary prefer the docker-stats://{id_or_name} resource; for a process listing use container_top.

args: id_or_name - The container id or name returns: dict - Engine stats payload (read, cpu_stats, precpu_stats, memory_stats, networks, pids_stats, ...)

container_topA

List the processes running inside a container (the daemon runs ps on the host).

Works on any running container without executing anything in it, so it needs no shell or ps binary in the image — unlike container_exec with ps. Use container_stats for resource usage rather than process lists. Fails if the container is not running.

args: id_or_name - The container id or name ps_args - Extra ps arguments (e.g. "aux"); default is the daemon's standard ps invocation returns: dict - {"Titles": [ps column names], "Processes": [[one row of values per process]]}

container_execA

Run a command inside a running container (for a compose service, prefer compose_exec).

Security: when any element of cmd is agent-controlled, use an exec-form argv list that does not invoke a shell (e.g. ["python", "-V"], ["ls", path]). A string cmd, or a shell form like ["sh", "-c", template], interprets shell metacharacters in the untrusted parts.

args: id_or_name - The container id or name cmd - Command to execute (prefer exec-form argv, no shell, when any element is agent-controlled) stdout - Attach to stdout stderr - Attach to stderr stdin - Attach to stdin tty - Allocate a pseudo-TTY privileged - Run with extended privileges user - User to run the command as detach - Detach from the exec environment - Environment variables workdir - Working directory inside the container demux - Return stdout and stderr separately returns: dict - Mapping with exit_code and output keys

container_commitA

Snapshot a container's current filesystem state as a new image.

Useful for capturing a debugging state or saving manual changes made inside a container. For repeatable builds use a Dockerfile instead. The container is paused by default during the snapshot to ensure filesystem consistency — set pause=False only if the container cannot be paused. changes accepts Dockerfile instructions to apply on top of the snapshot, e.g. ["CMD ["python", "app.py"]", "ENV FOO=bar"].

args: id_or_name - Container id or name to snapshot repository - Repository name for the new image, e.g. "myorg/myimage" tag - Tag for the new image (default: "latest") message - Commit message stored in the image metadata author - Author string stored in the image metadata pause - Pause the container during commit for consistency (default True) changes - Dockerfile instructions (CMD, ENV, EXPOSE, etc.) to apply to the image conf - Additional image configuration overrides as a dict returns: dict - The new image's attrs

container_diffA

List filesystem changes a container has made relative to its image.

Use it to audit what a container wrote before container_commit or container_archive_get, or to debug unexpected writes. Only the writable container layer is compared — files in volumes and bind mounts never show up.

args: id_or_name - The container id or name returns: list - Dicts of {"Path", "Kind"}; Kind 0=modified, 1=added, 2=deleted

container_renameA

Rename a container in place; its id, state, and configuration are unchanged.

Use it to free up or claim a container name (names are unique per daemon) — e.g. before starting a replacement under the old name. Fails with a conflict error if the new name is already taken. Not related to image_tag, which names images.

args: id_or_name - The container id or name name - The new name; must not be in use by any other container returns: dict - The container's attrs after the rename

container_updateA

Update resource limits on a container without recreating it.

Changes take effect immediately on Linux (cgroups); not all fields are updatable on every platform. Common updates keys: mem_limit (bytes, e.g. 134217728 for 128 MB), memswap_limit (memory+swap in bytes; -1 = unlimited), cpu_shares (relative weight, default 1024), cpu_period / cpu_quota (microseconds for CFS throttling), cpuset_cpus (e.g. "0-1"), restart_policy (dict with Name such as "on-failure"/"always"/"unless-stopped" and optional MaximumRetryCount). To change image, env, or volumes the container must be recreated.

args: id_or_name - Container id or name to update updates - Resource fields to update; see description for valid keys returns: dict - The container's full attrs after the update

container_waitA

Block until a container reaches a condition: stopped, "healthy", or its logs contain a pattern.

One contract for every mode: never raises on timeout — the result always carries met (condition reached) and timed_out. The stop conditions ("not-running"/"next-exit"/"removed") use the daemon's blocking wait and fill status_code/error (the container's exit info); "healthy" polls the container's HEALTHCHECK every poll_intervals and fills health/status; "log-match" polls recent logs every poll_intervals for pattern and fills matched_line.

Health semantics: with no HEALTHCHECK defined, once the container is running the tool returns promptly with health: null and met: false (false = "not confirmed healthy", not "unhealthy" — check health to tell them apart). A container that exits before becoming healthy returns its terminal status and met: false.

Log-match semantics: pattern is matched as a plain substring by default — safe against any input, including adversarial ones. Pass regex=True to match pattern as a regular expression (via re.search) instead; only do this with patterns you trust, since a regex with catastrophic backtracking run against attacker-influenced log content can exhaust CPU (ReDoS). Checks stdout and stderr, most recent lines first within each poll. If the container exits/dies before the pattern ever appears, returns promptly with met=false (not timed_out) — no further logs can arrive, so there's nothing to keep polling for.

args: id_or_name - The container id or name until - Condition to wait for: "not-running" (default), "next-exit", "removed", "healthy", or "log-match" (requires pattern) timeout_seconds - Max seconds to wait before returning with timed_out=true (default 600) poll_interval - "healthy"/"log-match" only: seconds between re-checks (default 2, > 0); capped by the time left so a large value can't push the total wait past the timeout pattern - "log-match" only: substring (or, with regex=True, a regular expression) to look for in the container's logs regex - "log-match" only: treat pattern as a regular expression instead of a plain substring returns: dict - {"container", "until", "met", "timed_out", "status_code", "error", "health", "status", "matched_line", "waited_seconds"}; stop modes fill status_code/error, "healthy" fills health ("starting"/"healthy"/"unhealthy", or null with no healthcheck) and status, "log-match" fills matched_line when met and status if the container exited without matching.

container_exportA

Export a container's filesystem as a tar archive: to a file on the server host, or in band.

With dest_path the archive streams straight to disk (no byte cap), so it handles large containers — the file is written by the server's user, ~ is expanded, and an existing file is refused unless overwrite=True. Without dest_path the tar bytes are returned in band, capped at max_bytes (default 32 MiB) because MCP base64-encodes them — a fallback for when no writable host path exists (e.g. a containerized server without a bind mount).

args: id_or_name - The container id or name dest_path - Destination path on the server host; omit to return the bytes in band overwrite - Replace dest_path if it already exists (default False) max_bytes - In-band mode: abort with ValueError beyond this many bytes (default 32 MiB) returns: bytes | dict - the tar bytes (in band), or {"path": , "bytes_written": int}

container_archive_getA

Retrieve a file or directory from a container as a tar archive, returned in band.

For large paths prefer container_archive_get_to_file, which streams to a host path; the in-band bytes here are capped (default 32 MiB) because MCP base64-encodes them.

args: id_or_name - The container id or name path - Path inside the container max_bytes - Abort with ValueError if the archive exceeds this many bytes (defaults to 32 MiB) returns: dict - Mapping with archive (bytes) and stat (dict) keys

container_archive_get_to_fileA

Retrieve a file or directory from a container as a tar archive written to a file on the server host.

Streams straight to disk (no in-band byte cap). The file is written by the server's user; ~ is expanded and an existing file is refused unless overwrite=True.

args: id_or_name - The container id or name path - Path inside the container dest_path - Destination path on the server host for the tarball overwrite - Replace dest_path if it already exists (default False) returns: dict - {"path": , "bytes_written": int, "stat": dict}

container_archive_putA

Upload a tar archive to a path inside a container, from in-band bytes or a file on the server host.

Pass exactly one of data (tar bytes in band) or from_file (a path on the server host, streamed straight to the daemon — preferred for large archives, since in-band bytes are base64-encoded by MCP). from_file is read by the server's user; ~ is expanded.

args: id_or_name - The container id or name path - Destination path inside the container (must already exist) data - Tar archive bytes; exactly one of data/from_file from_file - Path on the server host to the tar archive to upload; exactly one of data/from_file returns: bool - True if the upload succeeded

context_listA

List Docker CLI contexts known to the host running this MCP server.

Contexts are a CLI concept (stored in the docker config dir) letting one CLI target multiple daemons. This server uses whatever DOCKER_HOST / current-context resolved to at startup, so changing contexts only affects future subprocess-based tools, not the docker-py SDK client.

returns: list - One dict per context with at least name, description, dockerEndpoint, and current

context_inspectA

Return the full configuration for a single Docker context.

args: name - Context name (use the Name field from context_list) returns: dict - The parsed docker context inspect entry for that context

context_createA

Create a new Docker CLI context pointing at a daemon endpoint.

args: name - Name for the new context (must not already exist) docker_host - Daemon URL, e.g. "tcp://10.0.0.5:2376" or "unix:///var/run/docker.sock" description - Optional human description shown in context ls tls_ca - Path on the local host to the CA cert (for TLS daemons) tls_cert - Path on the local host to the client cert tls_key - Path on the local host to the client key skip_tls_verify - Disable TLS verification (insecure; for testing only) returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

context_useA

Set the active Docker context for the CLI on the host running this MCP server.

Note: this does not retarget the long-lived docker-py client — SDK-backed tools keep using the endpoint they connected to at startup. To retarget those, restart the server with a different DOCKER_HOST / DOCKER_CONTEXT.

args: name - Existing context name to set as default returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

context_removeA

Remove a Docker CLI context.

args: name - Context name to remove force - Force removal even if the context is the current one returns: dict - {"returncode": int, "stdout": str, "stderr": str, "truncated": bool}

image_buildA

Build an image from a Dockerfile using the daemon's classic builder.

Use this for simple single-platform builds from a local context. For multi-platform builds, BuildKit cache export/import, or advanced build features prefer buildx_build. path must be a directory accessible on the host running this server (it is the build context sent to the daemon). dockerfile is relative to path; omit to use the default Dockerfile.

args: path - Build context directory path on the server host tag - Name and optional tag in "name:tag" format to apply to the built image quiet - Suppress verbose build output (final image id still returned) nocache - Ignore the layer cache and rebuild all layers rm - Remove intermediate containers on success (default True) pull - Always pull a newer version of each FROM base image before building forcerm - Remove intermediate containers even on build failure dockerfile - Dockerfile filename relative to path (default: "Dockerfile") buildargs - Build-time variables passed as --build-arg; dict of str→str container_limits - Resource limits for the build container, e.g. {"memory": 134217728} shmsize - Size of /dev/shm in bytes for build steps that need shared memory labels - Labels to set on the resulting image (dict of str→str) cache_from - List of image references to use as layer cache sources target - Stop at this named build stage (multi-stage Dockerfiles) network_mode - Network mode for RUN instructions during build (e.g. "host", "none") squash - Squash all new layers into one (experimental; requires daemon flag) extra_hosts - Additional /etc/hosts entries during build; dict of hostname→ip platform - Target platform, e.g. "linux/amd64" (single platform only; use buildx for multi) isolation - Windows isolation technology ("default", "process", "hyperv") use_config_proxy - Forward proxy env vars from Docker client config to build returns: dict - The built image's attrs

image_inspectA

Return the full inspect detail for a single local image.

Includes config (env, entrypoint, exposed ports), size, layer digests (RootFS.Layers), and all tags/digests referencing it (RepoTags/RepoDigests). For a quick overview of many images use image_list instead. For the per-layer build history (which command produced each layer) use image_history. Only inspects images already present locally — for a remote image's manifest without pulling it use image_registry_data or registry_manifest.

args: id_or_name - Image name (with optional tag/digest) or id returns: dict - Full image inspect attrs (equivalent to docker inspect on an image)

image_registry_dataA

Get registry data for an image without pulling it, via the daemon's distribution endpoint.

Uses the daemon (and its cached credentials) to resolve the remote descriptor and platform list. For direct registry access without a daemon use registry_manifest.

Security: auth_config carries registry credentials, which many MCP clients log verbatim. Prefer docker login on the host so the docker module reuses credentials cached in ~/.docker/config.json, and leave auth_config unset.

args: repository - Image reference auth_config - Optional registry authentication config returns: dict - Registry data attrs

image_listA

List images on the server.

args: repository - Only show images of this repository all - Show intermediate image layers filters - Filter by attributes (label, dangling, before, since, etc.) returns: list - A list of image attrs dicts

image_pullA

Pull an image from a registry to the daemon's local store.

args: repository - The image repository tag - The image tag (ignored when all_tags=True) all_tags - Pull all tags from the repository platform - Platform in os/arch format returns: dict | list - Pulled image attrs (or a list of attrs if all_tags=True)

image_pushA

Push an image or repository to a registry.

Security: auth_config carries registry credentials, which many MCP clients log verbatim. Prefer docker login on the host so the docker module reuses credentials cached in ~/.docker/config.json, and leave auth_config unset.

args: repository - The image repository tag - The tag to push auth_config - Optional registry authentication config returns: str - Push output as a string

image_removeA

Remove a local image by name or id.

Fails without force if the image is tagged by multiple names (untag first with image_tag) or if stopped containers reference it. Running containers always block removal regardless of force. noprune keeps untagged parent layers that would otherwise be removed as a side-effect; leave False unless you need to preserve the parent layers for another purpose.

args: id_or_name - Image name (with optional tag/digest) or id to remove force - Remove even if referenced by stopped containers or multiple tags noprune - Do not delete untagged intermediate parent layers returns: bool - True after removal completes

image_searchA

Search Docker Hub for public images matching a term.

Searches Docker Hub only — not GHCR, ECR, or other registries. For listing tags on a specific image from any OCI registry use registry_tags instead. Each result dict includes name, description, star_count, is_official, and is_automated.

args: term - Search keyword, e.g. "nginx" or "python" limit - Maximum number of results to return (Docker Hub default is 25) returns: list - List of matching image dicts from Docker Hub

image_pruneA

Remove unused local images to reclaim disk space.

Without filters removes only "dangling" images — untagged layers not referenced by any tag or container. To remove all images not used by any container (including tagged ones) pass filters={"dangling": False}. Valid filter keys: dangling (bool as string "true"/"false"), until (RFC3339 timestamp or duration like "24h"), label (key or key=value). Use system_df first to see how much space is reclaimable.

args: filters - Narrow which images to remove; omit to remove dangling images only returns: dict - {"ImagesDeleted": [...], "SpaceReclaimed": }

image_loadA

Load an image from a tarball produced by image_save, from in-band bytes or a file on the server host.

Pass exactly one of data (tarball bytes in band) or from_file (a path on the server host, streamed straight to the daemon — preferred for anything but small images, since in-band bytes are base64-encoded by MCP). from_file is read by the server's user; ~ is expanded.

args: data - Tarball contents; exactly one of data/from_file from_file - Path to a tarball produced by docker save / image_save; exactly one of data/from_file returns: list - A list of loaded image attrs dicts

image_saveA

Save an image as a tar archive: to a file on the server host, or in band.

With dest_path the archive streams straight to disk (no byte cap), so it handles large images — the file is written by the server's user, ~ is expanded, and an existing file is refused unless overwrite=True. Without dest_path the tar bytes are returned in band, capped at max_bytes (default 32 MiB) because MCP base64-encodes them — a fallback for when no writable host path exists (e.g. a containerized server without a bind mount).

args: id_or_name - Image name or id dest_path - Destination path on the server host; omit to return the bytes in band named - Whether to retain repository/tag names in the saved archive overwrite - Replace dest_path if it already exists (default False) max_bytes - In-band mode: abort with ValueError beyond this many bytes (default 32 MiB) returns: bytes | dict - the tarball bytes (in band), or {"path": , "bytes_written": int}

image_tagA

Tag an image into a repository.

args: id_or_name - The source image name or id repository - Target repository name tag - Optional tag for the new image force - Force the tag returns: bool - True if the image was tagged

image_historyA

Return the layer history of an image.

Useful for auditing what commands built each layer and diagnosing image size. Each entry includes Id (layer digest or "" for imported layers), Created (unix timestamp), CreatedBy (the Dockerfile command that produced the layer, e.g. a RUN or COPY), Size (bytes added by that layer), and Comment. For full image metadata use image_inspect instead.

args: id_or_name - Image name (with optional tag/digest) or id returns: list - Layer history entries, newest first

network_createA

Create a network.

The daemon default driver is bridge (single-host); use overlay for swarm-wide networks. Creating a network attaches nothing — connect containers afterwards with network_connect or at start via container_run(network=...). Created networks are stamped with provenance labels (find them later via network_list(managed_only=True)).

args: name - The name of the network driver - Driver name (daemon default bridge; overlay for swarm scope) options - Driver-specific options dict ipam - IPAM configuration as a dict (engine shape: {"Driver", "Config": [{"Subnet", "Gateway", ...}]}) check_duplicate - Reject creation if a duplicate name exists (deprecated: recent daemons always check) internal - Restrict external access labels - Labels to set on the network enable_ipv6 - Enable IPv6 networking attachable - Allow standalone containers to attach (swarm overlay networks) scope - Network scope: "local", "global", or "swarm" ingress - Make this an ingress network for swarm routing-mesh returns: dict - The created network's attrs (Id, Name, Driver, Scope, IPAM)

network_inspectA

Return the full inspect detail for a single network.

Includes the connected containers (Containers, keyed by container id, with each entry's assigned IP), IPAM config, and driver options. For a quick overview of many networks use network_list instead — its default (non-greedy) response omits the per-network Containers detail for speed.

args: id_or_name - The network id or name returns: dict - Full network inspect attrs (equivalent to docker network inspect)

network_listA

List networks.

Valid filter keys: driver (driver name), label (key or key=value), type ("custom" or "builtin"). names/ids are a separate shorthand for filtering by exact name/id, applied in addition to filters. Set greedy to fetch each network's attrs individually (adds the connected-containers detail that network_inspect returns, at the cost of one extra daemon call per network) — leave it False for a fast summary list.

args: names - Filter by exact network names ids - Filter by exact network ids filters - Additional server-side filters; see description for valid keys greedy - Fetch extended per-network details (including connected containers) managed_only - Only return networks created by this MCP server (filters on the docker-mcp-server.managed label); combines with any filters given returns: list - A list of network attrs dicts

network_pruneA

Remove networks that have no active container endpoints.

Built-in networks (bridge, host, none) are never removed. Only networks with zero connected containers are eligible. Valid filter keys: until (RFC3339 timestamp or duration — removes networks created before that point), label (key or key=value).

args: filters - Narrow which networks to remove; omit to remove all unused custom networks returns: dict - {"NetworksDeleted": [...]}

network_removeA

Remove a single custom network by id or name.

Fails if any container is still attached (disconnect with network_disconnect or stop the containers first). Built-in networks (bridge, host, none) can never be removed and return an error regardless of attachment state. For bulk cleanup of every unused custom network at once use network_prune instead.

args: id_or_name - The network id or name returns: bool - True after removal

network_connectA

Attach a running container to an additional network without restarting it.

Use this to give a container access to services on a network it was not started with. aliases sets extra DNS names for this container within the network (other containers can reach it by those names in addition to its container name). ipv4_address / ipv6_address assign a specific IP on the network; omit to let the driver assign one. links is a legacy feature (deprecated; prefer DNS aliases). Use network_disconnect to undo.

args: id_or_name - Network id or name to connect the container to container - Container id or name to attach aliases - Additional DNS names for this container within the network links - Legacy container links (deprecated) ipv4_address - Static IPv4 address to assign on this network ipv6_address - Static IPv6 address to assign on this network link_local_ips - Link-local IP addresses to assign driver_opt - Driver-specific endpoint options returns: bool - True after the container is connected

network_disconnectA

Disconnect a container from a network.

The container keeps running with its other network attachments; only this endpoint is removed (the reverse of network_connect). A network with connected containers cannot be deleted, so disconnect them before network_remove.

args: id_or_name - The network id or name container - The container id or name to disconnect force - Force the disconnect; use to clear a stale endpoint (e.g. from a deleted container) returns: bool - True after the container is disconnected

node_inspectA

Get a swarm node's full inspect payload by id or name.

Must run against a swarm manager. Shows role, availability, status, and manager reachability — use node_list to enumerate nodes first, or the docker://nodes resource for a fleet summary; service_ps(filters={"node": ...}) shows what a service runs on one node.

args: id_or_name - The node id or hostname (as shown by node_list) returns: dict - The node's attrs (Spec{Role, Availability}, Status, ManagerStatus for managers)

node_listA

List swarm nodes.

args: filters - Filter by attributes (id, name, membership, role) returns: list - A list of node attrs dicts

Prompts

Interactive templates invoked by user choice

NameDescription
lookup_docker_docsRead the Docker SDK for Python documentation for a section before writing code that uses it.
verify_docker_methodVerify that a specific Docker SDK method exists before relying on it.
deploy_containerDeploy a containerized application end-to-end: image, network, volume, container.
troubleshoot_containerTroubleshoot a misbehaving container by gathering logs, state, and stats.
monitor_container_fleetSweep every running container for health and resource pressure (read-only monitoring).
triage_incidentTriage a host-wide incident from symptoms when you don't yet know which container is at fault.
migrate_containerReplace a running container with a new image while preserving its configuration.
clean_environmentReclaim disk space by pruning unused docker resources.
prune_managedTear down only the resources this MCP server created, leaving everything else untouched.
inspect_stackInspect every docker resource that shares a label.
plan_compose_stackPlan a multi-container application from an informal description.
deploy_compose_projectBring up a Docker Compose project and verify it's healthy.
troubleshoot_compose_projectDiagnose a misbehaving Docker Compose project.
audit_docker_contextsReview this server's configured hosts and Docker contexts, and the daemon it targets.
audit_swarm_healthAudit the health of a docker swarm: nodes, services, and task convergence.
find_latest_image_tagFind the latest tag for an image without pulling it.
plan_multiarch_buildPlan and run a multi-platform image build with buildx.
audit_image_cvesAudit an image's CVE posture with Docker Scout.
compare_image_versionsCompare two image versions and report the CVE delta.
recommend_base_imageRecommend a safer base image via Docker Scout.
inspect_multiarch_manifestInspect a multi-arch manifest list / OCI image index without pulling.
create_multiarch_manifestCreate a multi-arch manifest list from existing per-platform tags.
migrate_from_docker_manifestTranslate `docker manifest …` commands into buildx imagetools equivalents.
review_dockerfileReview a Dockerfile for security, correctness, and cache-efficiency issues.
audit_container_securityAudit running containers for risky runtime configuration (privilege, host access).
debug_container_networkingDiagnose why one container cannot reach another over the network.
investigate_disk_usageInvestigate what is consuming docker disk space before pruning.
backup_volumeBack up a named volume's contents to a tar file on the server host.
restore_volumeRestore a named volume's contents from a tar file on the server host.
deploy_swarm_stackDeploy a Compose file to a swarm as a stack and verify the rollout.

Resources

Contextual data attached and managed by the client

NameDescription
list_docs_sections List the available documentation sections. The response keeps the original `base_url` and `sections` (a list of section names) fields for backward compatibility with clients that parsed the pre-extension shape. Sections served from external URLs (compose, context, registry specs) appear in `sections` alongside the SDK ones; their absolute URLs live in `section_urls`. returns: str - JSON describing each section's source URL and how to read it
get_tool_catalog List every tool this server knows about with its domain, mutation category, and whether the active env switches actually registered it. Read this to see the blast radius of a tool before calling it (READ_ONLY / MUTATING / DESTRUCTIVE) and to confirm which whole domains the operator disabled via DOCKER_MCP_SERVER_DISABLE (or the read-only switches) — a tool absent from the live tool list but present here as `registered: false` was filtered out by configuration, not missing by mistake. returns: str - JSON with `switches`, per-domain counts, and a per-tool list
get_hosts_resource The Docker hosts configured via DOCKER_MCP_SERVER_HOSTS — the same data as the `host_list` tool: each host's name, resolved daemon URL, read_only / tls flags, and which one is the default used when a tool's `host` argument is omitted. The resolved default is observable here but is not itself a selectable label. returns: str - JSON list, one object per configured host
list_container_resources Index every container with the resource URIs for reading its logs and live stats. Lists all containers (running and stopped). Each entry carries a `logs` URI (readable in any state — useful for diagnosing why a container exited) and, for running containers only, a `stats` URI (a stopped container has no live cgroup to sample). Exited containers include their `exit_code` as a triage signal. returns: str - JSON object {"containers": [{id, name, image, status, exit_code?, logs, stats?}, ...]}
list_service_resources Index every swarm service with the resource URIs for reading its logs and task/rollout status. returns: str - JSON object {"services": [{id, name, image, mode, desired_replicas, logs, tasks}, ...]}
list_node_resources Index every swarm node with its state, availability, role, and (for managers) reachability. Index only — no per-node child resource. Watch this to notice a node flapping between ready/down, or an unexpected availability/role change, without re-querying `node_list`. returns: str - JSON object {"nodes": [{id, hostname, state, availability, role, manager_reachability}, ...]}

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/GavinLucas/docker-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server