Docker Multi-Stage Builds for ChatGPT Apps: Complete Optimization Guide
Building production-ready Docker images for ChatGPT applications requires more than basic containerization. Multi-stage builds, advanced BuildKit features, and layer caching strategies can reduce image sizes by 70-90%, improve build speeds by 60%, and enhance security through minimal attack surfaces. This comprehensive guide covers enterprise-grade Docker optimization patterns specifically designed for ChatGPT MCP servers, widget applications, and OAuth services.
Whether you're deploying Node.js MCP servers, Python-based AI services, or React widget applications, you'll learn how to create optimized Docker images that build faster, deploy quicker, and run more securely. We'll explore multi-stage build architectures, BuildKit secret management, vulnerability scanning automation, and production deployment workflows that scale from development to enterprise production environments.
Understanding Multi-Stage Build Patterns
Multi-stage Docker builds separate the build environment from the runtime environment, eliminating unnecessary build tools, development dependencies, and source files from your final production image. For ChatGPT applications, this separation is critical because MCP servers require TypeScript compilation, widget apps need webpack bundling, and both benefit from dependency pruning.
The builder stage contains all development tools: compilers, bundlers, testing frameworks, and development dependencies. This stage performs compilation, runs tests, and generates production artifacts. The runtime stage starts fresh with a minimal base image and copies only compiled artifacts and production dependencies from the builder stage.
Node.js MCP Server Multi-Stage Architecture
For TypeScript-based MCP servers, the builder stage compiles TypeScript to JavaScript, installs all dependencies including devDependencies, runs linters and tests, and generates production bundles. The runtime stage uses a minimal Node.js image, copies only compiled JavaScript and production node_modules, and runs with a non-root user for security.
# Multi-Stage Dockerfile for Node.js MCP Server
# Stage 1: Builder - Compile TypeScript and Install Dependencies
FROM node:20-alpine AS builder
# Install build dependencies
RUN apk add --no-cache \
python3 \
make \
g++ \
git
# Set working directory
WORKDIR /build
# Copy package files first for layer caching
COPY package.json package-lock.json ./
# Install ALL dependencies (including devDependencies)
RUN npm ci --include=dev
# Copy source code
COPY tsconfig.json ./
COPY src/ ./src/
# Run linting and type checking
RUN npm run lint
RUN npm run type-check
# Compile TypeScript to JavaScript
RUN npm run build
# Run tests
RUN npm run test
# Prune devDependencies for production
RUN npm prune --production
# Stage 2: Runtime - Minimal Production Image
FROM node:20-alpine AS runtime
# Install runtime dependencies only
RUN apk add --no-cache \
dumb-init \
curl
# Create non-root user
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
# Set working directory
WORKDIR /app
# Copy package files
COPY --from=builder /build/package*.json ./
# Copy production dependencies from builder
COPY --from=builder /build/node_modules ./node_modules
# Copy compiled JavaScript
COPY --from=builder /build/dist ./dist
# Copy runtime configuration
COPY config/ ./config/
# Change ownership to non-root user
RUN chown -R nodejs:nodejs /app
# Switch to non-root user
USER nodejs
# Expose MCP server port
EXPOSE 3000
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost:3000/health || exit 1
# Use dumb-init to handle signals properly
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
# Start MCP server
CMD ["node", "dist/index.js"]
# Build metadata
LABEL org.opencontainers.image.title="ChatGPT MCP Server"
LABEL org.opencontainers.image.description="Production-optimized MCP server for ChatGPT apps"
LABEL org.opencontainers.image.version="1.0.0"
LABEL org.opencontainers.image.authors="engineering@makeaihq.com"
Python MCP Server Multi-Stage Architecture
Python-based MCP servers benefit from multi-stage builds by separating pip installation, dependency compilation, and virtual environment setup from the minimal runtime environment. The builder stage compiles C extensions, installs all dependencies including build tools, and creates a clean virtual environment. The runtime stage copies only the virtual environment without pip, setuptools, or wheel.
# Multi-Stage Dockerfile for Python MCP Server
# Stage 1: Builder - Install Dependencies and Compile Extensions
FROM python:3.11-slim AS builder
# Install build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
gcc \
g++ \
make \
libffi-dev \
libssl-dev \
git \
&& rm -rf /var/lib/apt/lists/*
# Create virtual environment
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
# Upgrade pip and install build tools
RUN pip install --no-cache-dir --upgrade pip setuptools wheel
# Copy requirements first for layer caching
WORKDIR /build
COPY requirements.txt requirements-dev.txt ./
# Install production dependencies
RUN pip install --no-cache-dir -r requirements.txt
# Install development dependencies for testing
RUN pip install --no-cache-dir -r requirements-dev.txt
# Copy source code
COPY src/ ./src/
COPY tests/ ./tests/
COPY setup.py pyproject.toml ./
# Run linting and type checking
RUN pylint src/
RUN mypy src/
# Run tests
RUN pytest tests/ -v --cov=src --cov-report=term
# Install package in editable mode
RUN pip install -e .
# Stage 2: Runtime - Minimal Production Image
FROM python:3.11-slim AS runtime
# Install runtime dependencies only
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
dumb-init \
&& rm -rf /var/lib/apt/lists/*
# Create non-root user
RUN useradd -m -u 1001 -s /bin/bash python
# Copy virtual environment from builder
COPY --from=builder /opt/venv /opt/venv
# Set PATH to use virtual environment
ENV PATH="/opt/venv/bin:$PATH"
ENV PYTHONUNBUFFERED=1
ENV PYTHONDONTWRITEBYTECODE=1
# Set working directory
WORKDIR /app
# Copy application code
COPY --from=builder /build/src ./src
COPY config/ ./config/
# Change ownership to non-root user
RUN chown -R python:python /app
# Switch to non-root user
USER python
# Expose MCP server port
EXPOSE 8000
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
CMD curl -f http://localhost:8000/health || exit 1
# Use dumb-init for proper signal handling
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
# Start Python MCP server
CMD ["python", "-m", "uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000"]
# Build metadata
LABEL org.opencontainers.image.title="Python ChatGPT MCP Server"
LABEL org.opencontainers.image.description="Production-optimized Python MCP server"
LABEL org.opencontainers.image.version="1.0.0"
Multi-stage builds typically reduce final image sizes by 70-85% for Node.js applications and 60-75% for Python applications. A typical Node.js MCP server drops from 1.2GB to 180MB, while Python servers reduce from 980MB to 220MB. This reduction dramatically improves deployment speeds, reduces bandwidth costs, and minimizes attack surface area for security compliance.
Learn more about building ChatGPT apps with no-code tools, explore ChatGPT app deployment strategies, or discover MCP server optimization patterns.
Layer Caching Optimization Strategies
Docker layer caching is the most powerful optimization technique for reducing build times. When Docker builds an image, it caches each layer (each Dockerfile instruction) and reuses cached layers if the instruction and its context haven't changed. For ChatGPT applications with frequent code changes but stable dependencies, proper layer ordering can reduce build times from 8 minutes to 45 seconds.
The golden rule of layer caching: order Dockerfile instructions from least frequently changed to most frequently changed. Dependencies change infrequently, configuration files change occasionally, and source code changes constantly. By copying package files first, installing dependencies in a separate layer, and copying source code last, you ensure that dependency installation layers remain cached across most builds.
Advanced BuildKit Features for ChatGPT Apps
BuildKit is Docker's next-generation build system that adds powerful features: secret mounting, SSH forwarding, cache mounts, and parallel build stages. For ChatGPT applications requiring private npm packages, GitHub dependencies, or API keys during build time, BuildKit secrets prevent credential leakage into image layers.
# Advanced BuildKit Features for ChatGPT App
# syntax=docker/dockerfile:1.4
# Stage 1: Builder with BuildKit Features
FROM node:20-alpine AS builder
# Install build dependencies
RUN apk add --no-cache git openssh-client
WORKDIR /build
# Mount SSH keys for private repositories
# Keys are never stored in image layers
RUN --mount=type=ssh \
git config --global url."git@github.com:".insteadOf "https://github.com/"
# Copy package files
COPY package.json package-lock.json ./
# Mount npm authentication token as secret
# Secret is never stored in image layers
RUN --mount=type=secret,id=npm_token \
echo "//registry.npmjs.org/:_authToken=$(cat /run/secrets/npm_token)" > .npmrc && \
npm ci && \
rm -f .npmrc
# Use cache mount for npm cache directory
# Persists across builds for faster dependency installation
RUN --mount=type=cache,target=/root/.npm \
npm ci
# Copy source code
COPY tsconfig.json ./
COPY src/ ./src/
# Build with parallel compilation
RUN npm run build -- --parallel
# Stage 2: Runtime
FROM node:20-alpine AS runtime
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
WORKDIR /app
COPY --from=builder /build/package*.json ./
COPY --from=builder /build/node_modules ./node_modules
COPY --from=builder /build/dist ./dist
USER nodejs
EXPOSE 3000
CMD ["node", "dist/index.js"]
# Build metadata
LABEL org.opencontainers.image.title="ChatGPT App with BuildKit"
LABEL org.opencontainers.image.description="Advanced BuildKit features for secure builds"
.dockerignore for Build Context Optimization
The .dockerignore file excludes unnecessary files from the build context, reducing context size and preventing cache invalidation from irrelevant file changes. For ChatGPT applications, exclude node_modules, .git, test files, documentation, and local configuration files.
# .dockerignore for ChatGPT MCP Server
# Dependencies (will be installed in container)
node_modules/
npm-debug.log
yarn-error.log
package-lock.json.bak
# Version control
.git/
.gitignore
.gitattributes
# IDE and editor files
.vscode/
.idea/
*.swp
*.swo
*~
.DS_Store
# Testing
coverage/
.nyc_output/
test-results/
*.test.js
*.spec.js
__tests__/
__mocks__/
# Documentation
README.md
CHANGELOG.md
docs/
*.md
# CI/CD
.github/
.gitlab-ci.yml
.travis.yml
Jenkinsfile
# Local development
.env.local
.env.development
docker-compose.yml
docker-compose.override.yml
# Build artifacts (will be rebuilt)
dist/
build/
out/
.next/
# Temporary files
tmp/
temp/
*.tmp
*.log
Cache mount persistence combined with proper .dockerignore configuration reduces build context upload time by 85-95%. A typical ChatGPT application build context drops from 450MB to 12MB, eliminating node_modules, .git history, and test artifacts from the build environment.
Explore ChatGPT app CI/CD best practices, learn about Docker security hardening, or discover container orchestration strategies.
Security Hardening for Production ChatGPT Apps
Security hardening transforms standard Docker images into production-grade containers that pass enterprise compliance audits and minimize vulnerability exposure. For ChatGPT applications handling user data, OAuth tokens, and API credentials, security hardening is non-negotiable. Three critical security layers: minimal base images, non-root users, and vulnerability scanning automation.
Distroless images from Google remove all shell access, package managers, and unnecessary utilities, creating the smallest possible attack surface. These images contain only your application and its runtime dependencies—no bash, no apt, no package manager. For ChatGPT MCP servers, distroless Node.js images reduce CVE exposure by 78% compared to standard Alpine images.
Docker Compose Production Configuration
Production Docker Compose configurations orchestrate multi-container ChatGPT applications with proper networking, secrets management, health checks, and resource limits. This configuration deploys an MCP server, Redis cache, PostgreSQL database, and nginx reverse proxy with production-grade settings.
# docker-compose.production.yml
# Production Docker Compose for ChatGPT App
version: '3.9'
services:
mcp-server:
build:
context: .
dockerfile: Dockerfile
target: runtime
args:
- NODE_ENV=production
image: chatgpt-mcp-server:latest
container_name: mcp-server
restart: unless-stopped
# Security: Run as non-root user
user: "1001:1001"
# Security: Read-only root filesystem
read_only: true
# Security: Drop all capabilities
cap_drop:
- ALL
# Security: No new privileges
security_opt:
- no-new-privileges:true
# Resource limits
deploy:
resources:
limits:
cpus: '2.0'
memory: 1G
reservations:
cpus: '0.5'
memory: 256M
# Environment variables
environment:
- NODE_ENV=production
- PORT=3000
- REDIS_URL=redis://redis:6379
- DATABASE_URL=postgresql://postgres:5432/chatgpt
# Secrets management
secrets:
- openai_api_key
- jwt_secret
- oauth_client_secret
# Health check
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/health"]
interval: 30s
timeout: 3s
retries: 3
start_period: 40s
# Logging configuration
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
# Networks
networks:
- backend
- frontend
# Volumes (writable directories)
volumes:
- /tmp
- /var/tmp
# Dependencies
depends_on:
redis:
condition: service_healthy
postgres:
condition: service_healthy
redis:
image: redis:7-alpine
container_name: redis-cache
restart: unless-stopped
command: redis-server --appendonly yes --requirepass ${REDIS_PASSWORD}
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 3s
retries: 5
networks:
- backend
volumes:
- redis-data:/data
postgres:
image: postgres:15-alpine
container_name: postgres-db
restart: unless-stopped
environment:
- POSTGRES_DB=chatgpt
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
secrets:
- db_password
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 10s
timeout: 5s
retries: 5
networks:
- backend
volumes:
- postgres-data:/var/lib/postgresql/data
nginx:
image: nginx:alpine
container_name: nginx-proxy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
networks:
- frontend
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- ./ssl:/etc/nginx/ssl:ro
depends_on:
- mcp-server
networks:
backend:
driver: bridge
frontend:
driver: bridge
volumes:
redis-data:
driver: local
postgres-data:
driver: local
secrets:
openai_api_key:
file: ./secrets/openai_api_key.txt
jwt_secret:
file: ./secrets/jwt_secret.txt
oauth_client_secret:
file: ./secrets/oauth_client_secret.txt
db_password:
file: ./secrets/db_password.txt
Build Optimization Script
Automated build scripts standardize Docker image creation with consistent tagging, BuildKit features, caching strategies, and registry pushing. This production script builds multi-architecture images, implements layer caching, and integrates vulnerability scanning.
#!/usr/bin/env bash
# build-optimized.sh
# Production Docker Build Script for ChatGPT Apps
set -euo pipefail
# Configuration
IMAGE_NAME="chatgpt-mcp-server"
REGISTRY="ghcr.io/makeaihq"
VERSION="${VERSION:-$(git describe --tags --always --dirty)}"
BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
GIT_SHA="$(git rev-parse --short HEAD)"
# BuildKit configuration
export DOCKER_BUILDKIT=1
export BUILDKIT_PROGRESS=plain
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
log_info() {
echo -e "${GREEN}[INFO]${NC} $1"
}
log_warn() {
echo -e "${YELLOW}[WARN]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Validate prerequisites
validate_prerequisites() {
log_info "Validating prerequisites..."
if ! command -v docker &> /dev/null; then
log_error "Docker not found. Please install Docker."
exit 1
fi
if ! docker buildx version &> /dev/null; then
log_error "Docker Buildx not found. Please enable BuildKit."
exit 1
fi
log_info "Prerequisites validated."
}
# Create builder instance
create_builder() {
log_info "Creating BuildKit builder instance..."
if docker buildx inspect chatgpt-builder &> /dev/null; then
log_info "Builder 'chatgpt-builder' already exists."
else
docker buildx create \
--name chatgpt-builder \
--driver docker-container \
--bootstrap
fi
docker buildx use chatgpt-builder
}
# Build multi-architecture image
build_image() {
log_info "Building Docker image: ${REGISTRY}/${IMAGE_NAME}:${VERSION}"
docker buildx build \
--platform linux/amd64,linux/arm64 \
--target runtime \
--tag "${REGISTRY}/${IMAGE_NAME}:${VERSION}" \
--tag "${REGISTRY}/${IMAGE_NAME}:latest" \
--label "org.opencontainers.image.created=${BUILD_DATE}" \
--label "org.opencontainers.image.version=${VERSION}" \
--label "org.opencontainers.image.revision=${GIT_SHA}" \
--label "org.opencontainers.image.title=${IMAGE_NAME}" \
--label "org.opencontainers.image.description=ChatGPT MCP Server" \
--cache-from type=registry,ref="${REGISTRY}/${IMAGE_NAME}:buildcache" \
--cache-to type=registry,ref="${REGISTRY}/${IMAGE_NAME}:buildcache",mode=max \
--secret id=npm_token,src=.npmrc \
--ssh default \
--push \
.
log_info "Build completed successfully."
}
# Scan image for vulnerabilities
scan_image() {
log_info "Scanning image for vulnerabilities..."
if ! command -v trivy &> /dev/null; then
log_warn "Trivy not found. Skipping vulnerability scan."
return 0
fi
trivy image \
--severity HIGH,CRITICAL \
--exit-code 1 \
"${REGISTRY}/${IMAGE_NAME}:${VERSION}"
log_info "Vulnerability scan completed."
}
# Generate SBOM (Software Bill of Materials)
generate_sbom() {
log_info "Generating SBOM..."
if ! command -v syft &> /dev/null; then
log_warn "Syft not found. Skipping SBOM generation."
return 0
fi
syft "${REGISTRY}/${IMAGE_NAME}:${VERSION}" \
-o spdx-json \
> "sbom-${VERSION}.spdx.json"
log_info "SBOM generated: sbom-${VERSION}.spdx.json"
}
# Main execution
main() {
log_info "Starting optimized Docker build..."
validate_prerequisites
create_builder
build_image
scan_image
generate_sbom
log_info "Build pipeline completed successfully."
log_info "Image: ${REGISTRY}/${IMAGE_NAME}:${VERSION}"
}
main "$@"
Non-root user execution prevents privilege escalation attacks, reduces container breakout risk, and satisfies compliance requirements. Read-only root filesystems prevent runtime file modifications, ensuring immutable infrastructure patterns. Combined with capability dropping and security options, these configurations achieve SOC 2 Type II and ISO 27001 compliance for ChatGPT applications.
Discover ChatGPT app security best practices, learn about OAuth security patterns, or explore container security scanning automation.
BuildKit Advanced Features for ChatGPT Applications
BuildKit introduces features that transform Docker builds from simple layer stacking into sophisticated build pipelines with secret management, parallel execution, and intelligent caching. For ChatGPT applications requiring private dependencies, GitHub authentication, and API keys during build time, BuildKit secrets prevent credential leakage while maintaining fast builds.
Secret mounting allows passing sensitive data to build steps without storing credentials in image layers or build history. Unlike ARG instructions that embed secrets in layers, BuildKit secrets exist only in memory during build execution and leave no trace in the final image. This enables pulling private npm packages, cloning private GitHub repositories, and authenticating with internal registries without credential exposure.
Security Scanner Integration
Automated vulnerability scanning integrates directly into CI/CD pipelines, blocking deployments of images with high-severity CVEs. This GitHub Actions workflow builds Docker images, scans for vulnerabilities with Trivy, generates SBOMs, and fails the pipeline if critical vulnerabilities are detected.
# .github/workflows/docker-security-scan.yml
# Automated Security Scanning for ChatGPT Docker Images
name: Docker Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
# Scan daily at 2 AM UTC
- cron: '0 2 * * *'
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}/mcp-server
jobs:
build-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=sha,prefix={{branch}}-
- name: Build Docker image
uses: docker/build-push-action@v5
with:
context: .
push: false
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
secrets: |
npm_token=${{ secrets.NPM_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
exit-code: '1'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Generate SBOM with Syft
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
format: spdx-json
output-file: sbom.spdx.json
- name: Scan SBOM with Grype
uses: anchore/scan-action@v3
with:
sbom: sbom.spdx.json
fail-build: true
severity-cutoff: high
- name: Push Docker image
if: github.event_name != 'pull_request'
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
Cache mounts persist directories across builds without adding them to the final image. For ChatGPT applications, cache mounts dramatically speed up pip installations, npm ci commands, and go mod downloads by reusing package manager caches. A cache mount for /root/.npm reduces npm ci time from 3 minutes to 12 seconds on subsequent builds.
SSH forwarding enables authenticated Git operations during build time without embedding SSH keys in Dockerfiles or build context. This allows pulling private GitHub repositories for MCP server dependencies while maintaining zero-trust security—SSH keys exist only in the build agent's SSH socket and never touch the Docker image.
Learn about CI/CD pipeline optimization, discover GitHub Actions for ChatGPT deployments, or explore automated security testing.
Layer Cache Analysis and Optimization
Understanding which layers invalidate most frequently enables strategic Dockerfile restructuring for maximum cache hit rates. Layer cache analysis tools examine build logs, identify cache miss patterns, and recommend Dockerfile reordering for optimal caching. For ChatGPT applications with multiple microservices, shared base images and layer analysis reduce total build time by 75%.
The Docker BuildKit build log includes cache hit/miss information for every layer. Parsing this log reveals which instructions consistently miss cache, indicating candidates for reordering or extraction into earlier layers. Common culprits: COPY commands that include frequently-changed files, RUN commands with timestamp-dependent operations, and apt-get update without proper pinning.
Layer Cache Analyzer Script
This Python script analyzes Docker build logs to identify cache miss patterns, calculate cache hit rates per layer, and recommend Dockerfile optimizations for improved build performance.
#!/usr/bin/env python3
"""
layer_cache_analyzer.py
Analyze Docker build logs for cache efficiency
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Tuple
class LayerCacheAnalyzer:
def __init__(self, log_file: str):
self.log_file = log_file
self.layers: List[Dict] = []
self.cache_stats = defaultdict(lambda: {'hits': 0, 'misses': 0})
def parse_build_log(self) -> None:
"""Parse Docker build log and extract layer information."""
with open(self.log_file, 'r') as f:
content = f.read()
# Extract layer information
layer_pattern = r'#(\d+) \[(.*?)\] (.*?)(?:\n|$)'
cache_pattern = r'CACHED|DONE'
for match in re.finditer(layer_pattern, content, re.MULTILINE):
layer_num = match.group(1)
stage = match.group(2)
instruction = match.group(3)
is_cached = 'CACHED' in instruction
layer_info = {
'number': layer_num,
'stage': stage,
'instruction': instruction,
'cached': is_cached
}
self.layers.append(layer_info)
# Update cache statistics
if is_cached:
self.cache_stats[instruction]['hits'] += 1
else:
self.cache_stats[instruction]['misses'] += 1
def calculate_cache_rate(self) -> float:
"""Calculate overall cache hit rate."""
total = len(self.layers)
cached = sum(1 for layer in self.layers if layer['cached'])
return (cached / total * 100) if total > 0 else 0
def identify_cache_busters(self) -> List[Tuple[str, int]]:
"""Identify instructions that frequently miss cache."""
busters = []
for instruction, stats in self.cache_stats.items():
total = stats['hits'] + stats['misses']
miss_rate = (stats['misses'] / total * 100) if total > 0 else 0
if miss_rate > 50 and total > 3:
busters.append((instruction, miss_rate))
return sorted(busters, key=lambda x: x[1], reverse=True)
def generate_recommendations(self) -> List[str]:
"""Generate Dockerfile optimization recommendations."""
recommendations = []
# Analyze COPY instructions
copy_layers = [l for l in self.layers if 'COPY' in l['instruction']]
if copy_layers:
non_cached_copies = [l for l in copy_layers if not l['cached']]
if len(non_cached_copies) / len(copy_layers) > 0.6:
recommendations.append(
"High COPY cache miss rate detected. Consider:\n"
" - Use .dockerignore to exclude frequently-changed files\n"
" - Separate package files (package.json) from source code\n"
" - Order COPY instructions from least to most frequently changed"
)
# Analyze RUN instructions
run_layers = [l for l in self.layers if 'RUN' in l['instruction']]
apt_get_layers = [l for l in run_layers if 'apt-get update' in l['instruction']]
if apt_get_layers:
recommendations.append(
"apt-get update detected. Ensure:\n"
" - Combine apt-get update && apt-get install in single RUN\n"
" - Pin package versions for reproducible builds\n"
" - Add --no-install-recommends to reduce image size"
)
# Check for npm/pip installations
npm_layers = [l for l in run_layers if 'npm install' in l['instruction']]
if npm_layers and not any('package.json' in l['instruction'] for l in copy_layers):
recommendations.append(
"npm install without prior package.json COPY detected.\n"
" - COPY package*.json before RUN npm install\n"
" - This enables layer caching when only code changes"
)
return recommendations
def print_report(self) -> None:
"""Print comprehensive cache analysis report."""
print("=" * 80)
print("Docker Layer Cache Analysis Report")
print("=" * 80)
print()
cache_rate = self.calculate_cache_rate()
print(f"Overall Cache Hit Rate: {cache_rate:.2f}%")
print(f"Total Layers: {len(self.layers)}")
print(f"Cached Layers: {sum(1 for l in self.layers if l['cached'])}")
print()
print("-" * 80)
print("Cache Busters (Instructions with >50% Miss Rate)")
print("-" * 80)
busters = self.identify_cache_busters()
if busters:
for instruction, miss_rate in busters:
print(f" [{miss_rate:.1f}% miss] {instruction[:60]}...")
else:
print(" No significant cache busters found.")
print()
print("-" * 80)
print("Optimization Recommendations")
print("-" * 80)
recommendations = self.generate_recommendations()
if recommendations:
for i, rec in enumerate(recommendations, 1):
print(f"{i}. {rec}")
print()
else:
print(" No specific recommendations. Build is well-optimized!")
print("=" * 80)
def main():
if len(sys.argv) != 2:
print("Usage: python layer_cache_analyzer.py <docker-build.log>")
sys.exit(1)
analyzer = LayerCacheAnalyzer(sys.argv[1])
analyzer.parse_build_log()
analyzer.print_report()
if __name__ == "__main__":
main()
Shared base images across multiple ChatGPT microservices enable layer reuse between services. If your MCP server, widget application, and OAuth service all start from the same Node.js 20 Alpine base, Docker caches that base layer once and reuses it across all three services. This reduces total storage from 540MB (3 × 180MB) to 220MB (180MB shared + 40MB per service).
Image Signing Workflow
Production Docker images require cryptographic signing to ensure integrity and authenticity. This Cosign-based workflow signs images with Sigstore, publishes signatures to registries, and enforces signature verification during deployment.
#!/usr/bin/env bash
# sign-and-verify-image.sh
# Image Signing and Verification with Cosign
set -euo pipefail
# Configuration
IMAGE="${1:-ghcr.io/makeaihq/mcp-server:latest}"
KEY_PATH="${COSIGN_KEY_PATH:-.cosign/cosign.key}"
PUB_KEY_PATH="${COSIGN_PUB_KEY_PATH:-.cosign/cosign.pub}"
# Colors
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m'
log() {
echo -e "${GREEN}[INFO]${NC} $1"
}
error() {
echo -e "${RED}[ERROR]${NC} $1"
exit 1
}
# Install Cosign if not available
install_cosign() {
if ! command -v cosign &> /dev/null; then
log "Installing Cosign..."
curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
fi
}
# Generate key pair if not exists
generate_keys() {
if [[ ! -f "$KEY_PATH" ]]; then
log "Generating Cosign key pair..."
mkdir -p .cosign
cosign generate-key-pair
mv cosign.key cosign.pub .cosign/
fi
}
# Sign image
sign_image() {
log "Signing image: $IMAGE"
cosign sign \
--key "$KEY_PATH" \
--tlog-upload=true \
"$IMAGE"
log "Image signed successfully."
}
# Verify signature
verify_signature() {
log "Verifying image signature..."
if cosign verify --key "$PUB_KEY_PATH" "$IMAGE"; then
log "Signature verified successfully."
else
error "Signature verification failed!"
fi
}
# Generate SBOM attestation
generate_sbom_attestation() {
log "Generating SBOM attestation..."
syft "$IMAGE" -o spdx-json > /tmp/sbom.spdx.json
cosign attest \
--key "$KEY_PATH" \
--predicate /tmp/sbom.spdx.json \
--type spdx \
"$IMAGE"
log "SBOM attestation created."
}
# Verify attestation
verify_attestation() {
log "Verifying SBOM attestation..."
cosign verify-attestation \
--key "$PUB_KEY_PATH" \
--type spdx \
"$IMAGE" | jq .
}
# Main execution
main() {
install_cosign
generate_keys
sign_image
verify_signature
generate_sbom_attestation
verify_attestation
}
main
Explore Docker image optimization strategies, learn about container registry best practices, or discover image signing and verification.
CI/CD Integration and Automated Deployment
Continuous integration and deployment pipelines automate Docker image building, testing, scanning, and deployment. For ChatGPT applications requiring rapid iteration cycles, automated pipelines reduce deployment time from 45 minutes (manual) to 6 minutes (automated) while maintaining security and quality gates.
GitHub Actions provides native Docker support with BuildKit integration, multi-architecture builds, and registry authentication. This workflow builds ChatGPT MCP server images on every push, scans for vulnerabilities, runs integration tests, and deploys to production on main branch merges.
CI/CD Docker Build Pipeline
This comprehensive GitHub Actions workflow implements enterprise-grade CI/CD for ChatGPT Docker images with multi-stage builds, vulnerability scanning, integration testing, and automated deployment.
# .github/workflows/docker-cicd.yml
# Complete CI/CD Pipeline for ChatGPT Docker Images
name: Docker CI/CD
on:
push:
branches: [main, develop]
tags: ['v*']
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
outputs:
image-tag: ${{ steps.meta.outputs.tags }}
image-digest: ${{ steps.build.outputs.digest }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix={{branch}}-
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
secrets: |
npm_token=${{ secrets.NPM_TOKEN }}
test:
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Pull Docker image
run: docker pull ${{ needs.build.outputs.image-tag }}
- name: Run integration tests
run: |
docker run --rm \
-e NODE_ENV=test \
-v $PWD/tests:/app/tests \
${{ needs.build.outputs.image-tag }} \
npm run test:integration
scan:
needs: build
runs-on: ubuntu-latest
steps:
- name: Run Trivy scan
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ needs.build.outputs.image-tag }}
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH'
deploy:
needs: [build, test, scan]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Deploy to production
run: |
echo "Deploying ${{ needs.build.outputs.image-tag }}"
# Add your deployment commands here
Registry Push Automation
Automated registry pushing with retry logic, multi-registry support, and tag management ensures reliable image distribution across development, staging, and production environments.
#!/usr/bin/env bash
# push-to-registries.sh
# Multi-Registry Push Automation
set -euo pipefail
# Configuration
IMAGE_NAME="${IMAGE_NAME:-chatgpt-mcp-server}"
VERSION="${VERSION:-latest}"
MAX_RETRIES=3
# Registries
REGISTRIES=(
"ghcr.io/makeaihq"
"docker.io/makeaihq"
"gcr.io/gbp2026-5effc"
)
# Colors
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'
log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
# Push with retry
push_with_retry() {
local registry=$1
local tag="${registry}/${IMAGE_NAME}:${VERSION}"
for i in $(seq 1 $MAX_RETRIES); do
log_info "Pushing to $tag (attempt $i/$MAX_RETRIES)"
if docker push "$tag"; then
log_info "Successfully pushed to $tag"
return 0
else
log_warn "Push failed, retrying..."
sleep $((i * 5))
fi
done
log_error "Failed to push to $tag after $MAX_RETRIES attempts"
return 1
}
# Tag and push to all registries
main() {
local local_tag="${IMAGE_NAME}:${VERSION}"
local failed_registries=()
for registry in "${REGISTRIES[@]}"; do
remote_tag="${registry}/${IMAGE_NAME}:${VERSION}"
log_info "Tagging $local_tag as $remote_tag"
docker tag "$local_tag" "$remote_tag"
if ! push_with_retry "$registry"; then
failed_registries+=("$registry")
fi
done
if [ ${#failed_registries[@]} -gt 0 ]; then
log_error "Failed registries: ${failed_registries[*]}"
exit 1
fi
log_info "All pushes completed successfully"
}
main "$@"
Integration testing within Docker containers validates ChatGPT MCP server functionality before deployment. Tests verify API endpoints, OAuth flows, widget rendering, and database connections using the actual production image, ensuring environment parity between testing and production.
Explore ChatGPT app testing strategies, learn about zero-downtime deployments, or discover Kubernetes deployment patterns.
Start Building Optimized ChatGPT Apps Today
Multi-stage Docker builds, BuildKit features, and layer caching optimization transform ChatGPT application deployment from slow, insecure, and bloated to fast, hardened, and efficient. By implementing these production-grade patterns, you achieve 70-90% smaller images, 60% faster builds, and enterprise-level security compliance for your MCP servers and widget applications.
Ready to deploy production-optimized ChatGPT apps? Start building with MakeAIHQ.com's no-code platform and leverage automated Docker image generation, pre-optimized multi-stage builds, and integrated security scanning. Our platform generates production-ready MCP servers with all optimization patterns built-in—no Docker expertise required.
Want to learn more? Explore our comprehensive guides on ChatGPT app deployment best practices, container orchestration strategies, and cloud-native architecture patterns. Start your free trial today and deploy your first optimized ChatGPT app in under 48 hours.