MCP Directory

MCP Server for Docker: Options & Config

Two questions hide inside "MCP server for Docker" — running a server as a container, and giving an agent Docker itself. Here's both, with real configs.

Hua·June 30, 2026·6 min read
Wide view of container ships and cranes at Hamburg port under a cloudy sky.
Photo by Wolfgang Weiser on Pexels

"MCP server for Docker" means one of two things, and the config is different for each. Either you want to run an MCP server as a Docker container — pinned image, no npx on your PATH — or you want to give the agent control over Docker itself: list containers, read logs, run images. This piece covers both, names the servers worth using, and gives you a config you can paste.

First, a fact that shapes everything below: about 90% of MCP servers run locally over stdio. Docker doesn't change that. A containerized server still speaks stdio to your client — the client just runs docker run instead of npx. Same protocol, different launcher.

Running an MCP server as a Docker container

Use Docker as the launcher when you want a pinned, reproducible server that doesn't depend on Node or Python being installed on the host. The client runs docker run with -i (interactive stdin) so the container can speak stdio, and you swap the ephemeral flags in.

The cleanest example is GitHub MCP Server, GitHub's official server. It ships as a container image, so the config is just docker run plus your token:

{
  "mcpServers": {
    "github": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", "ghcr.io/github/github-mcp-server"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..." }
    }
  }
}

Two flags matter here. -i keeps stdin open — drop it and the server can't receive messages. --rm deletes the container on exit so you're not leaking stopped containers every restart. That's the whole trick; the JSON shape is identical to any other stdio server, only the command changed.

Servers that already ship as Docker images

A handful of the better-maintained servers are distributed as images first, npx second — which is a decent maintenance signal on its own. These are worth reaching for when you want reproducibility over convenience.

ServerWhat it doesRuns in Docker
GitHub MCP ServerRepos, issues, PRs, Actions; officialYes — official image
OpenMemory MCPLocal-first agent memory + dashboardYes — Docker is the primary install
Grafana MCP ServerDashboards, Prometheus/Loki queries, alertsYes — official image
Terraform MCP ServerRegistry providers, modules, IaC lookupsYes — official image
Postgres MCP ProRead/write Postgres, EXPLAIN, index tuningYes — image or uvx

OpenMemory MCP is the interesting one: it's Mem0's memory layer, and Docker isn't an alternative install — it's the intended one, because the server ships alongside a dashboard and a vector store that are painful to wire up by hand. When a project's docs lead with docker compose up, take the hint.

Giving an agent control over Docker itself

This is the other reading of the query, and it's the one to be careful with. A Docker-control MCP server exposes tools like list_containers, get_logs, run_container, and exec. Read-only introspection (list, inspect, logs) is genuinely useful for debugging — "why did this container crash" is a great agent task.

The write side is where I'd stop and think. A tool that runs docker run or exec on the model's say-so is, effectively, arbitrary code execution: the container can mount host paths, hit your network, and the agent can be steered there by anything it reads. If you use one, prefer a server that separates read tools from write tools, and don't hand it a socket with more reach than the task needs.

Most Docker-control servers today are community builds rather than an official Docker product, so vet the repo the way you'd vet any community vs. official server: is it maintained, is it read-only by default, what does it actually expose.

Docker as launcher vs. Docker as target

The distinction is worth making explicit because it changes what you're risking.

Docker as launcherDocker as target
What runs in a containerThe MCP serverThe workloads the agent manages
Config commanddocker run ... <image>npx/docker for the control server
Main benefitReproducible, no host runtimeAgent can inspect/operate containers
Main riskAlmost none — same as any stdio serverWrite tools = code execution surface
Skip it whenYou already have Node/uv and want speedYou only need read-only introspection

Running a server in Docker is close to free risk. Letting an agent operate Docker is a real decision. Don't let the shared keyword blur them.

Watch the tool budget either way

Whichever path you take, containerizing a server doesn't shrink its tool list. Every server you add dumps its tools into the client's active set, and selection quality degrades past ~40 active tools — the average server is ~12 tools, so four servers is the realistic ceiling, not forty.

Docker changes the launcher, not the arithmetic. If you're stacking GitHub, a Docker-control server, and Postgres MCP Pro in one project, you're already near the line. Scope servers per-project and browse by capability rather than installing everything that looks handy.

Start from the best MCP servers if you want the maintained shortlist, or the alternatives view when a server exists but isn't the one you want to run.

FAQ

Do I need Docker to run MCP servers?

No. Docker is optional — about 90% of MCP servers run locally over stdio, and most launch fine with npx or uvx if you have Node or uv installed. Use Docker when you want a pinned, reproducible server without depending on the host runtime, or when a server (like OpenMemory MCP) ships Docker as its primary install.

How do I run an MCP server in a Docker container?

Set the client's command to docker and pass run -i --rm plus the image name as args, with any credentials in env. The -i flag keeps stdin open so the container can speak stdio; --rm cleans up on exit. The JSON shape is identical to any stdio server — only the command changes from npx to docker.

Is there an MCP server that controls Docker itself?

Yes — Docker-control MCP servers expose tools like list_containers, get_logs, and run_container. Read-only introspection is safe and useful for debugging. Be cautious with write tools (run/exec): they're effectively arbitrary code execution, most are community builds, so prefer a maintained, read-only-by-default server.

Which official MCP servers ship as Docker images?

GitHub MCP Server, Grafana MCP Server, and Terraform MCP Server all publish official container images, and OpenMemory MCP treats Docker as its primary install. Postgres MCP Pro offers both an image and a uvx path. Shipping an image first is a decent maintenance signal.

Does running a server in Docker use more of my tool budget?

No — containerizing a server changes only how it launches, not how many tools it exposes. The client still sees the same tool list, and selection degrades past ~40 active tools. Since the average server is ~12 tools, four servers stays the realistic ceiling whether they run via Docker or npx.

Put this into practice

Browse MCP servers by capability, or check your own setup's tool budget and security.

More essays