Docker MCP Toolkit
The Docker MCP Toolkit is a management interface integrated into Docker Desktop that lets you set up, manage, and run containerized MCP servers and connect them to AI agents. It removes friction from tool usage by offering secure defaults, easy setup, and support for a growing ecosystem of LLM-based clients. It is the fastest way from MCP tool discovery to local execution.
Key features
- Cross-LLM compatibility: Works with Claude, Cursor, and other MCP clients.
- Integrated tool discovery: Browse and launch MCP servers from the Docker MCP Catalog directly in Docker Desktop.
- Zero manual setup: No dependency management, runtime configuration, or setup required.
- Functions as both an MCP server aggregator and a gateway for clients to access installed MCP servers.
How the MCP Toolkit works
MCP introduces two core concepts: MCP clients and MCP servers.
- MCP clients are typically embedded in LLM-based applications, such as the Claude Desktop app. They request resources or actions.
- MCP servers are launched by the client to perform the requested tasks, using any necessary tools, languages, or processes.
Docker standardizes the development, packaging, and distribution of applications, including MCP servers. By packaging MCP servers as containers, Docker eliminates issues related to isolation and environment differences. You can run a container directly, without managing dependencies or configuring runtimes.
Depending on the MCP server, the tools it provides might run within the same container as the server or in dedicated containers for better isolation.
Security
The Docker MCP Toolkit combines passive and active measures to reduce attack surfaces and ensure safe runtime behavior.
Passive security
Passive security refers to measures implemented at build-time, when the MCP server code is packaged into a Docker image.
- Image signing and attestation: All MCP server images under mcp/ in the MCP Catalog are built by Docker and digitally signed to verify their source and integrity. Each image includes a Software Bill of Materials (SBOM) for full transparency.
Active security
Active security refers to security measures at runtime, before and after tools are invoked, enforced through resource and access limitations.
- CPU allocation: MCP tools are run in their own container. They are restricted to 1 CPU, limiting the impact of potential misuse of computing resources.
- Memory allocation: Containers for MCP tools are limited to 2 GB.
- Filesystem access: By default, MCP Servers have no access to the host filesystem. The user explicitly selects the servers that will be granted file mounts.
- Interception of tool requests: Requests to and from tools that contain sensitive information such as secrets are blocked.
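One way to check the CPU, memory, and filesystem limits above on a running system is to audit the JSON that `docker inspect` prints for the tool containers. The script below is an added example, not Docker's own code. It assumes the limits surface in the standard HostConfig and Mounts fields and that "2 GB" is applied as 2 GiB; the container names and sample data are constructed.

```python
import json

MAX_CPUS = 1.0                   # page: tools are restricted to 1 CPU
MAX_MEMORY_BYTES = 2 * 1024**3   # assumption: "2 GB" is applied as 2 GiB

def effective_cpus(hc):
    """CPU cap from --cpus (NanoCpus) or CFS quota/period; None if uncapped."""
    if (hc.get("NanoCpus") or 0) > 0:
        return hc["NanoCpus"] / 1e9
    if (hc.get("CpuQuota") or 0) > 0:
        return hc["CpuQuota"] / (hc.get("CpuPeriod") or 100_000)
    return None

def audit_container(entry):
    """Return findings for one `docker inspect` entry (empty list = within limits)."""
    hc = entry.get("HostConfig") or {}
    findings = []
    cpus = effective_cpus(hc)
    if cpus is None:
        findings.append("no CPU limit")
    elif cpus > MAX_CPUS:
        findings.append(f"CPU limit {cpus:g} > {MAX_CPUS:g}")
    mem = hc.get("Memory") or 0  # 0 means unlimited
    if mem == 0:
        findings.append("no memory limit")
    elif mem > MAX_MEMORY_BYTES:
        findings.append(f"memory limit {mem} > {MAX_MEMORY_BYTES}")
    binds = [m.get("Source", "?") for m in entry.get("Mounts") or []
             if m.get("Type") == "bind"]
    if binds:
        findings.append("host paths mounted: " + ", ".join(binds))
    return findings

def audit(inspect_json):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}

# Constructed sample, trimmed to the fields read above; names are hypothetical.
SAMPLE = json.dumps([
    {"Name": "/tool-ok", "Mounts": [],
     "HostConfig": {"NanoCpus": 1_000_000_000, "Memory": 2147483648}},
    {"Name": "/tool-loose", "HostConfig": {"CpuQuota": 200000, "CpuPeriod": 100000, "Memory": 0},
     "Mounts": [{"Type": "bind", "Source": "/home/user/src", "Destination": "/src"}]},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A "host paths mounted" finding is expected for servers you explicitly granted file mounts; on any other server it warrants a closer look.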
OAuth authentication
Some MCP servers require authentication to access external services. The MCP Toolkit handles OAuth flows for supported services, currently limited to GitHub. When you authorize the MCP Toolkit to access your GitHub account, any installed MCP server that needs GitHub access can use those credentials without requiring separate authentication.
To set up OAuth for a service, use the OAuth tab in the MCP Toolkit section in Docker Desktop. Once authorized, the credentials are available to any MCP server that needs them. You can revoke access at any time from the same tab.
Usage examples
Example: Use the GitHub Official MCP server with Ask Gordon
To illustrate how the MCP Toolkit works, here's how to enable the GitHub Official MCP server and use Ask Gordon to interact with your GitHub account:
From the MCP Toolkit menu in Docker Desktop, select the Catalog tab and find the GitHub Official server and add it.
In the server's Config tab, authenticate via OAuth.
In the Clients tab, ensure Gordon is connected.
From the Ask Gordon menu, you can now send requests related to your GitHub account, in accordance with the tools provided by the GitHub Official server. To test it, ask Gordon:
What's my GitHub handle?
Make sure to allow Gordon to interact with GitHub by selecting Always allow in Gordon's answer.
Tip: The Gordon client is enabled by default, which means Gordon can automatically interact with your MCP servers.
Example: Use Claude Desktop as a client
Imagine you have Claude Desktop installed and you want to use the GitHub MCP server and the Puppeteer MCP server. You do not have to install the servers in Claude Desktop. You can simply install these 2 MCP servers in the MCP Toolkit, and add Claude Desktop as a client:
From the MCP Toolkit menu, select the Catalog tab and find the Puppeteer server and add it.
Repeat for the GitHub Official server.
From the Clients tab, select Connect next to Claude Desktop. Restart Claude Desktop if it's running, and it can now access all the servers in the MCP Toolkit.
Within Claude Desktop, run a test by submitting the following prompt using the Sonnet 3.5 model:
Take a screenshot of docs.docker.com and then invert the colors
Example: Use Visual Studio Code as a client
You can interact with all your installed MCP servers in Visual Studio Code:
To enable the MCP Toolkit:
Insert the following in your Visual Studio Code's User mcp.json:
"mcp": {
  "servers": {
    "MCP_DOCKER": {
      "command": "docker",
      "args": [
        "mcp",
        "gateway",
        "run"
      ],
      "type": "stdio"
    }
  }
}
In your terminal, navigate to your project's folder.
Run:
docker mcp client connect vscode
Note: This command creates a .vscode/mcp.json file in the current directory. As this is a user-specific file, add it to your .gitignore file to prevent it from being committed to the repository.
echo ".vscode/mcp.json" >> .gitignore
In Visual Studio Code, open a new Chat and select the Agent mode.
You can also check the available MCP tools.
For more information about the Agent mode, see the Visual Studio Code documentation.