Docker & Containerization

Relevant source files

• .devcontainer/Dockerfile
• .devcontainer/README.md
• .devcontainer/devcontainer.json
• .devcontainer/docker-compose.yml
• .devcontainer/post-create.sh
• .devcontainer/sim-commands.sh
• .dockerignore
• .github/workflows/docs-embeddings.yml
• .github/workflows/i18n.yml
• .github/workflows/migrations.yml
• .github/workflows/publish-cli.yml
• .github/workflows/publish-ts-sdk.yml
• .github/workflows/test-build.yml
• apps/docs/package.json
• apps/docs/tsconfig.json
• apps/sim/next.config.ts
• apps/sim/package.json
• apps/sim/tsconfig.json
• bun.lock
• docker-compose.local.yml
• docker-compose.prod.yml
• docker/app.Dockerfile
• docker/db.Dockerfile
• docker/realtime.Dockerfile
• helm/sim/README.md
• helm/sim/examples/values-aws.yaml
• helm/sim/examples/values-azure.yaml
• helm/sim/examples/values-copilot.yaml
• helm/sim/examples/values-development.yaml
• helm/sim/examples/values-external-db.yaml
• helm/sim/examples/values-gcp.yaml
• helm/sim/examples/values-production.yaml
• helm/sim/examples/values-whitelabeled.yaml
• helm/sim/templates/_helpers.tpl
• helm/sim/templates/certificate-postgresql.yaml
• helm/sim/templates/configmap-branding.yaml
• helm/sim/templates/deployment-app.yaml
• helm/sim/templates/deployment-copilot.yaml
• helm/sim/templates/deployment-ollama.yaml
• helm/sim/templates/deployment-realtime.yaml
• helm/sim/templates/deployment-worker.yaml
• helm/sim/templates/external-secret-app.yaml
• helm/sim/templates/ingress-internal.yaml
• helm/sim/templates/ingress.yaml
• helm/sim/templates/job-copilot-migrations.yaml
• helm/sim/templates/poddisruptionbudget.yaml
• helm/sim/templates/secrets-app.yaml
• helm/sim/templates/secrets-copilot.yaml
• helm/sim/templates/statefulset-copilot-postgres.yaml
• helm/sim/templates/statefulset-postgresql.yaml
• helm/sim/values.schema.json
• helm/sim/values.yaml
• package.json
• packages/tsconfig/base.json
• packages/tsconfig/library.json
• packages/tsconfig/nextjs.json

This document describes the Docker containerization strategy for the Sim platform, including multi-stage build configurations, Docker Compose orchestration, and resource requirements. The platform is designed to run as a set of distributed services, separating the web application, real-time collaboration, and background processing.

Docker Architecture Overview

The Sim platform uses a multi-container architecture orchestrated via Docker Compose. The architecture separates the frontend/API layer, real-time collaboration layer, background workers, database, and one-shot migration tasks.

System Component Mapping

The following diagram maps high-level system components to their respective Docker services and internal code entities.

Sources: docker-compose.prod.yml1-134 docker/app.Dockerfile1-145 apps/sim/package.json21-22

Multi-Stage Build Strategy

All Dockerfiles use multi-stage builds to optimize image size and build caching. The application image (docker/app.Dockerfile) uses a four-stage process: base, deps, builder, and runner.

Build Pipeline Logic

Key Implementation Details:

• Base Environment: Uses oven/bun:1.3.11-slim foundation, installing Node.js 22, Python 3, and ffmpeg to support multimedia processing blocks docker/app.Dockerfile4-12
• Hoisted Linker: The --linker=hoisted flag is used during bun install to ensure a flat node_modules structure, which is required for Docker multi-stage builds and avoids symlink resolution issues docker/app.Dockerfile29-33
• Isolated-VM: The isolated-vm native module is rebuilt for the Node.js runtime (v22) to ensure stability for sandboxed code execution in Custom Tools docker/app.Dockerfile34
• Standalone Output: Next.js is configured to build in standalone mode when DOCKER_BUILD=1 is set, significantly reducing the final image size apps/sim/next.config.ts77 docker/app.Dockerfile73
• Python Guardrails: A virtual environment is created in the runner stage to handle PII validation and guardrails, installing dependencies from requirements.txt docker/app.Dockerfile124-132

Sources: docker/app.Dockerfile1-145 apps/sim/next.config.ts75-77 docker/realtime.Dockerfile1-84

Docker Compose Configurations

1. Production (docker-compose.prod.yml)

Uses pre-built images from the GitHub Container Registry (ghcr.io). It enforces strict health checks to ensure the database is ready before migrations run, and migrations finish before the application services start.

Service	Image	Role	Health Check / Dependency
simstudio	ghcr.io/simstudioai/simstudio:latest	Next.js Web App	Depends on db, migrations, realtime docker-compose.prod.yml29-35
sim-worker	ghcr.io/simstudioai/simstudio:latest	BullMQ Worker	Command: bun apps/sim/worker/index.ts docker-compose.prod.yml43-45
realtime	ghcr.io/simstudioai/realtime:latest	Socket.io Server	Port 3002, depends on db docker-compose.prod.yml80-98
migrations	ghcr.io/simstudioai/migrations:latest	Drizzle Migrator	Command: bun run db:migrate docker-compose.prod.yml107-115
db	pgvector/pgvector:pg17	Vector Database	pg_isready check docker-compose.prod.yml118-133

2. Local Development (docker-compose.local.yml)

Builds images locally from source using the respective Dockerfiles in the docker/ directory. It mirrors the production structure but sets NODE_ENV=development and uses local build contexts docker-compose.local.yml1-132

Sources: docker-compose.prod.yml1-137 docker-compose.local.yml1-132

Resource Requirements

The platform requires significant memory for LLM orchestration, vector operations, and sandboxed execution.

Service	Memory Limit	CPU Limit	Purpose
simstudio	8GB	2000m	Web UI and API requests helm/sim/values.yaml31-33
sim-worker	4GB	1000m	Background workflow execution docker-compose.prod.yml50
realtime	1GB	500m	Collaborative editing and state sync docker-compose.prod.yml88

Technical Note: The 8GB limit for simstudio is critical because the Next.js standalone server and its internal caches require substantial overhead, especially when handling large file uploads or complex workflow validations docker-compose.prod.yml10

Sources: docker-compose.prod.yml7-10 helm/sim/values.yaml29-36

CI/CD Build Pipeline

The GitHub Actions workflows automate the validation and preparation of Docker-ready artifacts.

Implementation Details:

• Build Validation: The test-build.yml workflow ensures the application can be built in a standalone configuration, mirroring the Docker builder stage .github/workflows/test-build.yml128-140
• Schema Integrity: Before any Docker image is deployed, the migrations check ensures that the Drizzle schema and generated migrations are in sync by running drizzle-kit generate and checking for git diffs .github/workflows/test-build.yml115-126
• Feature Flag Safety: The pipeline includes a specific step to prevent hardcoded boolean feature flags, ensuring all flags are derived from environment variables for container portability .github/workflows/test-build.yml58-91

Sources: .github/workflows/test-build.yml1-146 apps/sim/package.json19-20

Security & Runtime Configuration

Containers are configured with security best practices to minimize the attack surface:

• Non-Root Execution: The runner stage in app.Dockerfile creates a nextjs user (UID 1001) and group, ensuring the process does not run as root docker/app.Dockerfile99-101
• Environment Isolation: Dummy DATABASE_URL and NEXT_PUBLIC_APP_URL are provided during the builder stage to allow build-time code evaluation without requiring a live database connection docker/app.Dockerfile79-85
• Worker Concurrency: The sim-worker container allows fine-grained control over job concurrency per queue type (e.g., WORKER_CONCURRENCY_WORKFLOW=50) via environment variables docker-compose.prod.yml59-65

Sources: docker/app.Dockerfile90-145 docker-compose.prod.yml51-65