imp(worker): host nw mode with ability to switch networking config (#577)

* host nw mode with ability to switch networking config

Author: JannikSt

crates/worker/src/cli/command.rs

@@ -113,6 +113,10 @@ pub enum Commands {
         /// Storage path for worker data (overrides automatic selection)
         #[arg(long)]
         storage_path: Option<String>,
+
+        /// Disable host network mode
+        #[arg(long, default_value = "false")]
+        disable_host_network_mode: bool,
     },
     Check {},
 
@@ -192,6 +196,7 @@ pub async fn execute_command(
             loki_url: _,
             log_level: _,
             storage_path,
+            disable_host_network_mode,
         } => {
             if *disable_state_storing && !(*no_auto_recover) {
                 Console::user_error(
@@ -449,6 +454,7 @@ pub async fn execute_command(
                     .address()
                     .to_string(),
                 state.get_p2p_seed(),
+                *disable_host_network_mode,
             ));
 
             let bridge_cancellation_token = cancellation_token.clone();

crates/worker/src/docker/docker_manager.rs

@@ -46,6 +46,15 @@ pub struct ContainerDetails {
 pub struct DockerManager {
     docker: Docker,
     storage_path: String,
+    /// Controls whether to use host network mode for containers.
+    ///
+    /// Currently defaults to host mode (when false) to work around performance issues
+    /// with Docker bridge networking on certain cloud providers. This is a trade-off
+    /// between security isolation and performance.
+    ///
+    /// TODO: Investigate root cause of bridge network performance degradation and
+    /// implement a more optimal solution that maintains security isolation.
+    disable_host_network_mode: bool,
 }
 
 impl DockerManager {
@@ -128,7 +137,7 @@ impl DockerManager {
     }
 
     /// Create a new DockerManager instance
-    pub fn new(storage_path: String) -> Result<Self, DockerError> {
+    pub fn new(storage_path: String, disable_host_network_mode: bool) -> Result<Self, DockerError> {
         let docker = match Docker::connect_with_unix_defaults() {
             Ok(docker) => docker,
             Err(e) => {
@@ -159,6 +168,7 @@ impl DockerManager {
         Ok(Self {
             docker,
             storage_path,
+            disable_host_network_mode,
         })
     }
 
@@ -385,6 +395,12 @@ impl DockerManager {
             Some(binds)
         };
 
+        let network_mode = if self.disable_host_network_mode {
+            "bridge".to_string()
+        } else {
+            "host".to_string()
+        };
+
         let host_config = if gpu.is_some() {
             let gpu = gpu.unwrap();
             let device_ids = match &gpu.indices {
@@ -399,6 +415,7 @@ impl DockerManager {
             };
 
             Some(HostConfig {
+                network_mode: Some(network_mode),
                 extra_hosts: Some(vec!["host.docker.internal:host-gateway".into()]),
                 device_requests: Some(vec![DeviceRequest {
                     driver: Some("nvidia".into()),
@@ -417,6 +434,7 @@ impl DockerManager {
             })
         } else {
             Some(HostConfig {
+                network_mode: Some(network_mode),
                 extra_hosts: Some(vec!["host.docker.internal:host-gateway".into()]),
                 binds: volume_binds,
                 restart_policy: Some(bollard::models::RestartPolicy {

crates/worker/src/docker/service.rs

@@ -31,6 +31,7 @@ const TASK_PREFIX: &str = "prime-task";
 const RESTART_INTERVAL_SECONDS: i64 = 10;
 
 impl DockerService {
+    #[allow(clippy::too_many_arguments)]
     pub fn new(
         cancellation_token: CancellationToken,
         gpu: Option<GpuSpecs>,
@@ -39,8 +40,10 @@ impl DockerService {
         storage_path: String,
         node_address: String,
         p2p_seed: Option<u64>,
+        disable_host_network_mode: bool,
     ) -> Self {
-        let docker_manager = Arc::new(DockerManager::new(storage_path).unwrap());
+        let docker_manager =
+            Arc::new(DockerManager::new(storage_path, disable_host_network_mode).unwrap());
         Self {
             docker_manager,
             cancellation_token,
@@ -429,6 +432,7 @@ mod tests {
             "/tmp/test-storage".to_string(),
             Address::ZERO.to_string(),
             None,
+            false,
         );
         let task = Task {
             image: "ubuntu:latest".to_string(),
@@ -477,6 +481,7 @@ mod tests {
             "/tmp/test-storage".to_string(),
             Address::ZERO.to_string(),
             Some(12345), // p2p_seed for testing
+            false,
         );
 
         // Test command argument replacement