Merge remote-tracking branch 'origin/main' into feature/persistentStorage

Author: alexcos20

.dockerignore

@@ -2,5 +2,17 @@ node_modules
 /dist
 logs
 c2d_storage
-.env.local
-.env
+databases
+.env
+.env.*
+.git
+.github
+docs
+src/test
+*.md
+*.log
+.nyc_output
+coverage
+docker-compose.yml
+elasticsearch-compose.yml
+typesense-compose.yml

.github/CODEOWNERS

@@ -1 +1 @@
-* @alexcos20 @bogdanfazakas @giurgiur99 @denisiuriet @ndrpp @andreip136
+* @alexcos20 @bogdanfazakas @giurgiur99 @dnsi0 @ndrpp @andreip136

Dockerfile

@@ -1,44 +1,53 @@
-FROM ubuntu:22.04 AS base
-RUN apt-get update && apt-get -y install bash curl git wget libatomic1 python3 build-essential
-COPY .nvmrc /usr/src/app/
-RUN rm /bin/sh && ln -s /bin/bash /bin/sh
-ENV NVM_DIR=/usr/local/nvm
-RUN mkdir $NVM_DIR
-ENV NODE_VERSION=v22.15.0
-# Install nvm with node and npm
-RUN curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
-    && source $NVM_DIR/nvm.sh \
-    && nvm install $NODE_VERSION \
-    && nvm alias default $NODE_VERSION \
-    && nvm use default
-ENV NODE_PATH=$NVM_DIR/$NODE_VERSION/lib/node_modules
-ENV PATH=$NVM_DIR/versions/node/$NODE_VERSION/bin:$PATH
-ENV IPFS_GATEWAY='https://ipfs.io/'
-ENV ARWEAVE_GATEWAY='https://arweave.net/'
-
-FROM base AS builder
-COPY package*.json /usr/src/app/
-COPY scripts/ /usr/src/app/scripts/
-WORKDIR /usr/src/app/
+FROM node:22.15.0-bookworm@sha256:a1f1274dadd49738bcd4cf552af43354bb781a7e9e3bc984cfeedc55aba2ddd8 AS builder
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 \
+    build-essential \
+    libatomic1 \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /usr/src/app
+COPY package*.json ./
+COPY scripts/ ./scripts/
 RUN npm ci
+COPY . .
+RUN npm run build && npm prune --omit=dev
+
+
+FROM node:22.15.0-bookworm-slim@sha256:557e52a0fcb928ee113df7e1fb5d4f60c1341dbda53f55e3d815ca10807efdce AS runner
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    dumb-init \
+    gosu \
+    libatomic1 \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV NODE_ENV=production \
+    IPFS_GATEWAY='https://ipfs.io/' \
+    ARWEAVE_GATEWAY='https://arweave.net/' \
+    P2P_ipV4BindTcpPort=9000 \
+    P2P_ipV4BindWsPort=9001 \
+    P2P_ipV6BindTcpPort=9002 \
+    P2P_ipV6BindWsPort=9003 \
+    P2P_ipV4BindWssPort=9005 \
+    HTTP_API_PORT=8000
+
+EXPOSE 9000 9001 9002 9003 9005 8000
+
+# Docker group membership is handled at runtime in docker-entrypoint.sh by
+# inspecting the GID of /var/run/docker.sock, so it works across hosts.
+
+WORKDIR /usr/src/app
+
+COPY --chown=node:node --from=builder /usr/src/app/dist ./dist
+COPY --chown=node:node --from=builder /usr/src/app/node_modules ./node_modules
+COPY --chown=node:node --from=builder /usr/src/app/schemas ./schemas
+COPY --chown=node:node --from=builder /usr/src/app/package.json ./
+COPY --chown=node:node --from=builder /usr/src/app/config.json ./
+
+RUN mkdir -p databases c2d_storage logs
 
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
-FROM base AS runner
-COPY . /usr/src/app
-WORKDIR /usr/src/app/
-COPY --from=builder /usr/src/app/node_modules/ /usr/src/app/node_modules/
-RUN npm run build
-ENV P2P_ipV4BindTcpPort=9000
-EXPOSE 9000
-ENV P2P_ipV4BindWsPort=9001
-EXPOSE 9001
-ENV P2P_ipV6BindTcpPort=9002
-EXPOSE 9002
-ENV P2P_ipV6BindWsPort=9003
-EXPOSE 9003
-ENV P2P_ipV4BindWssPort=9005
-EXPOSE 9005
-ENV HTTP_API_PORT=8000
-EXPOSE 8000
-ENV NODE_ENV='production'
-CMD ["npm","run","start"]
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+CMD ["node", "--max-old-space-size=28784", "--trace-warnings", "--experimental-specifier-resolution=node", "dist/index.js"]

docker-entrypoint.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+# Fix ownership of directories that may be mounted as volumes (owned by root).
+# Runs as root, then drops to 'node' user via gosu.
+chown -R node:node /usr/src/app/databases /usr/src/app/c2d_storage /usr/src/app/logs 2>/dev/null || true
+
+# Add node user to the docker group matching the host's /var/run/docker.sock GID,
+# so compute jobs can access the socket regardless of the host's docker GID.
+if [ -S /var/run/docker.sock ]; then
+    SOCK_GID=$(stat -c '%g' /var/run/docker.sock)
+    if ! getent group "$SOCK_GID" > /dev/null 2>&1; then
+        groupadd -g "$SOCK_GID" dockerhost 2>/dev/null || true
+    fi
+    DOCKER_GROUP=$(getent group "$SOCK_GID" | cut -d: -f1)
+    usermod -aG "$DOCKER_GROUP" node
+fi
+
+exec gosu node dumb-init -- "$@"

docs/env.md

@@ -137,6 +137,7 @@ The `DOCKER_COMPUTE_ENVIRONMENTS` environment variable should be a JSON array of
   {
     "socketPath": "/var/run/docker.sock",
     "scanImages": true,
+    "enableNetwork": false,
     "imageRetentionDays": 7,
     "imageCleanupInterval": 86400,
     "resources": [
@@ -195,7 +196,9 @@ The `DOCKER_COMPUTE_ENVIRONMENTS` environment variable should be a JSON array of
 #### Configuration Options
 
 - **socketPath**: Path to the Docker socket (e.g., docker.sock).
-- **scanImages**: If the docker images should be scan for vulnerabilities using trivy. If yes and critical vulnerabilities are found, then C2D job is refused
+- **scanImages**: Whether Docker images should be scanned for vulnerabilities using Trivy. If enabled and critical vulnerabilities are found, the C2D job is rejected.
+- **scanImageDBUpdateInterval**: How often to update the vulnerability database, in seconds. Default: 43200 (12 hours)
+- **enableNetwork**: Whether networking is enabled for algorithm containers. Default: false
 - **imageRetentionDays** - how long docker images are kept, in days. Default: 7
 - **imageCleanupInterval** - how often to run cleanup for docker images, in seconds. Min: 3600 (1hour), Default: 86400 (24 hours)
 - **paymentClaimInterval** - how often to run payment claiming, in seconds. Default: 3600 (1 hour)