Merge branch 'main' into feat/adapt-node-envs

dnsi0 · dnsi0 · commit a34eb5f935dc · 2026-04-02T13:29:33.000+03:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1 +1 @@
-* @alexcos20 @bogdanfazakas @giurgiur99 @denisiuriet @ndrpp @andreip136
+* @alexcos20 @bogdanfazakas @giurgiur99 @dnsi0 @ndrpp @andreip136
diff --git a/Dockerfile b/Dockerfile
@@ -33,11 +33,8 @@ ENV NODE_ENV=production \
 
 EXPOSE 9000 9001 9002 9003 9005 8000
 
-# GID of the docker group on the host. Needs to match so the node user can access
-# /var/run/docker.sock for compute jobs. Default is 999 (common on Debian/Ubuntu).
-# Override at build time if your host differs: docker build --build-arg DOCKER_GID=$(getent group docker | cut -d: -f3) .
-ARG DOCKER_GID=999
-RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node
+# Docker group membership is handled at runtime in docker-entrypoint.sh by
+# inspecting the GID of /var/run/docker.sock, so it works across hosts.
 
 WORKDIR /usr/src/app
 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -5,4 +5,15 @@ set -e
 # Runs as root, then drops to 'node' user via gosu.
 chown -R node:node /usr/src/app/databases /usr/src/app/c2d_storage /usr/src/app/logs 2>/dev/null || true
 
+# Add node user to the docker group matching the host's /var/run/docker.sock GID,
+# so compute jobs can access the socket regardless of the host's docker GID.
+if [ -S /var/run/docker.sock ]; then
+    SOCK_GID=$(stat -c '%g' /var/run/docker.sock)
+    if ! getent group "$SOCK_GID" > /dev/null 2>&1; then
+        groupadd -g "$SOCK_GID" dockerhost 2>/dev/null || true
+    fi
+    DOCKER_GROUP=$(getent group "$SOCK_GID" | cut -d: -f1)
+    usermod -aG "$DOCKER_GROUP" node
+fi
+
 exec gosu node dumb-init -- "$@"
diff --git a/src/components/c2d/compute_engine_docker.ts b/src/components/c2d/compute_engine_docker.ts
@@ -66,6 +66,9 @@ import { dockerRegistrysAuth, dockerRegistryAuth } from '../../@types/OceanNode.
 import { EncryptMethod } from '../../@types/fileObject.js'
 import { ZeroAddress } from 'ethers'
 
+const C2D_CONTAINER_UID = 1000
+const C2D_CONTAINER_GID = 1000
+
 const trivyImage = 'aquasec/trivy:0.69.3' // Use pinned versions for safety
 
 export class C2DEngineDocker extends C2DEngine {
@@ -1532,7 +1535,7 @@ export class C2DEngineDocker extends C2DEngine {
     if (!jobRes[0].isRunning) return null
     try {
       const job = jobRes[0]
-      const container = await this.docker.getContainer(job.jobId + '-algoritm')
+      const container = this.docker.getContainer(job.jobId + '-algoritm')
       const details = await container.inspect()
       if (details.State.Running === false) return null
       return await container.logs({
@@ -1791,6 +1794,8 @@ export class C2DEngineDocker extends C2DEngine {
       // create the container
       const mountVols: any = { '/data': {} }
       const hostConfig: HostConfig = {
+        // limit number of Pids container can spawn, to avoid flooding
+        PidsLimit: 512,
         Mounts: [
           {
             Type: 'volume',
@@ -1832,9 +1837,10 @@ export class C2DEngineDocker extends C2DEngine {
         AttachStdin: false,
         AttachStdout: true,
         AttachStderr: true,
-        Tty: true,
+        Tty: false,
         OpenStdin: false,
         StdinOnce: false,
+        User: `${C2D_CONTAINER_UID}:${C2D_CONTAINER_GID}`,
         Volumes: mountVols,
         HostConfig: hostConfig
       }
@@ -1849,8 +1855,10 @@ export class C2DEngineDocker extends C2DEngine {
         containerInfo.HostConfig.Devices = advancedConfig.Devices
       if (advancedConfig.GroupAdd)
         containerInfo.HostConfig.GroupAdd = advancedConfig.GroupAdd
-      if (advancedConfig.SecurityOpt)
-        containerInfo.HostConfig.SecurityOpt = advancedConfig.SecurityOpt
+      containerInfo.HostConfig.SecurityOpt = [
+        'no-new-privileges',
+        ...(advancedConfig.SecurityOpt ?? [])
+      ]
       if (advancedConfig.Binds) containerInfo.HostConfig.Binds = advancedConfig.Binds
       containerInfo.HostConfig.CapDrop = ['ALL']
       for (const cap of advancedConfig.CapDrop ?? []) {
@@ -1910,7 +1918,7 @@ export class C2DEngineDocker extends C2DEngine {
       let container
       let details
       try {
-        container = await this.docker.getContainer(job.jobId + '-algoritm')
+        container = this.docker.getContainer(job.jobId + '-algoritm')
         details = await container.inspect()
       } catch (e) {
         console.error(
@@ -2015,7 +2023,7 @@ export class C2DEngineDocker extends C2DEngine {
       job.statusText = C2DStatusText.JobSettle
       let container
       try {
-        container = await this.docker.getContainer(job.jobId + '-algoritm')
+        container = this.docker.getContainer(job.jobId + '-algoritm')
       } catch (e) {
         CORE_LOGGER.debug('Could not retrieve container: ' + e.message)
         job.isRunning = false
@@ -2213,7 +2221,7 @@ export class C2DEngineDocker extends C2DEngine {
     this.releaseCpus(job.jobId)
 
     try {
-      const container = await this.docker.getContainer(job.jobId + '-algoritm')
+      const container = this.docker.getContainer(job.jobId + '-algoritm')
       if (container) {
         if (job.status !== C2DStatusNumber.AlgorithmFailed) {
           writeFileSync(
@@ -2939,7 +2947,7 @@ export class C2DEngineDocker extends C2DEngine {
 
       if (existsSync(destination)) {
         // now, upload it to the container
-        const container = await this.docker.getContainer(job.jobId + '-algoritm')
+        const container = this.docker.getContainer(job.jobId + '-algoritm')
 
         try {
           // await container2.putArchive(destination, {
@@ -3027,7 +3035,7 @@ export class C2DEngineDocker extends C2DEngine {
       }
 
       // delete output folders
-      await this.deleteOutputFolder(job)
+      this.deleteOutputFolder(job)
       // delete the job
       await this.db.deleteJob(job.jobId)
       return true

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-* @alexcos20 @bogdanfazakas @giurgiur99 @denisiuriet @ndrpp @andreip136`
	`1`	`+* @alexcos20 @bogdanfazakas @giurgiur99 @dnsi0 @ndrpp @andreip136`