Skip to content

feat: improve c2d docker image security #1302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ndrpp merged 11 commits into from
Apr 2, 2026
+17 −9
Merged

feat: improve c2d docker image security #1302

Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
95c1541
feat: improve c2d docker image security
ndrpp Mar 27, 2026
e546140
fix: build issue
ndrpp Mar 27, 2026
c2a3c05
fix: make directories world writable
ndrpp Mar 27, 2026
b9d1cd7
fix: use init container to setup permissions before running user image
ndrpp Mar 27, 2026
56ec166
fix: add logs to check status of init volume
ndrpp Mar 27, 2026
3acda9f
fix: try changing permissions at job start
ndrpp Mar 30, 2026
fb7e3a2
fix: allow root cache as tmpfs
ndrpp Mar 30, 2026
079d7a6
fix: use absolute path
ndrpp Mar 30, 2026
125032f
chore: review
ndrpp Mar 30, 2026
92513ee
feat: disable readonly root fs
ndrpp Mar 30, 2026
eac5332
Merge branch 'main' into feat/update-c2d-docker-permissions
ndrpp Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 17 additions & 9 deletions src/components/c2d/compute_engine_docker.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,9 @@ import { dockerRegistrysAuth, dockerRegistryAuth } from '../../@types/OceanNode.
import { EncryptMethod } from '../../@types/fileObject.js'
import { ZeroAddress } from 'ethers'

const C2D_CONTAINER_UID = 1000
const C2D_CONTAINER_GID = 1000

const trivyImage = 'aquasec/trivy:0.69.3' // Use pinned versions for safety

export class C2DEngineDocker extends C2DEngine {
Expand Down Expand Up @@ -1469,7 +1472,7 @@ export class C2DEngineDocker extends C2DEngine {
if (!jobRes[0].isRunning) return null
try {
const job = jobRes[0]
const container = await this.docker.getContainer(job.jobId + '-algoritm')
const container = this.docker.getContainer(job.jobId + '-algoritm')
const details = await container.inspect()
if (details.State.Running === false) return null
return await container.logs({
Expand Down Expand Up @@ -1728,6 +1731,8 @@ export class C2DEngineDocker extends C2DEngine {
// create the container
const mountVols: any = { '/data': {} }
const hostConfig: HostConfig = {
// limit number of Pids container can spawn, to avoid flooding
PidsLimit: 512,
Mounts: [
{
Type: 'volume',
Expand Down Expand Up @@ -1769,9 +1774,10 @@ export class C2DEngineDocker extends C2DEngine {
AttachStdin: false,
AttachStdout: true,
AttachStderr: true,
Tty: true,
Tty: false,
OpenStdin: false,
StdinOnce: false,
User: `${C2D_CONTAINER_UID}:${C2D_CONTAINER_GID}`,
Volumes: mountVols,
HostConfig: hostConfig
}
Expand All @@ -1786,8 +1792,10 @@ export class C2DEngineDocker extends C2DEngine {
containerInfo.HostConfig.Devices = advancedConfig.Devices
if (advancedConfig.GroupAdd)
containerInfo.HostConfig.GroupAdd = advancedConfig.GroupAdd
if (advancedConfig.SecurityOpt)
containerInfo.HostConfig.SecurityOpt = advancedConfig.SecurityOpt
containerInfo.HostConfig.SecurityOpt = [
'no-new-privileges',
...(advancedConfig.SecurityOpt ?? [])
]
if (advancedConfig.Binds) containerInfo.HostConfig.Binds = advancedConfig.Binds
containerInfo.HostConfig.CapDrop = ['ALL']
for (const cap of advancedConfig.CapDrop ?? []) {
Expand Down Expand Up @@ -1847,7 +1855,7 @@ export class C2DEngineDocker extends C2DEngine {
let container
let details
try {
container = await this.docker.getContainer(job.jobId + '-algoritm')
container = this.docker.getContainer(job.jobId + '-algoritm')
details = await container.inspect()
} catch (e) {
console.error(
Expand Down Expand Up @@ -1952,7 +1960,7 @@ export class C2DEngineDocker extends C2DEngine {
job.statusText = C2DStatusText.JobSettle
let container
try {
container = await this.docker.getContainer(job.jobId + '-algoritm')
container = this.docker.getContainer(job.jobId + '-algoritm')
} catch (e) {
CORE_LOGGER.debug('Could not retrieve container: ' + e.message)
job.isRunning = false
Expand Down Expand Up @@ -2149,7 +2157,7 @@ export class C2DEngineDocker extends C2DEngine {
this.releaseCpus(job.jobId)

try {
const container = await this.docker.getContainer(job.jobId + '-algoritm')
const container = this.docker.getContainer(job.jobId + '-algoritm')
if (container) {
if (job.status !== C2DStatusNumber.AlgorithmFailed) {
writeFileSync(
Expand Down Expand Up @@ -2875,7 +2883,7 @@ export class C2DEngineDocker extends C2DEngine {

if (existsSync(destination)) {
// now, upload it to the container
const container = await this.docker.getContainer(job.jobId + '-algoritm')
const container = this.docker.getContainer(job.jobId + '-algoritm')

try {
// await container2.putArchive(destination, {
Expand Down Expand Up @@ -2963,7 +2971,7 @@ export class C2DEngineDocker extends C2DEngine {
}

// delete output folders
await this.deleteOutputFolder(job)
this.deleteOutputFolder(job)
// delete the job
await this.db.deleteJob(job.jobId)
return true
Expand Down
Loading