make network access configurable

docs/env.md

@@ -137,6 +137,7 @@ The `DOCKER_COMPUTE_ENVIRONMENTS` environment variable should be a JSON array of
   {
     "socketPath": "/var/run/docker.sock",
     "scanImages": true,
+    "enableNetwork": false,
     "imageRetentionDays": 7,
     "imageCleanupInterval": 86400,
     "resources": [
@@ -195,7 +196,9 @@ The `DOCKER_COMPUTE_ENVIRONMENTS` environment variable should be a JSON array of
 #### Configuration Options
 
 - **socketPath**: Path to the Docker socket (e.g., docker.sock).
-- **scanImages**: If the docker images should be scan for vulnerabilities using trivy. If yes and critical vulnerabilities are found, then C2D job is refused
+- **scanImages**: Whether Docker images should be scanned for vulnerabilities using Trivy. If enabled and critical vulnerabilities are found, the C2D job is rejected.
+- **scanImageDBUpdateInterval**: How often to update the vulnerability database, in seconds. Default: 43200 (12 hours)
+- **enableNetwork**: Whether networking is enabled for algorithm containers. Default: false
 - **imageRetentionDays** - how long docker images are kept, in days. Default: 7
 - **imageCleanupInterval** - how often to run cleanup for docker images, in seconds. Min: 3600 (1hour), Default: 86400 (24 hours)
 - **paymentClaimInterval** - how often to run payment claiming, in seconds. Default: 3600 (1 hour)

src/@types/C2D/C2D.ts

@@ -161,6 +161,7 @@ export interface C2DDockerConfig {
   paymentClaimInterval?: number // Default: 3600 seconds (1 hours)
   scanImages?: boolean
   scanImageDBUpdateInterval?: number // Default: 12 hours
+  enableNetwork?: boolean // whether network is enabled for algorithm containers
 }
 
 export type ComputeResultType =

src/components/c2d/compute_engine_docker.ts

@@ -79,6 +79,7 @@ export class C2DEngineDocker extends C2DEngine {
   private cpuAllocations: Map<string, number[]> = new Map()
   private envCpuCores: number[] = []
   private cpuOffset: number
+  private enableNetwork: boolean
 
   public constructor(
     clusterConfig: C2DClusterInfo,
@@ -104,6 +105,7 @@ export class C2DEngineDocker extends C2DEngine {
     this.paymentClaimInterval = clusterConfig.connection.paymentClaimInterval || 3600 // 1 hour
     this.scanImages = clusterConfig.connection.scanImages || false // default is not to scan images for now, until it's prod ready
     this.scanImageDBUpdateInterval = clusterConfig.connection.scanImageDBUpdateInterval
+    this.enableNetwork = clusterConfig.connection.enableNetwork ?? false
     if (
       clusterConfig.connection.protocol &&
       clusterConfig.connection.host &&
@@ -1721,7 +1723,6 @@ export class C2DEngineDocker extends C2DEngine {
       // create the container
       const mountVols: any = { '/data': {} }
       const hostConfig: HostConfig = {
-        NetworkMode: 'none', // no network inside the container
         Mounts: [
           {
             Type: 'volume',
@@ -1731,6 +1732,9 @@ export class C2DEngineDocker extends C2DEngine {
           }
         ]
       }
+      if (!this.enableNetwork) {
+        hostConfig.NetworkMode = 'none' // no network inside the container
+      }
       // disk
       // if (diskSize && diskSize > 0) {
       //  hostConfig.StorageOpt = {

src/utils/config/schemas.ts

@@ -183,7 +183,10 @@ export const C2DDockerConfigSchema = z.array(
       fees: z.record(z.string(), z.array(ComputeEnvFeesSchema)).optional(),
       free: ComputeEnvironmentFreeOptionsSchema.optional(),
       imageRetentionDays: z.number().int().min(1).optional().default(7),
-      imageCleanupInterval: z.number().int().min(3600).optional().default(86400) // min 1 hour, default 24 hours
+      imageCleanupInterval: z.number().int().min(3600).optional().default(86400), // min 1 hour, default 24 hours
+      scanImages: z.boolean().optional().default(false),
+      scanImageDBUpdateInterval: z.number().int().min(3600).optional().default(43200), // default 43200 (12 hours)
+      enableNetwork: z.boolean().optional().default(false)
     })
     .refine(
       (data) =>