feat: improve c2d docker image security (#1302)

ndrpp · web-flow · commit 65a89dc09c5f · 2026-04-02T13:26:59.000+03:00
* feat: improve c2d docker image security

* fix: build issue

* fix: make directories world writable

* fix: use init container to setup permissions before running user image

* fix: add logs to check status of init volume

* fix: try changing permissions at job start

* fix: allow root cache as tmpfs

* fix: use absolute path

* chore: review

* feat: disable readonly root fs
diff --git a/src/components/c2d/compute_engine_docker.ts b/src/components/c2d/compute_engine_docker.ts
@@ -57,6 +57,9 @@ import { dockerRegistrysAuth, dockerRegistryAuth } from '../../@types/OceanNode.
 import { EncryptMethod } from '../../@types/fileObject.js'
 import { ZeroAddress } from 'ethers'
 
+const C2D_CONTAINER_UID = 1000
+const C2D_CONTAINER_GID = 1000
+
 const trivyImage = 'aquasec/trivy:0.69.3' // Use pinned versions for safety
 
 export class C2DEngineDocker extends C2DEngine {
@@ -1469,7 +1472,7 @@ export class C2DEngineDocker extends C2DEngine {
     if (!jobRes[0].isRunning) return null
     try {
       const job = jobRes[0]
-      const container = await this.docker.getContainer(job.jobId + '-algoritm')
+      const container = this.docker.getContainer(job.jobId + '-algoritm')
       const details = await container.inspect()
       if (details.State.Running === false) return null
       return await container.logs({
@@ -1728,6 +1731,8 @@ export class C2DEngineDocker extends C2DEngine {
       // create the container
       const mountVols: any = { '/data': {} }
       const hostConfig: HostConfig = {
+        // limit number of Pids container can spawn, to avoid flooding
+        PidsLimit: 512,
         Mounts: [
           {
             Type: 'volume',
@@ -1769,9 +1774,10 @@ export class C2DEngineDocker extends C2DEngine {
         AttachStdin: false,
         AttachStdout: true,
         AttachStderr: true,
-        Tty: true,
+        Tty: false,
         OpenStdin: false,
         StdinOnce: false,
+        User: `${C2D_CONTAINER_UID}:${C2D_CONTAINER_GID}`,
         Volumes: mountVols,
         HostConfig: hostConfig
       }
@@ -1786,8 +1792,10 @@ export class C2DEngineDocker extends C2DEngine {
         containerInfo.HostConfig.Devices = advancedConfig.Devices
       if (advancedConfig.GroupAdd)
         containerInfo.HostConfig.GroupAdd = advancedConfig.GroupAdd
-      if (advancedConfig.SecurityOpt)
-        containerInfo.HostConfig.SecurityOpt = advancedConfig.SecurityOpt
+      containerInfo.HostConfig.SecurityOpt = [
+        'no-new-privileges',
+        ...(advancedConfig.SecurityOpt ?? [])
+      ]
       if (advancedConfig.Binds) containerInfo.HostConfig.Binds = advancedConfig.Binds
       containerInfo.HostConfig.CapDrop = ['ALL']
       for (const cap of advancedConfig.CapDrop ?? []) {
@@ -1847,7 +1855,7 @@ export class C2DEngineDocker extends C2DEngine {
       let container
       let details
       try {
-        container = await this.docker.getContainer(job.jobId + '-algoritm')
+        container = this.docker.getContainer(job.jobId + '-algoritm')
         details = await container.inspect()
       } catch (e) {
         console.error(
@@ -1952,7 +1960,7 @@ export class C2DEngineDocker extends C2DEngine {
       job.statusText = C2DStatusText.JobSettle
       let container
       try {
-        container = await this.docker.getContainer(job.jobId + '-algoritm')
+        container = this.docker.getContainer(job.jobId + '-algoritm')
       } catch (e) {
         CORE_LOGGER.debug('Could not retrieve container: ' + e.message)
         job.isRunning = false
@@ -2149,7 +2157,7 @@ export class C2DEngineDocker extends C2DEngine {
     this.releaseCpus(job.jobId)
 
     try {
-      const container = await this.docker.getContainer(job.jobId + '-algoritm')
+      const container = this.docker.getContainer(job.jobId + '-algoritm')
       if (container) {
         if (job.status !== C2DStatusNumber.AlgorithmFailed) {
           writeFileSync(
@@ -2875,7 +2883,7 @@ export class C2DEngineDocker extends C2DEngine {
 
       if (existsSync(destination)) {
         // now, upload it to the container
-        const container = await this.docker.getContainer(job.jobId + '-algoritm')
+        const container = this.docker.getContainer(job.jobId + '-algoritm')
 
         try {
           // await container2.putArchive(destination, {
@@ -2963,7 +2971,7 @@ export class C2DEngineDocker extends C2DEngine {
       }
 
       // delete output folders
-      await this.deleteOutputFolder(job)
+      this.deleteOutputFolder(job)
       // delete the job
       await this.db.deleteJob(job.jobId)
       return true
