feat: improve c2d docker image security

src/components/c2d/compute_engine_docker.ts

@@ -54,6 +54,10 @@ import { getOceanTokenAddressForChain } from '../../utils/address.js'
 import { dockerRegistrysAuth, dockerRegistryAuth } from '../../@types/OceanNode.js'
 import { EncryptMethod } from '../../@types/fileObject.js'
 import { ZeroAddress } from 'ethers'
+import { chmodSync } from 'node:fs'
+
+const C2D_CONTAINER_UID = 1000
+const C2D_CONTAINER_GID = 1000
 
 export class C2DEngineDocker extends C2DEngine {
   private envs: ComputeEnvironment[] = []
@@ -656,7 +660,7 @@ export class C2DEngineDocker extends C2DEngine {
 
   private async cleanUpUnknownLocks(chain: string, currentTimestamp: bigint) {
     try {
-      const nodeAddress = await this.getKeyManager().getEthAddress()
+      const nodeAddress = this.getKeyManager().getEthAddress()
       const jobIds: any[] = []
       const tokens: string[] = []
       const payer: string[] = []
@@ -1411,7 +1415,7 @@ export class C2DEngineDocker extends C2DEngine {
     if (!jobRes[0].isRunning) return null
     try {
       const job = jobRes[0]
-      const container = await this.docker.getContainer(job.jobId + '-algoritm')
+      const container = this.docker.getContainer(job.jobId + '-algoritm')
       const details = await container.inspect()
       if (details.State.Running === false) return null
       return await container.logs({
@@ -1637,6 +1641,8 @@ export class C2DEngineDocker extends C2DEngine {
       const mountVols: any = { '/data': {} }
       const hostConfig: HostConfig = {
         NetworkMode: 'none', // no network inside the container
+        // limit number of Pids container can spawn, to avoid flooding
+        PidsLimit: 512,
         Mounts: [
           {
             Type: 'volume',
@@ -1675,9 +1681,10 @@ export class C2DEngineDocker extends C2DEngine {
         AttachStdin: false,
         AttachStdout: true,
         AttachStderr: true,
-        Tty: true,
+        Tty: false,
         OpenStdin: false,
         StdinOnce: false,
+        User: `${C2D_CONTAINER_UID}:${C2D_CONTAINER_GID}`,
         Volumes: mountVols,
         HostConfig: hostConfig
       }
@@ -1692,8 +1699,10 @@ export class C2DEngineDocker extends C2DEngine {
         containerInfo.HostConfig.Devices = advancedConfig.Devices
       if (advancedConfig.GroupAdd)
         containerInfo.HostConfig.GroupAdd = advancedConfig.GroupAdd
-      if (advancedConfig.SecurityOpt)
-        containerInfo.HostConfig.SecurityOpt = advancedConfig.SecurityOpt
+      containerInfo.HostConfig.SecurityOpt = [
+        'no-new-privileges',
+        ...(advancedConfig.SecurityOpt ?? [])
+      ]
       if (advancedConfig.Binds) containerInfo.HostConfig.Binds = advancedConfig.Binds
       containerInfo.HostConfig.CapDrop = ['ALL']
       for (const cap of advancedConfig.CapDrop ?? []) {
@@ -1753,7 +1762,7 @@ export class C2DEngineDocker extends C2DEngine {
       let container
       let details
       try {
-        container = await this.docker.getContainer(job.jobId + '-algoritm')
+        container = this.docker.getContainer(job.jobId + '-algoritm')
         details = await container.inspect()
       } catch (e) {
         console.error(
@@ -1855,7 +1864,7 @@ export class C2DEngineDocker extends C2DEngine {
       job.statusText = C2DStatusText.JobSettle
       let container
       try {
-        container = await this.docker.getContainer(job.jobId + '-algoritm')
+        container = this.docker.getContainer(job.jobId + '-algoritm')
       } catch (e) {
         CORE_LOGGER.debug('Could not retrieve container: ' + e.message)
         job.isRunning = false
@@ -2044,7 +2053,7 @@ export class C2DEngineDocker extends C2DEngine {
     this.releaseCpus(job.jobId)
 
     try {
-      const container = await this.docker.getContainer(job.jobId + '-algoritm')
+      const container = this.docker.getContainer(job.jobId + '-algoritm')
       if (container) {
         if (job.status !== C2DStatusNumber.AlgorithmFailed) {
           writeFileSync(
@@ -2748,7 +2757,7 @@ export class C2DEngineDocker extends C2DEngine {
 
       if (existsSync(destination)) {
         // now, upload it to the container
-        const container = await this.docker.getContainer(job.jobId + '-algoritm')
+        const container = this.docker.getContainer(job.jobId + '-algoritm')
 
         try {
           // await container2.putArchive(destination, {
@@ -2810,6 +2819,8 @@ export class C2DEngineDocker extends C2DEngine {
         if (!existsSync(dir)) {
           mkdirSync(dir, { recursive: true })
         }
+        // update directory permissions to allow read/write from job containers
+        chmodSync(dir, 0o777)
       }
       return true
     } catch (e) {
@@ -2834,7 +2845,7 @@ export class C2DEngineDocker extends C2DEngine {
       }
 
       // delete output folders
-      await this.deleteOutputFolder(job)
+      this.deleteOutputFolder(job)
       // delete the job
       await this.db.deleteJob(job.jobId)
       return true