From c775af786b4759ca7a6b3d4491fc574fa5f4899a Mon Sep 17 00:00:00 2001 From: ndrpp Date: Wed, 25 Mar 2026 16:42:02 +0200 Subject: [PATCH 01/13] feat: improve dockerfile - use smaller docker images for builder & runner - use node user instead of root to limit permissions - use dumb init for better process & signal handling - pin docker images to commit sha's --- Dockerfile | 86 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 45 insertions(+), 41 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6ba093edb..df1ab1fe0 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,44 +1,48 @@ -FROM ubuntu:22.04 AS base -RUN apt-get update && apt-get -y install bash curl git wget libatomic1 python3 build-essential -COPY .nvmrc /usr/src/app/ -RUN rm /bin/sh && ln -s /bin/bash /bin/sh -ENV NVM_DIR=/usr/local/nvm -RUN mkdir $NVM_DIR -ENV NODE_VERSION=v22.15.0 -# Install nvm with node and npm -RUN curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \ - && source $NVM_DIR/nvm.sh \ - && nvm install $NODE_VERSION \ - && nvm alias default $NODE_VERSION \ - && nvm use default -ENV NODE_PATH=$NVM_DIR/$NODE_VERSION/lib/node_modules -ENV PATH=$NVM_DIR/versions/node/$NODE_VERSION/bin:$PATH -ENV IPFS_GATEWAY='https://ipfs.io/' -ENV ARWEAVE_GATEWAY='https://arweave.net/' - -FROM base AS builder -COPY package*.json /usr/src/app/ -COPY scripts/ /usr/src/app/scripts/ -WORKDIR /usr/src/app/ +FROM node:22.15.0-bookworm@sha256:a1f1274dadd49738bcd4cf552af43354bb781a7e9e3bc984cfeedc55aba2ddd8 AS builder +RUN apt-get update && apt-get install -y --no-install-recommends \ + python3 \ + build-essential \ + libatomic1 \ + git \ + && rm -rf /var/lib/apt/lists/* + +WORKDIR /usr/src/app +COPY package*.json ./ +COPY scripts/ ./scripts/ RUN npm ci +COPY . . 
+RUN npm run build && npm prune --omit=dev + + +FROM node:22.15.0-bookworm-slim@sha256:557e52a0fcb928ee113df7e1fb5d4f60c1341dbda53f55e3d815ca10807efdce AS runner +RUN apt-get update && apt-get install -y --no-install-recommends \ + dumb-init \ + libatomic1 \ + && rm -rf /var/lib/apt/lists/* + +ENV NODE_ENV=production \ + IPFS_GATEWAY='https://ipfs.io/' \ + ARWEAVE_GATEWAY='https://arweave.net/' \ + P2P_ipV4BindTcpPort=9000 \ + P2P_ipV4BindWsPort=9001 \ + P2P_ipV6BindTcpPort=9002 \ + P2P_ipV6BindWsPort=9003 \ + P2P_ipV4BindWssPort=9005 \ + HTTP_API_PORT=8000 + +EXPOSE 9000 9001 9002 9003 9005 8000 + +ARG DOCKER_GID=999 +RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node + +WORKDIR /usr/src/app +RUN chown node:node /usr/src/app + +COPY --chown=node:node --from=builder /usr/src/app/node_modules ./node_modules +COPY --chown=node:node --from=builder /usr/src/app/dist ./dist +COPY --chown=node:node --from=builder /usr/src/app/schemas ./schemas +USER node -FROM base AS runner -COPY . /usr/src/app -WORKDIR /usr/src/app/ -COPY --from=builder /usr/src/app/node_modules/ /usr/src/app/node_modules/ -RUN npm run build -ENV P2P_ipV4BindTcpPort=9000 -EXPOSE 9000 -ENV P2P_ipV4BindWsPort=9001 -EXPOSE 9001 -ENV P2P_ipV6BindTcpPort=9002 -EXPOSE 9002 -ENV P2P_ipV6BindWsPort=9003 -EXPOSE 9003 -ENV P2P_ipV4BindWssPort=9005 -EXPOSE 9005 -ENV HTTP_API_PORT=8000 -EXPOSE 8000 -ENV NODE_ENV='production' -CMD ["npm","run","start"] +ENTRYPOINT ["dumb-init", "--"] +CMD ["node", "--max-old-space-size=28784", "--trace-warnings", "--experimental-specifier-resolution=node", "dist/index.js"] From 00757a54ad621a3a24ef5a76bb2b77d8312dc272 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Wed, 25 Mar 2026 18:03:41 +0200 Subject: [PATCH 02/13] fix: copy all dir contents to runner --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index df1ab1fe0..f16e2a29f 100644 --- a/Dockerfile +++ b/Dockerfile 
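Review bot: Adding `node` to a `docker` group whose GID is meant to match the host (`groupadd -g ${DOCKER_GID} docker && usermod -aG docker node`) gives back much of what `USER node` takes away. The comment added in patch 11 names `/var/run/docker.sock` as the reason, and access to that socket is equivalent to root on the host once it is mounted. The line is commented out in patch 04 and restored in patch 05, so the same point applies there. I would state the trade-off next to the `ARG`, e.g. `# NOTE: membership in this group grants control of the host Docker daemon; mount the socket only on nodes that run compute jobs`. For deployments that need the socket, a filtering socket proxy or a rootless daemon is worth evaluating.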
@@ -38,9 +38,7 @@ RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node WORKDIR /usr/src/app RUN chown node:node /usr/src/app -COPY --chown=node:node --from=builder /usr/src/app/node_modules ./node_modules -COPY --chown=node:node --from=builder /usr/src/app/dist ./dist -COPY --chown=node:node --from=builder /usr/src/app/schemas ./schemas +COPY --chown=node:node --from=builder /usr/src/app/ . USER node From b99979ed279b93aba48c37394247b7e330567b69 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Wed, 25 Mar 2026 18:16:13 +0200 Subject: [PATCH 03/13] fix: create storage dirs manually --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f16e2a29f..51e7fd6d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -36,7 +36,8 @@ ARG DOCKER_GID=999 RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node WORKDIR /usr/src/app -RUN chown node:node /usr/src/app +RUN mkdir databases c2d_storage logs & \ + chown node:node /usr/src/app COPY --chown=node:node --from=builder /usr/src/app/ . From fe29d4643f8003dc18d42ba0004c2776cec2b71c Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 09:46:20 +0200 Subject: [PATCH 04/13] fix: check with root permissions --- Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 51e7fd6d7..f64d40640 100644 --- a/Dockerfile +++ b/Dockerfile 
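Review bot: The single `&` in `RUN mkdir databases c2d_storage logs & \` (patch 03) puts `mkdir` in the background instead of chaining it, so the step's result is that of `chown` alone and a failed `mkdir` goes unnoticed. The `chown` also still targets only `/usr/src/app`, non-recursively, so the three new directories stay root-owned while the process runs as `node`. `RUN mkdir -p databases c2d_storage logs && chown node:node databases c2d_storage logs` does what the subject line describes; patch 05 later in this series arrives at that form.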
@@ -32,16 +32,16 @@ ENV NODE_ENV=production \ EXPOSE 9000 9001 9002 9003 9005 8000 -ARG DOCKER_GID=999 -RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node +#ARG DOCKER_GID=999 +#RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node WORKDIR /usr/src/app -RUN mkdir databases c2d_storage logs & \ - chown node:node /usr/src/app +#RUN chown node:node /usr/src/app -COPY --chown=node:node --from=builder /usr/src/app/ . +#COPY --chown=node:node --from=builder /usr/src/app/ . +COPY --from=builder /usr/src/app/ . -USER node +#USER node ENTRYPOINT ["dumb-init", "--"] CMD ["node", "--max-old-space-size=28784", "--trace-warnings", "--experimental-specifier-resolution=node", "dist/index.js"] From b02569178c67cdf8eb7eddf989d53c042dfa28e8 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 10:19:45 +0200 Subject: [PATCH 05/13] fix: update permissions for database dirs --- Dockerfile | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index f64d40640..873696a32 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,16 +32,17 @@ ENV NODE_ENV=production \ EXPOSE 9000 9001 9002 9003 9005 8000 -#ARG DOCKER_GID=999 -#RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node +ARG DOCKER_GID=999 +RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node WORKDIR /usr/src/app -#RUN chown node:node /usr/src/app -#COPY --chown=node:node --from=builder /usr/src/app/ . -COPY --from=builder /usr/src/app/ . +COPY --chown=node:node --from=builder /usr/src/app/ . -#USER node +RUN mkdir -p databases c2d_storage logs && \ + chown node:node databases c2d_storage logs + +USER node ENTRYPOINT ["dumb-init", "--"] CMD ["node", "--max-old-space-size=28784", "--trace-warnings", "--experimental-specifier-resolution=node", "dist/index.js"] From 7d22ad1099dde38e390e14ac88c7bca48896d69f Mon Sep 17 00:00:00 2001 
From: ndrpp Date: Thu, 26 Mar 2026 10:38:52 +0200 Subject: [PATCH 06/13] fix: directory permissions for node user --- Dockerfile | 9 +++++---- docker-entrypoint.sh | 8 ++++++++ 2 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 docker-entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 873696a32..e0a6980c3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,6 +17,7 @@ RUN npm run build && npm prune --omit=dev FROM node:22.15.0-bookworm-slim@sha256:557e52a0fcb928ee113df7e1fb5d4f60c1341dbda53f55e3d815ca10807efdce AS runner RUN apt-get update && apt-get install -y --no-install-recommends \ dumb-init \ + gosu \ libatomic1 \ && rm -rf /var/lib/apt/lists/* @@ -39,10 +40,10 @@ WORKDIR /usr/src/app COPY --chown=node:node --from=builder /usr/src/app/ . -RUN mkdir -p databases c2d_storage logs && \ - chown node:node databases c2d_storage logs +RUN mkdir -p databases c2d_storage logs -USER node +COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +RUN chmod +x /usr/local/bin/docker-entrypoint.sh -ENTRYPOINT ["dumb-init", "--"] +ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] CMD ["node", "--max-old-space-size=28784", "--trace-warnings", "--experimental-specifier-resolution=node", "dist/index.js"] diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh new file mode 100644 index 000000000..d98a570a7 --- /dev/null +++ b/docker-entrypoint.sh @@ -0,0 +1,8 @@ +#!/bin/sh +set -e + +# Fix ownership of directories that may be mounted as volumes (owned by root). +# Runs as root, then drops to 'node' user via gosu. +chown node:node /usr/src/app/databases /usr/src/app/c2d_storage /usr/src/app/logs 2>/dev/null || true + +exec gosu node dumb-init -- "$@" From 454e3936273d382bef9bbb20efb9f0aa6f18f358 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 11:02:08 +0200 Subject: [PATCH 07/13] fix: recursive chown for databases dir --- docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
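Review bot: With `USER node` removed from the Dockerfile in this patch, the image's default user is root and the privilege drop depends entirely on `docker-entrypoint.sh`, which assumes it is started as root. When the container is started under a non-root UID (an explicit `--user`, or an orchestrator policy that enforces non-root), the `chown` fails silently because of `2>/dev/null || true`, and `gosu node` is expected to fail because gosu needs root to switch users. The resulting error does not point at the cause. Anything that bypasses the entrypoint (an overridden `--entrypoint`, `docker exec`) also runs as root. I would branch on the current UID and report a failed `chown` instead of discarding it, as sketched below.

```shell
# … unchanged: shebang and set -e …
if [ "$(id -u)" = "0" ]; then
    # Started as root: repair ownership of the mount points, then drop privileges.
    chown node:node /usr/src/app/databases /usr/src/app/c2d_storage /usr/src/app/logs \
        || echo "docker-entrypoint: could not chown data directories" >&2
    exec gosu node dumb-init -- "$@"
fi

# Already unprivileged (for example started with an explicit --user): nothing to drop.
exec dumb-init -- "$@"
```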
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index d98a570a7..46f21fdbb 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -3,6 +3,6 @@ set -e # Fix ownership of directories that may be mounted as volumes (owned by root). # Runs as root, then drops to 'node' user via gosu. -chown node:node /usr/src/app/databases /usr/src/app/c2d_storage /usr/src/app/logs 2>/dev/null || true +chown -R node:node /usr/src/app/databases /usr/src/app/c2d_storage /usr/src/app/logs 2>/dev/null || true exec gosu node dumb-init -- "$@" From 9869208a2404399282889a217a0070655907048f Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 11:21:55 +0200 Subject: [PATCH 08/13] fix: update get version method to work for node dist/index.js run --- src/components/Indexer/index.ts | 3 ++- src/components/core/utils/statusHandler.ts | 3 ++- src/utils/version.ts | 7 +++++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 src/utils/version.ts diff --git a/src/components/Indexer/index.ts b/src/components/Indexer/index.ts index fd9e94476..17460bf83 100644 --- a/src/components/Indexer/index.ts +++ b/src/components/Indexer/index.ts @@ -38,6 +38,7 @@ import { create256Hash } from '../../utils/crypt.js' import { getDatabase, isReachableConnection } from '../../utils/database.js' import { sleep } from '../../utils/util.js' import { isReindexingNeeded } from './version.js' +import { getPackageVersion } from '../../utils/version.js' import { DB_EVENTS, ES_CONNECTION_EVENTS } from '../database/ElasticsearchConfigHelper.js' /** 
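Review bot: `chown -R` now walks every file under the three directories as root on every container start, and its errors are still discarded by `2>/dev/null || true`. On a bind-mounted host path this re-owns the whole tree on the host, and start-up time grows with the size of `databases`. I would recurse only when the top-level owner is wrong, e.g. `[ "$(stat -c %U /usr/src/app/databases)" = node ] || chown -R node:node /usr/src/app/databases`, and add a comment that mounted host directories will be re-owned to `node`.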
@@ -535,7 +536,7 @@ export class OceanIndexer { * Checks if reindexing is needed and triggers it for all chains */ public async checkAndTriggerReindexing(): Promise { - const currentVersion = process.env.npm_package_version + const currentVersion = getPackageVersion() const dbActive = this.getDatabase() if (!dbActive || !(await isReachableConnection(dbActive.getConfig().url))) { INDEXER_LOGGER.error(`Giving up reindexing. DB is not online!`) diff --git a/src/components/core/utils/statusHandler.ts b/src/components/core/utils/statusHandler.ts index 2b7d73c9c..dca790bce 100644 --- a/src/components/core/utils/statusHandler.ts +++ b/src/components/core/utils/statusHandler.ts @@ -14,6 +14,7 @@ import { typesenseSchemas } from '../../database/TypesenseSchemas.js' import { SupportedNetwork } from '../../../@types/blockchain.js' import { getAdminAddresses } from '../../../utils/auth.js' import HumanHasher from 'humanhash' +import { getPackageVersion } from '../../../utils/version.js' function getSupportedStorageTypes(config: OceanNodeConfig): StorageTypes { return { @@ -126,7 +127,7 @@ export async function status( publicKey: publicKeyHex, friendlyName: new HumanHasher().humanize(publicKeyHex), address: oceanNode.getKeyManager().getEthAddress(), - version: process.env.npm_package_version, + version: getPackageVersion(), http: config.hasHttp, p2p: config.hasP2P, provider: [], diff --git a/src/utils/version.ts b/src/utils/version.ts new file mode 100644 index 000000000..470f95abe --- /dev/null +++ b/src/utils/version.ts @@ -0,0 +1,7 @@ +import { createRequire } from 'module' + +const require = createRequire(import.meta.url) + +export function getPackageVersion(): string { + return process.env.npm_package_version ?? require('../../package.json').version +} From 8e0289ee488e3410fb47db67d7f2d9934fcccc9f Mon Sep 17 00:00:00 2001 
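Review bot: `getPackageVersion()` in `src/utils/version.ts` has no doc comment and no handling for the case where neither source is available. `require('../../package.json')` throws if the file is missing, and both `status()` and `checkAndTriggerReindexing()` now call it. The relative path is resolved from the compiled module, so it only works while `package.json` sits two directories above it in the image. I would add a comment such as `// npm_package_version is only set when started through npm; fall back to package.json for "node dist/index.js"` and read the file once at module load, so a missing file surfaces at start-up rather than on the first status request. Because the environment variable takes precedence, an operator-set `npm_package_version` also feeds the reindexing check; that precedence is worth stating in the comment.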
From: ndrpp Date: Thu, 26 Mar 2026 11:54:34 +0200 Subject: [PATCH 09/13] fix: change permissions for jobs dir so child containers can write --- src/components/c2d/compute_engine_docker.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/components/c2d/compute_engine_docker.ts b/src/components/c2d/compute_engine_docker.ts index aec1d59bf..503b87ab8 100755 --- a/src/components/c2d/compute_engine_docker.ts +++ b/src/components/c2d/compute_engine_docker.ts @@ -35,6 +35,7 @@ import { createWriteStream, existsSync, mkdirSync, + chmodSync, rmSync, writeFileSync, appendFileSync, @@ -2643,6 +2644,7 @@ export class C2DEngineDocker extends C2DEngine { if (!existsSync(dir)) { mkdirSync(dir, { recursive: true }) } + chmodSync(dir, 0o777) } return true } catch (e) { From 6847317abac7f9211cff21c886e1409e671ab572 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 12:19:25 +0200 Subject: [PATCH 10/13] feat: make image smaller by removing unneeded stuff --- .dockerignore | 16 ++++++++++++++-- Dockerfile | 6 +++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/.dockerignore b/.dockerignore index 386c86a71..891c644f7 100644 --- a/.dockerignore +++ b/.dockerignore @@ -2,5 +2,17 @@ node_modules /dist logs c2d_storage -.env.local -.env \ No newline at end of file +databases +.env +.env.* +.git +.github +docs +src/test +*.md +*.log +.nyc_output +coverage +docker-compose.yml +elasticsearch-compose.yml +typesense-compose.yml diff --git a/Dockerfile b/Dockerfile index e0a6980c3..b5a144f48 100644 --- a/Dockerfile +++ b/Dockerfile 
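Review bot: `chmodSync(dir, 0o777)` in `compute_engine_docker.ts` makes every directory in this loop world-writable without the sticky bit, and it runs on each call, including for directories that already existed. Any local account or container that can reach the path can then add, replace or delete job files. If the UID/GID of the job containers is known, ownership or a shared group with `0o770` is narrower. If the directories must stay open, `0o1777` at least stops one writer removing another's files, and a comment should record why, e.g. `// job containers run under a different UID and must write here`. The enclosing method starts and ends outside the hunk, so which paths `dir` covers is not visible here.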
@@ -38,7 +38,11 @@ RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node WORKDIR /usr/src/app -COPY --chown=node:node --from=builder /usr/src/app/ . +COPY --chown=node:node --from=builder /usr/src/app/dist ./dist +COPY --chown=node:node --from=builder /usr/src/app/node_modules ./node_modules +COPY --chown=node:node --from=builder /usr/src/app/schemas ./schemas +COPY --chown=node:node --from=builder /usr/src/app/package.json ./ +COPY --chown=node:node --from=builder /usr/src/app/config.json ./ RUN mkdir -p databases c2d_storage logs From 451b027d72f58e75daceff51aadf4f672c647ca4 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 12:37:06 +0200 Subject: [PATCH 11/13] docs: explain the assignment of node user to docker group --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index b5a144f48..67e813964 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,6 +33,9 @@ ENV NODE_ENV=production \ EXPOSE 9000 9001 9002 9003 9005 8000 +# GID of the docker group on the host. Needs to match so the node user can access +# /var/run/docker.sock for compute jobs. Default is 999 (common on Debian/Ubuntu). +# Override at build time if your host differs: docker build --build-arg DOCKER_GID=$(getent group docker | cut -d: -f3) . ARG DOCKER_GID=999 RUN groupadd -g ${DOCKER_GID} docker && usermod -aG docker node From c7ceb5ae6d107541eed67e590805391a5d8691a9 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 14:26:19 +0200 Subject: [PATCH 12/13] ci: add faster failure for test_integration & system to check error --- .github/workflows/ci.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f1fa84bd..a41742ab9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
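Review bot: Every `COPY --chown=node:node` in the patch 10 hunk makes `dist`, `node_modules` and `schemas` writable by the same account the service runs as, so a bug or compromise in the process can rewrite the code it will load on the next start. Only `databases`, `c2d_storage` and `logs` look like they need to be writable; the code copies can stay root-owned and world-readable, e.g. `COPY --from=builder /usr/src/app/dist ./dist`. This hunk also bakes `config.json` into an image layer. If that file can carry keys or credentials in some deployments, it is better mounted at run time; worth confirming what it holds.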
@@ -138,10 +138,11 @@ jobs: - name: Wait for contracts deployment working-directory: ${{ github.workspace }}/barge run: | - for i in $(seq 1 250); do + for i in $(seq 1 20); do sleep 5 [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] && break - done + done + [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] || exit 1 - name: docker logs run: docker logs ocean-ocean-contracts-1 && docker logs ocean-typesense-1 if: ${{ failure() }} @@ -236,10 +237,11 @@ jobs: - name: Wait for contracts deployment and C2D cluster to be ready working-directory: ${{ github.workspace }}/barge run: | - for i in $(seq 1 250); do + for i in $(seq 1 20); do sleep 10 [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] && break done + [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] || exit 1 - name: docker logs run: docker logs ocean-contracts-1 && docker logs ocean-typesense-1 From 30ebd222db3de62329b2bc2270a8dce9cef59646 Mon Sep 17 00:00:00 2001 From: ndrpp Date: Thu, 26 Mar 2026 14:45:37 +0200 Subject: [PATCH 13/13] Revert "ci: add faster failure for test_integration & system to check error" This reverts commit c7ceb5ae6d107541eed67e590805391a5d8691a9. --- .github/workflows/ci.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a41742ab9..6f1fa84bd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -138,11 +138,10 @@ jobs: - name: Wait for contracts deployment working-directory: ${{ github.workspace }}/barge run: | - for i in $(seq 1 20); do + for i in $(seq 1 250); do sleep 5 [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] && break - done - [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] || exit 1 + done - name: docker logs run: docker logs ocean-ocean-contracts-1 && docker logs ocean-typesense-1 if: ${{ failure() }} 
@@ -237,11 +236,10 @@ jobs: - name: Wait for contracts deployment and C2D cluster to be ready working-directory: ${{ github.workspace }}/barge run: | - for i in $(seq 1 20); do + for i in $(seq 1 250); do sleep 10 [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] && break done - [ -f "$HOME/.ocean/ocean-contracts/artifacts/ready" ] || exit 1 - name: docker logs run: docker logs ocean-contracts-1 && docker logs ocean-typesense-1