From a8c0ec9ed32a079e48e5ba2b5d9cdbd4efb29a27 Mon Sep 17 00:00:00 2001 From: Roman Pytkov Date: Wed, 5 Nov 2025 22:01:57 +0300 Subject: [PATCH] Enables cgroup support for isolate Configures isolate to use cgroups for improved resource management. Adds the `--cg` flag to the isolate init and cleanup commands, leveraging cgroups for better resource isolation during code execution testing. Makes isolate configuration file explicit. --- src/LiquidCode.Tester.Worker/Dockerfile | 7 ++++--- .../Services/Isolate/IsolateService.cs | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/LiquidCode.Tester.Worker/Dockerfile b/src/LiquidCode.Tester.Worker/Dockerfile index 2434eac..d16b3e3 100644 --- a/src/LiquidCode.Tester.Worker/Dockerfile +++ b/src/LiquidCode.Tester.Worker/Dockerfile @@ -87,9 +87,10 @@ RUN useradd -m -u 1001 -s /bin/bash workeruser && \ chmod 755 /var/local/lib/isolate && \ chown -R workeruser:workeruser /var/local/lib/isolate -# Configure isolate directories (defaults in isolate binary already match these paths) -# The binary falls back to /var/local/lib/isolate for boxes and /sys/fs/cgroup for cgroups, -# so no explicit config file is required here. +# Configure isolate directories and control-group root +RUN printf "box_root = /var/local/lib/isolate\nlock_root = /run/isolate/locks\ncg_root = /sys/fs/cgroup\nfirst_uid = 60000\nfirst_gid = 60000\nnum_boxes = 1000\n" > /usr/local/etc/isolate.conf && \ + ln -sf /usr/local/etc/isolate.conf /usr/local/etc/isolate && \ + mkdir -p /run/isolate/locks # Copy published app COPY --from=publish /app/publish . diff --git a/src/LiquidCode.Tester.Worker/Services/Isolate/IsolateService.cs b/src/LiquidCode.Tester.Worker/Services/Isolate/IsolateService.cs index 13f4229..e34cac5 100644 --- a/src/LiquidCode.Tester.Worker/Services/Isolate/IsolateService.cs +++ b/src/LiquidCode.Tester.Worker/Services/Isolate/IsolateService.cs 
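Review bot: `cg_root = /sys/fs/cgroup` in the generated isolate.conf points isolate at the root of the cgroup filesystem, so `--cg` only works if the container can create and write cgroups there at run time. In a container started without extra privileges that mount is normally read-only, so either `--init` fails or the worker must run with a writable cgroup mount or elevated privileges, which widens what an escaped submission could reach; the run-time settings are not visible in this patch. I would record the requirement next to the config, e.g. `# --cg needs a writable, delegated cgroup subtree at run time; see <deployment-doc placeholder>`, and point `cg_root` at a dedicated subtree rather than the hierarchy root if the deployment allows it. Separately, `mkdir -p /run/isolate/locks` runs at build time, so the directory will be missing if `/run` is mounted as tmpfs when the container starts; creating it in the entrypoint would be more robust.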
@@ -24,7 +24,7 @@ public class IsolateService { _logger.LogDebug("Initializing isolate box {BoxId}", boxId); - var result = await RunIsolateCommandAsync($"--box-id={boxId} --init"); + var result = await RunIsolateCommandAsync($"--box-id={boxId} --cg --init"); if (result.ExitCode != 0) { @@ -90,7 +90,7 @@ public class IsolateService { _logger.LogDebug("Cleaning up isolate box {BoxId}", boxId); - var result = await RunIsolateCommandAsync($"--box-id={boxId} --cleanup"); + var result = await RunIsolateCommandAsync($"--box-id={boxId} --cg --cleanup"); if (result.ExitCode != 0) {
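Review bot: `--cg` is added to `--init` here and to `--cleanup` in the second hunk (`@@ -90,7 +90,7 @@`), but the `--run` invocation is outside this patch, and isolate expects the flag on every command issued for a box. If the run path still omits it, or keeps only the per-process `--mem` limit, the box gets a control group that never constrains the submission, so a program that forks could exceed the intended memory budget; please confirm the run arguments carry `--cg` together with a `--cg-mem` limit. To keep the call sites from drifting, the flag could live in one place, e.g. `private const string CgroupFlag = "--cg";` used as `$"--box-id={boxId} {CgroupFlag} --init"`. Both enclosing methods start and end outside their hunks, so how a non-zero exit code is handled cannot be judged from here.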