Enables cgroup support for isolate

Configures isolate to use cgroups for improved resource management.

Adds the `--cg` flag to the isolate init and cleanup commands,
leveraging cgroups for better resource isolation during code execution testing.

Makes isolate configuration file explicit.

src/LiquidCode.Tester.Worker/Dockerfile

@@ -87,9 +87,10 @@ RUN useradd -m -u 1001 -s /bin/bash workeruser && \
     chmod 755 /var/local/lib/isolate && \
     chown -R workeruser:workeruser /var/local/lib/isolate
 
-# Configure isolate directories (defaults in isolate binary already match these paths)
+# Configure isolate directories and control-group root
-# The binary falls back to /var/local/lib/isolate for boxes and /sys/fs/cgroup for cgroups,
+RUN printf "box_root = /var/local/lib/isolate\nlock_root = /run/isolate/locks\ncg_root = /sys/fs/cgroup\nfirst_uid = 60000\nfirst_gid = 60000\nnum_boxes = 1000\n" > /usr/local/etc/isolate.conf && \
-# so no explicit config file is required here.
+    ln -sf /usr/local/etc/isolate.conf /usr/local/etc/isolate && \
+    mkdir -p /run/isolate/locks
 
 # Copy published app
 COPY --from=publish /app/publish .

src/LiquidCode.Tester.Worker/Services/Isolate/IsolateService.cs

@@ -24,7 +24,7 @@ public class IsolateService
     {
         _logger.LogDebug("Initializing isolate box {BoxId}", boxId);
 
-        var result = await RunIsolateCommandAsync($"--box-id={boxId} --init");
+    var result = await RunIsolateCommandAsync($"--box-id={boxId} --cg --init");
 
         if (result.ExitCode != 0)
         {
@@ -90,7 +90,7 @@ public class IsolateService
     {
         _logger.LogDebug("Cleaning up isolate box {BoxId}", boxId);
 
-        var result = await RunIsolateCommandAsync($"--box-id={boxId} --cleanup");
+    var result = await RunIsolateCommandAsync($"--box-id={boxId} --cg --cleanup");
 
         if (result.ExitCode != 0)
         {