Fix

vtm9 · vtm9 · commit d9132edb83a8 · 2026-05-28T00:42:42.000+02:00
diff --git a/apps/runner/images/csharp/Checker.csproj b/apps/runner/images/csharp/Checker.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net9.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <RootNamespace>app</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
diff --git a/apps/runner/images/csharp/Containerfile b/apps/runner/images/csharp/Containerfile
@@ -9,23 +9,23 @@ FROM --platform=$TARGETPLATFORM ${RUNNER_IMAGE} AS runner
 # ---------- .NET SDK base (Debian/glibc) ----------
 FROM --platform=$TARGETPLATFORM mcr.microsoft.com/dotnet/sdk:${DOTNET_TAG}
 
-  # We intentionally do NOT set NUGET_PACKAGES or HOME here.
-  #
-  # At runtime the runner-zig sandbox force-sets HOME=/sandbox and mounts a
-  # fresh tmpfs over /tmp per request. Anything we stash under /tmp (e.g. a
-  # pre-restored package cache) is therefore invisible to user code, which is
-  # exactly what produced the previous "NU1301: Unable to load the service
-  # index for source https://api.nuget.org/v3/index.json" error.
-  #
-  # Instead we pre-restore into ./.nuget/packages under the workdir. The
-  # runner's per-request copyWorkspace step then carries the cache into
-  # /sandbox/.nuget/packages, where dotnet finds it via the default
-  # $HOME/.nuget/packages lookup — no network needed at request time.
-  #
-  # RUN_ENV_ALLOW makes the runner forward the listed DOTNET_* vars into the
-  # sandbox env. Without DOTNET_SKIP_FIRST_TIME_EXPERIENCE at runtime, dotnet
-  # prints the "Welcome to .NET" banner and tries to install the HTTPS dev
-  # cert on every /run.
+# We intentionally do NOT set NUGET_PACKAGES or HOME here.
+#
+# At runtime the runner-zig sandbox force-sets HOME=/sandbox and mounts a
+# fresh tmpfs over /tmp per request. Anything stashed under /tmp (e.g. a
+# pre-restored package cache) is therefore invisible to user code, which is
+# what produced the previous "NU1301: Unable to load the service index for
+# source https://api.nuget.org/v3/index.json" error.
+#
+# Instead we pre-restore into ./.nuget/packages under the workdir. The
+# runner's per-request copyWorkspace step then carries the cache into
+# /sandbox/.nuget/packages, where dotnet finds it via the default
+# $HOME/.nuget/packages lookup — no network needed at request time.
+#
+# RUN_ENV_ALLOW makes the runner forward the listed DOTNET_* vars into the
+# sandbox env. Without DOTNET_SKIP_FIRST_TIME_EXPERIENCE at runtime, dotnet
+# prints the "Welcome to .NET" banner and tries to install the HTTPS dev
+# cert on every /run.
 ENV DOTNET_NOLOGO=1 \
     DOTNET_CLI_TELEMETRY_OPTOUT=1 \
     DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 \
@@ -34,42 +34,44 @@ ENV DOTNET_NOLOGO=1 \
 
 WORKDIR /usr/src/app
 
-  # System deps
+# System deps
 RUN apt-get update \
   && apt-get install -y --no-install-recommends make curl ca-certificates \
   && rm -rf /var/lib/apt/lists/*
 
-  # Create non-root user + writable workdir. The runner-zig sandbox runs user
-  # code as RUN_UID_BASE+slot (default 10001+slot); matching that here keeps
-  # build-time and runtime UIDs aligned.
+# Create non-root user + writable workdir. UID matches RUN_UID_BASE+slot
+# (default 10001+slot) so build-time and runtime ownership line up.
 RUN groupadd -g 10001 -r runneruser \
   && useradd -r -g runneruser -u 10001 -m -d /home/runneruser -s /usr/sbin/nologin runneruser \
   && chown -R runneruser:runneruser /home/runneruser /usr/src/app
 
 USER runneruser
 
-  # Keep obj/bin project-local so they live inside /sandbox at runtime. The
-  # runner's recursive chown gives the slot UID write access to every
-  # workspace sub-path, so dotnet build can scribble into ./obj freely.
+# Keep obj/bin project-local so they live inside /sandbox at runtime. The
+# runner's umask=0 + 0o700 slot-owned top-level dir give the slot UID write
+# access to every workspace sub-path, so dotnet build can scribble into
+# ./obj freely. NuGetAudit=false silences NU1900 warnings — the audit
+# endpoint can't be reached from the netns-isolated sandbox.
 RUN cat > Directory.Build.props <<'EOF'
-  <Project>
-    <PropertyGroup>
-      <BaseIntermediateOutputPath>obj/</BaseIntermediateOutputPath>
-      <IntermediateOutputPath>obj/</IntermediateOutputPath>
-      <BaseOutputPath>bin/</BaseOutputPath>
-    </PropertyGroup>
-  </Project>
+<Project>
+  <PropertyGroup>
+    <BaseIntermediateOutputPath>obj/</BaseIntermediateOutputPath>
+    <IntermediateOutputPath>obj/</IntermediateOutputPath>
+    <BaseOutputPath>bin/</BaseOutputPath>
+    <NuGetAudit>false</NuGetAudit>
+  </PropertyGroup>
+</Project>
 EOF
 
-  # Restore into the workdir (--packages) so the cache survives the runtime
-  # workspace copy. Layer order: csproj first for better Docker cache reuse
-  # when only source files change.
+# Restore into the workdir (--packages) so the cache survives the runtime
+# workspace copy. Layer order: csproj first for better Docker cache reuse
+# when only source files change.
 COPY --chown=runneruser:runneruser Checker.csproj ./
 RUN dotnet restore --disable-parallel \
-        --packages /usr/src/app/.nuget/packages \
-        --source https://api.nuget.org/v3/index.json
+      --packages /usr/src/app/.nuget/packages \
+      --source https://api.nuget.org/v3/index.json
 
-  # App sources
+# App sources
 COPY --chown=runneruser:runneruser Program.cs .
 COPY --chown=runneruser:runneruser check ./check
 COPY --chown=runneruser:runneruser Makefile .
diff --git a/apps/runner/images/golang/Containerfile b/apps/runner/images/golang/Containerfile
@@ -7,32 +7,35 @@ FROM --platform=$TARGETPLATFORM golang:${GO_TAG}
 
 RUN apk add --no-cache make git
 
-# create app user with a real home
 RUN addgroup -S app -g 10001 \
-  && adduser -S -D -H -h /home/app -s /sbin/nologin -G app -u 10001 app \
-  && mkdir -p /home/app && chown -R app:app /home/app
-
-# make Go caches/modules writable by the app user
-ENV HOME=/home/app \
-  GOCACHE=/home/app/.cache/go-build \
-  GOPATH=/home/app/go \
-  GOMODCACHE=/home/app/go/pkg/mod
-
-RUN mkdir -p "$GOCACHE" "$GOMODCACHE" && chown -R app:app /home/app
+  && adduser -S -D -h /home/app -s /sbin/nologin -G app -u 10001 app
+
+# Go caches must be reachable from inside the runner-zig sandbox. The sandbox
+# masks /tmp (per-request tmpfs) and /app, and force-sets HOME=/sandbox, so
+# anything under /home/app or /tmp disappears at request time. /opt is left
+# alone, so we put the caches there and forward the env vars to user code via
+# RUN_ENV_ALLOW. 0o777 lets every slot UID write — Go uses its own lockfiles,
+# so concurrent writes are safe.
+ENV GOCACHE=/opt/go/cache \
+    GOMODCACHE=/opt/go/mod \
+    RUN_ENV_ALLOW=GOCACHE,GOMODCACHE
+
+RUN mkdir -p /opt/go/cache /opt/go/mod \
+  && chown -R app:app /opt/go \
+  && chmod -R 0777 /opt/go
 
 WORKDIR /usr/src/app
+COPY --chown=app:app check check
+COPY --chown=app:app Makefile .
+
+USER app
 
-# app sources
-COPY check check
-COPY Makefile .
-RUN chown -R app:app /usr/src/app
+# Pre-warm the build cache so request-time `go run` reuses compiled stdlib +
+# checker objects. Only solution.go (which changes per request) gets re-linked.
+# Same explicit-file form as the runtime Makefile so we don't need a go.mod.
+RUN go build -o /tmp/_warm ./check/checker.go ./check/solution.go && rm -f /tmp/_warm
 
-# runner binary (ensure path exists and perms are OK)
-RUN mkdir -p /runner
 COPY --from=runner /app/codebattle_runner /runner/codebattle_runner
-RUN chown -R app:app /runner && chmod +x /runner/codebattle_runner
-
-USER app
 
 EXPOSE 4040
 ENTRYPOINT ["/runner/codebattle_runner"]
diff --git a/apps/runner/images/rust/Containerfile b/apps/runner/images/rust/Containerfile
@@ -7,27 +7,23 @@ FROM --platform=$TARGETPLATFORM rust:${RUST_TAG}
 
 RUN apk add --no-cache make libc-dev
 
-  # rustup/cargo state must be reachable from inside the runner-zig sandbox.
-  # That sandbox shadows /tmp (per-request tmpfs), bind-mounts the workdir to
-  # /sandbox, force-sets HOME=/sandbox, and strips env down to an allowlist.
-  #
-  # - RUSTUP_HOME stays at the rust image default (/usr/local/rustup). /usr is
-  #   not shadowed, so the toolchain remains reachable. Forwarding it via
-  #   RUN_ENV_ALLOW is critical — without it the cargo proxy bails with
-  #   "rustup could not choose a version of cargo to run".
-  # - CARGO_HOME lives under the workdir so it survives the runtime workspace
-  #   copy. The ENV reassignment below switches it to the /sandbox view that
-  #   the slot UID actually sees at request time.
-  # - CARGO_TARGET_DIR is left unset on purpose: cargo defaults to ./target,
-  #   which is /usr/src/app/target at build time and /sandbox/target at
-  #   request time. Both are the same files, just under different absolute
-  #   paths in the two namespaces.
+# rustup + cargo state under /opt so it survives the sandbox masks (which
+# shadow /tmp and /app, force-set HOME=/sandbox, and strip env down to an
+# allowlist). /opt and /usr aren't shadowed, so the toolchain stays
+# reachable and the pre-built cache survives the per-request workspace copy.
+# 0o777 below lets every slot UID write — cargo uses .cargo-lock files so
+# concurrent invocations are safe for shared artifacts.
 ENV RUSTUP_HOME=/usr/local/rustup \
-    CARGO_HOME=/usr/src/app/.cargo \
-    RUN_ENV_ALLOW=RUSTUP_HOME,CARGO_HOME,RUST_BACKTRACE
+    CARGO_HOME=/opt/cargo \
+    CARGO_TARGET_DIR=/opt/cargo-target \
+    RUN_ENV_ALLOW=RUSTUP_HOME,CARGO_HOME,CARGO_TARGET_DIR,RUST_BACKTRACE
+
+RUN mkdir -p /opt/cargo /opt/cargo-target
 
 RUN addgroup -S app -g 10001 \
-  && adduser -S -D -H -h /nonexistent -s /sbin/nologin -G app -u 10001 app
+  && adduser -S -D -h /home/app -s /sbin/nologin -G app -u 10001 app \
+  && chown -R app:app /opt/cargo /opt/cargo-target \
+  && chmod -R 0777 /opt/cargo /opt/cargo-target
 
 WORKDIR /usr/src/app
 RUN chown app:app /usr/src/app
@@ -38,14 +34,11 @@ COPY --chown=app:app Makefile .
 
 USER app
 
-  # Pre-warm the dep cache + target so each /run only recompiles the (tiny)
-  # solution + checker.
+# Pre-build into the shared target dir. Request-time builds only recompile
+# the changed file (solution.rs) and re-link the bin.
 RUN cargo build
 
-  # Switch CARGO_HOME to its runtime view. The workdir is bind-mounted to
-  # /sandbox per request, so /usr/src/app/.cargo appears at /sandbox/.cargo.
-ENV CARGO_HOME=/sandbox/.cargo
+COPY --from=runner /app/codebattle_runner /runner/codebattle_runner
 
 EXPOSE 4040
-COPY --from=runner /app/codebattle_runner /runner/codebattle_runner
 ENTRYPOINT ["/runner/codebattle_runner"]
diff --git a/apps/runner/images/rust/Makefile b/apps/runner/images/rust/Makefile
@@ -1,4 +1,4 @@
 test:
-	cargo run -q --offline --target-dir /tmp/cargo-target
+	cargo run -q --offline
 
 .PHONY: test
