Create zig runner

Author: vtm9

.dockerignore

@@ -0,0 +1,14 @@
+.git
+.gitignore
+.DS_Store
+zig-cache
+zig-out
+.zig-cache
+.zig-out
+*.tmp
+*.log
+*.swp
+*.swo
+node_modules
+dist
+target

.github/workflows/ci.yml

@@ -0,0 +1,41 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  integration:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build multi-arch container
+        run: make container-build
+
+      - name: Run integration tests
+        run: make test-integration CONTAINER=docker
+
+      - name: Push container
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: make container-push

.gitignore

@@ -0,0 +1,5 @@
+.zig-cache/
+zig-out/
+.DS_Store
+*.tmp
+*.log

.tool-versions

@@ -0,0 +1 @@
+zig 0.15.2

AGENT.md

@@ -0,0 +1,73 @@
+# Code Execution HTTP Service
+
+## Overview
+This service accepts source code and optional test/checker data over HTTP, executes the code in an isolated filesystem jail, and returns the execution result. It is designed to be fast, stateless, and container-friendly.
+
+## HTTP API
+
+### `POST /run`
+Execute user code.
+
+Request JSON:
+- `timeout` (optional string): Execution limit, e.g. `"30s"`. Defaults to 30 seconds.
+- `solution_text` (string): Source code to run.
+- `lang_slug` (string): Language identifier. Supported values:
+  - `clojure`, `cpp`, `csharp`, `dart`, `elixir`, `golang`, `haskell`, `java`, `js`, `kotlin`, `php`, `python`, `ruby`, `rust`, `swift`, `ts`, `zig`
+- `asserts` (optional string): JSON test data, stored as `asserts.json`.
+- `checker_text` (optional string): Checker code. Required for:
+  - `cpp`, `csharp`, `dart`, `java`, `golang`, `haskell`, `kotlin`, `rust`, `swift`, `zig`
+
+Response JSON:
+- `exit_code` (integer or null): Process exit code, if available.
+- `stdout` (string): Captured standard output.
+- `stderr` (string): Captured standard error.
+
+### `GET /health`
+Returns HTTP 200 when the service is ready.
+
+## Execution Flow
+1. Validate request parameters.
+2. Create a temporary filesystem jail using an overlay of the current root.
+3. Write input files into a language-specific working directory:
+   - `solution_text` → language-specific filename (e.g. `solution.py`, `Solution.java`).
+   - `checker_text` (if provided) → language-specific checker file.
+   - `asserts` (if provided) → `asserts.json`.
+4. Execute `make test` inside the jail.
+5. Enforce timeout; on expiration, terminate the process group.
+6. Capture `stdout` and `stderr` and return them with the exit code.
+
+## Files and Layout Expectations
+The service runs `make test` in its working directory. That directory is expected to contain language-specific runner logic. The service writes files into a subdirectory:
+- `check/` for most languages
+- `lib/` for Dart
+
+## Language File Rules
+For each request, the service writes the solution and (if required) checker files into the language directory (`check/` or `lib/`). It then runs `make test`, which is responsible for compiling/executing the solution and checker for that language.
+
+Filename mapping and checker requirement:
+- `clojure`: `solution.clj` (no checker)
+- `cpp`: `solution.cpp` + `checker.cpp` (checker required)
+- `csharp`: `Solution.cs` + `Checker.cs` (checker required)
+- `dart`: `solution.dart` + `checker.dart` (checker required)
+- `elixir`: `solution.exs` (no checker)
+- `golang`: `solution.go` + `checker.go` (checker required)
+- `haskell`: `Solution.hs` + `Checker.hs` (checker required)
+- `java`: `Solution.java` + `Checker.java` (checker required)
+- `js`: `solution.js` (no checker)
+- `kotlin`: `solution.kt` + `checker.kt` (checker required)
+- `php`: `solution.php` (no checker)
+- `python`: `solution.py` (no checker)
+- `ruby`: `solution.rb` (no checker)
+- `rust`: `solution.rs` + `checker.rs` (checker required)
+- `swift`: `solution.swift` + `checker.swift` (checker required)
+- `zig`: `solution.zig` + `checker.zig` (checker required)
+- `ts`: `solution.js` (no checker)
+
+## Isolation and Safety
+- The execution occurs in a chrooted directory backed by an overlay filesystem.
+- On Linux, it creates new namespaces (filesystem, file descriptors, mount, network) before chrooting.
+- The service runs commands in a separate process group for reliable termination.
+
+## Runtime Notes
+- If the process is PID 1 (container init), it spawns a child and acts as a signal reaper to avoid zombie processes.
+- The service is stateless; each request creates a fresh jail and cleans it up after execution.

Containerfile

@@ -0,0 +1,61 @@
+ARG ZIG_VERSION=0.15.2
+ARG ALPINE_VERSION=3.23
+ARG ZIG_URL=
+ARG PORT=4040
+ARG RUN_CONCURRENCY=32
+ARG RUN_OUTPUT_MAX=1048576
+ARG DEBUG=
+ARG ALLOW_SHUTDOWN=
+
+# Build stage
+FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS builder
+WORKDIR /build
+
+ARG ZIG_VERSION
+ARG ZIG_URL
+ARG TARGETPLATFORM
+ARG TARGETARCH
+
+RUN apk add --no-cache curl tar xz make ca-certificates python3
+
+RUN if [ -z "$TARGETARCH" ]; then \
+    case "$(uname -m)" in \
+    x86_64) TARGETARCH="amd64" ;; \
+    aarch64) TARGETARCH="arm64" ;; \
+    esac; \
+    fi && \
+    case "$TARGETARCH" in \
+    amd64) ZIG_ARCH="x86_64" ;; \
+    arm64) ZIG_ARCH="aarch64" ;; \
+    *) echo "Unsupported TARGETARCH: $TARGETARCH" && exit 1 ;; \
+    esac && \
+    if [ -n "$ZIG_URL" ]; then \
+    URL="$ZIG_URL"; \
+    else \
+    URL="$(ZIG_ARCH="$ZIG_ARCH" ZIG_VERSION="$ZIG_VERSION" python3 -c 'import json, os, urllib.request; ver=os.environ["ZIG_VERSION"]; arch=os.environ["ZIG_ARCH"]+"-linux"; data=json.load(urllib.request.urlopen("https://ziglang.org/download/index.json")); print(data[ver][arch]["tarball"])')"; \
+    fi && \
+    curl -fsSL "$URL" -o /tmp/zig.tar.xz && \
+    ZIG_DIR="$(tar -tf /tmp/zig.tar.xz | head -n 1 | cut -d/ -f1)" && \
+    tar -xJf /tmp/zig.tar.xz -C /opt && \
+    mv "/opt/$ZIG_DIR" /opt/zig && \
+    rm /tmp/zig.tar.xz
+
+ENV PATH="/opt/zig:${PATH}"
+
+COPY . .
+RUN zig build -Doptimize=ReleaseSafe
+
+# Runtime stage
+FROM alpine:${ALPINE_VERSION}
+WORKDIR /app
+RUN adduser -S -u 10001 app
+COPY --from=builder /build/zig-out/bin/runner-zig /app/codebattle_runner
+ENV PORT=$PORT \
+    RUN_CONCURRENCY=$RUN_CONCURRENCY \
+    RUN_OUTPUT_MAX=$RUN_OUTPUT_MAX \
+    DEBUG=$DEBUG \
+    ALLOW_SHUTDOWN=$ALLOW_SHUTDOWN
+USER app
+
+EXPOSE 4040
+ENTRYPOINT ["/app/codebattle_runner"]

Makefile

@@ -0,0 +1,84 @@
+IMAGE ?= ghcr.io/hexlet-codebattle/runner-zig
+TAG ?= latest
+PLATFORMS ?= linux/amd64,linux/arm64
+CONTAINER ?= docker
+TEST_IMAGE ?= runner-zig-test
+
+.PHONY: build lint lint-fix test test-container test-integration test-integration-arm test-integration-linux container-build container-push curl-local-health curl-local-test start
+
+## Build multi-arch image directly for GHCR
+build:
+	zig build
+
+## Run Zig formatting check
+lint:
+	zig fmt --check src
+
+## Fix Zig code styling
+lint-fix:
+	zig fmt src
+
+## Run checker (expects check/checker.zig to exist)
+test:
+	zig run check/checker.zig
+
+## Run integration tests inside the builder container
+test-container:
+	$(CONTAINER) build --target builder -t $(TEST_IMAGE) .
+	$(CONTAINER) run --rm $(TEST_IMAGE) zig build test
+
+## Run integration tests against an already-built container (container + HTTP checks)
+test-integration:
+	@container_name="runner-zig-it-$$RANDOM"; \
+	container_started=0; \
+	trap 'if [ $$container_started -eq 1 ]; then $(CONTAINER) stop $$container_name >/dev/null 2>&1 || true; fi' EXIT; \
+	$(CONTAINER) run -d --rm --pull=never --name $$container_name -p 4040:4040 $(IMAGE):$(TAG) >/dev/null && \
+	container_started=1; \
+	for i in 1 2 3 4 5; do \
+		if $(MAKE) --no-print-directory curl-local-health >/dev/null; then break; fi; \
+		sleep 1; \
+	done; \
+	$(MAKE) --no-print-directory curl-local-health && \
+	seq 1 40 | xargs -n1 -P40 sh -c 'curl -sS -o /dev/null -w "%{http_code}\n" http://localhost:4040/run -H "content-type: application/json" -d @test-payload.json'; \
+	if [ $$container_started -eq 1 ]; then $(CONTAINER) stop $$container_name >/dev/null 2>&1 || true; fi
+
+## Build and push multi-arch image (linux/amd64 + linux/arm64) for GHCR
+build-and-push: container-build container-push
+
+## Build multi-arch image (linux/amd64 + linux/arm64) for GHCR
+container-build:
+	$(CONTAINER) build \
+		--platform=linux/amd64 \
+		--file Containerfile \
+		--tag $(IMAGE):$(TAG)-amd64 \
+		.
+	$(CONTAINER) build \
+		--platform=linux/arm64 \
+		--file Containerfile \
+		--tag $(IMAGE):$(TAG)-arm64 \
+		.
+	-@$(CONTAINER) rmi $(IMAGE):$(TAG) >/dev/null 2>&1 || true
+	-@$(CONTAINER) manifest rm $(IMAGE):$(TAG) >/dev/null 2>&1 || true
+	$(CONTAINER) manifest create $(IMAGE):$(TAG)
+	$(CONTAINER) manifest add $(IMAGE):$(TAG) $(IMAGE):$(TAG)-amd64
+	$(CONTAINER) manifest add $(IMAGE):$(TAG) $(IMAGE):$(TAG)-arm64
+
+## Push multi-arch image manifest + all platform layers to GHCR
+container-push:
+	$(CONTAINER) manifest push --all \
+		$(IMAGE):$(TAG) \
+		docker://$(IMAGE):$(TAG)
+
+## Quick local smoke check against the running server
+curl-local-health:
+	@curl -fsS http://localhost:4040/health && echo
+
+## Run a local /run request for zig
+curl-local-test:
+	@curl -sS http://localhost:4040/run \
+		-H 'content-type: application/json' \
+		-d @test-payload.json
+
+## Start the server from the local build output
+start:
+	./zig-out/bin/runner-zig

build.zig

@@ -0,0 +1,36 @@
+const std = @import("std");
+
+pub fn build(b: *std.Build) void {
+    const target = b.standardTargetOptions(.{});
+    const optimize = b.standardOptimizeOption(.{});
+
+    const exe = b.addExecutable(.{
+        .name = "runner-zig",
+        .root_module = b.createModule(.{
+            .root_source_file = b.path("src/main.zig"),
+            .target = target,
+            .optimize = optimize,
+        }),
+    });
+
+    b.installArtifact(exe);
+
+    const run_cmd = b.addRunArtifact(exe);
+    if (b.args) |args| {
+        run_cmd.addArgs(args);
+    }
+
+    const run_step = b.step("run", "Run the HTTP service");
+    run_step.dependOn(&run_cmd.step);
+
+    const tests = b.addTest(.{
+        .root_module = b.createModule(.{
+            .root_source_file = b.path("src/integration_test.zig"),
+            .target = target,
+            .optimize = optimize,
+        }),
+    });
+    const run_tests = b.addRunArtifact(tests);
+    const test_step = b.step("test", "Run integration tests");
+    test_step.dependOn(&run_tests.step);
+}