ai-code-battle/cmd/acb-evolver/Dockerfile
jedarden d3d655b9c9 Evolver: Fix nsjail integration for complete sandbox coverage
- Add /opt to nsjail bindmounts so Rust toolchain (/opt/rust) is accessible
  during sandboxed validation of Rust bots
- Explicitly enable Alpine community repository in Dockerfile to ensure
  nsjail package can be installed (nsjail lives in community, not main)
- nsjail integration was already optional (falls back to plain exec if
  unavailable), but these changes ensure it actually works when enabled

This addresses bead bf-3f29: nsjail was listed in apk add but /opt wasn't
bindmounted, causing Rust validation to fail when UseNsjail=true.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 15:18:21 -04:00


# AI Code Battle Evolver Container
# Runs the autonomous evolution pipeline: generates candidate bots via LLM,
# validates them (syntax → schema → sandbox), runs arena tournaments,
# and promotes winners to the live bot fleet.
#
# Needs multiple language runtimes for the 3-stage validation pipeline.
# ---- Build stage: compile the two evolver binaries ---------------------------
FROM golang:1.25-alpine AS builder
WORKDIR /build

# git is required by `go mod download` for VCS-hosted modules
RUN apk --no-cache add git

# Module manifests first, so the download layer is reused until they change
COPY go.mod go.sum ./
RUN go mod download

# Shared packages, seed bots and the two command sources
COPY engine/ ./engine/
COPY metrics/ ./metrics/
COPY bots/ ./bots/
COPY cmd/acb-evolver/ ./cmd/acb-evolver/
COPY cmd/acb-map-evolver/ ./cmd/acb-map-evolver/

# Static linux binaries; -s -w strips the symbol table and DWARF debug info
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /acb-evolver ./cmd/acb-evolver \
 && CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /acb-map-evolver ./cmd/acb-map-evolver
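# ---- Runtime stage -----------------------------------------------------------
# The validation sandbox compiles candidate bots, so this stage keeps the Go
# toolchain from the base image and adds the other language runtimes.
FROM golang:1.25-alpine
WORKDIR /app

# Toolchain passed to rustup-init. "stable" is a moving channel; override with
# --build-arg RUST_TOOLCHAIN=<fixed version> when a reproducible image is needed.
ARG RUST_TOOLCHAIN=stable

# Both rustup homes live under /opt/rust so the toolchain is inside the /opt
# tree that the nsjail config bind-mounts and readable by the non-root user.
# CARGO_HOME=/opt/rust keeps the rustup proxies at /opt/rust/bin (same PATH
# entry as before). RUSTUP_HOME must stay in the runtime environment: the
# proxies in /opt/rust/bin use it to find the real rustc; without it they
# would look in the calling user's ~/.rustup, which does not exist for acb.
ENV RUSTUP_HOME=/opt/rust/rustup \
    CARGO_HOME=/opt/rust \
    PATH="/opt/rust/bin:${PATH}"

# Language runtimes for bot validation:
# - go (included in base image)
# - python3, nodejs (typescript), rust (rustup), java
# - nsjail for sandbox isolation during validation
# - ca-certificates for HTTPS (LLM calls, K8s API)
#
# nsjail is in the Alpine community repository; enable it only if the base
# image's repository list does not already contain it.
RUN if ! grep -q '^https.*/community$' /etc/apk/repositories; then \
      echo "https://dl-cdn.alpinelinux.org/alpine/v$(. /etc/os-release && echo "$VERSION_ID" | cut -d. -f1,2)/community" >> /etc/apk/repositories; \
    fi \
 && apk --no-cache add \
      bash \
      ca-certificates \
      curl \
      nodejs \
      npm \
      nsjail \
      openjdk-17-jdk \
      py3-pip \
      python3 \
      tzdata

# Non-root runtime user with a fixed UID/GID
RUN addgroup -g 1000 acb && adduser -D -u 1000 -G acb acb

# Install the Rust toolchain (rustc) for validating Rust bots.
# Installed by root and left root-owned: acb (the user that runs candidate
# bots, and without nsjail runs them as plain processes) only needs read/exec
# access to the proxies and toolchain and must not be able to modify the
# compiler. The trailing `rustc --version` makes the build fail if the
# `curl | sh` pipe hid a download error and the toolchain is missing.
# rustup-init is fetched over TLS without a pinned checksum; pin
# RUST_TOOLCHAIN to a fixed version for a reproducible toolchain.
RUN mkdir -p "$RUSTUP_HOME" "$CARGO_HOME" \
 && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
      | sh -s -- -y --default-toolchain "$RUST_TOOLCHAIN" --profile minimal --no-modify-path \
 && rm -rf "$RUSTUP_HOME/downloads" "$RUSTUP_HOME/tmp" \
 && chmod -R a+rX "$CARGO_HOME" \
 && rustc --version

# TypeScript compiler for validating TypeScript bots; the npm cache is removed
# in the same layer so it does not end up in the image.
RUN npm install -g typescript ts-node && npm cache clean --force

# Evolver binaries from the build stage
COPY --from=builder /acb-evolver /app/acb-evolver
COPY --from=builder /acb-map-evolver /app/acb-map-evolver

# Everything above runs as root; the process itself runs as acb
USER acb

# Environment variables (set at runtime). The *_KEY values are secrets and are
# expected to be injected by the orchestrator, never via ENV/ARG in this file.
# ACB_DATABASE_URL - PostgreSQL connection string
# ACB_LLM_URL - LLM proxy base URL (e.g., http://zai-proxy:8080)
# ACB_LLM_API_KEY - LLM API key (optional, for ZAI proxy)
# ACB_ENCRYPTION_KEY - AES-256-GCM key for bots table shared secrets
# ACB_KUBECTL_SERVER - kubectl API server URL for bot deployment
# ACB_REGISTRY - Container registry for evolved bot images
# ACB_REPO_DIR - Path to declarative-config repo for K8s manifest writes
# ACB_R2_ENDPOINT - R2 endpoint for live.json upload
# ACB_R2_BUCKET - R2 bucket name
# ACB_R2_ACCESS_KEY - R2 access key
# ACB_R2_SECRET_KEY - R2 secret key
# ACB_EVOLUTION_OUT - Output path for live.json (default: evolution/live.json)
ENTRYPOINT ["/app/acb-evolver"]
CMD ["run"]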