Do not recreate network and IPC namespaces for each judge

Public [1] and private reports suggest doing so is causing scalability
issues with current Ubuntu LTS (22.04) kernel (5.15).

Note that the safety of this change depends on Identity::dynamic
(which implies `RemoveIPC=true`) or we'd leave some attack vectors.

Cargo.toml

@@ -28,5 +28,5 @@ optional = true
 hustoj = ["dep:sqlx"]
 
 [dependencies.systemd-run]
-version = "0.5.0"
+version = "0.6.0"
 features = [ "systemd_249", "unified_cgroup" ]

etc/systemd/system/opoj-empty-ns@.service

@@ -0,0 +1,11 @@
+# This file need to be copied to
+# opoj-empty-ns-0.service, opoj-empty-ns-1.service, ... for each
+# possible runner_id and adjusted.
+
+[Unit]
+Description=Empty namespace holder (runner %I)
+
+[Service]
+ExecStart=/bin/sleep infinity
+PrivateIPC=true
+PrivateNetwork=true

etc/systemd/system/opoj-x.slice

@@ -16,6 +16,7 @@
 
 [Unit]
 Description=Slice for OJ (runner X)
+[email protected]
 
 [Slice]
 # Normally we expect solutions judged with one CPU core.

mocktest/code/aplusb/net.py

@@ -0,0 +1,10 @@
+from urllib.request import urlopen
+
+urlopen("https://acm.xidian.edu.cn/")
+
+try:
+    while True:
+        a, b = map(int, input().split())
+        print(a + b)
+except EOFError:
+    pass

mocktest/etc/judge3.toml

@@ -56,6 +56,11 @@ src_name = "main.cc"
 cmd_compile = ["/usr/bin/g++", "main.cc", "-o", "main", "-fmax-errors=256"]
 cmd_run = ["/tmp/main"]
 
+[language."python"]
+src_name = "main.py"
+cmd_compile = ["/usr/bin/python3", "-m", "py_compile", "main.py"]
+cmd_run = ["/usr/bin/python3", "/tmp/main.py"]
+
 # An example for HustOJ configuration.
 #[hust]
 #db_url = "mysql://user:passwd@localhost/jol?socket=/run/mysqld/mysqld.sock"

mocktest/test19.toml

@@ -0,0 +1,6 @@
+language = "python"
+time_limit = 1
+memory_limit = "256 MiB"
+testcase_dir = "problem/aplusb"
+src = "code/aplusb/net.py"
+expect = "RunError"