1 files changed, 13 insertions, 9 deletions

diff --git a/src/zencompute/runners/linuxrunner.cpp b/src/zencompute/runners/linuxrunner.cpp
index e79a6c90f..be4274823 100644
--- a/src/zencompute/runners/linuxrunner.cpp
+++ b/src/zencompute/runners/linuxrunner.cpp
@@ -195,7 +195,7 @@ namespace {
 			WriteErrorAndExit(ErrorPipeFd, "bind mount /lib failed", errno);
 		}
 
-		// /lib64 (optional — not all distros have it)
+		// /lib64 (optional - not all distros have it)
 		{
 			struct stat St;
 			if (stat("/lib64", &St) == 0 && S_ISDIR(St.st_mode))
@@ -208,7 +208,7 @@ namespace {
 			}
 		}
 
-		// /etc (required — for resolv.conf, ld.so.cache, etc.)
+		// /etc (required - for resolv.conf, ld.so.cache, etc.)
 		if (MkdirIfNeeded(BuildPath("etc"), 0755) != 0)
 		{
 			WriteErrorAndExit(ErrorPipeFd, "mkdir sandbox/etc failed", errno);
@@ -218,7 +218,7 @@ namespace {
 			WriteErrorAndExit(ErrorPipeFd, "bind mount /etc failed", errno);
 		}
 
-		// /worker — bind-mount worker directory (contains the executable)
+		// /worker - bind-mount worker directory (contains the executable)
 		if (MkdirIfNeeded(BuildPath("worker"), 0755) != 0)
 		{
 			WriteErrorAndExit(ErrorPipeFd, "mkdir sandbox/worker failed", errno);
@@ -331,6 +331,8 @@ LinuxProcessRunner::LinuxProcessRunner(ChunkResolver&				Resolver,
 	{
 		ZEN_INFO("namespace sandboxing enabled for child processes");
 	}
+
+	StartMonitorThread();
 }
 
 SubmitResult
@@ -428,11 +430,12 @@ LinuxProcessRunner::SubmitAction(Ref<RunnerAction> Action)
 
 	if (ChildPid == 0)
 	{
-		// Child process
+		// Child process - lower priority so workers don't starve the main server
+		nice(5);
 
 		if (m_Sandboxed)
 		{
-			// Close read end of error pipe — child only writes
+			// Close read end of error pipe - child only writes
 			close(ErrorPipe[0]);
 
 			SetupNamespaceSandbox(SandboxPathStr.c_str(), CurrentUid, CurrentGid, WorkerPathStr.c_str(), ErrorPipe[1]);
@@ -459,7 +462,7 @@ LinuxProcessRunner::SubmitAction(Ref<RunnerAction> Action)
 
 	if (m_Sandboxed)
 	{
-		// Close write end of error pipe — parent only reads
+		// Close write end of error pipe - parent only reads
 		close(ErrorPipe[1]);
 
 		// Read from error pipe. If execve succeeded, pipe was closed by O_CLOEXEC
@@ -479,7 +482,8 @@ LinuxProcessRunner::SubmitAction(Ref<RunnerAction> Action)
 			// Clean up the sandbox in the background
 			m_DeferredDeleter.Enqueue(Action->ActionLsn, std::move(Prepared->SandboxPath));
 
-			ZEN_ERROR("Sandbox setup failed for action {}: {}", Action->ActionLsn, ErrBuf);
+			Action->FailureReason = fmt::format("sandbox setup failed: {}", ErrBuf);
+			ZEN_ERROR("action {} ({}): {}", Action->ActionId, Action->ActionLsn, Action->FailureReason);
 
 			Action->SetActionState(RunnerAction::State::Failed);
 			return SubmitResult{.IsAccepted = false};
@@ -675,7 +679,7 @@ ReadProcStatCpuTicks(pid_t Pid)
 
 	Buf[Len] = '\0';
 
-	// Skip past "pid (name) " — find last ')' to handle names containing spaces or parens
+	// Skip past "pid (name) " - find last ')' to handle names containing spaces or parens
 	const char* P = strrchr(Buf, ')');
 	if (!P)
 	{
@@ -705,7 +709,7 @@ LinuxProcessRunner::SampleProcessCpu(RunningAction& Running)
 
 	if (CurrentOsTicks == 0)
 	{
-		// Process gone or /proc entry unreadable — record timestamp without updating usage
+		// Process gone or /proc entry unreadable - record timestamp without updating usage
 		Running.LastCpuSampleTicks = NowTicks;
 		Running.LastCpuOsTicks	   = 0;
 		return;