fix: address PR #14 review feedback

- docker-compose.yml: remove unused GRADER_BACKEND env var, fix duplicate
  volumes key by merging into one list, tag sample-grader with
  image: grader-base:local so conf.d/600.json reference resolves
- Dockerfile: standardise CMD config path to /etc/xqueue-watcher to match
  docker-compose and Kubernetes manifests
- metrics.py: remove OTEL_METRIC_EXPORT_INTERVAL from docstring since it is
  not wired up in _build_meter_provider()
- containergrader.py: add pod template metadata labels so the NetworkPolicy
  podSelector (app.kubernetes.io/component=xqueue-grader) actually matches
  grading pods; set automount_service_account_token=False on the grading pod
  spec to reduce blast radius if the NetworkPolicy is misconfigured; add
  _parse_memory_bytes() helper and use it for the Docker backend mem_limit
  so Kubernetes-style strings like '256Mi' are converted to bytes rather
  than passed raw (which Docker does not accept)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: blarghmatey

Dockerfile

@@ -32,8 +32,8 @@ RUN uv sync --frozen --no-dev
 
 USER app
 
-CMD ["xqueue-watcher", "-d", "/edx/etc/xqueue_watcher"]
+CMD ["xqueue-watcher", "-d", "/etc/xqueue-watcher"]
 
 FROM base AS edx.org
 USER app
-CMD ["xqueue-watcher", "-d", "/edx/etc/xqueue_watcher"]
+CMD ["xqueue-watcher", "-d", "/etc/xqueue-watcher"]

docker-compose.yml

@@ -27,23 +27,19 @@ services:
       - ./conf.d:/etc/xqueue-watcher/conf.d:rw
       # Mount local grader scripts for rapid iteration.
       - ./data:/graders:rw
-    environment:
-      # Use docker backend so grading containers run locally via the Docker socket.
-      GRADER_BACKEND: docker
-    # Give xqueue-watcher access to the Docker socket so it can spawn grader containers.
-    # Remove this if you don't need the docker backend locally.
-    volumes:
+      # Give xqueue-watcher access to the Docker socket so it can spawn grader containers.
       - /var/run/docker.sock:/var/run/docker.sock
     extra_hosts:
       - "host.docker.internal:host-gateway"
-    command: python -m xqueue_watcher -d /etc/xqueue-watcher
+    command: xqueue-watcher -d /etc/xqueue-watcher
 
   # sample-grader: an example grader image for local testing.
   # Course teams replace this with their own image.
   sample-grader:
     build:
       context: .
       dockerfile: grader_support/Dockerfile.base
+    image: grader-base:local
     # This service is not started automatically — it exists so `docker compose build`
     # builds the base image that course grader images extend.
     profiles: ["build-only"]

xqueue_watcher/containergrader.py

@@ -169,8 +169,15 @@ def _build_k8s_job(self, job_name, grader_path, code, seed, grader_config=None):
                 active_deadline_seconds=self.timeout,
                 ttl_seconds_after_finished=300,
                 template=k8s_client.V1PodTemplateSpec(
+                    metadata=k8s_client.V1ObjectMeta(
+                        labels={
+                            "app.kubernetes.io/component": "xqueue-grader",
+                            "app.kubernetes.io/managed-by": "xqueue-watcher",
+                        }
+                    ),
                     spec=k8s_client.V1PodSpec(
                         restart_policy="Never",
+                        automount_service_account_token=False,
                         security_context=k8s_client.V1PodSecurityContext(
                             run_as_non_root=True,
                             run_as_user=1000,
@@ -301,7 +308,7 @@ def _run_docker(self, grader_path, code, seed, grader_config=None):
                 working_dir="/grader",
                 environment=env,
                 volumes={grader_dir: {"bind": "/graders", "mode": "ro"}},
-                mem_limit=self.memory_limit,
+                mem_limit=_parse_memory_bytes(self.memory_limit),
                 nano_cpus=int(_parse_cpu_millis(self.cpu_limit) * 1_000_000),
                 network_disabled=True,
                 read_only=True,
@@ -393,3 +400,27 @@ def _parse_cpu_millis(cpu_str):
     if cpu_str.endswith("m"):
         return float(cpu_str[:-1])
     return float(cpu_str) * 1000
+
+
+def _parse_memory_bytes(memory_str):
+    """Convert a Kubernetes/Docker memory string to bytes for the Docker API.
+
+    Handles IEC binary suffixes (Ki, Mi, Gi, Ti) and SI decimal suffixes
+    (K, M, G, T).  Plain integers are returned unchanged.
+
+    Examples:
+        "256Mi" -> 268435456
+        "1Gi"   -> 1073741824
+        "512M"  -> 512000000
+        "1024"  -> 1024
+    """
+    s = str(memory_str).strip()
+    iec = {"Ti": 1024**4, "Gi": 1024**3, "Mi": 1024**2, "Ki": 1024}
+    si  = {"T": 1000**4,  "G": 1000**3,  "M": 1000**2,  "K": 1000}
+    for suffix, factor in iec.items():
+        if s.endswith(suffix):
+            return int(float(s[: -len(suffix)]) * factor)
+    for suffix, factor in si.items():
+        if s.endswith(suffix):
+            return int(float(s[: -len(suffix)]) * factor)
+    return int(s)

xqueue_watcher/metrics.py

@@ -13,8 +13,6 @@
     Service name attached to every metric (default: ``xqueue-watcher``).
 ``OTEL_RESOURCE_ATTRIBUTES``
     Additional resource attributes as ``key=value,...`` pairs.
-``OTEL_METRIC_EXPORT_INTERVAL``
-    Export interval in milliseconds (SDK default: 60 000).
 """
 
 import os