System DesignAdvancedarticle

System Design: Designing an Online Judge (LeetCode/HackerRank)

How does LeetCode run thousands of user code submissions safely and fast? A technical deep dive into Code Isolation, Sandboxing, and Distributed Judgement.

Sachin SarawgiApril 20, 20263 min read3 minute lesson
#system-design#online-judge#leetcode#sandboxing#docker#gvisor#scalability
On This PageOpen
Back to top

System Design: Designing an Online Judge

An Online Judge system like LeetCode, Codeforces, or HackerRank allows users to submit code, which is then executed and verified against hidden test cases. The core technical challenge is Security (running untrusted code) and Scalability (handling bursts of submissions during contests).

1. Core Requirements

  • Submission: Users can submit code in various languages (Java, Python, C++, etc.).
  • Execution: Running the code against multiple test cases.
  • Verification: Comparing the output with the expected result.
  • Limits: Enforcing Time Limits (TLE) and Memory Limits (MLE).
  • Security: Preventing the user code from accessing the host file system or network.

2. High-Level Architecture

  • Web API: Receives code and queues the submission.
  • Message Queue (Kafka): Buffers submissions to handle traffic spikes.
  • Judge Workers: Pull submissions from the queue and execute them in a secure sandbox.
  • Result Store (Postgres/Redis): Stores submission results and real-time status.

3. Code Isolation (The Security Heart)

Running untrusted user code on your server is dangerous. You must isolate it completely.

  • Option A: Docker Containers. A good starting point, but "Root" in a container can sometimes escape to the host.
  • Option B: gVisor (Google's choice). A user-space kernel that intercepts system calls, providing a much stronger security boundary than standard Docker.
  • Option C: Firecracker (AWS Lambda style). MicroVMs that provide hardware-level isolation with the speed of containers.

4. Enforcing Limits (Resource Management)

  • Time Limits: Use OS-level timers or cgroups to kill the process if it exceeds 1-2 seconds.
  • Memory Limits: Use cgroups to set a hard RAM limit (e.g., 256MB). If exceeded, the process is killed (MLE).
  • Fork Bombs: Limit the number of processes/threads the user code can create to prevent while(true) { fork(); } attacks.

5. Handling Test Cases

For a single problem, there might be 100+ test cases.

  • Input/Output Store: Store large test cases in Amazon S3 and cache them on the Judge Workers to avoid network latency for every submission.
  • Sequential vs. Parallel: To save time, run different test cases for the same submission in parallel across multiple threads/containers.

6. Real-time Status (WebSockets)

Users want to see "Running Test Case 5/100..." in real-time.

  • The Flow: The Judge Worker publishes progress to a Redis Pub/Sub channel. The Web API listens and pushes updates to the client via WebSockets.

Summary

The engineering of an Online Judge is about Defensive Programming. By using advanced sandboxing technologies like gVisor and robust resource management via cgroups, you can build a platform that allows the world to code on your servers with absolute safety and massive scale.

📚

Recommended Resources

Designing Data-Intensive ApplicationsBest Seller

The definitive guide to building scalable, reliable distributed systems by Martin Kleppmann.

View on Amazon
Kafka: The Definitive GuideEditor's Pick

Real-time data and stream processing by Confluent engineers.

View on Amazon
Apache Kafka Series on Udemy

Hands-on Kafka course covering producers, consumers, Kafka Streams, and Connect.

View Course

Practical engineering notes

Get the next backend guide in your inbox

One useful note when a new deep dive is published: system design tradeoffs, Java production lessons, Kafka debugging, database patterns, and AI infrastructure.

No spam. Just practical notes you can use at work.

Sachin Sarawgi

Written by

Sachin Sarawgi

Engineering Manager and backend engineer with 10+ years building distributed systems across fintech, enterprise SaaS, and startups. CodeSprintPro is where I write practical guides on system design, Java, Kafka, databases, AI infrastructure, and production reliability.

LinkedInGitHubMediumMore articles

Share this lesson

Share on XShare on LinkedIn

Keep Learning

Move through the archive without losing the thread.

Previous Article

System Design: Designing a Global Payment Gateway (Stripe Scale)

System Design Masterclass: Designing a Payment Gateway (Stripe) Designing a system to serve photos or short URLs is fundamentally about optimizing for read-latency and disk space. If a user's photo fails to load, they re…

System Design5 min readAdvanced

Next Article

System Design: Designing an Online Auction System (eBay Scale)

System Design: Designing an Online Auction System Designing a high-scale auction system like eBay or a penny auction site is a classic concurrency challenge. The system must handle thousands of users bidding on the same…

System Design3 min readAdvanced

Related Articles

More deep dives chosen from shared tags, category overlap, and reading difficulty.

System DesignAdvanced

System Design: Designing an Ad Click Aggregator

System Design: Designing an Ad Click Aggregator Ad click aggregation is a massive scale data problem. When billions of users click on ads across the web, those clicks must be aggregated, deduplicated, and stored for both…

Apr 20, 20263 min read
Deep Dive
#system-design#ad-aggregator#analytics
System DesignAdvanced

System Design: Designing Airbnb (Hotel/Home Booking)

System Design: Designing Airbnb (Hotel/Home Booking) Designing a platform like Airbnb or Booking.com involves two distinct technical challenges: Search (helping users find the perfect place) and Concurrency (ensuring tha…

Apr 20, 20263 min read
Deep Dive
#system-design#airbnb#booking-system
System DesignAdvanced

System Design: Data Partitioning and Sharding Strategies

System Design: Data Partitioning and Sharding When your database outgrows a single machine, you have two choices: Scale Up (bigger machine) or Scale Out (multiple machines). Sharding (Horizontal Partitioning) is the art…

Apr 20, 20262 min read
Deep Dive
#system-design#sharding#partitioning
System DesignAdvanced

System Design: Designing a Distributed BLOB Store (like S3/GCS)

System Design: Designing a Distributed BLOB Store An object store (BLOB store) is a fundamental building block of cloud infrastructure. Unlike a file system, it provides a simple interface (PUT, GET, DELETE) to store lar…

Apr 20, 20262 min read
Deep Dive
#system-design#object-storage#distributed-systems

More in System Design

Category-based suggestions if you want to stay in the same domain.

System DesignIntermediate

System Design: Designing Stateless Authentication

System Design: Designing Stateless Authentication In a microservices architecture, you can't rely on server-side sessions (stored in memory/database) because every request might hit a different service instance. Stateles…

Apr 22, 20263 min read
Deep DiveBackend Systems Mastery
#system design#authentication#jwt
System DesignBeginner

gRPC vs REST: The Decision-Maker's Guide for Backend Architecture

gRPC vs REST: Which One for Your Microservices? In modern backend architecture, how services talk is as important as what they say. Choosing between REST and gRPC isn't just about syntax; it's about the trade-off between…

Apr 20, 20262 min read
ComparisonBackend Systems Mastery
#grpc#rest#api-design
System DesignBeginner

gRPC vs REST: A Decision-Maker's Guide for Backend Architecture

gRPC vs REST: Which One for Your Microservices? > Prerequisite: Before diving into protocols, ensure you understand the fundamentals of Load Balancing and API Idempotency. Choosing between REST and gRPC is one of the mos…

Apr 20, 20262 min read
ComparisonBackend Systems Mastery
#grpc#rest#api-design
← Back to all articles