shim: avoid re-downloading runner/shim binaries on forced re-install

[peterschmidt85]

Bounds the wasted egress from the runner/shim re-install loop (#3953): the shim re-downloaded the full binaries on every server-issued install (force=true), and a transient HTTP error during bootstrap could brick the instance. Two changes, both in the download path.

downloadFile — cache + revalidate instead of always re-downloading

runner/internal/shim/components/utils.go. Installing url into path now:

1. force=false and path exists → return (unchanged).
2. Resolve a per-URL cache file next to the binary: <path>.<sha256(url)[:16]>.cache (+ a .etag sidecar). Keying by URL means different versions get separate caches instead of overwriting one slot.
3. ensureCached GETs url with If-None-Match: <stored etag>:
   • 304 Not Modified → cache is current, no body transferred;
   • 200 → stream into the cache (temp file + atomic rename) and store the response ETag.
4. Install the cached bytes into path: copy → chmod → atomic rename. Skipped if path already matches the cache (same size). If chmod/rename fails, the next call retries from the cache — no re-download.
5. pruneCaches keeps the newest maxCachedVersions (5) and deletes older ones, so disk stays bounded.

Net: a repeated/forced install of an unchanged version is a 304 with no transfer; two servers alternating between versions download each version once, then 304.

Bootstrap curl — fail instead of saving an error page

src/dstack/_internal/core/backends/base/compute.py. The shim-bootstrap curl gains -f and chains mv, so a transient 403/5xx is no longer written to dstack-shim and then executed (/usr/local/bin/dstack-shim: 2: Syntax error: newline unexpected); it fails cleanly.

Tests

runner/internal/shim/components/utils_test.go (pass under -race):

• unchanged artifact under force → body served once;
• changed ETag → re-downloaded and updated;
• force=false + existing file → no request;
• two alternating versions → each downloaded exactly once (guards the per-URL-cache regression).

Validated end-to-end (AWS)

Two servers on one DB + backend, one real eu-west-1 instance, custom-versioned builds on the staging bucket, measured via S3 request metrics:

• Both shims carry this fix (0.20.30 ↔ 0.20.31): 22 conditional GETs over 25 min of continuous flip-flop → 1 real transfer (~17 MB warmup), the rest 304. Steady-state egress ≈ 0 (unfixed: ~430 MB and growing).
• Mixed (unfixed 0.20.29 shim ↔ fixed 0.20.31): ~454 MB in 11 min, climbing — see scope below.

Scope — what this does NOT fix (tracked in #3953)

This PR bounds the egress, not the loop:

• With two servers expecting different versions the version never converges, so the server keeps issuing installs and the shim still restarts every ~30s — now at zero bytes, but the churn remains.
• Because the fix lives in the shim binary, a mixed fleet whose in-control shim predates this PR still re-downloads — the older binary has no cache (the ~454 MB case above).

Fully stopping the loop needs a server-side guard (no-downgrade on comparable versions + an attempt cap/backoff). That's deferred: dstack's version space (real semver vs CI build-numbers like 27305 vs dev/None) has no reliable ordering yet, so the server can't safely decide which version wins. See #3953.

🤖 Generated with Claude Code

[r4victor]

Same-size adjacent Go builds are unlikely but not impossible.

Suggested fix: after a successful rename in installFile, write the cache's urlKey to a <path>.installed marker and replace sameSize with a marker comparison.

[r4victor]

I don't quite like putting these helper-files in /usr/local/bin. How about using a shimHomeDir subdir?

[r4victor]

See tests only work with different lengths!

[r4victor]

Not sure if && is needed since commands are chained with &&. Adding -f should be sufficient

[r4victor]

Nice overall