cameleer-runtime-loader/Dockerfile

# Tiny init-container image. No app code, no shell-injection surface — script
# only sees env vars set by the orchestrator.
FROM busybox:1.37-musl

# Run as non-root (UID 1000 inside the container; with userns_mode this is
# remapped to host UID ~101000 — fully unprivileged on the host).
# Pre-create /app/jars owned by `loader` so the orchestrator's named-volume
# mount inherits that ownership at first init — without it the empty named
# volume comes up as root:root 0755 and wget can't write app.jar.
RUN adduser -D -u 1000 loader && mkdir -p /app/jars && chown -R loader:loader /app

COPY entrypoint.sh /usr/local/bin/loader
RUN chmod +x /usr/local/bin/loader

USER loader
WORKDIR /app
ENTRYPOINT ["/usr/local/bin/loader"]
feat(loader): add cameleer-runtime-loader image (busybox + entrypoint) Init container that fetches the deployable JAR from a signed URL into the shared /app/jars/ volume before the main runtime container starts. Pairs with the controller (Task 7) and DockerRuntimeOrchestrator (Task 10). - Dockerfile: busybox:1.37-musl, non-root USER (UID 1000) - entrypoint.sh: POSIX sh, set -eu, required env vars (ARTIFACT_URL, ARTIFACT_EXPECTED_SIZE), wget with retries/timeout, size verification - README: build instructions and runtime contract Smoke-tested locally (docker build + happy-path fetch + size-mismatch). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-27 15:51:01 +02:00			`# Tiny init-container image. No app code, no shell-injection surface — script`
			`# only sees env vars set by the orchestrator.`
			`FROM busybox:1.37-musl`

			`# Run as non-root (UID 1000 inside the container; with userns_mode this is`
			`# remapped to host UID ~101000 — fully unprivileged on the host).`
fix(loader): chown /app/jars to loader so volume init gives wget write perms Root cause of "Loader exited 1" with `wget: can't open '/app/jars/app.jar': Permission denied`. DockerRuntimeOrchestrator creates a fresh named volume per replica and mounts it RW at /app/jars. Docker initializes empty named volumes from the image's mountpoint contents — but /app/jars didn't exist in the loader image, so the volume came up as root:root 0755. Loader runs as UID 1000 and can't write to a root-owned dir. Pre-create /app/jars in the image owned by `loader`. Volume init now inherits loader:loader ownership and wget writes app.jar successfully. Verified locally with the full hardening contract (cap_drop ALL, readonly rootfs, /tmp tmpfs, no-new-privileges, apparmor=docker-default). This is the conditional CI build's first real exercise — the loader-build step gated on cameleer-runtime-loader/** changes will fire on this push and produce the fixed `:latest` tag. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-27 23:34:03 +02:00			# Pre-create /app/jars owned by `loader` so the orchestrator's named-volume
			`# mount inherits that ownership at first init — without it the empty named`
			`# volume comes up as root:root 0755 and wget can't write app.jar.`
			`RUN adduser -D -u 1000 loader && mkdir -p /app/jars && chown -R loader:loader /app`
feat(loader): add cameleer-runtime-loader image (busybox + entrypoint) Init container that fetches the deployable JAR from a signed URL into the shared /app/jars/ volume before the main runtime container starts. Pairs with the controller (Task 7) and DockerRuntimeOrchestrator (Task 10). - Dockerfile: busybox:1.37-musl, non-root USER (UID 1000) - entrypoint.sh: POSIX sh, set -eu, required env vars (ARTIFACT_URL, ARTIFACT_EXPECTED_SIZE), wget with retries/timeout, size verification - README: build instructions and runtime contract Smoke-tested locally (docker build + happy-path fetch + size-mismatch). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-27 15:51:01 +02:00
			`COPY entrypoint.sh /usr/local/bin/loader`
			`RUN chmod +x /usr/local/bin/loader`

			`USER loader`
			`WORKDIR /app`
			`ENTRYPOINT ["/usr/local/bin/loader"]`