feat(loader): add cameleer-runtime-loader image (busybox + entrypoint)
Init container that fetches the deployable JAR from a signed URL into the shared /app/jars/ volume before the main runtime container starts. Pairs with the controller (Task 7) and DockerRuntimeOrchestrator (Task 10). - Dockerfile: busybox:1.37-musl, non-root USER (UID 1000) - entrypoint.sh: POSIX sh, set -eu, required env vars (ARTIFACT_URL, ARTIFACT_EXPECTED_SIZE), wget with retries/timeout, size verification - README: build instructions and runtime contract Smoke-tested locally (docker build + happy-path fetch + size-mismatch). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
14
cameleer-runtime-loader/Dockerfile
Normal file
14
cameleer-runtime-loader/Dockerfile
Normal file
@@ -0,0 +1,14 @@
|
||||
# Tiny init-container image. No app code, no shell-injection surface — script
|
||||
# only sees env vars set by the orchestrator.
|
||||
FROM busybox:1.37-musl
|
||||
|
||||
# Run as non-root (UID 1000 inside the container; with userns_mode this is
|
||||
# remapped to host UID ~101000 — fully unprivileged on the host).
|
||||
RUN adduser -D -u 1000 loader
|
||||
|
||||
COPY entrypoint.sh /usr/local/bin/loader
|
||||
RUN chmod +x /usr/local/bin/loader
|
||||
|
||||
USER loader
|
||||
WORKDIR /app
|
||||
ENTRYPOINT ["/usr/local/bin/loader"]
|
||||
Reference in New Issue
Block a user