From c2efb7fbf71d2d76d96f78ab48638f6b01e8179e Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 27 Apr 2026 23:34:03 +0200
Subject: [PATCH] fix(loader): chown /app/jars to loader so volume init gives wget write perms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Root cause of "Loader exited 1" with `wget: can't open '/app/jars/app.jar': Permission denied`.

DockerRuntimeOrchestrator creates a fresh named volume per replica and mounts it RW at /app/jars. Docker initializes empty named volumes from the image's mountpoint contents — but /app/jars didn't exist in the loader image, so the volume came up as root:root 0755. Loader runs as UID 1000 and can't write to a root-owned dir.

Pre-create /app/jars in the image owned by `loader`. Volume init now inherits loader:loader ownership and wget writes app.jar successfully.

Verified locally with the full hardening contract (cap_drop ALL, readonly rootfs, /tmp tmpfs, no-new-privileges, apparmor=docker-default).

This is the conditional CI build's first real exercise — the loader-build step gated on cameleer-runtime-loader/** changes will fire on this push and produce the fixed `:latest` tag.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 cameleer-runtime-loader/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cameleer-runtime-loader/Dockerfile b/cameleer-runtime-loader/Dockerfile
index 715026f9..31db2ae1 100644
--- a/cameleer-runtime-loader/Dockerfile
+++ b/cameleer-runtime-loader/Dockerfile
@@ -4,7 +4,10 @@ FROM busybox:1.37-musl # Run as non-root (UID 1000 inside the container; with userns_mode this is # remapped to host UID ~101000 — fully unprivileged on the host). -RUN adduser -D -u 1000 loader +# Pre-create /app/jars owned by `loader` so the orchestrator's named-volume +# mount inherits that ownership at first init — without it the empty named +# volume comes up as root:root 0755 and wget can't write app.jar. +RUN adduser -D -u 1000 loader && mkdir -p /app/jars && chown -R loader:loader /app COPY entrypoint.sh /usr/local/bin/loader RUN chmod +x /usr/local/bin/loader
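Review bot: `chown -R loader:loader /app` in the new RUN line is wider than the subject line ("chown /app/jars") and than the fix needs. Docker copies only the mountpoint directory's ownership and mode into an empty named volume at first init, so `chown loader:loader /app/jars` (no `-R`, no parent) gives wget its write permission while leaving `/app` itself root-owned, which keeps the loader user from creating sibling entries under `/app` if the container is ever run without the read-only rootfs. Consider also extending the new comment to say that ownership is inherited only when the volume is empty at first init: a volume already created by the previous image stays root:root 0755 until it is removed and recreated, so the "Permission denied" failure will persist on existing replicas even with the fixed `:latest` tag.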