Root cause of "Loader exited 1" with `wget: can't open '/app/jars/app.jar':
Permission denied`. DockerRuntimeOrchestrator creates a fresh named volume
per replica and mounts it RW at /app/jars. Docker initializes empty named
volumes from the image's mountpoint contents — but /app/jars didn't exist
in the loader image, so the volume came up as root:root 0755. Loader runs
as UID 1000 and can't write to a root-owned dir.
Pre-create /app/jars in the image owned by `loader`. Volume init now
inherits loader:loader ownership and wget writes app.jar successfully.
Verified locally with the full hardening contract (cap_drop ALL, readonly
rootfs, /tmp tmpfs, no-new-privileges, apparmor=docker-default).
This is the conditional CI build's first real exercise — the loader-build
step gated on cameleer-runtime-loader/** changes will fire on this push
and produce the fixed `:latest` tag.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Init container that fetches the deployable JAR from a signed URL into the
shared /app/jars/ volume before the main runtime container starts. Pairs
with the controller (Task 7) and DockerRuntimeOrchestrator (Task 10).
- Dockerfile: busybox:1.37-musl, non-root USER (UID 1000)
- entrypoint.sh: POSIX sh, set -eu, required env vars (ARTIFACT_URL,
ARTIFACT_EXPECTED_SIZE), wget with retries/timeout, size verification
- README: build instructions and runtime contract
Smoke-tested locally (docker build + happy-path fetch + size-mismatch).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
