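# Tiny init-container image. No app code, no shell-injection surface — script
# only sees env vars set by the orchestrator.
# NOTE(review): entrypoint.sh is not visible from this file. Env vars are still
# input to a shell script, so every expansion in it should be quoted and the
# download source validated — confirm before relying on the claim above.
# NOTE(review): the tag below is mutable; for reproducible builds pin it by
# digest, e.g. busybox:1.37-musl@sha256:<digest-placeholder>.
FROM busybox:1.37-musl

# Run as non-root (UID 1000 inside the container; with userns_mode this is
# remapped to host UID ~101000 — fully unprivileged on the host).
# Pre-create /app/jars owned by `loader` so the orchestrator's named-volume
# mount inherits that ownership at first init — without it the empty named
# volume comes up as root:root 0755 and wget can't write app.jar.
# NOTE(review): app.jar is fetched at container start. BusyBox wget's built-in
# TLS has historically not validated server certificates, so entrypoint.sh
# should check the download against a pinned checksum — confirm for this image.
RUN adduser -D -u 1000 loader \
    && mkdir -p /app/jars \
    && chown -R loader:loader /app

# Install the entrypoint with an explicit mode instead of a follow-up
# `RUN chmod +x`: that avoids a second layer holding a copy of the file, and
# the mode no longer depends on the permissions the file has in the build
# context. COPY leaves it owned by root, so with 0755 the `loader` user can
# execute the script but not rewrite it. (--chmod needs a BuildKit-capable
# builder.)
COPY --chmod=0755 entrypoint.sh /usr/local/bin/loader

# Drop privileges only after the root-only setup steps above.
USER loader
WORKDIR /app

# Exec form: the script runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["/usr/local/bin/loader"]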