Root cause of "Loader exited 1" with `wget: can't open '/app/jars/app.jar': Permission denied`.

DockerRuntimeOrchestrator creates a fresh named volume per replica and mounts it RW at /app/jars. Docker initializes empty named volumes from the image's mountpoint contents — but /app/jars didn't exist in the loader image, so the volume came up as root:root 0755. Loader runs as UID 1000 and can't write to a root-owned dir.

Pre-create /app/jars in the image owned by `loader`. Volume init now inherits loader:loader ownership and wget writes app.jar successfully.

Verified locally with the full hardening contract (cap_drop ALL, readonly rootfs, /tmp tmpfs, no-new-privileges, apparmor=docker-default).

This is the conditional CI build's first real exercise — the loader-build step gated on cameleer-runtime-loader/** changes will fire on this push and produce the fixed `:latest` tag.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cameleer-runtime-loader
Init container that fetches the deployable JAR into a shared volume before the
main runtime container starts. Pairs with DockerRuntimeOrchestrator /
(future) K8s init-container deploys.
Build
CI (.gitea/workflows/ci.yml, docker job) builds and pushes this image
automatically on pushes that change anything under cameleer-runtime-loader/.
Manual build for local testing:
docker build -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag> .
docker push gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag>
Contract
- Env: ARTIFACT_URL (signed download URL), ARTIFACT_EXPECTED_SIZE (bytes).
- Volume: writes /app/jars/app.jar.
- Exit 0 on success; non-zero on fetch/size failure.
- Runs as UID 1000 (loader user), drops all caps, read-only rootfs except
  /app/jars.
See docs/superpowers/plans/2026-04-27-init-container-jar-fetch.md.
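The contract above, together with the ownership failure described in the commit message, as an added example in POSIX sh. This is not the project's own entrypoint script; it assumes the names JAR_DIR (defaulting to /app/jars), FETCH_CMD (an override hook so the size check can be exercised without network access) and the exit codes 1, 2 and 3 chosen here, none of which the README defines.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint: a POSIX sh sketch of the
# loader contract. Assumed names: JAR_DIR (defaults to /app/jars), FETCH_CMD
# (override hook used to exercise the size check offline), and the exit codes
# 1 (env/permissions), 2 (size mismatch), 3 (fetch failure).

JAR_DIR="${JAR_DIR:-/app/jars}"

# file_size PATH: byte count, portable across GNU and BusyBox userlands.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# check_writable DIR: 0 if DIR exists and is writable by the current UID.
# This is the condition the "Permission denied" root cause violated: a named
# volume initialised as root:root 0755 while the loader runs as UID 1000.
check_writable() {
    if [ ! -d "$1" ] || [ ! -w "$1" ]; then
        echo "loader: $1 is not writable by uid $(id -u); check mountpoint ownership in the image" >&2
        return 1
    fi
    return 0
}

# fetch_artifact URL DEST: download with wget unless FETCH_CMD overrides it.
fetch_artifact() {
    if [ -n "${FETCH_CMD:-}" ]; then
        $FETCH_CMD "$1" "$2"
    else
        wget -q -O "$2" "$1"
    fi
}

# verify_size PATH EXPECTED: 0 if the byte count matches, 2 otherwise.
verify_size() {
    actual=$(file_size "$1")
    if [ "$actual" != "$2" ]; then
        echo "loader: size mismatch, expected $2 bytes, got $actual" >&2
        return 2
    fi
    return 0
}

# load_jar: the full contract. The artifact lands in $JAR_DIR/app.jar only
# after the size check passes, so the runtime container never sees a partial
# file. Returns 0 on success, 1 on missing env or unwritable directory,
# 3 on fetch failure, 2 on size mismatch.
load_jar() {
    if [ -z "${ARTIFACT_URL:-}" ] || [ -z "${ARTIFACT_EXPECTED_SIZE:-}" ]; then
        echo "loader: ARTIFACT_URL and ARTIFACT_EXPECTED_SIZE are required" >&2
        return 1
    fi
    check_writable "$JAR_DIR" || return 1
    part="$JAR_DIR/app.jar.part"
    if ! fetch_artifact "$ARTIFACT_URL" "$part"; then
        rm -f "$part"
        return 3
    fi
    if ! verify_size "$part" "$ARTIFACT_EXPECTED_SIZE"; then
        rm -f "$part"
        return 2
    fi
    mv "$part" "$JAR_DIR/app.jar"
}

# Run the contract only when invoked as the container entrypoint (ARTIFACT_URL
# set); otherwise the functions can be sourced and exercised individually.
if [ -n "${ARTIFACT_URL:-}" ]; then
    load_jar
    exit $?
fi
```

The check_writable step fails fast with a message naming the UID and directory instead of letting wget produce the bare "Permission denied" from the commit message. It does not replace the image-side fix: because Docker seeds an empty named volume from the image's mountpoint contents and ownership, the directory has to exist in the image and be owned by the loader user before the volume is declared, which is exactly what the commit does.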