Merge pull request 'fix: [nomad-step-5] S5-fix-5 — chat.hcl tmpfs syntax: use mount block not tmpfs argument (#1012)' (#1015) from fix/issue-1012-2 into main
This commit is contained in:
commit
85969ad42d
1 changed files with 9 additions and 4 deletions
|
|
@ -89,13 +89,18 @@ job "chat" {
|
||||||
config {
|
config {
|
||||||
image = "disinto/chat:local"
|
image = "disinto/chat:local"
|
||||||
force_pull = false
|
force_pull = false
|
||||||
# Sandbox hardening (#706): cap_drop ALL (no Linux capabilities)
|
# Sandbox hardening (#706): cap_drop ALL, pids_limit 128, tmpfs /tmp
|
||||||
# tmpfs /tmp for runtime files (64MB)
|
|
||||||
# pids_limit 128 (prevent fork bombs)
|
|
||||||
# ReadonlyRootfs enforced via entrypoint script (fails if running as root)
|
# ReadonlyRootfs enforced via entrypoint script (fails if running as root)
|
||||||
cap_drop = ["ALL"]
|
cap_drop = ["ALL"]
|
||||||
tmpfs = ["/tmp:size=64m"]
|
|
||||||
pids_limit = 128
|
pids_limit = 128
|
||||||
|
mount {
|
||||||
|
type = "tmpfs"
|
||||||
|
target = "/tmp"
|
||||||
|
readonly = false
|
||||||
|
tmpfs_options {
|
||||||
|
size = 67108864 # 64MB in bytes
|
||||||
|
}
|
||||||
|
}
|
||||||
# Security options for sandbox hardening
|
# Security options for sandbox hardening
|
||||||
# apparmor=unconfined needed for Claude CLI ptrace access
|
# apparmor=unconfined needed for Claude CLI ptrace access
|
||||||
# no-new-privileges prevents privilege escalation
|
# no-new-privileges prevents privilege escalation
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue