fix: [nomad-step-5] S5-fix-5 — chat.hcl tmpfs syntax: use mount block not tmpfs argument (#1012 )

2026-04-18 12:38:07 +00:00
1 changed files with 4 additions and 3 deletions
--- a/nomad/jobs/chat.hcl
+++ b/nomad/jobs/chat.hcl
@ -93,13 +93,14 @@ job "chat" {
        # tmpfs /tmp for runtime files (64MB)
        # pids_limit 128 (prevent fork bombs)
        # ReadonlyRootfs enforced via entrypoint script (fails if running as root)
-        cap_drop   = ["ALL"]
-        tmpfs      = ["/tmp:size=64m"]
-        pids_limit = 128
        # Security options for sandbox hardening
        # apparmor=unconfined needed for Claude CLI ptrace access
        # no-new-privileges prevents privilege escalation
+        cap_drop    = ["ALL"]
+        pids_limit  = 128
        security_opt = ["apparmor=unconfined", "no-new-privileges"]
+        # tmpfs mount via volumes config (Nomad Docker driver)
+        volumes = ["tmpfs:/tmp:size=64m"]
      }

      # ── Volume mounts ──────────────────────────────────────────────────────