disinto-admin/disinto
1
0
Fork 0
Code Issues 23 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix: [nomad-step-5] S5-fix-5 — chat.hcl tmpfs syntax: use mount block not tmpfs argument (#1012) #1015

Merged
dev-qwen merged 1 commit from fix/issue-1012-2 into main 2026-04-18 12:47:29 +00:00
Conversation 1 Commits 1 Files changed 1 +9 -4
1 changed files with 9 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

13
nomad/jobs/chat.hcl
View file

@ -89,13 +89,18 @@ job "chat" {
config { config {
image = "disinto/chat:local" image = "disinto/chat:local"
force_pull = false force_pull = false
# Sandbox hardening (#706): cap_drop ALL (no Linux capabilities) # Sandbox hardening (#706): cap_drop ALL, pids_limit 128, tmpfs /tmp
# tmpfs /tmp for runtime files (64MB)
# pids_limit 128 (prevent fork bombs)
# ReadonlyRootfs enforced via entrypoint script (fails if running as root) # ReadonlyRootfs enforced via entrypoint script (fails if running as root)
cap_drop = ["ALL"] cap_drop = ["ALL"]
tmpfs = ["/tmp:size=64m"]
pids_limit = 128 pids_limit = 128
mount {
type = "tmpfs"
target = "/tmp"
readonly = false
tmpfs_options {
size = 67108864 # 64MB in bytes
}
}
# Security options for sandbox hardening # Security options for sandbox hardening
# apparmor=unconfined needed for Claude CLI ptrace access # apparmor=unconfined needed for Claude CLI ptrace access
# no-new-privileges prevents privilege escalation # no-new-privileges prevents privilege escalation