catalog / docker.io/adguard/adguardhome / criteria

adguardhome — validation criteria

Per-image acceptance criteria for the docker.io/adguard/adguardhome profile, DNS-only scope. Validated against …@sha256:1ea34eaf… (tag v0.107.78), derived by drop-test against the default invocation. Capabilities trim 14 → 2.

Representative workload / correctness check

profiles/workloads/adguardhome.sh — drive the REST install/configure (admin + DNS:53 + web:80 in one call, a real persistent config write), add a local DNS rewrite (csd.test → 127.0.0.1) so resolution is answered by AGH itself with no upstream in the trial loop (the pihole lesson), then assert nslookup csd.test returns 127.0.0.1 (matching the answer line, not the :53 server line). Curl sidecar for the API; in-image nslookup for resolution.

capabilities — derived by drop-test

The clean contrast with pihole (both DNS, different architecture)

AdGuardHome is a single Go binary that stays root — no FTL-style file-capability + user drop. Consequences vs pihole's 6-cap profile: - No SETFCAP (no setcap step), no SETUID/SETGID (no privilege drop). - no-new-privileges stays compatible — pihole must omit nnp because its file-cap acquisition needs it; AdGuard has no such step, so this profile keeps nnp. Two DNS servers, two low-port strategies, side by side.

filesystem — derived by drop-test

Coverage & confidence (moderate)

Per ADR-018, moderate — the workload is DNS-only. AdGuard's DHCP server adds NET_ADMIN (broadcast/interface handling), an optional feature the workload does not drive, so coverage: partial. DNS-only deployments match the derived minimum; DHCP deployments need NET_ADMIN.

Scope (run_config + out-of-band conditions)