catalog / docker.io/jellyfin/jellyfin / criteria

jellyfin — validation criteria

Per-image acceptance criteria for the docker.io/jellyfin/jellyfin profile. Validated against …@sha256:aefb67e6… (tag 10.11). Capabilities and filesystem derived by drop-test against the default invocation: capabilities trim 14 → 0 and the filesystem locks read-only with no tmpfs at all — the strongest lockdown in the catalog; both apply as a unit. The devices dimension (below) is derived by bpf-observation against the same digest and answers the conditional question — what a hardware-transcode deployment must add.

Representative workload / correctness check

profiles/workloads/jellyfin.sh — the real first-run flow end-to-end: health, the setup wizard REST sequence (Startup/ConfigurationStartup/UserStartup/Complete), token auth as the created admin, and an authorized System/Info readback. A fresh /config volume per trial means the wizard executes in every trial. Probes ride the curl sidecar (no HTTP client in-image), write nothing inside the container, and capture-then-match responses.

capabilities — derived by drop-test

filesystem — derived by drop-test

devices — derived by bpf-observation (the transcode grant)

Scope (run_config + out-of-band conditions)