catalog / docker.io/library/haproxy / criteria

haproxy — validation criteria

Per-image acceptance criteria for the docker.io/library/haproxy profile. Validated against …@sha256:e271912a… (tag 3.2), derived by drop-test against a reverse-proxy invocation — frontend :8080, one upstream (an in-stack caddy dep). Capabilities trim 14 → 0.

Representative workload / correctness check

profiles/workloads/haproxy.sh — a request on the frontend proxied through to the backend upstream and answered with its content, plus the non-root assert (uid 99). The image ships no default config and a committed spec cannot carry a bind mount, so the derivation's command writes the minimal config to /tmp and execs haproxy on it — recorded honestly in run_config.command; a real deployment bind-mounts its config read-only, which changes nothing about capabilities.

capabilities — derived by drop-test

filesystem — derived by drop-test

Scope (run_config + out-of-band conditions)