catalog / docker.io/library/httpd / criteria

httpd — validation criteria

Per-image acceptance criteria for the docker.io/library/httpd profile (the official Apache httpd image). Validated against …@sha256:305fd832… (tag 2.4), derived by drop-test against the default invocation. Capabilities trim 14 → 3.

Representative workload / correctness check

profiles/workloads/httpd.shGET / must return the default page body ("It works!"), fetched from a curl sidecar sharing the target's netns (the image ships no HTTP client). The drop-test correctness check additionally asserts a worker process (a non-PID-1 httpd) runs as the non-root www-data user (uid 33).

The uid assert is mandatory, and this derivation proved why: with SETGID dropped, httpd logged the failed drop but kept serving with root workers — the evidence line reads httpd workers running as ROOT: uid=0. A content-only check false-passes and would derive the drop as safe while silently removing Apache's privilege separation. This is the master/worker variant of the redis sharp edge.

capabilities — derived by drop-test

filesystem — derived by drop-test

Scope (run_config + out-of-band conditions)