catalog / ghcr.io/immich-app/postgres / criteria

immich-app/postgres — validation criteria

Per-image acceptance criteria for the ghcr.io/immich-app/postgres profile (the custom pgvector/vectorchord image immich ships as its database). Validated against …@sha256:bcf63357…, derived by drop-test against immich's own deployment invocation.

Representative workload / correctness check

profiles/workloads/postgres.sh — connect + CREATE/INSERT/SELECT/DROP + a SIGHUP reload. The drop-test correctness check additionally asserts the server (PID 1) runs as the non-root postgres user (uid 999): a health check alone is not enough — postgres can stay "up" while failing to drop root, so the privilege drop must be confirmed.

capabilities — derived by drop-test

App-tier verification

Beyond the per-container drop-test, this hardening was verified at the service level: immich's released stack (immich-server v2.7.5 + valkey + this postgres) was brought up with the DB hardened to this minimum, and immich's real REST API drove admin sign-up → login → upload a photo → read it back → search — all passing. An over-hardening (drop SETUID) makes the DB unhealthy and immich never starts. So the minimum is confirmed against immich's actual usage, not only the drop-test workload. (App-tier verification is not yet a schema field; recorded here.)

filesystem — derived by drop-test

Scope (run_config + out-of-band conditions)