Container
Category: deployment
Full Name: Application Container
Definition
An application container is a lightweight, portable, self-sufficient package that bundles an application with all its dependencies -- libraries, runtime, configuration files, and system tools. Unlike virtual machines, containers share the host operating system kernel and isolate the application at the process level, making them fast to start, efficient in resource usage, and consistent across environments. In the EUDI Wallet ecosystem, containerization is the standard deployment model for backend services including credential issuance, verification, revocation, and trust registry services.
How Containers Work
Containers use operating system-level virtualization to isolate applications. On Linux, this is achieved through namespaces (which isolate the process view of the system) and cgroups (which limit resource usage). Each container has its own filesystem, network stack, and process space, but shares the host kernel with other containers.
A container image is a read-only template that defines what the container contains. Images are built in layers, where each layer represents a filesystem change (adding files, installing software, setting configuration). Docker is the most widely used container runtime, though alternatives like containerd and Podman are also common. Images are stored in registries (such as Docker Hub, GitHub Container Registry, or private registries) and pulled to hosts where containers run.
Container orchestration platforms like Kubernetes manage the lifecycle of containers at scale. They handle scheduling (deciding which host runs which container), scaling (adding or removing container instances based on demand), networking (routing traffic between containers and to the outside world), and resilience (restarting failed containers automatically).
Containers in EUDI Wallet Architecture
The EUDI Wallet backend consists of several services that are naturally suited to containerized deployment:
- Credential Issuance Service: Handles the OpenID4VCI protocol for issuing verifiable credentials to wallets. Runs as a stateless container that can be horizontally scaled to handle issuance surges (e.g., when a new credential type launches).
- Verification/Relying Party Service: Processes credential presentations from wallets. Must handle high throughput with low latency, making containers ideal for scaling to meet demand at airports, banks, or government portals.
- Status List / Revocation Service: Publishes credential revocation status. Runs as a lightweight container behind a CDN, serving status list tokens to wallets and verifiers checking credential validity.
- Trust Registry Service: Maintains the registry of trusted issuers, verifiers, and wallet providers. Containerized for consistent deployment across member state infrastructure.
Security Considerations for EUDI Containers
Container security is critical for EUDI Wallet services that handle sensitive identity data. Key security practices include:
- Image scanning: All container images are scanned for known vulnerabilities before deployment. Only images from trusted, signed registries are permitted.
- Minimal base images: Containers use minimal base images (like distroless or Alpine) to reduce the attack surface. Fewer installed packages means fewer potential vulnerabilities.
- Runtime security: Containers run with least-privilege settings -- non-root users, read-only filesystems, dropped capabilities. Network policies restrict container-to-container communication to only what is necessary.
- Secrets management: Cryptographic keys and other secrets are never baked into container images. They are injected at runtime through secure mechanisms like Kubernetes Secrets or external vaults (HashiCorp Vault, AWS Secrets Manager).
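The practices above (trusted registries, non-root users, read-only filesystems, dropped capabilities, secrets injected at runtime rather than written into the deployment) can be checked mechanically before a manifest reaches a cluster. The following is an added example, not code from the EUDI Wallet reference implementations: a small audit of a Kubernetes Pod manifest, shown against a weak spec and a hardened spec of the same issuer container. The registry allowlist, image names, Secret name and the all-zero digest are constructed placeholders. The `securityContext` fields and `valueFrom.secretKeyRef` are standard Kubernetes Pod API fields; manifests are represented as Python dicts (the JSON form of the YAML) so the script runs without extra libraries.

```python
"""Audit a Kubernetes Pod manifest against the container hardening practices
listed above. Constructed example: the manifests and the registry allowlist
are illustrative placeholders, not taken from any EUDI deployment.
"""
from typing import Any, Dict, List

# Assumption: the operator's allowlist of trusted image registries (placeholder).
TRUSTED_REGISTRIES = ("registry.example.eu/eudi/",)

# Variable names whose literal value in a manifest would mean a baked-in secret.
SECRET_HINTS = ("KEY", "SECRET", "PASSWORD", "TOKEN")

# Only these pod-level securityContext fields are inherited by containers;
# the other hardening fields exist at container level only.
POD_LEVEL_INHERITED = ("runAsNonRoot", "runAsUser")


def audit_container(c: Dict[str, Any], pod_sc: Dict[str, Any]) -> List[str]:
    """Return findings for one container entry; an empty list means compliant."""
    name = c.get("name", "<unnamed>")
    inherited = {k: v for k, v in pod_sc.items() if k in POD_LEVEL_INHERITED}
    sc = {**inherited, **c.get("securityContext", {})}  # container overrides pod
    findings: List[str] = []

    image = c.get("image", "")
    if not image.startswith(TRUSTED_REGISTRIES):
        findings.append(f"{name}: image {image!r} is not from a trusted registry")
    if "@sha256:" not in image:
        findings.append(f"{name}: image is not pinned by digest")

    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
    if "ALL" not in drops:
        findings.append(f"{name}: capabilities.drop does not include ALL")

    for env in c.get("env", []):
        # A literal `value` on a secret-looking variable puts the secret in the
        # manifest; `valueFrom.secretKeyRef` injects it from a Secret at runtime.
        looks_secret = any(h in env.get("name", "").upper() for h in SECRET_HINTS)
        if looks_secret and "value" in env:
            findings.append(f"{name}: env {env['name']} carries a literal secret value")
    return findings


def audit_pod(manifest: Dict[str, Any]) -> List[str]:
    """Audit every container and init container in a Pod manifest."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(audit_container(c, pod_sc))
    return findings


# Constructed weak manifest: root user, writable filesystem, all capabilities,
# unpinned image from a public registry, signing key pasted into the spec.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "issuer-weak"},
    "spec": {"containers": [{
        "name": "issuer",
        "image": "docker.io/library/issuer:latest",
        "env": [{"name": "SIGNING_KEY", "value": "-----BEGIN PRIVATE KEY----- (placeholder)"}],
    }]},
}

# Constructed hardened manifest for the same service.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "issuer-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "issuer",
            "image": "registry.example.eu/eudi/issuer@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "env": [{"name": "SIGNING_KEY", "valueFrom": {
                "secretKeyRef": {"name": "issuer-signing-key", "key": "pem"}}}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The weak manifest produces seven findings, one per practice it violates; the hardened one produces none. In a pipeline this check belongs at the same gate as image scanning, before deployment, and an admission controller enforcing the same fields protects against manifests that bypass the pipeline.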