About docker HEALTHCHECK
#183
Comments
I'm not sure I understand the question. How is curl related to HEALTHCHECK? What do you mean by "multibuild"? Can you share an example of what you're trying to do without distroless/bazel? |
Closing. Please reopen with more info. |
I just stumbled upon the We are deploying our docker images using Our healthcheck_command is: I would like to use the distroless images (for several reasons), but how would the healthcheck work with a |
@Junkern For now we solved it by making a service (Kubernetes) call an endpoint of the api |
After reading this blog post https://blog.sixeyed.com/docker-healthchecks-why-not-to-use-curl-or-iwr/, I created a custom tool written in |
@pwob @Junkern You can add 84kB busybox wget to the image and use it instead of curl:

```dockerfile
# Stage 1: download the standalone busybox wget binary and make it executable
FROM busybox AS builder
ARG BUSYBOX_VERSION=1.31.0-i686-uclibc
ADD https://busybox.net/downloads/binaries/$BUSYBOX_VERSION/busybox_WGET /wget
RUN chmod a+x /wget
# Stage 2: copy only that binary into the distroless image
FROM gcr.io/distroless/java
COPY --from=builder /wget /usr/bin/wget
```

@barmic A custom healthcheck in a higher-level language (Go, Java, ...), even built into a native binary, is at least several MB large and probably overkill for a simple HTTP check. |
@verglor My Go binary is huge indeed (about 7MB), but compared to the JDK it isn't noticeable (~3% of total size), and it ensures that it can't be used to call another service. If I want to reduce the size I can use Java; I already have the JDK, so one executable class/jar should fit in a few KB. |
The solution of @verglor unfortunately doesn't work in distroless/java:
In the Dockerfile I have the following added:
The CMD expects as Entrypoint /bin/sh probably? |
Hi @madduci, Could the way you define Dockerfile reference. HEALTHCHECK:
Can you try this (does it work for your case):
? |
Hi @madduci, Regarding my previous comment - it looks like HEALTHCHECK should return predefined exit codes: Dockerfile reference. HEALTHCHECK:
This means that we cannot rely on exit code of wget and should treat any non-zero exit code of wget as 1. This definitely requires either a custom binary or a shell script (or a shell style |
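An added example, not code from any participant in this thread or from the distroless project: a small Go probe that collapses every outcome to the exit codes HEALTHCHECK defines (0 healthy, 1 unhealthy) and accepts only loopback IP literals, so the binary cannot be used to call another service. The 3-second timeout and the requirement for an HTTP 200 are assumptions of the example.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"net/url"
	"os"
	"time"
)

// checkURL accepts only http(s) URLs whose host is a loopback IP literal (no DNS).
func checkURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return errors.New("need an http(s) URL")
	}
	if ip := net.ParseIP(u.Hostname()); ip == nil || !ip.IsLoopback() {
		return errors.New("target must be a loopback IP literal")
	}
	return nil
}

// probe maps every outcome to 0 (healthy) or 1 (unhealthy); Docker reserves 2.
func probe(raw string, timeout time.Duration) int {
	if checkURL(raw) != nil {
		return 1
	}
	client := &http.Client{
		Timeout: timeout,
		// Hand back 3xx responses instead of following them to another host.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Get(raw)
	if err != nil {
		return 1
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 1
	}
	return 0
}

func main() {
	if len(os.Args) != 2 {
		os.Exit(1)
	}
	os.Exit(probe(os.Args[1], 3*time.Second))
}
```

Built with `CGO_ENABLED=0 go build`, the binary is static and can be copied into a distroless image and called in exec form, for example `HEALTHCHECK CMD ["/healthcheck", "http://127.0.0.1:8080/health"]` (the path and port are placeholders).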
Hi @mabrarov , thank you for your reply, your suggestion works. It's interesting how with docker-compose, I'm able to write the following:
and it just works. I guess, as I wrote the command in my previous comment, it is assuming that "CMD-SHELL" (a wrapper operation around |
Since my last comment, I changed method. Now I use a custom Java tool: https://gist.github.com/barmic/a12c5256f735f4748e3a6f511367407e This gives a very simple tool of 4KB without security issues. |
There can be issues with custom Java tool:
|
1s to start a JVM? Never in my case (it's about 10 times quicker). I don't know how to compute the load (part of the memory pages will be shared between the 2 JVMs, and evaluating the CPU load will depend on the env and CPU, …); it is probably possible to disable some startup work. You can control the env of this tool as you want; it's not a problem. In my case, the security issue is far more important than CPU consumption. |
Hi @barmic,
Have you tried to limit CPU resource for container which uses custom Java tool for health check?
|
FYI, With powerman/dockerize 0.14.0+ (refer to dockerize#103) it's possible to use Dockerize for Docker health check this way:
I use Dockerize for Docker health check in mabrarov/docker-compose-init-container where Dockerize fits well into a case when Distroless Java image is used. |
Followed implementation stated here: GoogleContainerTools/distroless#183 (comment) Fixes fbonalair#6
Currently only `CMD-SHELL` health checks are supported which require a shell on the docker container to run. `distroless` docker images like [mockserver](https://hub.docker.com/r/mockserver/mockserver/) don't have a shell so that mechanism doesn't work, see GoogleContainerTools/distroless#183.

To support docker containers without a shell the health check needs to be in the format

```
test: ['CMD', '/path/to/program', 'arg1', 'arg2', 'arg3']
```

Fixes testcontainers#342
The strategy of having a standalone healthcheck file to validate my app works very well. I based it on this post: https://mflash.dev/post/2021/03/01/java-based-health-check-for-docker/

```java
// myapp/src/main/resources/healthcheck/HealthCheck.java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse.BodyHandlers;

public class HealthCheck {
    public static void main(String[] args) throws InterruptedException, IOException {
        var client = HttpClient.newHttpClient();
        var request = HttpRequest.newBuilder().uri(URI.create("http://localhost/healthcheck")).build();
        var response = client.send(request, BodyHandlers.ofString());
        // Any non-200 status throws; the uncaught exception makes the JVM exit with status 1.
        if (response.statusCode() != 200) {
            throw new RuntimeException("Healthcheck failed");
        }
    }
}
```

Here is the snippet of the Dockerfile where I'm using the healthcheck file:

```dockerfile
FROM gcr.io/distroless/java11-debian11
COPY myapp/src/main/resources/healthcheck/ .
# Exec form runs without a shell, so "||" and "exit 1" would only be passed to the program as arguments.
HEALTHCHECK --interval=15s --timeout=10s --start-period=45s --retries=3 CMD ["java", "HealthCheck.java"]
```
For me this shorter version worked for

```dockerfile
FROM mockserver/mockserver:5.15.0
COPY --from=busybox:1.36.0-musl /bin/wget /usr/bin/wget
```
How do you guys enable healthcheck in multibuild docker using distroless? Currently it is not working for us because obviously `curl` is not available in distroless image.