healthcheck feature

Signed-off-by: Samuel Archambault <samuel.archambault@getmaintainx.com>

Author: Samuel Archambault

.cirrus.yml

@@ -62,7 +62,7 @@ fedora_packaging_task:
             image: "${PRIOR_FEDORA_CONTAINER_FQIN}"
 
     script:
-        - dnf install -y rpm-build libseccomp-devel
+        - dnf install -y rpm-build libseccomp-devel json-c-devel
         - cd $CIRRUS_WORKING_DIR
         - make
         - make -f .rpmbuild/Makefile
@@ -83,7 +83,7 @@ build_task:
         memory: 4
 
     script:
-        - dnf install -y make glib2-devel git gcc pkg-config systemd-devel libseccomp-devel
+        - dnf install -y make glib2-devel git gcc pkg-config systemd-devel libseccomp-devel json-c-devel
         - cd $CIRRUS_WORKING_DIR
         - make
         - make test

Makefile

@@ -5,7 +5,7 @@ LIBEXECDIR ?= ${PREFIX}/libexec
 PKG_CONFIG ?= pkg-config
 HEADERS := $(wildcard src/*.h)
 
-OBJS := src/conmon.o src/cmsg.o src/ctr_logging.o src/utils.o src/cli.o src/globals.o src/cgroup.o src/conn_sock.o src/oom.o src/ctrl.o src/ctr_stdio.o src/parent_pipe_fd.o src/ctr_exit.o src/runtime_args.o src/close_fds.o src/seccomp_notify.o
+OBJS := src/conmon.o src/cmsg.o src/ctr_logging.o src/utils.o src/cli.o src/globals.o src/cgroup.o src/conn_sock.o src/oom.o src/ctrl.o src/ctr_stdio.o src/parent_pipe_fd.o src/ctr_exit.o src/runtime_args.o src/close_fds.o src/seccomp_notify.o src/healthcheck.o
 
 MAKEFILE_PATH := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
 
@@ -25,10 +25,10 @@ else
 	$(eval GIT_BRANCH_CLEAN := unknown)
 endif
 
-override LIBS += $(shell $(PKG_CONFIG) --libs glib-2.0)
+override LIBS += $(shell $(PKG_CONFIG) --libs glib-2.0) -lpthread $(shell $(PKG_CONFIG) --libs json-c)
 
 CFLAGS ?= -std=c99 -Os -Wall -Wextra -Werror
-override CFLAGS += $(shell $(PKG_CONFIG) --cflags glib-2.0) -DVERSION=\"$(VERSION)\" -DGIT_COMMIT=\"$(GIT_COMMIT)\"
+override CFLAGS += $(shell $(PKG_CONFIG) --cflags glib-2.0) $(shell $(PKG_CONFIG) --cflags json-c) -DVERSION=\"$(VERSION)\" -DGIT_COMMIT=\"$(GIT_COMMIT)\"
 
 # Conditionally compile journald logging code if the libraries can be found
 # if they can be found, set USE_JOURNALD macro for use in conmon code.

meson.build

@@ -34,6 +34,7 @@ add_project_arguments('-Os', '-Wall', '-Werror',
                       language : 'c')
 
 glib = dependency('glib-2.0')
+json_c = dependency('json-c')
 seccomp = dependency('libseccomp', version : '>= 2.5.2')
 if seccomp.found()
   add_project_arguments('-DUSE_SECCOMP=1', language : 'c')
@@ -87,7 +88,7 @@ executable('conmon',
             'src/utils.h',
             'src/seccomp_notify.c',
             'src/seccomp_notify.h'],
-           dependencies : [glib, libdl, sd_journal, seccomp],
+           dependencies : [glib, json_c, libdl, sd_journal, seccomp],
            install : true,
            install_dir : get_option('bindir'),
 )

nix/derivation.nix

@@ -19,6 +19,7 @@ with pkgs; stdenv.mkDerivation rec {
   ] ++ [
     pkgsStatic.glib
     libseccomp
+    json_c
   ] ++ lib.optionals enableSystemd [
     # Only include systemd for dynamic builds, not static builds
     # Static builds will use PKG_CONFIG_PATH approach instead

rpm/conmon.spec

@@ -29,6 +29,7 @@ Source0: %{url}/archive/v%{version}.tar.gz
 %if %{with docs}
 BuildRequires: go-md2man
 %endif
+BuildRequires: json-c-devel
 BuildRequires: gcc
 BuildRequires: git-core
 BuildRequires: glib2-devel

src/cli.c

@@ -57,6 +57,7 @@ char *opt_sdnotify_socket = NULL;
 gboolean opt_full_attach_path = FALSE;
 char *opt_seccomp_notify_socket = NULL;
 char *opt_seccomp_notify_plugins = NULL;
+gboolean opt_enable_healthcheck = FALSE;
 GOptionEntry opt_entries[] = {
 	{"api-version", 0, 0, G_OPTION_ARG_NONE, &opt_api_version, "Conmon API version to use", NULL},
 	{"bundle", 'b', 0, G_OPTION_ARG_STRING, &opt_bundle_path, "Location of the OCI Bundle path", NULL},
@@ -117,6 +118,8 @@ GOptionEntry opt_entries[] = {
 	 "Path to the socket where the seccomp notification fd is received", NULL},
 	{"seccomp-notify-plugins", 0, 0, G_OPTION_ARG_STRING, &opt_seccomp_notify_plugins,
 	 "Plugins to use for managing the seccomp notifications", NULL},
+	{"enable-healthcheck", 0, 0, G_OPTION_ARG_NONE, &opt_enable_healthcheck,
+	 "Enable healthcheck functionality (for non-systemd environments)", NULL},
 	{NULL, 0, 0, 0, NULL, NULL, NULL}};
 
 

src/cli.h

@@ -47,6 +47,7 @@ extern gboolean opt_sync;
 extern char *opt_sdnotify_socket;
 extern char *opt_seccomp_notify_socket;
 extern char *opt_seccomp_notify_plugins;
+extern gboolean opt_enable_healthcheck;
 extern GOptionEntry opt_entries[];
 extern gboolean opt_full_attach_path;
 

src/conmon.c

@@ -20,6 +20,7 @@
 #include "close_fds.h"
 #include "seccomp_notify.h"
 #include "runtime_args.h"
+#include "healthcheck.h"
 
 #include <sys/stat.h>
 #include <locale.h>
@@ -46,14 +47,18 @@ int main(int argc, char *argv[])
 	_cleanup_close_ int dev_null_r_cleanup = -1;
 	_cleanup_close_ int dev_null_w_cleanup = -1;
 	_cleanup_close_ int dummyfd = -1;
-
 	int initialize_ec = initialize_cli(argc, argv);
 	if (initialize_ec >= 0) {
 		exit(initialize_ec);
 	}
 
 	process_cli();
 
+	/* Initialize healthcheck subsystem - always initialize for automatic discovery */
+	if (!healthcheck_init()) {
+		pexit("Failed to initialize healthcheck subsystem");
+	}
+
 	attempt_oom_adjust(-1000);
 
 	/* ignoring SIGPIPE prevents conmon from being spuriously killed */
@@ -396,7 +401,6 @@ int main(int argc, char *argv[])
 	}
 
 	container_pid = atoi(contents);
-	ndebugf("container PID: %d", container_pid);
 
 	g_hash_table_insert(pid_to_handler, (pid_t *)&container_pid, container_exit_cb);
 
@@ -408,6 +412,38 @@ int main(int argc, char *argv[])
 	if ((opt_api_version >= 1 || !opt_exec) && sync_pipe_fd >= 0)
 		write_or_close_sync_fd(&sync_pipe_fd, container_pid, NULL);
 
+	/* Configure healthcheck - automatic discovery from OCI config.json */
+	/* Only start healthcheck timers if explicitly enabled via CLI flag */
+	if (opt_bundle_path != NULL && opt_enable_healthcheck) {
+		healthcheck_config_t config;
+		memset(&config, 0, sizeof(config));
+
+		if (healthcheck_discover_from_oci_config(opt_bundle_path, &config)) {
+			healthcheck_timer_t *timer = healthcheck_timer_new(opt_cid, &config);
+			if (timer != NULL) {
+				if (healthcheck_timer_start(timer)) {
+					if (active_healthcheck_timers != NULL) {
+						hash_table_put(active_healthcheck_timers, opt_cid, timer);
+						ninfof("Started healthcheck for container %s", opt_cid);
+					} else {
+						nwarnf("Active healthcheck timers table is NULL");
+						healthcheck_timer_free(timer);
+					}
+				} else {
+					nwarnf("Failed to start healthcheck for container %s", opt_cid);
+					healthcheck_timer_free(timer);
+				}
+			} else {
+				nwarnf("Failed to create healthcheck timer for container %s", opt_cid);
+			}
+		} else {
+			nwarnf("Failed to discover healthcheck config from OCI bundle");
+		}
+
+		/* Always free the config, regardless of success or failure */
+		healthcheck_config_free(&config);
+	}
+
 #ifdef __linux__
 	setup_oom_handling(container_pid);
 #endif
@@ -495,6 +531,9 @@ int main(int argc, char *argv[])
 	g_source_remove(signal_fd_tag);
 	close(signal_fd);
 
+	/* Cleanup healthcheck timers */
+	healthcheck_cleanup();
+
 	/*
 	 * Podman injects some fd's into the conmon process so that exposed ports are kept busy while
 	 * the container runs.  Close them before we notify the container exited, so that they can be