Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Podman fails to recognize HEALTHCHECK in certain BuildKit images #18904

Open
0xF4CED opened this issue Jun 15, 2023 · 8 comments
Open

Podman fails to recognize HEALTHCHECK in certain BuildKit images #18904

0xF4CED opened this issue Jun 15, 2023 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@0xF4CED
Copy link
Contributor

0xF4CED commented Jun 15, 2023

Issue Description

When pulling (some) images that were built with BuiltKit, podman fails to parse/store the declared healtcheck configuration of the dockerimage correctly. Tested with docker.io/adguard/adguardhome@sha256:fc01fa555e6b324378176dff676c7791b2bb6ebfcf63bd2599db568287de7230
This appears to be (almost) identical to the previously resolved issue #12226, possibly indicating a regression or incomplete fix.

Steps to reproduce the issue

podman pull docker.io/adguard/adguardhome@sha256:fc01fa555e6b324378176dff676c7791b2bb6ebfcf63bd2599db568287de7230
podman run --privileged --rm --name dinp --replace -d docker.io/docker
podman exec dinp docker pull docker.io/adguard/adguardhome@sha256:fc01fa555e6b324378176dff676c7791b2bb6ebfcf63bd2599db568287de7230
diff --color <(podman image inspect adguard/adguardhome | grep -i -A3 healthcheck) <(podman exec dinp docker inspect adguard/adguardhome | grep -A8 Healthcheck)

Describe the results you received

<                     "created_by": "HEALTHCHECK &{[\"CMD\" \"/opt/adguardhome/scripts/healthcheck.sh\"] \"30s\" \"10s\" \"0s\" '\\x03'}",
<                     "comment": "buildkit.dockerfile.v0",
<                     "empty_layer": true
<                },
---
>             "Healthcheck": {
>                 "Test": [
>                     "CMD",
>                     "/opt/adguardhome/scripts/healthcheck.sh"
>                 ],
>                 "Interval": 30000000000,
>                 "Timeout": 10000000000,
>                 "Retries": 3
>             },

Describe the results you expected

Podman should properly parse and store the healthcheck that is specified in the dockerimage.

podman info output

Details
host:
  arch: amd64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 81.04
    systemPercent: 6.34
    userPercent: 12.63
  cpus: 4
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: silverblue
    version: "38"
  eventLogger: journald
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.3.7-200.fc38.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1171042304
  memTotal: 8250187776
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 8249143296
  swapTotal: 8249143296
  uptime: 0h 8m 56.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/podmanuser/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/podmanuser/.local/share/containers/storage
  graphRootAllocated: 498403901440
  graphRootUsed: 44006096896
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 60
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/podmanuser/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123928
  BuiltTime: Fri May 26 19:58:48 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.5.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

When pulling the image with docker, saving the image and loading it into podman, everything works as expected.

podman exec dinp docker save adguard/adguardhome | podman load
podman inspect adguardhome:latest | grep -A8 Healthcheck
"Healthcheck": {
               "Test": [
                    "CMD",
                    "/opt/adguardhome/scripts/healthcheck.sh"
               ],
               "Interval": 30000000000,
               "Timeout": 10000000000,
               "Retries": 3
          }

Image details:

adguardhome Dockerfile , adguardhome buildscript

HEALTHCHECK \
	--interval=30s \
	--timeout=10s \
	--retries=3 \
	CMD [ "/opt/adguardhome/scripts/healthcheck.sh" ]
@0xF4CED 0xF4CED added the kind/bug Categorizes issue or PR as related to a bug. label Jun 15, 2023
@rhatdan
Copy link
Member

rhatdan commented Jun 20, 2023

Did you store it in Docker format? I am not sure HEALTHCHECK is stored in OCI Format?

@0xF4CED
Copy link
Contributor Author

0xF4CED commented Jun 20, 2023

HEALTHCHECK is only a part of the Docker image spec and not OCI. The image in my example is in the Docker format.
#12239 introduced support for health checks from image configurations. However, in certain cases, podman pull fails to parse or store the health check configuration.
I think the problem is easier to understand when following the steps in Steps to reproduce and Additional information, that I provided above.

@flouthoc
Copy link
Collaborator

@salevdns As far as I can see #12239 only corrected to get Imageconfig for images when it is in docker format, and I think it works in case of podman exec dinp docker save adguard/adguardhome | podman load cause docker save is saving in doceker format.

Is expectation here is to check if image metadata somehow contains Healthcheck if yes, include it in OCI's image's reserved field Healthcheck and podman must implement it while running the image ?

@0xF4CED
Copy link
Contributor Author

0xF4CED commented Jul 26, 2023

I am not sure tbh. To me it looks like it should be stored in the docker format when pulling.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Sep 14, 2023

@flouthoc @iamkirkbater Any update on this?

@olifre
Copy link

olifre commented Jan 3, 2024

In case it helps, I created a minimal test container in my accidentally reported duplicate issue:

I observed the same problem pulling that one, and also the official iobroker container which is built from this Dockerfile. Pulling the same containers with Docker and running them there reveals a working healthcheck.

mguaylam added a commit to mguaylam/communautofinder_telegrambot that referenced this issue Jul 12, 2024
OCI does not support HEALTHCHECK yet : opencontainers/image-spec#749 might need to try docker format : containers/podman#18904
mguaylam pushed a commit to mguaylam/communautofinder_telegrambot that referenced this issue Jul 14, 2024
- Change dependencies.
- Change library.
- Adding logging.
- Add healthcheck.
- Provide environment thru os env.
- Create Buildah pipeline : OCI does not support HEALTHCHECK yet : opencontainers/image-spec#749 forced to docker format : containers/podman#18904
- Update README.
@FyiurAmron
Copy link

FWIW, I started getting this with Kaniko some time ago for no apparent reason. Older versions of Kaniko+podman had healthchecks working normally, and, as expected, Kaniko+docker works without any problems. Forced me to switch back to docker for the time being :/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Development

No branches or pull requests

5 participants