Configure HealthCheck with podman update

[Honny1]

New flags in a podman update can change the configuration of HealthCheck when the container is started, without having to restart or recreate the container.

This can help determine why a given container suddenly started failing HealthCheck without interfering with the services it provides. For example, reconfigure HealthCheck to keep logs longer than the usual last X results, store logs to other destinations, etc.

These flags are added to the podman update command:

• --health-cmd string: set a healthcheck command for the container ('none' disables the existing healthcheck)
• --health-interval string: set an interval for the healthcheck (a value of disable results in no automatic timer setup)(Changing this setting resets timer.) (default "30s")
• --health-log-destination string:  set the destination of the HealthCheck log. Directory path, local or events_logger (local use container state file)(Warning: Changing this setting may cause the loss of previous logs.) (default "local")
• --health-max-log-count uint: set maximum number of attempts in the HealthCheck log file. ('0' value means an infinite number of attempts in the log file) (default 5)
• --health-max-log-size uint: set maximum length in characters of stored HealthCheck log. ('0' value means an infinite log length) (default 500)
• --health-on-failure string: action to take once the container turns unhealthy (default "none")
• --health-retries uint: the number of retries allowed before a healthcheck is considered to be unhealthy (default 3)
• --health-start-period string: the initialization time needed for a container to bootstrap (default "0s")
• --health-startup-cmd string: Set a startup healthcheck command for the container
• --health-startup-interval string: Set an interval for the startup healthcheck. Changing this setting resets the timer, depending on the state of the container. (default "30s")
• --health-startup-retries uint: Set the maximum number of retries before the startup healthcheck will restart the container
• --health-startup-success uint: Set the number of consecutive successes before the startup healthcheck is marked as successful and the normal healthcheck begins (0 indicates any success will start the regular healthcheck)
• --health-startup-timeout string: Set the maximum amount of time that the startup healthcheck may take before it is considered failed (default "30s")
• --health-timeout string:  the maximum time allowed to complete the healthcheck before an interval is considered failed (default "30s")
• --no-healthcheck: Disable healthchecks on container

Fixes: https://issues.redhat.com/browse/RHEL-60561

Does this PR introduce a user-facing change?

Configure HealthCheck with podman update

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[Luap99]

not really a full review just a quick look:

Can you remove all the flag description from the commit? I do not see how they add any value there. If I want to know what a flag does one should look at the docs or I can see that already in the diff here anyway.

[Luap99]

all these strings seem to be used in many places so can you define them as constants somewhere, ie. libpod/define and then use the constants over the string duplication

[Honny1]

Thanks, I have an idea of how to simplify it overall.

[mheon]

What does this mean?

[Honny1]

My note, I'll delete it.

[mheon]

"Updates the configuration of an existing container, allowing changes to resource limits and healthchecks"

[mheon]

This and startupHealthCheck should be pointers - will make returning nil a lot easier

[mheon]

I think you can JSONDeepCopy this and save a lot of code

[mheon]

Same here, investigate JSONDeepCopy, I don't think this is performance critical at all.

[mheon]

I don't like leaking entities into Libpod. Maybe move UpdateHealthCheckConfig into libpod and make the entities version just contain it?

[mheon]

Actually, no. We should probably move this parsing code out of Libpod. Instead we should accept a manifest.Schema2HealthConfig and define.StartupHealthCheck in Update in libpod, and do all the validation in the frontend.

[mheon]

If you're calling this from Update() this is unnecessary, we only want one and it should be in Update itself

[Luap99]

This comment here still seems to be open, we should not be creating two events

[Honny1]

@mheon and @Luap99 I have edited the PR according to your comments.

[mheon]

noHealthCheck can probably be healthCheckConfig == nil

[mheon]

And I think we might want to compute changedTimer in here, instead of requiring the user pass it in - moving the rest of the parsing out of libpod was good but this was maybe a step too far.

[mheon]

Maybe make a GlobalHealthCheckOptions struct that contains all of these? Arguments list is a little long

[mheon]

Maybe Paused as well? Do we stop the timers when we pause a container?

[Honny1]

I haven't found any code that can stop the timer.

[mheon]

That's interesting. We should talk about this at standup on Monday. Not something we should solve in this PR but it does sound like a bug.

[Honny1]

The timer runs even after the container is paused. Systemctl displays an error for a few seconds:

Nov 15 18:08:33 fedora podman[42]: error: container <id> is not running

I don't see how this is a big problem. We can discuss it on standup, but on Monday, I am going to midterm. I can create an Issue so we don't forget about it and then we can discuss it.

[mheon]

Hm. I think we hit this if we add a startup healthcheck to a running container that did not previously have a startup healthcheck. We probably don't want to do that, so we should set StartupHCPassed to true when adding a startup healthcheck to a running container that doesn't have one already

[mheon]

This can be combined with the following line

[mheon]

This is basically identical to updateHealthCheckConfiguration minus a few variables; can the two be refactored to share code? It seems like everything from line 2805 on is basically identical.

[mheon]

Probably unnecessary; we can just use Update

[TomSweeneyRedHat]

Suggested change

	Changing this setting resets timer.
	Changing this setting resets the timer.

[TomSweeneyRedHat]

Suggested change

	// HealthOnFailure set action to take once the container turns unhealthy.
	// HealthOnFailure set the action to take once the container turns unhealthy.

[TomSweeneyRedHat]

A couple of small nits. Once @mheon 's concerns are addressed, LGTM

[Luap99]

@edsantiago Mind looking at the sys tests?

[Luap99]

there is a lot of duplication here, first you can use elif to avoid one layer of nesting

In general it is hard for the reader to figure out the differences, you should split out the run_podman call and only do the stuff that is different in there, i.e. define a hc_flags arrray where you add the flags too and then to the run_podman call below which would make this a lot simpler.

[edsantiago]

Second, what Paul said

[Luap99]

Adding random sleeps is very bad you tests are adding over 20s of CI time doing nothing but sleeping, this is very wasteful.

Is there a way we can combine the test cases to avoid adding so much sleeps. And if we know one things sleeps means flakes so this is not very good. If there is no way to avoid it then at the very least all these testsshoul dbe run in parallel to not waste so much time

[Luap99]

I have no idea why we decided to send a full specgen when the server does not understand most of it but doesn't the specgen already contain all the healtchcheck settings? So it seems wasteful and confusing to send yet another type? Am I missing something?

[Honny1]

I created another type where I can better distinguish what value has been set as new by the user using pointers. The entire LinuxResources type uses pointers or lists, but the HealthCheck type does not contain pointers, so I can't distinguish whether the user set the default values of the types or not.

The implementation of the podman update replaces LinuxResources from the specgen without caring about the previous configuration or whether the user set the value. This will cause the resource configuration to be overwritten by bad values.

Here is an example:

$ ./bin/podman run -dt --replace --name hc1 quay.io/libpod/alpine:latest top
$ ./bin/podman inspect hc1 --format {{.HostConfig.PidsLimit}}
2048
$ ./bin/podman update hc1 --pids-limit 1024
$ ./bin/podman inspect hc1 --format {{.HostConfig.PidsLimit}}
1024
$ ./bin/podman update hc1 --cpus 2 # Change any other resource.
$ ./bin/podman inspect hc1 --format {{.HostConfig.PidsLimit}}
0  <— this value should be 1024

I think this is a bug. I will create an issue. And I'll fix it in another PR.

[Luap99]

Yes agree that is a bug, I guess using specgen there was a mistake then. The issue is we cannot just break this as they are exposed via API.

[Honny1]

The Podman REST API has never used spacegen for updates.

[edsantiago]

DIE and DRY are critical concepts in software development. I encourage you to develop a mindset where you're looking for duplication and, each time you see it, or each time you find yourself copypasting, taking a step back to ask yourself how you can eliminate it.

Once you clean up all my suggestions below, I bet you might even find more, and I bet you can then find a way to make the test table-driven which is even better.

And then, of course, please add # bats test_tags=ci:parallel

[edsantiago]

Second, what Paul said

[edsantiago]

So much better! Thank you! You are developing good practices. Still needs fixing though. A few recommendations inline, and one suggestion that I didn't take the time to implement.

Thanks again.

[edsantiago]

typo, HealthCheck

[edsantiago]

Thank you for updating and rebasing and for your initiative in cleaning up more than I asked for.

Tests LGTM. One comment inline, not a blocker.

[edsantiago]

I don't understand this new action (splitting into two commands) nor its comment. I will assume it makes sense to everyone else, and won't block on it but will point it out in case others are puzzled by it too.

[Honny1]

Because I found a bug. When you try to change any resource using podman update, it overwrites the current resource configuration. Here is an example:

$ ./bin/podman run -dt --replace --name hc1 quay.io/libpod/alpine:latest top
$ ./bin/podman inspect hc1 --format {{.HostConfig.PidsLimit}}
2048
$ ./bin/podman update hc1 --pids-limit 1024
$ ./bin/podman inspect hc1 --format {{.HostConfig.PidsLimit}}
1024
$ ./bin/podman update hc1 --cpus 2 # Change any other resource.
$ ./bin/podman inspect hc1 --format {{.HostConfig.PidsLimit}}
0  <— this value should be 1024

I want to make sure this is not happening for Healtcheck as well.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: edsantiago, Honny1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [edsantiago]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Honny1]

@mheon @TomSweeneyRedHat @Luap99 I have updated the PR according to your comments.

[Luap99]

I need some more time to undersatnd this.

[Luap99]

This comment here still seems to be open, we should not be creating two events

[Luap99]

why is this accepting interfaces, this makes API design super fragile and error prone. We should not be mixing so many types. reflection is difficult to understand and use correctly.

[Luap99]

Wait this is no longer true now, if you call this from outside podman healtchcheck run we have big problems espically for the system service as this overwrites the global exit code on signals.

[Luap99]

That is extremely ugly, setting a container to not valid like this is not sane if the pointer is shared acorrs several threads another container may see a invalid container and bail out. I don't think we that is a huge risk as we not really share these structs at the same time but still.

And calling CtrCreateOption function somehwere else is just not nice to read. Please just split out the validation bits into another function and then call it from here and WithHealthCheckLogDestination()

[Luap99]

can you just call (ic *ContainerEngine) ContainerUpdate() from like many other endpoints do to avoid duplication

[Luap99]

this entire flow makes updates not atomic which seems bad. Every time you call into libpod we have to lock again. sync the state again and then do whatever we do save the db config and state again. Doing this multiple times is slow and not atomic which means ugly race conditions most likely.

I rather have this moved into one libpod function that acts under one lock.

[Luap99]

cobra imports should not be in specgen, cli parts should all stay under cmd/podman.
I See noe reason why the function is here.

[Luap99]

all these errors must be handled and returned.

[Luap99]

I don't get why we loop here at all over all flags? Can't we just access all the flags directly if we have to list out all name anyway.

[Honny1]

Visit visits only those flags that have been set.

[Luap99]

you can use .Changed() on a flag to know if was set or not

[Honny1]

/packit rebuild-failed