feat: automate healthchecks

Signed-off-by: Subash Kotha <[email protected]>

Author: subashkotha

cmd/nerdctl/container/container_health_check_test.go

@@ -602,3 +602,122 @@ func TestContainerHealthCheckAdvance(t *testing.T) {
 
 	testCase.Run(t)
 }
+
+func TestHealthCheck_SystemdIntegration_Basic(t *testing.T) {
+	testCase := nerdtest.Setup()
+	testCase.Require = require.Not(nerdtest.Docker)
+
+	testCase.SubTests = []*test.Case{
+		//{
+		//	Description: "Basic healthy container with systemd-triggered healthcheck",
+		//	Setup: func(data test.Data, helpers test.Helpers) {
+		//		helpers.Ensure("run", "-d", "--name", data.Identifier(),
+		//			"--health-cmd", "echo healthy",
+		//			"--health-interval", "2s",
+		//			testutil.CommonImage, "sleep", "30")
+		//		// Wait for a couple of healthchecks to execute
+		//		time.Sleep(5 * time.Second)
+		//	},
+		//	Cleanup: func(data test.Data, helpers test.Helpers) {
+		//		helpers.Anyhow("rm", "-f", data.Identifier())
+		//	},
+		//	Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+		//		return &test.Expected{
+		//			ExitCode: 0,
+		//			Output: expect.All(func(stdout, _ string, t *testing.T) {
+		//				inspect := nerdtest.InspectContainer(helpers, data.Identifier())
+		//				h := inspect.State.Health
+		//				assert.Assert(t, h != nil, "expected health state to be present")
+		//				assert.Equal(t, h.Status, "healthy")
+		//				assert.Assert(t, len(h.Log) > 0, "expected at least one health check log entry")
+		//			}),
+		//		}
+		//	},
+		//},
+		//{
+		//	Description: "Kill stops healthcheck execution",
+		//	Setup: func(data test.Data, helpers test.Helpers) {
+		//		helpers.Ensure("run", "-d", "--name", data.Identifier(),
+		//			"--health-cmd", "echo healthy",
+		//			"--health-interval", "1s",
+		//			testutil.CommonImage, "sleep", "30")
+		//		time.Sleep(5 * time.Second)               // Wait for at least one health check to execute
+		//		helpers.Ensure("kill", data.Identifier()) // Kill the container
+		//		time.Sleep(3 * time.Second)               // Wait to allow any potential extra healthchecks (shouldn't happen)
+		//	},
+		//	Cleanup: func(data test.Data, helpers test.Helpers) {
+		//		helpers.Anyhow("rm", "-f", data.Identifier())
+		//	},
+		//	Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+		//		return &test.Expected{
+		//			ExitCode: 0,
+		//			Output: expect.All(func(stdout, _ string, t *testing.T) {
+		//				inspect := nerdtest.InspectContainer(helpers, data.Identifier())
+		//				h := inspect.State.Health
+		//				assert.Assert(t, h != nil, "expected health state to be present")
+		//				assert.Assert(t, len(h.Log) > 0, "expected at least one health check log entry")
+		//
+		//				// Get container FinishedAt timestamp
+		//				containerEnd, err := time.Parse(time.RFC3339Nano, inspect.State.FinishedAt)
+		//				assert.NilError(t, err, "parsing container FinishedAt")
+		//
+		//				// Assert all healthcheck log start times are before container finished
+		//				for _, entry := range h.Log {
+		//					assert.NilError(t, err, "parsing healthcheck Start time")
+		//					assert.Assert(t, entry.Start.Before(containerEnd), "healthcheck ran after container was killed")
+		//				}
+		//			}),
+		//		}
+		//	},
+		//},
+
+		// {
+		// 	Description: "Pause/unpause halts and resumes healthcheck execution",
+		// 	Setup: func(data test.Data, helpers test.Helpers) {
+		// 		data.Labels().Set("cID", data.Identifier())
+		// 		helpers.Ensure("run", "-d", "--name", data.Identifier(),
+		// 			"--health-cmd", "echo healthy",
+		// 			"--health-interval", "1s",
+		// 			testutil.CommonImage, "sleep", "30")
+		// 		time.Sleep(4 * time.Second)
+
+		// 		// Inspect using raw command
+		// 		helpers.Command("container", "inspect", data.Labels().Get("cID")).
+		// 			Run(&test.Expected{
+		// 				ExitCode: expect.ExitCodeNoCheck,
+		// 				Output: func(stdout string, _ string, t *testing.T) {
+		// 					var dc []dockercompat.Container
+		// 					err := json.Unmarshal([]byte(stdout), &dc)
+		// 					assert.NilError(t, err)
+		// 					assert.Equal(t, len(dc), 1)
+		// 					h := dc[0].State.Health
+		// 					assert.Assert(t, h != nil, "expected health state to be present")
+		// 					data.Labels().Set("healthStatus", h.Status)
+		// 					data.Labels().Set("logCount", strconv.Itoa(len(h.Log)))
+		// 					fmt.Printf("📋 Setup Inspect: Status=%s, LogCount=%s\n", h.Status, strconv.Itoa(len(h.Log)))
+		// 				},
+		// 			})
+		// 	},
+		// 	Cleanup: func(data test.Data, helpers test.Helpers) {
+		// 		helpers.Anyhow("rm", "-f", data.Identifier())
+		// 	},
+		// 	Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+		// 		return &test.Expected{
+		// 			ExitCode: 0,
+		// 			Output: expect.All(func(stdout, _ string, t *testing.T) {
+		// 				before := data.Labels().Get("logCountBeforePause")
+		// 				after := data.Labels().Get("logCountAfterUnpause")
+
+		// 				beforeCount, _ := strconv.Atoi(before)
+		// 				afterCount, _ := strconv.Atoi(after)
+
+		// 				assert.Assert(t, afterCount > beforeCount,
+		// 					"expected more healthchecks after unpause (got %d → %d)", beforeCount, afterCount)
+		// 			}),
+		// 		}
+		// 	},
+		// },
+	}
+
+	testCase.Run(t)
+}

cmd/nerdctl/container/container_run.go

@@ -19,6 +19,7 @@ package container
 import (
 	"errors"
 	"fmt"
+	"github.com/containerd/nerdctl/v2/pkg/healthcheck"
 	"runtime"
 	"strings"
 
@@ -439,6 +440,14 @@ func runAction(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	// Setup container healthchecks.
+	if err := healthcheck.CreateTimer(ctx, c); err != nil {
+		return fmt.Errorf("failed to create healthcheck timer: %w", err)
+	}
+	if err := healthcheck.StartTimer(ctx, c); err != nil {
+		return fmt.Errorf("failed to start healthcheck timer: %w", err)
+	}
+
 	if createOpt.Detach {
 		fmt.Fprintln(createOpt.Stdout, id)
 		return nil

pkg/cmd/container/kill.go

@@ -35,6 +35,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/clientutil"
 	"github.com/containerd/nerdctl/v2/pkg/containerutil"
+	"github.com/containerd/nerdctl/v2/pkg/healthcheck"
 	"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker"
 	"github.com/containerd/nerdctl/v2/pkg/labels"
 	"github.com/containerd/nerdctl/v2/pkg/netutil"
@@ -111,6 +112,11 @@ func killContainer(ctx context.Context, container containerd.Container, signal s
 		return err
 	}
 
+	// Clean up healthcheck systemd units
+	if err := healthcheck.RemoveTransientHealthCheckFiles(ctx, container); err != nil {
+		log.G(ctx).Warnf("failed to clean up healthcheck units for container %s: %s", container.ID(), err)
+	}
+
 	// signal will be sent once resume is finished
 	if paused {
 		if err := task.Resume(ctx); err != nil {

pkg/cmd/container/remove.go

@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/containerd/nerdctl/v2/pkg/healthcheck"
 	"os"
 	"syscall"
 
@@ -179,6 +180,11 @@ func RemoveContainer(ctx context.Context, c containerd.Container, globalOptions
 		// Otherwise, nil the error so that we do not write the error label on the container
 		retErr = nil
 
+		// Clean up healthcheck systemd units
+		if err := healthcheck.RemoveTransientHealthCheckFiles(ctx, c); err != nil {
+			log.G(ctx).WithError(err).Warnf("failed to clean up healthcheck units for container %q", id)
+		}
+
 		// Now, delete the actual container
 		var delOpts []containerd.DeleteOpts
 		if _, err := c.Image(ctx); err == nil {

pkg/containerutil/containerutil.go

@@ -48,6 +48,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/consoleutil"
 	"github.com/containerd/nerdctl/v2/pkg/errutil"
 	"github.com/containerd/nerdctl/v2/pkg/formatter"
+	"github.com/containerd/nerdctl/v2/pkg/healthcheck"
 	"github.com/containerd/nerdctl/v2/pkg/ipcutil"
 	"github.com/containerd/nerdctl/v2/pkg/labels"
 	"github.com/containerd/nerdctl/v2/pkg/labels/k8slabels"
@@ -283,6 +284,15 @@ func Start(ctx context.Context, container containerd.Container, isAttach bool, i
 	if err := task.Start(ctx); err != nil {
 		return err
 	}
+
+	// If container has health checks configured, create and start systemd timer/service files.
+	if err := healthcheck.CreateTimer(ctx, container); err != nil {
+		return fmt.Errorf("failed to create healthcheck timer: %w", err)
+	}
+	if err := healthcheck.StartTimer(ctx, container); err != nil {
+		return fmt.Errorf("failed to start healthcheck timer: %w", err)
+	}
+
 	if !isAttach {
 		return nil
 	}
@@ -351,6 +361,11 @@ func Stop(ctx context.Context, container containerd.Container, timeout *time.Dur
 		}
 	}()
 
+	// Clean up healthcheck units if configured.
+	if err := healthcheck.RemoveTransientHealthCheckFiles(ctx, container); err != nil {
+		return fmt.Errorf("failed to clean up healthcheck units for container %s", container.ID())
+	}
+
 	if timeout == nil {
 		t, ok := l[labels.StopTimeout]
 		if !ok {
@@ -489,6 +504,11 @@ func Pause(ctx context.Context, client *containerd.Client, id string) error {
 		return err
 	}
 
+	// Clean up healthcheck units if configured.
+	if err := healthcheck.RemoveTransientHealthCheckFiles(ctx, container); err != nil {
+		return fmt.Errorf("failed to clean up healthcheck units for container %s", container.ID())
+	}
+
 	switch status.Status {
 	case containerd.Paused:
 		return fmt.Errorf("container %s is already paused", id)
@@ -516,6 +536,14 @@ func Unpause(ctx context.Context, client *containerd.Client, id string) error {
 		return err
 	}
 
+	// Recreate healthcheck related systemd timer/service files.
+	if err := healthcheck.CreateTimer(ctx, container); err != nil {
+		return fmt.Errorf("failed to create healthcheck timer: %w", err)
+	}
+	if err := healthcheck.StartTimer(ctx, container); err != nil {
+		return fmt.Errorf("failed to start healthcheck timer: %w", err)
+	}
+
 	switch status.Status {
 	case containerd.Paused:
 		return task.Resume(ctx)

pkg/healthcheck/healthcheck_integration_test.go

@@ -0,0 +1,67 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package healthcheck
+
+import (
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/require"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
+	"gotest.tools/v3/assert"
+	"testing"
+	"time"
+)
+
+func TestHealthCheck_SystemdIntegration_Basic(t *testing.T) {
+	testCase := nerdtest.Setup()
+	testCase.Require = require.Not(nerdtest.Docker)
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "Basic healthy container with systemd-triggered healthcheck",
+			Setup: func(data test.Data, helpers test.Helpers) {
+				helpers.Ensure("run", "-d", "--name", data.Identifier(),
+					"--health-cmd", "echo healthy",
+					"--health-interval", "2s",
+					testutil.CommonImage, "sleep", "30")
+				// Wait for a couple of healthchecks to execute
+				time.Sleep(10 * time.Second)
+			},
+			Cleanup: func(data test.Data, helpers test.Helpers) {
+				helpers.Anyhow("rm", "-f", data.Identifier())
+			},
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("inspect", data.Identifier())
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					ExitCode: 0,
+					Output: expect.All(func(stdout, _ string, t *testing.T) {
+						inspect := nerdtest.InspectContainer(helpers, data.Identifier())
+						h := inspect.State.Health
+						assert.Assert(t, h != nil, "expected health state to be present")
+						assert.Equal(t, h.Status, "healthy")
+						assert.Assert(t, len(h.Log) > 0, "expected at least one health check log entry")
+					}),
+				}
+			},
+		},
+	}
+
+	testCase.Run(t)
+}

pkg/healthcheck/healthcheck_manager_darwin.go

@@ -0,0 +1,37 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package healthcheck
+
+import (
+	"context"
+	containerd "github.com/containerd/containerd/v2/client"
+)
+
+// CreateTimer sets up the transient systemd timer and service for healthchecks.
+func CreateTimer(ctx context.Context, container containerd.Container) error {
+	return nil
+}
+
+// StartTimer starts the healthcheck timer unit.
+func StartTimer(ctx context.Context, container containerd.Container) error {
+	return nil
+}
+
+// RemoveTransientHealthCheckFiles stops and cleans up the transient timer and service.
+func RemoveTransientHealthCheckFiles(ctx context.Context, container containerd.Container) error {
+	return nil
+}

pkg/healthcheck/healthcheck_manager_freebsd.go

@@ -0,0 +1,37 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package healthcheck
+
+import (
+	"context"
+	containerd "github.com/containerd/containerd/v2/client"
+)
+
+// CreateTimer sets up the transient systemd timer and service for healthchecks.
+func CreateTimer(ctx context.Context, container containerd.Container) error {
+	return nil
+}
+
+// StartTimer starts the healthcheck timer unit.
+func StartTimer(ctx context.Context, container containerd.Container) error {
+	return nil
+}
+
+// RemoveTransientHealthCheckFiles stops and cleans up the transient timer and service.
+func RemoveTransientHealthCheckFiles(ctx context.Context, container containerd.Container) error {
+	return nil
+}