support rootless healthchecks

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

.github/workflows/job-test-in-container.yml

@@ -151,6 +151,27 @@ jobs:
           sudo mkdir -p /etc/docker
           echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "experimental": true, "ip6tables": true}' | sudo tee /etc/docker/daemon.json
           sudo systemctl restart docker
+      - name: "Debug: DBUS availability in container"
+        run: |
+          echo "=== DBUS Debugging in Container ==="
+          [ "${{ inputs.target }}" == "rootful" ] \
+            && args=(test-integration) \
+            || args=(test-integration-${{ inputs.target }})
+          docker run -t --rm --privileged "${args[@]}" bash -c '
+            echo "--- DBUS Tools Availability ---"
+            which dbus-launch dbus-daemon dbus-send dbus-monitor systemd-run || true
+            echo "--- DBUS Binaries Location ---"
+            ls -la /usr/bin/dbus* 2>/dev/null || echo "No DBUS tools in /usr/bin"
+            ls -la /bin/dbus* 2>/dev/null || echo "No DBUS tools in /bin"
+            echo "--- Systemd Tools ---"
+            which systemctl systemd-run || true
+            echo "--- Environment ---"
+            echo "PATH: $PATH"
+            echo "USER: $(whoami)"
+            echo "UID: $(id -u)"
+            echo "--- Package Info ---"
+            dpkg -l | grep -E "(dbus|systemd)" || true
+          '
       - name: "Run: integration tests"
         run: |
           . ./hack/github/action-helpers.sh

Dockerfile.d/test-integration-rootless.sh

@@ -30,10 +30,40 @@ if [[ "$(id -u)" = "0" ]]; then
 		touch /workaround-issue-622
 	fi
 
+	echo "=== DBUS Debugging as ROOT ==="
+	echo "--- DBUS Tools Availability (root) ---"
+	which dbus-launch dbus-daemon dbus-send dbus-monitor systemd-run || true
+	echo "--- Environment (root) ---"
+	echo "PATH: $PATH"
+	echo "USER: $(whoami)"
+	echo "UID: $(id -u)"
+	echo "DBUS_SESSION_BUS_ADDRESS: ${DBUS_SESSION_BUS_ADDRESS:-unset}"
+	echo "XDG_RUNTIME_DIR: ${XDG_RUNTIME_DIR:-unset}"
+	echo "--- Systemd Status (root) ---"
+	systemctl --user status 2>&1 || echo "systemctl --user failed as root"
+	echo "--- DBUS Launch Test (root) ---"
+	dbus-launch --sh-syntax 2>&1 || echo "dbus-launch failed as root"
+
 	# Switch to the rootless user via SSH
 	systemctl start ssh
 	exec ssh -o StrictHostKeyChecking=no rootless@localhost "$0" "$@"
 else
+	echo "=== DBUS Debugging as ROOTLESS USER ==="
+	echo "--- DBUS Tools Availability (rootless) ---"
+	which dbus-launch dbus-daemon dbus-send dbus-monitor systemd-run || true
+	echo "--- Environment (rootless) ---"
+	echo "PATH: $PATH"
+	echo "USER: $(whoami)"
+	echo "UID: $(id -u)"
+	echo "DBUS_SESSION_BUS_ADDRESS: ${DBUS_SESSION_BUS_ADDRESS:-unset}"
+	echo "XDG_RUNTIME_DIR: ${XDG_RUNTIME_DIR:-unset}"
+	echo "--- Systemd Status (rootless) ---"
+	systemctl --user status 2>&1 || echo "systemctl --user failed as rootless"
+	echo "--- DBUS Launch Test (rootless) ---"
+	dbus-launch --sh-syntax 2>&1 || echo "dbus-launch failed as rootless"
+	echo "--- Systemd User Environment ---"
+	systemctl --user show-environment 2>&1 || echo "systemctl --user show-environment failed"
+
 	containerd-rootless-setuptool.sh install
 	if grep -q "options use-vc" /etc/resolv.conf; then
 		containerd-rootless-setuptool.sh nsenter -- sh -euc 'echo "options use-vc" >>/etc/resolv.conf'
@@ -60,6 +90,16 @@ EOF
 	systemctl --user restart stargz-snapshotter.service
 	export IPFS_PATH="/home/rootless/.local/share/ipfs"
 	containerd-rootless-setuptool.sh install-bypass4netnsd
+
+	echo "=== DBUS Debugging AFTER containerd-rootless-setuptool.sh ==="
+	echo "--- Environment After Setup ---"
+	echo "DBUS_SESSION_BUS_ADDRESS: ${DBUS_SESSION_BUS_ADDRESS:-unset}"
+	echo "XDG_RUNTIME_DIR: ${XDG_RUNTIME_DIR:-unset}"
+	echo "--- Systemd Status After Setup ---"
+	systemctl --user status 2>&1 || echo "systemctl --user still failed after setup"
+	echo "--- DBUS Launch Test After Setup ---"
+	dbus-launch --sh-syntax 2>&1 || echo "dbus-launch still failed after setup"
+
 	# Once ssh-ed, we lost the Dockerfile working dir, so, get back in the nerdctl checkout
 	cd /go/src/github.com/containerd/nerdctl
 	# We also lose the PATH (and SendEnv=PATH would require sshd config changes)

hack/test-integration.sh

@@ -50,7 +50,7 @@ for arg in "$@"; do
 done
 
 if [ "$needsudo" == "true" ] || [ "$needsudo" == "yes" ] || [ "$needsudo" == "1" ]; then
-  gotestsum "${args[@]}" -- -timeout="$timeout" -p 1 -exec sudo -v -run TestHealthCheck_SystemdIntegration_Advanced -args -test.allow-kill-daemon ./cmd/nerdctl/container/
+  gotestsum "${args[@]}" -- -timeout="$timeout" -p 1 -exec sudo -v -run TestHealthCheck_SystemdIntegration_Basic -args -test.allow-kill-daemon ./cmd/nerdctl/container/
 else
-  gotestsum "${args[@]}" -- -timeout="$timeout" -p 1 -v -run TestContainerHealthCheckAdvance -args -test.allow-kill-daemon ./cmd/nerdctl/container/
+  gotestsum "${args[@]}" -- -timeout="$timeout" -p 1 -v -run TestHealthCheck_SystemdIntegration_Basic -args -test.allow-kill-daemon ./cmd/nerdctl/container/
 fi

pkg/healthcheck/healthcheck_manager_linux.go

@@ -50,6 +50,11 @@ func CreateTimer(ctx context.Context, container containerd.Container) error {
 	log.G(ctx).Debugf("Creating healthcheck timer unit: %s", hcName)
 
 	cmd := []string{}
+	if rootlessutil.IsRootless() {
+		cmd = append(cmd, "--user")
+		cmd = append(cmd, fmt.Sprintf("--uid=%d", rootlessutil.ParentEUID()))
+	}
+
 	if path := os.Getenv("PATH"); path != "" {
 		cmd = append(cmd, "--setenv=PATH="+path)
 	}
@@ -62,11 +67,11 @@ func CreateTimer(ctx context.Context, container containerd.Container) error {
 		cmd = append(cmd, "--debug")
 	}
 
-	conn, err := dbus.NewSystemConnectionContext(context.Background())
-	if err != nil {
-		return fmt.Errorf("systemd DBUS connect error: %w", err)
-	}
-	defer conn.Close()
+	// conn, err := dbus.NewSystemConnectionContext(context.Background())
+	// if err != nil {
+	// 	return fmt.Errorf("systemd DBUS connect error: %w", err)
+	// }
+	// defer conn.Close()
 
 	log.G(ctx).Debugf("creating healthcheck timer with: systemd-run %s", strings.Join(cmd, " "))
 	run := exec.Command("systemd-run", cmd...)
@@ -79,29 +84,53 @@ func CreateTimer(ctx context.Context, container containerd.Container) error {
 
 // StartTimer starts the healthcheck timer unit.
 func StartTimer(ctx context.Context, container containerd.Container) error {
+	log.G(ctx).Infof("DEBUG: StartTimer called for container %s", container.ID())
+
 	hc := extractHealthcheck(ctx, container)
 	if hc == nil {
+		log.G(ctx).Infof("DEBUG: No healthcheck found, skipping StartTimer")
 		return nil
 	}
 	if shouldSkipHealthCheckSystemd(hc) {
+		log.G(ctx).Infof("DEBUG: Skipping healthcheck systemd, shouldSkip=true")
 		return nil
 	}
 
 	hcName := hcUnitName(container.ID(), true)
-	conn, err := dbus.NewSystemConnectionContext(context.Background())
+	log.G(ctx).Infof("DEBUG: Starting timer for unit: %s, rootless=%v", hcName, rootlessutil.IsRootless())
+
+	var conn *dbus.Conn
+	var err error
+	if rootlessutil.IsRootless() {
+		log.G(ctx).Infof("DEBUG: Attempting user DBUS connection...")
+		conn, err = dbus.NewUserConnectionContext(ctx)
+	} else {
+		log.G(ctx).Infof("DEBUG: Attempting system DBUS connection...")
+		conn, err = dbus.NewSystemConnectionContext(ctx)
+	}
 	if err != nil {
+		log.G(ctx).Errorf("DEBUG: DBUS connection failed: %v", err)
 		return fmt.Errorf("systemd DBUS connect error: %w", err)
 	}
 	defer conn.Close()
+	log.G(ctx).Infof("DEBUG: DBUS connection successful")
 
 	startChan := make(chan string)
 	unit := hcName + ".service"
+	log.G(ctx).Infof("DEBUG: About to restart unit: %s", unit)
+
 	if _, err := conn.RestartUnitContext(context.Background(), unit, "fail", startChan); err != nil {
+		log.G(ctx).Errorf("DEBUG: RestartUnitContext failed: %v", err)
 		return err
 	}
+
+	log.G(ctx).Infof("DEBUG: Waiting for restart confirmation...")
 	if msg := <-startChan; msg != "done" {
+		log.G(ctx).Errorf("DEBUG: Unexpected restart result: %s", msg)
 		return fmt.Errorf("unexpected systemd restart result: %s", msg)
 	}
+
+	log.G(ctx).Infof("DEBUG: StartTimer completed successfully")
 	return nil
 }
 
@@ -115,44 +144,6 @@ func RemoveTransientHealthCheckFiles(ctx context.Context, container containerd.C
 	return ForceRemoveTransientHealthCheckFiles(ctx, container.ID())
 }
 
-// RemoveTransientHealthCheckFilesByID stops and cleans up the transient timer and service using just the container ID.
-// This function is deprecated and no longer used. Use ForceRemoveTransientHealthCheckFiles instead.
-/*
-func RemoveTransientHealthCheckFilesByID(ctx context.Context, containerID string) error {
-	log.G(ctx).Debugf("Removing healthcheck timer unit: %s", containerID)
-
-	conn, err := dbus.NewSystemConnectionContext(context.Background())
-	if err != nil {
-		return fmt.Errorf("systemd DBUS connect error: %w", err)
-	}
-	defer conn.Close()
-
-	unitName := hcUnitName(containerID, true)
-	timer := unitName + ".timer"
-	service := unitName + ".service"
-
-	// Stop timer
-	tChan := make(chan string)
-	if _, err := conn.StopUnitContext(context.Background(), timer, "ignore-dependencies", tChan); err == nil {
-		if msg := <-tChan; msg != "done" {
-			log.G(ctx).Warnf("timer stop message: %s", msg)
-		}
-	}
-
-	// Stop service
-	sChan := make(chan string)
-	if _, err := conn.StopUnitContext(context.Background(), service, "ignore-dependencies", sChan); err == nil {
-		if msg := <-sChan; msg != "done" {
-			log.G(ctx).Warnf("service stop message: %s", msg)
-		}
-	}
-
-	// Reset failed units
-	_ = conn.ResetFailedUnitContext(context.Background(), service)
-	return nil
-}
-*/
-
 // ForceRemoveTransientHealthCheckFiles forcefully stops and cleans up the transient timer and service
 // using just the container ID. This function is non-blocking and uses timeouts to prevent hanging
 // on systemd operations. It logs errors as warnings but continues cleanup attempts.
@@ -174,7 +165,13 @@ func ForceRemoveTransientHealthCheckFiles(ctx context.Context, containerID strin
 	go func() {
 		defer close(errChan)
 
-		conn, err := dbus.NewSystemConnectionContext(timeoutCtx)
+		var conn *dbus.Conn
+		var err error
+		if rootlessutil.IsRootless() {
+			conn, err = dbus.NewUserConnectionContext(ctx)
+		} else {
+			conn, err = dbus.NewSystemConnectionContext(ctx)
+		}
 		if err != nil {
 			log.G(ctx).Warnf("systemd DBUS connect error during force cleanup: %v", err)
 			errChan <- fmt.Errorf("systemd DBUS connect error: %w", err)
@@ -300,10 +297,10 @@ func shouldSkipHealthCheckSystemd(hc *Healthcheck) bool {
 		return true
 	}
 
-	// Skip healthchecks in rootless environments to avoid systemd DBUS permission issues
-	if rootlessutil.IsRootless() {
-		return true
-	}
+	// Skip healthchecks in environments without dbus-launch to avoid permission issues
+	// if _, err := exec.LookPath("dbus-launch"); err != nil {
+	// 	return true
+	// }
 
 	// Don't proceed if health check is nil, empty, explicitly NONE or interval is 0.
 	if hc == nil || len(hc.Test) == 0 || hc.Test[0] == "NONE" || hc.Interval == 0 {

test-dbus-debug.md

@@ -0,0 +1,86 @@
+# DBUS Debugging Test Plan
+
+## What We Added
+
+### 1. GitHub Workflow Debugging (.github/workflows/job-test-in-container.yml)
+- Added a new step "Debug: DBUS availability in container" before running integration tests
+- Checks DBUS tool availability, binary locations, systemd tools, environment variables, and package info
+- Runs in the same container that will execute the tests
+
+### 2. Rootless Test Script Debugging (Dockerfile.d/test-integration-rootless.sh)
+- Added debugging as ROOT user before switching to rootless
+- Added debugging as ROOTLESS user after SSH switch
+- Added debugging AFTER containerd-rootless-setuptool.sh setup
+- Checks DBUS tools, environment variables, systemd status, and DBUS connectivity
+
+## Expected Output
+
+When the CI runs, we should see:
+
+### Container Level (from GitHub workflow):
+```
+=== DBUS Debugging in Container ===
+--- DBUS Tools Availability ---
+/usr/bin/dbus-launch
+/usr/bin/dbus-daemon
+/usr/bin/dbus-send
+/usr/bin/dbus-monitor
+/usr/bin/systemd-run
+--- DBUS Binaries Location ---
+-rwxr-xr-x 1 root root ... /usr/bin/dbus-launch
+-rwxr-xr-x 1 root root ... /usr/bin/dbus-daemon
+...
+--- Package Info ---
+dbus 1.14.10-4ubuntu4.1
+systemd 255.4-1ubuntu8.4
+...
+```
+
+### Root User Level:
+```
+=== DBUS Debugging as ROOT ===
+--- DBUS Tools Availability (root) ---
+/usr/bin/dbus-launch
+/usr/bin/systemd-run
+...
+--- Environment (root) ---
+PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+USER: root
+UID: 0
+DBUS_SESSION_BUS_ADDRESS: unset
+XDG_RUNTIME_DIR: unset
+```
+
+### Rootless User Level:
+```
+=== DBUS Debugging as ROOTLESS USER ===
+--- DBUS Tools Availability (rootless) ---
+/usr/bin/dbus-launch
+/usr/bin/systemd-run
+...
+--- Environment (rootless) ---
+PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+USER: rootless
+UID: 1000
+DBUS_SESSION_BUS_ADDRESS: unset
+XDG_RUNTIME_DIR: /run/user/1000
+```
+
+## What This Will Tell Us
+
+1. **Are DBUS tools installed?** - We'll see if dbus-launch, dbus-daemon, etc. are available
+2. **Are they in PATH?** - We'll see the exact paths and verify accessibility
+3. **Environment differences** - Compare root vs rootless environment setup
+4. **Systemd user session status** - See if systemd --user works properly
+5. **DBUS connectivity** - Test if dbus-launch can establish connections
+6. **Setup impact** - See how containerd-rootless-setuptool.sh affects DBUS environment
+
+## Next Steps After Getting Debug Output
+
+Based on the debug output, we can:
+1. **If DBUS tools are missing**: Add them to the Dockerfile
+2. **If DBUS tools exist but fail**: Implement graceful fallback in healthcheck code
+3. **If environment is wrong**: Fix environment setup in test script
+4. **If systemd user session fails**: Implement proper session initialization
+
+This debugging will give us the exact information needed to solve the healthcheck timer failures in CI.