Don’t exactly know what the problem is, but it seems that healthcheck curl commands to https://example.com/ currently fail, probably because of a ssl failure. This causes container that rely on this to fail. Just wanted to let you guys know.
You must log in or # to comment.
Wat? Why are people health checking their containers by curl’ing example.com and not the service actually running in the container? Did they not understand that they’re supposed to change the curl URL to point at their actual service?
I honestly didn’t know this was the case. Still learning on this journey of self hosting. What exactly do I use for the health check then?
Still learning on this journey of self hosting
No worries mate. I bet if we all posted some of the boners even seasoned selfhosters have pulled, it would make a hilarious book for nerds and geeks. Sometimes I think, ‘gosh I sure am glad there wasn’t anyone around to see that!’
The purpose of the health check is to allow docker itself to talk to whatever service is running on the container to make sure it’s always responding happily, connected to everything it needs to be connected to for proper operation, and is not overloaded or stuck somehow.
Docker does this by pretending to be a web browser, and going to the specified “health check URL”. The key thing I think you’re missing here is that the health check URL is supposed to be a URL that, ideally, runs on your container and does some meaningful checks on the health of your service, or at the very least, proves that when you connect to it, it is able to serve up a working static page or login page or something (which doesn’t actually prove it’s working completely, but is often good enough)
Now, you’re probably wondering why this isn’t automatic, and the answer is because there’s no standard “health check URL” that fits all services. Not all services even respond to URLs at all, and the ones that do may have different URLs for their health checks, they may need different hostnames to be used, etc.
By setting health check URL to example.com, basically what you’re doing is constantly testing whether the real-world website https://example.com/ way over there somewhere is working, and as long as it is, docker assumes your container is fine. Which it might be, or it might not be, it has no idea and you have no idea, because it’s not even attempting to connect to the container at all, it’s going to the URL you specified, which is way out there on the internet somewhere, and this effectively does nothing useful for you.
It’s understandable why you probably thought this made sense, that it was testing network connectivity or something, but that is not the purpose of the health check URL, and if you don’t have a meaningful URL to check, you can probably just omit or disable the healthcheck in this case. Docker only uses it to decide if it needs to restart the container or alert you of the failure.
Thank you so much for your detailed answer. That brought me up to speed. I just never questioned it and, as you said, assumed that it was to test network connectivity.
It also finally explains the issues with those containers I kept having every few months. It always fixed itself before I had the time to actually look into it, but it has always been bugging me. This time I was able to actually catch it.
I’ll update the health checks to the proper URL im using, or should I use localhost:port?
Anyway, thanks again!
If the container you’re hosting has a http web service on say port 8080, then you’d want to curl something at http://localhost:8080/. The particular URL/path you hit will depend on the app. If the app is particularly cloud-y, it might even have a specific endpoint for health checking by a container platform. If you share the name of the app I might be able to point you in the right direction.
Ah, that makes sense, thanks for clearing it up for me. It’s several containers but now that I know what I’m looking for, I’ll be able to figure it out. I was just living in blissful ignorance until now.
I mean, this is exactly why example.com exists. But I bet ICANN didn’t expect this level of meta abstraction to the absurdity. 😅
We provide a web service on the example domain hosts to provide basic information on the purpose of the domain. These web services are provided as best effort, but are not designed to support production applications. While incidental traffic for incorrectly configured applications is expected, please do not design applications that require the example domains to have operating HTTP service.
Why are you relying on example.com as a health check? To be really blunt about it, if you’re using it then you’ve misconfigured your stuff.
From their docs:
These web services are provided as best effort, but are not designed to support production applications. While incidental traffic for incorrectly configured applications is expected, please do not design applications that require the example domains to have operating HTTP service.
Example.com recently had an issue where its traffic was found being routed to the wrong place (its traffic should get discarded).
I use it for email accounts on test data in environments with a live mail server configured. The point of this domain is that it doesn’t work.
The certificate of example.com refreshed just a few hours ago, if verification fails on your system check your clock (do time and timezone match?)
Yeah saw that and checked the time, both on the host and container. Both are accurate.
I fixed a test site earlier this week, where someone had decided to test against these for their docker CI.
example.org had an invalid certificate chain.
lol
good one
