🐛 fix(healthcheck): restore curl compatibility and deprecation schedule (#287)

Author: s-b-e-n-s-o-n

CHANGELOG.md

@@ -10,6 +10,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- **Custom healthcheck backward compatibility restored** — The built-in `/bin/healthcheck` remains the default image probe and now handles TLS backends, while `curl` is again present in the Docker image for user-defined custom `healthcheck:` overrides during the v1.5.x deprecation window. v1.6.0 is the final warning release, and removal is now scheduled for v1.7.0. ([Discussion #287](https://github.com/CodesWhat/drydock/discussions/287))
+
 ## [1.5.0-rc.7] — 2026-04-08
 
 ### Added
@@ -145,7 +149,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Centralized rollback container guard** — `-old-{timestamp}` container rejection moved from Docker trigger to base Trigger class, covering all trigger types.
 - **Container list query internals modularized** — Extracted query-validation logic and split tests by concern.
 - **Container list filtering performance** — Status/kind filters avoid unnecessary full-collection loads; age/created sorting precomputes values.
-- **Healthcheck execution path optimized** — Default HEALTHCHECK probe replaced with a 65KB static C binary (`/bin/healthcheck`). curl is retained for backward compatibility with user-defined HEALTHCHECK overrides and will be removed in v1.6.0.
+- **Healthcheck execution path optimized** — Default HEALTHCHECK probe replaced with a 65KB static C binary (`/bin/healthcheck`). curl is retained for backward compatibility with user-defined HEALTHCHECK overrides during the deprecation window and is now scheduled for removal in v1.7.0, with v1.6.0 as the final warning release.
 - **Watcher event logging noise reduced** — First event-stream reconnect downgraded from `warn` to `info`.
 - **CI workflows renamed** — Dropped numeric prefixes from workflow filenames for clarity.
 - **Smoke load test profile removed** — Replaced with the ci profile for meaningful regression detection.

DEPRECATIONS.md

@@ -116,12 +116,12 @@ Legacy `WUD_*` environment variables are accepted as fallbacks for their `DD_*`
 | | |
 | --- | --- |
 | **Deprecated in** | v1.5.0 |
-| **Removed in** | v1.6.0 |
+| **Removed in** | v1.7.0 |
 | **Affects** | Custom `healthcheck:` overrides in compose files that use `curl` |
 
-The official Docker image previously included `curl` for custom healthcheck overrides. The built-in `HEALTHCHECK` now uses a lightweight static binary (`/bin/healthcheck`).
+The official Docker image keeps `curl` available in v1.5.x and v1.6.x for backward compatibility with custom healthcheck overrides. The default built-in `HEALTHCHECK` uses the lightweight static binary (`/bin/healthcheck`) instead.
 
-**Migration:** Remove custom `healthcheck:` blocks from your drydock compose service — the image handles it automatically. If you need custom intervals, use `test: /bin/healthcheck ${DD_SERVER_PORT:-3000}`. See [Monitoring](https://getdrydock.com/docs/monitoring).
+**Migration:** Custom `curl`-based healthcheck overrides remain supported in v1.5.x. v1.6.0 is the final warning release. Removal is scheduled for v1.7.0. Prefer the built-in image healthcheck, or switch custom intervals to `test: /bin/healthcheck ${DD_SERVER_PORT:-3000}`. See [Monitoring](https://getdrydock.com/docs/monitoring).
 
 ---
 

Dockerfile

@@ -17,6 +17,7 @@ HEALTHCHECK --interval=30s --timeout=5s CMD ["sh", "-c", "if [ -n \"$DD_SERVER_E
 # Install system packages, trivy, and cosign
 RUN apk add --no-cache \
     bash=5.3.3-r1 \
+    curl=8.14.1-r2 \
     git=2.52.0-r0 \
     jq=1.8.1-r0 \
     openssl=3.5.5-r0 \
@@ -70,11 +71,11 @@ ENV DD_LOG_FORMAT=text
 
 # Remove unnecessary network utilities (busybox symlinks) and npm to reduce attack surface.
 # curl is kept for backward compatibility with user-defined HEALTHCHECK overrides;
-# it will be removed in v1.6.0 — use the built-in /bin/healthcheck binary instead.
+# v1.6.0 is the final warning release, and removal is scheduled for v1.7.0.
 RUN rm -f /usr/bin/wget /usr/bin/nc \
     && rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 
-# Copy healthcheck binary (65KB static, replaces curl for HEALTHCHECK probe)
+# Copy healthcheck binary (65KB static, default HEALTHCHECK probe)
 COPY --from=healthcheck-build /bin/healthcheck /bin/healthcheck
 
 # Default entrypoint
@@ -90,4 +91,4 @@ COPY --from=app-build /home/node/app/dist ./dist
 COPY --from=app-build /home/node/app/package.json ./package.json
 
 # Copy ui
-COPY --from=ui-build /home/node/ui/dist/ ./ui
+COPY --from=ui-build /home/node/ui/dist/ ./ui

app/api/openapi/schemas.ts

@@ -191,6 +191,15 @@ export const openApiSchemas = {
     required: ['total', 'env', 'label'],
     additionalProperties: false,
   },
+  CurlHealthcheckOverrideCompatibility: {
+    type: 'object',
+    properties: {
+      detected: { type: 'boolean' },
+      commandPreview: { type: 'string' },
+    },
+    required: ['detected'],
+    additionalProperties: false,
+  },
   ServerInfoResponse: {
     type: 'object',
     properties: {
@@ -213,8 +222,11 @@ export const openApiSchemas = {
         type: 'object',
         properties: {
           legacyInputs: { $ref: '#/components/schemas/LegacyInputSummary' },
+          curlHealthcheckOverride: {
+            $ref: '#/components/schemas/CurlHealthcheckOverrideCompatibility',
+          },
         },
-        required: ['legacyInputs'],
+        required: ['legacyInputs', 'curlHealthcheckOverride'],
         additionalProperties: true,
       },
     },

app/api/server.test.ts

@@ -30,6 +30,12 @@ vi.mock('../prometheus/compatibility.js', () => ({
   })),
 }));
 
+vi.mock('../compatibility/curl-healthcheck.js', () => ({
+  getCurlHealthcheckOverrideCompatibility: vi.fn(async () => ({
+    detected: false,
+  })),
+}));
+
 // Mock express modules
 vi.mock('express', () => ({
   default: {
@@ -60,6 +66,9 @@ describe('Server Router', () => {
 
   test('should call getServerConfiguration when route handler is called', async () => {
     const { getServerConfiguration } = await import('../configuration/index.js');
+    const { getCurlHealthcheckOverrideCompatibility } = await import(
+      '../compatibility/curl-healthcheck.js'
+    );
     const router = serverRouter.init();
 
     // Get the route handler function
@@ -69,9 +78,10 @@ describe('Server Router', () => {
       json: vi.fn(),
     };
 
-    routeHandler({}, mockRes);
+    await routeHandler({}, mockRes);
 
     expect(getServerConfiguration).toHaveBeenCalled();
+    expect(getCurlHealthcheckOverrideCompatibility).toHaveBeenCalled();
     expect(mockRes.status).toHaveBeenCalledWith(200);
     expect(mockRes.json).toHaveBeenCalledWith({
       configuration: {
@@ -88,6 +98,9 @@ describe('Server Router', () => {
           env: { total: 1, keys: ['WUD_SERVER_PORT'] },
           label: { total: 2, keys: ['wud.watch'] },
         },
+        curlHealthcheckOverride: {
+          detected: false,
+        },
       },
     });
   });
@@ -113,7 +126,7 @@ describe('Server Router', () => {
       json: vi.fn(),
     };
 
-    routeHandler({}, mockRes);
+    await routeHandler({}, mockRes);
 
     const payload = mockRes.json.mock.calls[0][0];
     expect(payload.configuration.tls).toEqual({
@@ -140,7 +153,7 @@ describe('Server Router', () => {
       json: vi.fn(),
     };
 
-    routeHandler({}, mockRes);
+    await routeHandler({}, mockRes);
 
     const payload = mockRes.json.mock.calls[0][0];
     expect(payload.configuration.tls).toBe(false);

app/api/server.ts

@@ -1,5 +1,6 @@
 import express from 'express';
 import nocache from 'nocache';
+import { getCurlHealthcheckOverrideCompatibility } from '../compatibility/curl-healthcheck.js';
 import { getServerConfiguration, getWebhookConfiguration } from '../configuration/index.js';
 import logger from '../log/index.js';
 import { sanitizeLogParam } from '../log/sanitize.js';
@@ -15,9 +16,10 @@ const log = logger.child({ component: 'server' });
  * @param req
  * @param res
  */
-function getServer(req, res) {
+async function getServer(req, res) {
   const serverConfig = getServerConfiguration();
   const webhookConfig = getWebhookConfiguration();
+  const curlHealthcheckOverride = await getCurlHealthcheckOverrideCompatibility();
   const { tls, ...serverConfigWithoutTls } = serverConfig;
   const sanitizedTlsConfig =
     tls && typeof tls === 'object'
@@ -34,6 +36,7 @@ function getServer(req, res) {
     },
     compatibility: {
       legacyInputs: getLegacyInputSummary(),
+      curlHealthcheckOverride,
     },
   });
 }

app/compatibility/curl-healthcheck.test.ts

@@ -0,0 +1,107 @@
+const mockExistsSync = vi.hoisted(() => vi.fn());
+const mockProbeSocketApiVersion = vi.hoisted(() => vi.fn());
+const mockDisableSocketRedirects = vi.hoisted(() => vi.fn());
+const mockInspect = vi.hoisted(() => vi.fn());
+const mockGetContainer = vi.hoisted(() => vi.fn(() => ({ inspect: mockInspect })));
+const mockDockerode = vi.hoisted(() =>
+  vi.fn(function MockDockerode() {
+    return {
+      getContainer: mockGetContainer,
+    };
+  }),
+);
+
+vi.mock('node:fs', () => ({
+  default: {
+    existsSync: (...args: unknown[]) => mockExistsSync(...args),
+  },
+}));
+
+vi.mock('dockerode', () => ({
+  default: mockDockerode,
+}));
+
+vi.mock('../watchers/providers/docker/socket-version-probe.js', () => ({
+  probeSocketApiVersion: (...args: unknown[]) => mockProbeSocketApiVersion(...args),
+}));
+
+vi.mock('../watchers/providers/docker/disable-socket-redirects.js', () => ({
+  disableSocketRedirects: (...args: unknown[]) => mockDisableSocketRedirects(...args),
+}));
+
+describe('curl healthcheck compatibility', () => {
+  const originalHostname = process.env.HOSTNAME;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    process.env.HOSTNAME = 'drydock-self';
+    mockExistsSync.mockReturnValue(true);
+    mockProbeSocketApiVersion.mockResolvedValue('1.44');
+    mockInspect.mockResolvedValue({
+      Config: {
+        Healthcheck: {
+          Test: ['CMD-SHELL', 'curl --fail http://localhost:3000/health || exit 1'],
+        },
+      },
+    });
+  });
+
+  afterAll(() => {
+    if (originalHostname === undefined) {
+      delete process.env.HOSTNAME;
+    } else {
+      process.env.HOSTNAME = originalHostname;
+    }
+  });
+
+  test('detects a custom curl healthcheck override on the current container', async () => {
+    const { getCurlHealthcheckOverrideCompatibility } = await import('./curl-healthcheck.js');
+
+    const result = await getCurlHealthcheckOverrideCompatibility();
+
+    expect(result).toEqual({
+      detected: true,
+      commandPreview: 'CMD-SHELL curl --fail http://localhost:3000/health || exit 1',
+    });
+    expect(mockDockerode).toHaveBeenCalledWith({
+      socketPath: '/var/run/docker.sock',
+      version: 'v1.44',
+    });
+    expect(mockGetContainer).toHaveBeenCalledWith(expect.any(String));
+    expect(mockDisableSocketRedirects).toHaveBeenCalled();
+  });
+
+  test('returns not detected when hostname is not a valid container identifier', async () => {
+    const { getCurlHealthcheckOverrideCompatibility } = await import('./curl-healthcheck.js');
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'pod/name';
+
+    try {
+      await expect(getCurlHealthcheckOverrideCompatibility()).resolves.toEqual({
+        detected: false,
+      });
+      expect(mockDockerode).not.toHaveBeenCalled();
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('returns not detected when the healthcheck does not use curl', async () => {
+    mockInspect.mockResolvedValue({
+      Config: {
+        Healthcheck: {
+          Test: ['CMD', '/bin/healthcheck', '3000'],
+        },
+      },
+    });
+    const { getCurlHealthcheckOverrideCompatibility } = await import('./curl-healthcheck.js');
+
+    await expect(getCurlHealthcheckOverrideCompatibility()).resolves.toEqual({
+      detected: false,
+    });
+  });
+});

app/compatibility/curl-healthcheck.ts

@@ -0,0 +1,92 @@
+import fs from 'node:fs';
+import Dockerode from 'dockerode';
+import { disableSocketRedirects } from '../watchers/providers/docker/disable-socket-redirects.js';
+import { probeSocketApiVersion } from '../watchers/providers/docker/socket-version-probe.js';
+
+const DEFAULT_SOCKET_PATH = '/var/run/docker.sock';
+const SELF_CONTAINER_IDENTIFIER_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/;
+const CURL_HEALTHCHECK_PATTERN = /(^|[\s"'`])(?:\/usr\/bin\/)?curl(?=$|[\s"'`])/i;
+const COMMAND_PREVIEW_MAX_LENGTH = 160;
+
+type HealthcheckInspect = {
+  Config?: {
+    Healthcheck?: {
+      Test?: unknown;
+    };
+  };
+};
+
+export interface CurlHealthcheckOverrideCompatibility {
+  detected: boolean;
+  commandPreview?: string;
+}
+
+export function getSelfContainerIdentifier(hostname = process.env.HOSTNAME): string | null {
+  const normalizedHostname = hostname?.trim();
+  if (!normalizedHostname || !SELF_CONTAINER_IDENTIFIER_PATTERN.test(normalizedHostname)) {
+    return null;
+  }
+  return normalizedHostname;
+}
+
+export function getHealthcheckCommandPreview(test: unknown): string | undefined {
+  if (!Array.isArray(test) || test.length === 0) {
+    return undefined;
+  }
+
+  const command = test
+    .filter((part): part is string => typeof part === 'string' && part.trim().length > 0)
+    .join(' ')
+    .trim();
+
+  if (!command) {
+    return undefined;
+  }
+
+  if (command.length <= COMMAND_PREVIEW_MAX_LENGTH) {
+    return command;
+  }
+
+  return `${command.slice(0, COMMAND_PREVIEW_MAX_LENGTH - 1)}…`;
+}
+
+export function usesCurlHealthcheckOverride(test: unknown): boolean {
+  const command = getHealthcheckCommandPreview(test);
+  return typeof command === 'string' && CURL_HEALTHCHECK_PATTERN.test(command);
+}
+
+export async function getCurlHealthcheckOverrideCompatibility(): Promise<CurlHealthcheckOverrideCompatibility> {
+  const selfContainerIdentifier = getSelfContainerIdentifier();
+  if (!selfContainerIdentifier || !fs.existsSync(DEFAULT_SOCKET_PATH)) {
+    return { detected: false };
+  }
+
+  try {
+    const apiVersion = await probeSocketApiVersion(DEFAULT_SOCKET_PATH);
+    const dockerOptions: Dockerode.DockerOptions = {
+      socketPath: DEFAULT_SOCKET_PATH,
+    };
+    if (apiVersion) {
+      dockerOptions.version = `v${apiVersion}`;
+    }
+
+    const dockerApi = new Dockerode(dockerOptions);
+    disableSocketRedirects(dockerApi);
+
+    const inspect = (await dockerApi
+      .getContainer(selfContainerIdentifier)
+      .inspect()) as HealthcheckInspect;
+    const healthcheckTest = inspect?.Config?.Healthcheck?.Test;
+
+    if (!usesCurlHealthcheckOverride(healthcheckTest)) {
+      return { detected: false };
+    }
+
+    return {
+      detected: true,
+      commandPreview: getHealthcheckCommandPreview(healthcheckTest),
+    };
+  } catch {
+    return { detected: false };
+  }
+}