feat(snuba): healthcheck adjustments preparing for distroless #4352

Merged: aldy505 merged 7 commits into master from feat/snuba-distroless on May 28, 2026

oioki (Member) commented May 27, 2026

The snuba-api and consumer healthchecks shell out to /bin/bash, /bin/sh (via CMD-SHELL), and rm — none of which ship in the distroless snuba image. Setting SNUBA_IMAGE=ghcr.io/getsentry/snuba:nightly-distroless today produces:

OCI runtime exec failed: exec failed: ... "/bin/sh": no such file or directory

Replaces both healthchecks with Python scripts that use only python3 (already on PATH in both the regular and distroless image variants):

  • snuba/healthcheck/api.py — GETs /health and asserts the body contains "ok". Same semantics as the previous bash + /dev/tcp probe.
  • inline python script — deletes /tmp/health.txt, equivalent to the previous rm.

Both print a single-line stderr message on failure (e.g. snuba /health unreachable: [Errno 111] Connection refused) instead of a multi-line Python traceback, so docker inspect output stays readable while services are coming up.

Scripts are mounted via a single volumes: on x-snuba-defaults, so every snuba-* service inherits the mount automatically. The existing CA-cert override mechanism appends to the volumes list, so the two mounts coexist without conflict.

This was tested on our self-hosted instance, snuba-api and snuba-errors-consumer containers.

Benefits:

  1. Fewer packages => more secure
  2. Substantial decrease in image size:

     ghcr.io/getsentry/snuba:nightly              abe01615a1a7       1.25GB             0B
     ghcr.io/getsentry/snuba:nightly-distroless   5e219ac03d79        521MB             0B   U

  3. An extra benefit is that pythonic healthchecks produce human-readable responses, see at the bottom.

Cons:

  1. Here be dragons

snuba-api
$ docker inspect sentry-self-hosted-snuba-api-1 | jq -r '.[0].State.Health.Log'
[
  {
    "Start": "2026-05-28T09:49:06.850261615-07:00",
    "End": "2026-05-28T09:49:23.917876298-07:00",
    "ExitCode": 1,
    "Output": "snuba api unreachable at http://127.0.0.1:1218/health: [Errno 111] Connection refused\n"
  },
  {
    "Start": "2026-05-28T09:49:53.918966729-07:00",
    "End": "2026-05-28T09:49:59.879922084-07:00",
    "ExitCode": 1,
    "Output": "snuba api unreachable at http://127.0.0.1:1218/health: [Errno 111] Connection refused\n"
  },
  {
    "Start": "2026-05-28T09:50:29.882185641-07:00",
    "End": "2026-05-28T09:50:34.125341371-07:00",
    "ExitCode": 1,
    "Output": "snuba api unreachable at http://127.0.0.1:1218/health: [Errno 111] Connection refused\n"
  },
  {
    "Start": "2026-05-28T09:51:04.126660248-07:00",
    "End": "2026-05-28T09:51:04.486342517-07:00",
    "ExitCode": 0,
    "Output": ""
  },
  {
    "Start": "2026-05-28T09:51:34.487846543-07:00",
    "End": "2026-05-28T09:51:34.702643283-07:00",
    "ExitCode": 0,
    "Output": ""
  }
]

snuba-errors-consumer
$ docker inspect sentry-self-hosted-snuba-errors-consumer-1 | jq -r '.[0].State.Health.Log'
[
  {
    "Start": "2026-05-28T09:50:26.350838447-07:00",
    "End": "2026-05-28T09:50:29.240829374-07:00",
    "ExitCode": 1,
    "Output": "consumer heartbeat file missing: /tmp/health.txt\n"
  },
  {
    "Start": "2026-05-28T09:50:34.246044319-07:00",
    "End": "2026-05-28T09:50:40.073553928-07:00",
    "ExitCode": 1,
    "Output": "consumer heartbeat file missing: /tmp/health.txt\n"
  },
  {
    "Start": "2026-05-28T09:50:45.074577311-07:00",
    "End": "2026-05-28T09:50:45.750771059-07:00",
    "ExitCode": 1,
    "Output": "consumer heartbeat file missing: /tmp/health.txt\n"
  },
  {
    "Start": "2026-05-28T09:50:50.751778994-07:00",
    "End": "2026-05-28T09:50:51.063516212-07:00",
    "ExitCode": 1,
    "Output": "consumer heartbeat file missing: /tmp/health.txt\n"
  },
  {
    "Start": "2026-05-28T09:50:56.071875071-07:00",
    "End": "2026-05-28T09:50:56.422598864-07:00",
    "ExitCode": 0,
    "Output": ""
  }
]

Comment thread .env Outdated
SENTRY_TASKWORKER_CONCURRENCY=4
SENTRY_IMAGE=ghcr.io/getsentry/sentry:nightly
SNUBA_IMAGE=ghcr.io/getsentry/snuba:nightly
SNUBA_IMAGE=ghcr.io/getsentry/snuba:nightly-distroless
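
Review bot: keep the SNUBA_IMAGE default in .env at ghcr.io/getsentry/snuba:nightly rather than the :nightly-distroless tag. The description states that the new Python healthchecks run in both the regular and the distroless image, so the healthcheck change can land without switching every install to a different image; operators who want the smaller image can override SNUBA_IMAGE themselves.
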
Collaborator

Nope, this is going to be problematic, as the monthly release would become ghcr.io/getsentry/snuba:26.6.0-distroless, which may not exist.

Comment thread snuba/api_healthcheck.py Outdated
Comment on lines +17 to +18
URL = "http://127.0.0.1:1218/health"
TIMEOUT = 2
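
Review bot: TIMEOUT = 2 on line +18 does not say what unit it is in or how it relates to the timeout of the container healthcheck that runs this script. Add a short comment stating both, so a later change to either value does not let the probe be killed before it prints its one-line error.
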
Collaborator

It'd be best if these two are configurable through environment variables or other means. Editing the file here right away is a no-go, users shouldn't get into git conflict troubles.
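
The two healthchecks from the PR description, with the URL and timeout read from the environment as the review comment above asks, written here as an added example; it is not the code merged in this PR. The environment variable names SNUBA_HEALTHCHECK_URL and SNUBA_HEALTHCHECK_TIMEOUT, the clamping bounds, the scheme check and the function names are assumptions made for the example.

```python
import os
import sys
import urllib.request

# Defaults come from the reviewed snippet; the env var names are hypothetical.
DEFAULT_URL = "http://127.0.0.1:1218/health"
DEFAULT_TIMEOUT = 2.0


def load_settings(env):
    """Read URL and timeout (seconds) from env; bad input falls back."""
    url = env.get("SNUBA_HEALTHCHECK_URL", DEFAULT_URL)
    try:
        timeout = float(env.get("SNUBA_HEALTHCHECK_TIMEOUT", DEFAULT_TIMEOUT))
    except ValueError:
        timeout = DEFAULT_TIMEOUT
    # Clamp so a typo cannot make the probe hang far past Docker's timeout.
    return url, min(max(timeout, 0.1), 30.0)


def check_api(url, timeout):
    """Return (exit_code, one_line_message); 0 when the body contains 'ok'."""
    # urlopen also accepts file:// and ftp://, so pin the scheme first.
    if not url.startswith(("http://", "https://")):
        return 1, f"snuba api healthcheck refuses non-HTTP URL: {url}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except Exception as exc:  # any failure is "unhealthy", never a traceback
        return 1, f"snuba api unreachable at {url}: {getattr(exc, 'reason', exc)}"
    if "ok" not in body:
        return 1, f"snuba api unhealthy at {url}: unexpected body"
    return 0, ""


def check_heartbeat(path="/tmp/health.txt"):
    """Delete the consumer's heartbeat file; a missing file means unhealthy."""
    try:
        os.remove(path)
    except OSError as exc:
        if isinstance(exc, FileNotFoundError):
            return 1, f"consumer heartbeat file missing: {path}"
        return 1, f"consumer heartbeat file not removable: {exc}"
    return 0, ""


if __name__ == "__main__":
    _, message = check_api(*load_settings(os.environ))
    sys.exit(message or 0)  # a string is printed to stderr with exit status 1
```

Passing the message string to sys.exit keeps the failure output to a single stderr line, which is what shows up in the Output field of docker inspect.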

oioki changed the title from "feat(snuba): switch to distroless + healthcheck adjustments" to "feat(snuba): healthcheck adjustments preparing for distroless" on May 28, 2026
cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Reviewed by Cursor Bugbot for commit 2503d4e.

oioki requested a review from aldy505 on May 28, 2026 13:07

aldy505 merged commit f33377e into master on May 28, 2026 (20 checks passed)

aldy505 deleted the feat/snuba-distroless branch on May 28, 2026 15:29

oioki (Member, Author) commented May 28, 2026

Tested on our self-hosted instance by switching snuba tag from :nightly to :nightly-distroless in .env file, all snuba components are "healthy".
