HEALTHCHECK Instructions? #915
Comments
Can't see what health checks have got to do with security hardening. They are an operations feature to ensure your application is running. Unless they think that your application not running may have been caused by hackers and so qualifies somehow as a security event. Also be aware that defining health checks in a container image itself only really pertains to Docker's container run time. They aren't used by other container platforms such as Kubernetes. In Kubernetes health checks are defined in the separate deployment configuration of Kubernetes where they more rightly belong. So not sure if it really belongs in the container image itself. It should be really part of how you deploy things in the container platform. |
Thanks @GrahamDumpleton, that's fair enough. Thanks for the feedback. FYI, below is the "rationale" from the CISP guideline: An important security control is that of availability. Adding the HEALTHCHECK instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. |
Hello @rwmajor2

It's a late answer; however, I hope it could be useful to someone.

Standard HTTP probe

As far as I know there is currently no specific "health" endpoint available on Jupyter; it seems to be confirmed by this issue jupyter/notebook#1857.

```
# I'm using wget since curl is not available
HEALTHCHECK CMD wget -q --spider http://127.0.0.1:8888 > /dev/null || exit 1
```

This will always return

```
$ wget -q --spider http://127.0.0.1:8888/
# [W 12:07:40.913 NotebookApp] 405 HEAD / (127.0.0.1) 0.72ms referer=None
$ echo $?
# 8
```

An alternative

As an alternative it's possible to check if the Jupyter process is running through

```
HEALTHCHECK CMD pgrep "jupyter" > /dev/null || exit 1
```

Here is the result

```
$ docker ps
# CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
# 162adb12d75d jupyter/base-notebook "tini -g -- start-no…" 29 seconds ago Up 28 seconds (health: starting) 0.0.0.0:8888->8888/tcp vibrant_agnesi
$ docker ps
# CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
# 162adb12d75d jupyter/base-notebook "tini -g -- start-no…" 34 seconds ago Up 33 seconds (healthy) 0.0.0.0:8888->8888/tcp vibrant_agnesi
```

You can change the Hope it helps. Please tell us if this is the case. |
We used to do |
I think this is actually possible in a reliable way! jupyter/notebook#1857 (comment) It should be something like this: I checked that Also, I'm not sure we should add this to our docker files at this point - people might be using a custom command, which does not actually launch a jupyter subcommand. |
Ah, so |
Thanks, fixed 👍 |
This change doesn't seem to work when the image is used in Jupyter Hub. The URL used in the health check fails with a 404. |
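
The two probe failures reported in this thread, a HEAD request answered with 405 and a GET answered with 404, can be reproduced and told apart with a small probe script. This is an added example, not code from the thread or from docker-stacks: the stub server, the `/user/alice/` prefix (assumed here to model a server that only answers under a URL prefix, as under a hub) and the `HEALTH_URL` / `HEALTH_PREFIX` variable names are assumptions made for illustration.

```python
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# A local probe must never be routed through a proxy taken from the environment.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base, prefix="/", method="GET", timeout=3):
    """Return the HTTP status of base + prefix, or 0 when nothing answers."""
    url = base.rstrip("/") + "/" + prefix.lstrip("/")
    req = urllib.request.Request(url, method=method)
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # the server answered with 4xx/5xx
        return err.code
    except OSError:  # refused, timed out, unreachable (URLError is an OSError)
        return 0

def healthy(status):
    return 200 <= status < 400

class _Stub(BaseHTTPRequestHandler):
    """Constructed stand-in: answers GET only under /user/alice/, HEAD with 405."""
    def do_GET(self):
        self.send_response(200 if self.path.startswith("/user/alice/") else 404)
        self.end_headers()
    def do_HEAD(self):
        self.send_response(405)
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    seen = {"head": probe(base, "/user/alice/", "HEAD"),
            "get_root": probe(base, "/"),
            "get_prefix": probe(base, "/user/alice/")}
    srv.shutdown()
    srv.server_close()
    return seen

if __name__ == "__main__":
    base = os.environ.get("HEALTH_URL", "http://127.0.0.1:8888")  # hypothetical names
    raise SystemExit(0 if healthy(probe(base, os.environ.get("HEALTH_PREFIX", "/"))) else 1)
```

Run with no arguments as the health check command, the script exits 0 when the server answers a GET with a status below 400 and 1 otherwise.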
I have a general question. We base some of our Docker images on the Docker-stacks Dockerfiles. We are following CISP Docker Security hardening guidelines and one of the checklist items is:
Can anyone provide any suggestions on what this is and how we may implement it in docker-stacks? According to Docker help documentation, a HEALTHCHECK might be something like:
Thoughts?
@GrahamDumpleton