T6686: adds container health checks

[nvollmar]

Change summary

Adds config options for container health checks

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

https://vyos.dev/T6686

Related PR(s)

• T6686: adds container health check documentation vyos-documentation#1682

How to test / Smoketest result

vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_container.py
test_api_socket (__main__.TestContainer.test_api_socket) ... ok
test_basic (__main__.TestContainer.test_basic) ... ok
test_cpu_limit (__main__.TestContainer.test_cpu_limit) ... ok
test_dual_stack_network (__main__.TestContainer.test_dual_stack_network) ... ok
test_healthcheck (__main__.TestContainer.test_healthcheck) ... ok
test_ipv4_network (__main__.TestContainer.test_ipv4_network) ... ok
test_ipv6_network (__main__.TestContainer.test_ipv6_network) ... ok
test_name_server (__main__.TestContainer.test_name_server) ... ok
test_network_mtu (__main__.TestContainer.test_network_mtu) ... ok
test_no_name_server (__main__.TestContainer.test_no_name_server) ... ok
test_uid_gid (__main__.TestContainer.test_uid_gid) ... ok

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[github-actions]

👍
No issues in PR Title / Commit Title

[nvollmar]

I have read the CLA Document and I hereby sign the CLA

[nvollmar]

@c-po @sever-sever This would be ready for a review

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[sever-sever]

@nvollmar rebase please and fix conflicts

<<<<<<< T6686
    return f'{container_base_cmd} {healthcheck} --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip()
=======
        addr_info = ''.join(container_config['network'][network]['address'])

    mac_address = f'--mac-address {gen_mac(name, addr_info, host_ident)}'

    return f'{container_base_cmd} --no-healthcheck --net {networks} {ip_param} {mac_address} {entrypoint} {image} {command} {command_arguments}'.strip()
>>>>>>> current

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[nvollmar]

@sever-sever rebased

[sever-sever]

CI cannot build the packet

 dpkg-buildpackage: info: host architecture amd64
dpkg-checkbuilddeps: error: Unmet build dependencies: python3-nose
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)

Could you rebase, please?

[sever-sever]

The default behaviour is changed,
If we do not have any health-check option, we used --no-healthcheck, but now it will be ''

[nvollmar]

The issue here is, the --no-healthcheck was only added when using container networking, when host networking was used (see line 491) it wasn't.
So far I never encountered a container which defined health checks in the image by itself. I'd argue changing the default behaviour here to make it consistent regardless of which networking is used would be preferable.

[github-actions]

CI integration ❌ failed!

Details

CI logs

• CLI Smoketests (no interfaces) ❌ failed
• CLI Smoketests VPP 👍 passed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests 👍 passed
• Config tests VPP 👍 passed
• RAID1 tests 👍 passed
• TPM tests 👍 passed

[c-po]

Suggested change

	<leafNode name="disable">
	<properties>
	<help>Disable health check if container has one defined</help>
	<valueless/>
	</properties>
	</leafNode>
	#include <include/generic-disable-node.xml.i>

We have a generic XML building block for the disable CLI option.

[c-po]

An interval that is not defined on the CLI should count as disabled

[nvollmar]

The situation is a bit more complex. Container can define health checks including intervals etc. Podman by default will run them as defined by the image.

So all the config options here are overrides if the image defines them already. And the disable option is there to explicitly also disable pre-defined health checks.

[c-po]

Not a fan of multiple units. Is there a real reason to run a health-check only once an hour? We should use a seconds base - meaning a value of 3600 would be once an hour.

[c-po]

Please change this to seconds only. We should not make the CLI overly complex. Base units are fine.

[c-po]

Suggested change

	<help>The number of retries before container is consider unhealthy</help>
	<help>Number of retries before container is consider unhealthy</help>
	<valueHelp>
	<format>u32:1-255</format>
	<description>Update interval in minutes</description>
	</valueHelp>

Please add a <valueHelp> definition for the retry cound and allowed range.

[c-po]

A value of 0 should be explicitly stated as "no retry"