1Password/connect

Health Check for docker-compose best practice?

JAForbes opened this issue · 3 comments

Hi, I wanted to add a health check for connect-api but there's no sh or bash on the image:

OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown

And docker health checks largely rely on running a command, primarily curl.

I was just going to extend the base image to have net-tools but wanted to check if I was missing something obvious first.

I realise this is a docs repo, but didn't know where else to ask. Either way it would be good to document how to have a good local development workflow with 1password connect. I strung something workable together but little things like this make me wonder if work has already been done that I'm not aware of.

We do have a health check endpoint that you can reach at /health https://developer.1password.com/docs/connect/connect-api-reference/#server-health . Does this suit your use case or do specifically want a docker health check?

The issue I'm hitting is that you need curl, or some other command line tool to hit that health endpoint via docker-composes provided health check API. And the 1password connect containers are so heavily optimized that they do not have curl, or even a shell available to execute the health check. Therefore I can't curl /health because when I attempt to, I hit this error:

OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown

If there was a simple example of running the health check against 1password connect within docker-compose that would be super helpful!

The /health endpoint is great, but currently not useable for healthchecks in a docker-compose setting.

Docker (compose) healthchecks can only be constructed using a binary that is part of the container, e.g. curl or some other executable, with or without a parent shell, see the docker compose service: healthcheck: {} documentation and the docker HEALTHCHECK instruction.

The connect-api container lacks a binary that can be used for this; these are the only binaries in the 1.7.2 image:

-rwxr-xr-x 0/0        28678632 2023-08-21 20:05 bin/connect-api
-rwxr-xr-x 0/0            6277 2023-05-26 21:30 usr/bin/c_rehash
-rwxr-xr-x 0/0          736792 2023-05-26 21:30 usr/bin/openssl
-rwxr-xr-x 0/0             106 2023-04-18 19:29 usr/sbin/tzconfig

The connect-sync 1.7.2 container is the same story:

-rwxr-xr-x 0/0        21195768 2023-08-21 20:05 bin/connect-sync
-rwxr-xr-x 0/0            6277 2023-05-26 21:30 usr/bin/c_rehash
-rwxr-xr-x 0/0          736792 2023-05-26 21:30 usr/bin/openssl
-rwxr-xr-x 0/0             106 2023-04-18 19:29 usr/sbin/tzconfig

The openssl binary can create network connections via s_client -connect but you need a shell to be able to turn that into a HTTP client capable of accessing the /health endpoint.

I understand and really appreciate the security consious nature of the sparse docker container, but can 1Password please include a binary that makes health checks possible? It could even be a dedicated stripped-down executable that can only access the healthpoint on localhost:${OP_HTTP_PORT:-8080} and reports the status through an exit code. Or, it could be a /bin/connect-api command-line option, like --help and --version are. The docker image could then even define it as the official image healthcheck through the HEALTHCHECK instruction.