search

bitnami / containers

Bitnami container images
https://bitnami.com
Other
3.4k stars 4.86k forks source link

[bitnami/openldap] Difficulty writing robust readiness checks for OpenLDAP image #73310

Open jmaicher opened 3 weeks ago

jmaicher commented 3 weeks ago

Name and Version

bitnami/openldap:2.6.8

What is the problem this feature will solve?

The entrypoint of the OpenLDAP image calls a setup script that starts the LDAP server (slapd) and stops it at the end of the initialization/seeding. The run script, which is the default command, then starts the LDAP server again. This makes it difficult to write robust readiness checks because the LDAP server is started briefly as part of the setup, may respond as expected, and then becomes unavailable again.

Example readiness check, which tends to be flaky:

docker exec <CONTAINER ID> sh -c "ldapsearch -x -H ldap://localhost:1389 -D cn=admin,dc=example,dc=org -w admin -b dc=example,dc=org"

What is the feature you are proposing to solve the problem?

A stable indicator that the initialization is complete and the server has been started by the run script. As a workaround, it is possible to use a user script in docker-entrypoint-initdb.d/ that is run after initialization to set such an indicator, or use /bitnami/openldap/data/.user_scripts_initialized, which is created after all user scripts have been run.

What alternatives have you considered?

No response

javsalgar commented 3 weeks ago

Hi,

In systems like Kubernetes there is a value called ~initialStartupSeconds~ initialDelaySeconds, which performs a wait prior to executing the checks. I'm not sure how this could be implemented in Docker. I'm afraid that we need to start the server in order to execute the initialization commands so that's something we currently cannot change unless you override the entrypoint command.

jmaicher commented 3 weeks ago

Thanks, you probably mean initialDelaySeconds, but in our case it doesn't run on k8s, but via compose as part of CI with custom readiness checks via docker exec. Sure, we can sleep, but that might not be reliable, e.g. if the container hangs on initialization for whatever reason.

mistotebe commented 2 weeks ago

I don't believe the container should be starting OpenLDAP on the usual interfaces for the initial config, ldapi:// might be enough as all scripts are run locally anyway. Also readiness-wise, OpenLDAP will report via NOTIFY_SOCKET (systemd-style).

javsalgar commented 2 weeks ago

Thanks for the input @mistotebe. I will forward it to the engineering team for consideration but as it is not a critical feature we cannot guarantee an ETA. However, if you want to speed up the process, you can submit a PR and the team will take a look.