dperson / openvpn-client

GNU Affero General Public License v3.0

Health check strategy with Docker-Compose #315

Open davidmpa opened 4 years ago

davidmpa commented 4 years ago

I am trying to build a custom torrent container `torrent` that depends on this openvpn-client `vpn`, but only want it to start after vpn status is healthy.

If I write `depends_on: vpn` in the docker compose file, my custom container still starts up before VPN is ready.

I have read this article but openvpn-client doesn't seem to expose a port that accepts TCP connections that I can use to check.

Is there a way to postpone the start of torrent after vpn is healthy?

arpitgupta commented 4 years ago

@davidmpa I have a similar setup and do not need to wait for the vpn container to be healthy most of the time. Sometimes I do need to restart the container using the vpn client container.

The vpn client container can expose any port you need; you just need to make sure you have explicitly done that in your compose file.

Wait for solution as I understand it will require a custom docker image of your torrent container. Either it has a custom start script which is waiting for the network to be up before it starts the torrent service, or you use the docker image with one of the other tools they suggested. So I personally decided I would just restart the containers as needed vs maintaining a custom docker image for all the services I wanted to route through the vpn container.

I also use custom health check commands to make sure the container is connected to vpn; that way any container that is unhealthy I just restart.

davidmpa commented 4 years ago

@arpitgupta Could you share the custom health check command you are using to make sure the container is connected to vpn?

arpitgupta commented 4 years ago

@davidmpa Yup. Though I am using an endpoint that is provided by the vpn provider (https://am.i.mullvad.net/api) I am using. If you have something similar from your vpn provider you could tune it accordingly. Or you could write something that checks the external IP of your container and makes sure it is not the same as your ISP IP. Though the latter approach would require more hand holding if the ISP IP changes.

```yaml
healthcheck:
  test: ["CMD-SHELL", "curl -f https://am.i.mullvad.net/connected | grep -i 'you are connected to mullvad'"]
  interval: 1m
  timeout: 10s
  retries: 5
  start_period: 40s
```

gynnantonix commented 4 years ago

I have a similar healthcheck strategy. I have a Dockerfile that extends the vpn-client container with, among other things, a custom HEALTHCHECK script that looks like this:

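```bash
#!/bin/bash
# Report unhealthy unless the NordVPN API says the connection is protected.
# An empty or failed response also counts as unhealthy.
status=$(curl -m 10 -s https://api.nordvpn.com/vpn/check/full | jq -r '.status')
if [[ "$status" != "Protected" ]]; then
    exit 1
fi
exit 0
```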

My provider is NordVPN and they provide this API. I imagine other providers do, too?
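
One way to get the start ordering asked about at the top of the thread, shown as an added example that is not from any commenter or from the project: give `vpn` a healthcheck like the ones above and make `torrent` depend on `condition: service_healthy`. The torrent image name, the `./vpn` config path and the Compose version requirement are assumptions.

```yaml
# Added example. Needs Compose file format 2.1+ or the Compose Specification
# (docker compose v2); the 3.x file format rejects a condition under depends_on.
services:
  vpn:
    image: dperson/openvpn-client
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - ./vpn:/vpn                  # assumed location of the OpenVPN config
    healthcheck:
      # Provider check from the thread. grep's exit status decides health, so a
      # failed or empty curl response counts as unhealthy (fails closed).
      test: ["CMD-SHELL", "curl -fsS -m 10 https://am.i.mullvad.net/connected | grep -qi 'you are connected to mullvad'"]
      interval: 1m
      timeout: 15s                  # longer than curl's own 10 s limit
      retries: 5
      start_period: 40s
    restart: unless-stopped

  torrent:
    image: example/torrent:latest   # hypothetical image name
    # Share the vpn container's network namespace so traffic uses the tunnel.
    network_mode: "service:vpn"
    depends_on:
      vpn:
        # The short form `depends_on: [vpn]` waits only for container start.
        # This form waits until the healthcheck above has passed.
        condition: service_healthy
    restart: unless-stopped
```

The condition gates startup only: if the tunnel drops later, `vpn` turns unhealthy but `torrent` keeps running, so a restart on unhealthy status is still needed as described above.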