Various fixes to health check scripts

sameersbn / docker-gitlab

Dockerized GitLab

http://www.damagehead.com/docker-gitlab/

MIT License

7.87k stars 2.14k forks source link

Various fixes to health check scripts #3002

Closed kkimurak closed 4 days ago

kkimurak commented 2 weeks ago

close #2992, partially implement #2766

Access to health check resources such as /-/liveness is restricted to IPs specified in gitlab.monitoring.ip_whitelist (GITLAB_MONITORING_IP_WHITELIST). Currently healthcheck may report unhealthy because the name localhost is solved to IPv6 loopback address (::1) that is not listed in the whitelist by default.

This PR fix the issue by using 127.0.0.1 (IPv4 loopback address) instead of localhost for monitoring endpoint url.

Possible alternate designs:

Add IPv6 loopback to whitelist
Disable IPv6 for gitlab container by specifying net.ipv6.conf.all.disable_ipv6=1 in docker-compose.yml for example See https://github.com/sameersbn/docker-gitlab/issues/2766#issuecomment-2098030791

/cc @Gaibhne I have create commit based on your suggestion in #2766 so I have set you an author of the commit. Let me know if you don't like it.

kkimurak commented 2 weeks ago

request for comment: Should this PR contain all suggestion in #2766?

sachilles commented 1 week ago

@kkimurak Yes, this would be nice. However, do you have an idea to adress all issues?

kkimurak commented 1 week ago

@sachilles Ok, I'll try to implement it by the next release. As far as I checked, the suggestion contains everything to do.

sachilles commented 1 week ago

@kkimurak Thank you! But please bear in mind that the reverse proxy can also play an important role in the choice of protocol in the curl command (depending on whether the reverse proxy terminates the SSL connection or not).

kkimurak commented 1 week ago

I've implemented all (4) changes and rebased on the current master (v17.3.3), but I haven't been able to test them yet as my local environment has become very slow. It's taking over 10 hours to build the image..

kkimurak commented 1 week ago

CI failed due to timeout.

kkimurak commented 5 days ago

Now CI looks succeed. It seems like it was automatically restarted after it failed.

sachilles commented 4 days ago

@kkimurak I did the restart of the CI. However, in my setup the healthcheck is working. I'll backport the healthcheck into the 17.x branches and the 16.11.x branch as well.

sachilles commented 4 days ago

Backport is done by cherry-picking the commits.

kkimurak commented 4 days ago

@sachilles Thank you.

sachilles commented 4 days ago

You're welcome.