fix: replace curl with wget for healthcheck commands in Docker configurations

2026-03-13 14:13:37 +00:00
parent 88a9cdb0ff
commit 4b896c2e3c
6 changed files with 16 additions and 15 deletions
--- a/.docker/compose/docker-compose.local.yml
+++ b/.docker/compose/docker-compose.local.yml
@@ -47,7 +47,7 @@ services:
 #      - <PATH_TO_YOUR_CADDYFILE>:/import/Caddyfile:ro
 #      - <PATH_TO_YOUR_SITES_DIR>:/import/sites:ro # If your Caddyfile imports other files
    healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
--- a/.docker/compose/docker-compose.playwright-ci.yml
+++ b/.docker/compose/docker-compose.playwright-ci.yml
@@ -87,7 +87,7 @@ services:
      - playwright_caddy_config:/config
      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:8080/api/v1/health"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
      interval: 5s
      timeout: 3s
      retries: 12
--- a/.docker/compose/docker-compose.playwright-local.yml
+++ b/.docker/compose/docker-compose.playwright-local.yml
@@ -52,7 +52,7 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
    healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
      interval: 5s
      timeout: 5s
      retries: 10
--- a/.docker/compose/docker-compose.yml
+++ b/.docker/compose/docker-compose.yml
@@ -52,7 +52,7 @@ services:
      # - ./my-existing-Caddyfile:/import/Caddyfile:ro
      # - ./sites:/import/sites:ro # If your Caddyfile imports other files
    healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
--- a/.docker/docker-entrypoint.sh
+++ b/.docker/docker-entrypoint.sh
@@ -365,7 +365,7 @@ echo "Caddy started (PID: $CADDY_PID)"
 echo "Waiting for Caddy admin API..."
 i=1
 while [ "$i" -le 30 ]; do
-    if curl -sf http://127.0.0.1:2019/config/ > /dev/null 2>&1; then
+    if wget -qO /dev/null http://127.0.0.1:2019/config/ 2>/dev/null; then
        echo "Caddy is ready!"
        break
    fi
--- a/21
+++ b/21
@@ -408,11 +408,10 @@ WORKDIR /app
 # Install runtime dependencies for Charon, including bash for maintenance scripts
 # Note: gosu is now built from source (see gosu-builder stage) to avoid CVEs from Debian's pre-compiled version
 # Explicitly upgrade packages to fix security vulnerabilities
-# binutils provides objdump for debug symbol detection in docker-entrypoint.sh
 # hadolint ignore=DL3018
 RUN apk add --no-cache \
-    bash ca-certificates sqlite-libs sqlite tzdata curl gettext libcap libcap-utils \
-    c-ares binutils libc-utils busybox-extras \
+    bash ca-certificates sqlite-libs sqlite tzdata gettext libcap libcap-utils \
+    c-ares busybox-extras \
    && apk upgrade --no-cache zlib

 # Copy gosu binary from gosu-builder (built with Go 1.26+ to avoid stdlib CVEs)
@@ -434,8 +433,9 @@ ARG GEOLITE2_COUNTRY_SHA256=b79afc28a0a52f89c15e8d92b05c173f314dd4f687719f96cf92
 RUN mkdir -p /app/data/geoip && \
        if [ -n "$CI" ]; then \
            echo "⏱️  CI detected - quick download (10s timeout, no retries)"; \
-            if curl -fSL -m 10 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
-                -o /app/data/geoip/GeoLite2-Country.mmdb 2>/dev/null; then \
+            if wget -qO /app/data/geoip/GeoLite2-Country.mmdb \
+                -T 10 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" 2>/dev/null \
+                && [ -s /app/data/geoip/GeoLite2-Country.mmdb ]; then \
                echo "✅ GeoIP downloaded"; \
            else \
                echo "⚠️  GeoIP skipped"; \
@@ -443,9 +443,10 @@ RUN mkdir -p /app/data/geoip && \
            fi; \
        else \
            echo "Local - full download (30s timeout, 3 retries)"; \
-            if curl -fSL -m 30 --retry 3 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
-                -o /app/data/geoip/GeoLite2-Country.mmdb; then \
-                if echo "${GEOLITE2_COUNTRY_SHA256}  /app/data/geoip/GeoLite2-Country.mmdb" | sha256sum -c -; then \
+            if wget -qO /app/data/geoip/GeoLite2-Country.mmdb \
+                -T 30 -t 4 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb"; then \
+                if [ -s /app/data/geoip/GeoLite2-Country.mmdb ] && \
+                   echo "${GEOLITE2_COUNTRY_SHA256}  /app/data/geoip/GeoLite2-Country.mmdb" | sha256sum -c -; then \
                    echo "✅ GeoIP checksum verified"; \
                else \
                    echo "⚠️  Checksum failed"; \
@@ -578,8 +579,8 @@ EXPOSE 80 443 443/udp 2019 8080

 # Security: Add healthcheck to monitor container health
 # Verifies the Charon API is responding correctly
-HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
-    CMD curl -f http://localhost:8080/api/v1/health || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \
+    CMD wget -q -O /dev/null http://localhost:8080/api/v1/health || exit 1

 # Create CrowdSec symlink as root before switching to non-root user
 # This symlink allows CrowdSec to use persistent storage at /app/data/crowdsec/config