Skip to content

fix(docker): add HEALTHCHECK instruction to Dockerfile #1485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dknos wants to merge 4 commits into
base: main
Choose a base branch
from
+22 −0
Open

fix(docker): add HEALTHCHECK instruction to Dockerfile #1485

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
27f1319
fix(docker): add HEALTHCHECK instruction to Dockerfile
miyoungc Apr 5, 2026
8d48ef6
fix(docker): add HEALTHCHECK to Dockerfile.base and start-period grace
miyoungc Apr 5, 2026
0a43ca7
fix(docker): clarify HEALTHCHECK override contract and add probe to t…
miyoungc Apr 6, 2026
0e2fb12
fix(docker): remove redundant || exit 1 from sandbox HEALTHCHECK
miyoungc Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ WORKDIR /opt/nemoclaw
RUN npm install && npm run build

# Stage 2: Runtime image — pull cached base from GHCR
# hadolint ignore=DL3006
FROM ${BASE_IMAGE}

# Harden: remove unnecessary build tools and network probes from base image (#830)
Expand Down Expand Up @@ -142,6 +143,7 @@ json.dump(config, open(path, 'w'), indent=2); \
os.chmod(path, 0o600)"

# Install NemoClaw plugin into OpenClaw
# hadolint ignore=SC2015
RUN openclaw doctor --fix > /dev/null 2>&1 || true \
&& openclaw plugins install /opt/nemoclaw > /dev/null 2>&1 || true

Expand Down Expand Up @@ -169,6 +171,12 @@ RUN sha256sum /sandbox/.openclaw/openclaw.json > /sandbox/.openclaw/.config-hash
&& chmod 444 /sandbox/.openclaw/.config-hash \
&& chown root:root /sandbox/.openclaw/.config-hash

# Health check: poll the gateway's /health endpoint so Docker (and Compose)
# can detect and restart unhealthy containers in standalone deployments.
# Ref: https://github.com/NVIDIA/NemoClaw/issues/1430
HEALTHCHECK --interval=30s --timeout=5s --start-period=45s --retries=3 \
CMD curl -sf http://127.0.0.1:18789/health || exit 1

Comment on lines +174 to +179
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Apr 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Dockerfiles present:"
fd -i '^Dockerfile(\.base)?$' | sort

echo
echo "HEALTHCHECK declarations by file:"
fd -i '^Dockerfile(\.base)?$' --exec rg -n '^\s*HEALTHCHECK\b' {}

Repository: NVIDIA/NemoClaw

Length of output: 199

Add HEALTHCHECK to Dockerfile.base as well.

Issue #1430 requires HEALTHCHECK in both Dockerfile and Dockerfile.base. The change currently only addresses Dockerfile. Add the same HEALTHCHECK directive to Dockerfile.base at the appropriate location.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 174 - 179, The Dockerfile change added a HEALTHCHECK
block (HEALTHCHECK --interval=30s --timeout=5s --retries=3 \ CMD curl -sf
http://127.0.0.1:18789/health || exit 1) but the same directive must also be
added to Dockerfile.base; open Dockerfile.base and add an identical HEALTHCHECK
directive (same interval, timeout, retries and CMD curl -sf
http://127.0.0.1:18789/health || exit 1) at the analogous location where health
checks are defined in Dockerfile (near the end or after the service start/EXPOSE
steps) so both images include the same container health probe.

# Entrypoint runs as root to start the gateway as the gateway user,
# then drops to sandbox for agent commands. See nemoclaw-start.sh.
ENTRYPOINT ["/usr/local/bin/nemoclaw-start"]
Expand Down
9 changes: 9 additions & 0 deletions Dockerfile.base
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,3 +121,12 @@ RUN mkdir -p /sandbox/.openclaw-data/agents/main/agent \
# When bumping the openclaw version, rebuild this base image.
RUN npm install -g openclaw@2026.3.11 \
&& pip3 install --no-cache-dir --break-system-packages "pyyaml==6.0.3"

# Baseline health check — validates the Node.js runtime only.
# The base image doesn't run services, so a process-level check is the
# best we can do here. **Child images that expose services MUST override
# this** with a service-specific probe (e.g., curl the gateway /health
# endpoint). The production Dockerfile already does so; any new child
# Dockerfile should add its own HEALTHCHECK instruction as well.
HEALTHCHECK --interval=30s --timeout=5s --start-period=45s --retries=3 \
CMD node -e "process.exit(0)" || exit 1
5 changes: 5 additions & 0 deletions test/Dockerfile.sandbox
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,4 +86,9 @@ RUN mkdir -p /sandbox/openclaw-state/extensions /sandbox/openclaw-state/skills /
&& printf '%s\n' '---' 'name: override-hook' 'description: Override hook fixture' '---' > /sandbox/openclaw-state/hooks/demo-hook/HOOK.md \
&& printf '%s\n' 'export default async function overrideHook() {}' > /sandbox/openclaw-state/hooks/demo-hook/handler.js

# Test image: no long-running service, so just verify the runtime works.
# Overrides any inherited HEALTHCHECK to avoid false-positive probes.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD node -e "process.exit(0)" || exit 1

ENTRYPOINT ["/bin/bash"]