Jesum Yip
10/16/2023, 4:03 AM
cerbos:
  image: ghcr.io/cerbos/cerbos:0.29.0
  networks:
    - apinetwork
  ports:
    - "3592:3592"
  command: ["server", "--config=config/.env.cerbos_config.yaml"]
  volumes:
    - .:/config
  healthcheck:
    test: ["CMD", "cerbos", "healthcheck", "--config=config/.env.cerbos_config.yaml", "--kind=http", "--insecure"]
    interval: 5s
    timeout: 5s
    retries: 10
does that look correct? it seems the healthcheck never turns healthy??
Jesum Yip
10/16/2023, 4:05 AM
{
  "log.level": "info",
  "@timestamp": "2023-10-16T04:04:06.616Z",
  "log.logger": "cerbos.http",
  "message": "Starting HTTP server at :3592"
}
Dennis (Cerbos)
Jesum Yip
10/16/2023, 4:15 AM
Jesum Yip
10/16/2023, 4:16 AM
Jesum Yip
10/16/2023, 4:16 AM
name: humada-apibackend-invicta-io
services:
  redis:
    image: redis
    networks:
      - apinetwork
    ports:
      - "6379:6379"
    deploy:
      resources:
        limits:
          memory: 50M
        reservations:
          memory: 20M
  cerbos:
    image: ghcr.io/cerbos/cerbos:0.29.0
    networks:
      - apinetwork
    ports:
      - "3592:3592"
    command: ["server", "--config=config/.env.cerbos_config.yaml"]
    volumes:
      - .:/config
    healthcheck:
      test: ["CMD", "cerbos", "healthcheck", "--config=config/.env.cerbos_config.yaml", "--kind=http", "--insecure"]
      #test: ["CMD", "cerbos", "healthcheck", "--host-port=cerbos:3592", "--kind=http", "--no-tls"]
      interval: 5s
      timeout: 5s
      retries: 10
  test-runtime:
    build:
      context: .
      dockerfile: Dockerfile-test
    networks:
      - apinetwork
    env_file:
      - ./.env.secrets
    environment:
      - PDP_ENDPOINT=http://cerbos:3592
      - REDISHOST=redis
    depends_on:
      cerbos:
        condition: service_healthy
      redis:
        condition: service_started
networks:
  apinetwork:
    driver: bridge
Jesum Yip
10/16/2023, 4:22 AM
Jesum Yip
10/16/2023, 4:23 AM
apinetwork network
Dennis (Cerbos)
cerbos resolves correctly from outside the cerbos container, but can you try --host-port=:3592?
Jesum Yip
10/16/2023, 4:30 AM
Jesum Yip
10/16/2023, 4:33 AM
cerbos:
  image: ghcr.io/cerbos/cerbos:0.29.0
  networks:
    - apinetwork
  ports:
    - "3592:3592"
  command: ["server", "--config=config/.env.cerbos_config.yaml"]
  volumes:
    - .:/config
  healthcheck:
    #test: ["CMD", "cerbos", "healthcheck", "--config=config/.env.cerbos_config.yaml", "--kind=http", "--insecure"]
    test: ["CMD", "cerbos", "healthcheck", "--host-port=:3592", "--kind=http", "--no-tls"]
    interval: 5s
    timeout: 5s
    retries: 10
Dennis (Cerbos)
Dennis (Cerbos)
healthcheck command performs a GET request to the PDP using the URL http://cerbos:3592/_cerbos/health? Can you do this from the outside of the Cerbos container?
Jesum Yip
10/16/2023, 4:37 AM
Jesum Yip
10/16/2023, 4:39 AM
Jesum Yip
10/16/2023, 4:39 AM
Jesum Yip
10/16/2023, 4:43 AM
Jesum Yip
10/16/2023, 4:43 AM
Jesum Yip
10/16/2023, 4:44 AM
Jesum Yip
10/16/2023, 4:44 AM
Jesum Yip
10/16/2023, 4:46 AM
Dennis (Cerbos)
Jesum Yip
10/16/2023, 4:51 AM
Dennis (Cerbos)
docker exec <container> ./cerbos healthcheck <args> might work.
Jesum Yip
10/16/2023, 4:59 AM
Jesum Yip
10/16/2023, 5:00 AM
Dennis (Cerbos)
docker exec 606e6d394ce3 ./cerbos healthcheck --no-tls --host-port=:3592 --kind=http
cerbos: error: --config and --host-port can’t be used together
Jesum Yip
10/16/2023, 5:02 AM
Jesum Yip
10/16/2023, 5:03 AM
test: CMD ./cerbos healthcheck --host-port=cerbos:3592 --kind=http --no-tls
you mean like this?
Dennis (Cerbos)
Jesum Yip
10/16/2023, 5:04 AM
healthcheck:
  test: exit 0
  interval: 3s
  timeout: 3s
  retries: 10
this still causes dependency failed to start: container humada-apibackend-invicta-io-cerbos-1 is unhealthy 😄
Jesum Yip
10/16/2023, 5:04 AM
Jesum Yip
10/16/2023, 5:05 AM
exit 0 would cause service to be unhealthy!!
Jesum Yip
10/16/2023, 5:08 AM
Dennis (Cerbos)
CERBOS_CONFIG environment variable, then it clashes with hostport, cacert, notls of the healthcheck command.
Jesum Yip
10/16/2023, 5:09 AM
Jesum Yip
10/16/2023, 5:09 AM
Jesum Yip
10/16/2023, 5:09 AM
Jesum Yip
10/16/2023, 5:13 AM
Dennis (Cerbos)
./cerbos should work
Dennis (Cerbos)
cerbos, then it’s worth trying ./cerbos.
Jesum Yip
10/16/2023, 5:15 AM
Dennis (Cerbos)
docker exec -e CERBOS_CONFIG= 606e6d394ce3 ./cerbos healthcheck --no-tls --host-port=:3592 --kind=http
Jesum Yip
10/16/2023, 5:17 AM
test: ["CMD", "./cerbos", "healthcheck", "--host-port=cerbos:3592", "--kind=http", "--no-tls"]
gives me this
Jesum Yip
10/16/2023, 5:17 AM
Dennis (Cerbos)
Dennis (Cerbos)
Jesum Yip
10/16/2023, 5:18 AM
Jesum Yip
10/16/2023, 5:19 AM
test: ["CMD", "./cerbos", "healthcheck", "--config=config/.env.cerbos_config.yaml", "--kind=http", "--insecure"]
because the container is started with command: ["server", "--config=config/.env.cerbos_config.yaml"]
Jesum Yip
10/16/2023, 5:19 AM
Jesum Yip
10/16/2023, 5:20 AM
Dennis (Cerbos)
Jesum Yip
10/16/2023, 5:23 AM
Dennis (Cerbos)
CERBOS_CONFIG can impact the healthcheck
Jesum Yip
10/16/2023, 5:23 AM
Dennis (Cerbos)
Jesum Yip
10/16/2023, 5:32 AM
Jesum Yip
10/16/2023, 5:32 AM
Dennis (Cerbos)
docker exec -e CERBOS_CONFIG= <container id> ./cerbos healthcheck --no-tls --host-port=:3592 --kind=http
Dennis (Cerbos)
Dennis (Cerbos)
Dennis (Cerbos)
Jesum Yip
10/16/2023, 5:34 AM
Jesum Yip
10/16/2023, 5:36 AM
Dennis (Cerbos)
CERBOS_CONFIG= should be a space after =
Jesum Yip
10/16/2023, 5:38 AM
Jesum Yip
10/16/2023, 5:39 AM
Jesum Yip
10/16/2023, 5:39 AM
Charith (Cerbos)
CERBOS_CONFIG environment variable. Cerbos honours the same environment variable as well so you just have to set that and everything should work. No need to explicitly set the command line for Cerbos server or define the healthcheck.
Jesum Yip
10/16/2023, 8:31 AM
Jesum Yip
10/16/2023, 8:32 AM
Charith (Cerbos)
depends-on in Docker compose, the API container shouldn't start until Cerbos is ready
Jesum Yip
10/16/2023, 8:33 AM
Jesum Yip
10/16/2023, 8:33 AM
Jesum Yip
10/16/2023, 8:34 AM