coredns: fix silently-broken healthcheck (distroless image has no wget)

The original healthcheck `wget -qO- http://127.0.0.1:8080/health` has been failing since day one because the CoreDNS image is distroless — no shell, no HTTP client. The container has been running in "(unhealthy)" status the whole time without anyone noticing because nothing depends_on it. Replace with `/coredns -version`, which is the thinnest honest check the image can support. For deeper liveness/readiness, scrape :8081/health from outside the container.
2026-05-16 14:01:22 -06:00 · 2026-05-16 14:01:22 -06:00 · b78cfb0b45
commit b78cfb0b45
parent 3d47d67e89
1 changed files with 7 additions and 1 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -60,8 +60,14 @@ services:
      # (ACME registration private key) is sibling to /caddy and is NOT
      # exposed to CoreDNS — only /caddy is mounted.
      - ./caddy-data/caddy:/etc/coredns/certs:ro
+    # CoreDNS's official image is distroless (no shell, no wget/curl), so
+    # the conventional `wget /health` healthcheck silently fails forever
+    # and Docker reports the container as unhealthy. The coredns binary
+    # itself supports a version flag, which exits 0 only if the binary
+    # is runnable — a thin but honest liveness probe. For deeper checks,
+    # query :8081/health from outside the container (curl from the host).
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/health"]
+      test: ["CMD", "/coredns", "-version"]
      interval: 30s
      timeout: 5s
      retries: 3