From b78cfb0b452b168d3246a2e17a858822551e99c0 Mon Sep 17 00:00:00 2001
From: Ryan Malloy
Date: Sat, 16 May 2026 14:01:22 -0600
Subject: [PATCH] coredns: fix silently-broken healthcheck (distroless image has no wget)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The original healthcheck `wget -qO- http://127.0.0.1:8080/health` has been failing since day one because the CoreDNS image is distroless — no shell, no HTTP client. The container has been running in "(unhealthy)" status the whole time without anyone noticing because nothing depends_on it. Replace with `/coredns -version`, which is the thinnest honest check the image can support. For deeper liveness/readiness, scrape :8081/health from outside the container.
---
 docker-compose.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 13dc2b6..a635d5a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -60,8 +60,14 @@ services:
 # (ACME registration private key) is sibling to /caddy and is NOT
 # exposed to CoreDNS — only /caddy is mounted.
 - ./caddy-data/caddy:/etc/coredns/certs:ro
+ # CoreDNS's official image is distroless (no shell, no wget/curl), so
+ # the conventional `wget /health` healthcheck silently fails forever
+ # and Docker reports the container as unhealthy. The coredns binary
+ # itself supports a version flag, which exits 0 only if the binary
+ # is runnable — a thin but honest liveness probe. For deeper checks,
+ # query :8081/health from outside the container (curl from the host).
 healthcheck:
- test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/health"]
+ test: ["CMD", "/coredns", "-version"]
 interval: 30s
 timeout: 5s
 retries: 3
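Review bot: The new comment block tells operators to query `:8081/health`, but the check being removed (and the commit message's own quote of it) targeted `http://127.0.0.1:8080/health`, and CoreDNS's health plugin listens on :8080 by default — unless the Corefile deliberately binds health on 8081, the comment points readers at the wrong port, and if it does, the comment should name where that is configured so it can be verified. The new `test: ["CMD", "/coredns", "-version"]` also deserves a plainer caveat than "thin but honest liveness probe": it spawns a fresh process and exits 0 regardless of whether the running server's DNS listener is serving, so a wedged daemon still reports healthy and any `depends_on: condition: service_healthy` on this service provides no real readiness guarantee. I would append `# NOTE: this exercises the binary, not the running server; do not gate depends_on: service_healthy on it.` to the comment block so the next maintainer does not mistake it for a functional probe.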