Php: Add the HEALTHCHECK instruction to the relevant dockerfiles

Created on 19 Jan 2017 · 10 Comments · Source: docker-library/php

Docker 1.13.0 added support for health aware load balancing and DNS records for Swarm Mode https://github.com/docker/docker/pull/27279.
The HEALTHCHECK instruction should be added to the official images.
Or at least the official docs should describe a correct way of adding the instruction for PHP.

All 10 comments

The HEALTHCHECK feature itself was added in Docker 1.12.

I made a comment previously on the cassandra repo for this same request: https://github.com/docker-library/cassandra/pull/76#issuecomment-246054271.

Another note specifically for the php images is that we cannot design a generally useful HEALTHCHECK since we wouldn't know what URL to hit to test if the service is "healthy" for the apache versions and there isn't a simple way to even try to hit the FCGI service in fpm, regardless of the URL concern. The most that we could provide via a general healthcheck is "is it up" and that is what the container itself already provides, since the only thing running in the container is the service and if the service is not running the container stops.

@yosifkit The service may be running, but not responding to requests.
Here is how I implemented a healthcheck for PHP-FPM on Alpine:
https://github.com/twinscom/dockerfiles/blob/2af2d1039c561cdf2197d021d424359e1a433faa/php/latest/Dockerfile#L51-L58
The /ping URL was chosen arbitrarily and it responds with a 404 HTTP error, but it doesn't matter since the goal is only to check whether PHP-FPM is responding to requests.

fpm has the configuration ping.path and ping.response that can help here:

ping.path = /ping
ping.response = pong

See http://php.net/manual/en/install.fpm.configuration.php
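
What a healthcheck has to send to reach `ping.path` directly over FastCGI, with no web server in front, as an added example that is not part of the thread or of the php image: a minimal Python client that builds the request records and checks the body against `ping.response`. The host, port 9000 and all function names are assumptions; it expects `ping.path = /ping` and `ping.response = pong` as configured above.

```python
import socket
import struct

# FastCGI record types used here (FastCGI specification, version 1).
BEGIN_REQUEST, END_REQUEST, PARAMS, STDIN, STDOUT = 1, 3, 4, 5, 6

def record(rtype, content=b"", request_id=1):
    """One record: 8-byte header (version, type, id, length, padding) + content."""
    return struct.pack(">BBHHBB", 1, rtype, request_id, len(content), 0, 0) + content

def pair(name, value):
    """Name-value pair; lengths below 128 fit the one-byte length encoding."""
    n, v = name.encode(), value.encode()
    if len(n) > 127 or len(v) > 127:
        raise ValueError("values of 128 bytes or more need the 4-byte length form")
    return bytes([len(n), len(v)]) + n + v

def build_ping_request(path="/ping"):
    """BEGIN_REQUEST (role 1 = responder), PARAMS, empty PARAMS, empty STDIN."""
    params = b"".join(pair(k, v) for k, v in (
        ("REQUEST_METHOD", "GET"), ("SCRIPT_NAME", path), ("SCRIPT_FILENAME", path)))
    return (record(BEGIN_REQUEST, struct.pack(">HB5x", 1, 0))
            + record(PARAMS, params) + record(PARAMS) + record(STDIN))

def parse_stdout(data):
    """Join STDOUT payloads up to END_REQUEST and return the body after the headers."""
    out, pos = b"", 0
    while pos + 8 <= len(data):
        _, rtype, _, length, padding, _ = struct.unpack(">BBHHBB", data[pos:pos + 8])
        if rtype == END_REQUEST:
            break
        if rtype == STDOUT:
            out += data[pos + 8:pos + 8 + length]
        pos += 8 + length + padding
    return out.partition(b"\r\n\r\n")[2]

def fpm_is_healthy(host="127.0.0.1", port=9000, expected=b"pong", timeout=2.0):
    """True only if php-fpm answers the ping with the configured ping.response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_ping_request())
            data = b""
            while chunk := s.recv(4096):  # fpm closes the connection after replying
                data += chunk
    except OSError:  # refused, reset or timed out: the service is not responding
        return False
    return parse_stdout(data) == expected

if __name__ == "__main__":
    raise SystemExit(0 if fpm_is_healthy() else 1)
```

Run from a `HEALTHCHECK CMD`, the exit status 0 or 1 maps to healthy or unhealthy.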

There is one problem. Your log will be full of lines like this:

127.0.0.1 -  18/Apr/2017:10:29:37 +0000 "GET /ping" 200

:disappointed:

There is one problem. Your log will be full of lines like this:

Is it a problem for somebody?
How often should it be run? 1, 5, 30, 60 seconds?

For me it is not a problem to have it in the log every 5 seconds. If it is for somebody, it is easy to cancel it or change the timeout via compose.

How about implementing it like this, releasing, and waiting to see if somebody opens an issue about annoying lines in the logs, then discussing a better way there?

There is one problem. Your log will be full of lines...

For nginx.

location ~ ^/(status|ping)$ {
     access_log off;
}

For php-fpm.

  • Turn OFF access logging. In production, your php-fpm access log is mirroring your nginx log, thus, you do not need your php-fpm access log. You do, however, still need your php-fpm ERROR log.

For added security, spawn a new management server which is not exposed (this should be sufficient.)

However, for even MORE security, limit it to only the HEALTHCHECK. Docker's HEALTHCHECK comes from the host docker process via the primary network interface of the container. From the container's eyes, it appears as if it's coming from the "Gateway".

You can use docker network inspect [NETWORK] | grep Gateway to find the gateway of that device for smaller environments. For larger more automated ones, you already know how to get your gateway. ;)

server {
    listen       12345;
    server_name  _;

    access_log off;

    location / {
        return 500;
    }

    location ~ ^/(status|ping)$ {
        allow 127.0.0.1;
        # !! Be sure to change this !! #
        allow **HOSTS_ALLOWED**;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_pass php-fpm:9000;
    }
}

Closing given @yosifkit's comment above.

The information (and solutions) provided here should serve as a good reference for future travelers! :+1: :heart:

@tianon @yosifkit I've come across this and I have a suggestion.
At work we've been using this healthcheck for fpm that I've created: https://github.com/renatomefi/php-fpm-healthcheck
We could run it in a simple ping mode but tell people how to configure it towards something more specific for their case; for instance, they can check if the queue in the pool is more than 5 and then make it unhealthy, something along those lines. Would you be interested?
I could open a PR which downloads its latest version and configures the fpm-only images, and also adds some documentation with some suggestions.
Please let me know if it makes any sense to you!
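
A threshold check of the kind suggested in the comment above, as an added example that is not code from php-fpm-healthcheck or the official image: it parses the plain-text page php-fpm serves at `pm.status_path` and reports unhealthy when `listen queue` exceeds 5. The sample status text is constructed, and the function names and limits are assumptions.

```python
# Constructed sample of the plain-text page php-fpm serves at pm.status_path.
SAMPLE_STATUS = """\
pool:                 www
process manager:      dynamic
start time:           18/Apr/2017:10:00:00 +0000
accepted conn:        356
listen queue:         7
max listen queue:     9
listen queue len:     128
idle processes:       0
active processes:     5
total processes:      5
max children reached: 1
slow requests:        0
"""

def parse_fpm_status(text):
    """Map each 'key: value' line to a dict entry; purely numeric values become int."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, dates keep theirs
        if not sep:
            continue
        value = value.strip()
        status[key.strip()] = int(value) if value.isdigit() else value
    return status

def violations(status, limits):
    """Return one message per exceeded or missing metric; an empty list is healthy."""
    failures = []
    for key, maximum in limits.items():
        actual = status.get(key)
        if not isinstance(actual, int):
            failures.append(f"{key}: missing")  # fail closed on an unreadable page
        elif actual > maximum:
            failures.append(f"{key}: {actual} > {maximum}")
    return failures

def exit_code(text, limits):
    """0 = healthy, 1 = unhealthy, the two values HEALTHCHECK distinguishes."""
    return 1 if violations(parse_fpm_status(text), limits) else 0

if __name__ == "__main__":
    # Assumed limit, taken from the "queue is more than 5" case in the comment.
    raise SystemExit(exit_code(SAMPLE_STATUS, {"listen queue": 5}))
```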
