Profile Applicability:

  • Level 1

Description:

The HEALTHCHECK instruction should be added to Docker container images to ensure that health checks are executed against running containers. This helps verify that the containers are still operational and respond correctly.

Rationale:

Adding a HEALTHCHECK to your Docker container ensures that the Docker engine periodically checks the status of the container. If the container is found to be unhealthy, Docker can terminate and recreate the container to maintain operational stability.

Impact:

None: Adding a health check does not interfere with the functionality of the container but ensures availability by verifying the operational status of containers.

Default Value:

By default, HEALTHCHECK is not set in Docker images. Health checks need to be explicitly configured in the Dockerfile.

Pre-requisites:

  • Access to the Dockerfile for the container image.

  • Administrative privileges to rebuild the Docker image.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.

  2. Verify that the Docker image has a HEALTHCHECK instruction by inspecting the image configuration with the command:

    docker inspect --format='{{ .Config.Healthcheck }}' <IMAGE>


Using AWS CLI:

  1. Connect to the EC2 instance running Docker.

  2. Run the following command to check if the image has a HEALTHCHECK instruction:

    docker inspect --format='{{ .Config.Healthcheck }}' <IMAGE_ID>
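The check above, extended to every image on the host, as an added example that is not part of the original benchmark text. It uses the `json` template function so that an image built with `HEALTHCHECK NONE` (which disables checks but does not print as empty) is reported separately; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit HEALTHCHECK across images using the JSON form of the
# inspect command above. Function names and sample rows are constructed.

# Map one '{{json .Config.Healthcheck}}' value to a verdict.
classify_healthcheck() {
  case "$1" in
    ''|null)              echo MISSING ;;     # no HEALTHCHECK in the image or its base
    *'"Test":["NONE"]'*)  echo DISABLED ;;    # HEALTHCHECK NONE: present, but turns checks off
    *'"Test":["CMD'*)     echo CONFIGURED ;;  # CMD (exec form) or CMD-SHELL (shell form)
    *)                    echo UNKNOWN ;;     # unexpected shape: treat as a finding
  esac
}

# Read "<image-id> <json>" rows on stdin; print one "VERDICT <image-id>" line per row.
audit_rows() {
  while read -r id hc; do
    [ -n "$id" ] || continue
    echo "$(classify_healthcheck "$hc") $id"
  done
}

# Count the rows on stdin whose verdict is anything other than CONFIGURED.
count_findings() { audit_rows | grep -vc '^CONFIGURED ' || true; }

# Live audit of every local image (requires the docker CLI on the host).
audit_local_images() {
  docker images -q --no-trunc | sort -u |
    xargs -r docker image inspect --format '{{.Id}} {{json .Config.Healthcheck}}' | audit_rows
}

# Constructed sample rows in the same "<id> <json>" shape, so the logic runs offline.
sample_rows() {
  cat <<'EOF'
sha256:aaaa1111 {"Test":["CMD-SHELL","curl --fail http://localhost:8080/health || exit 1"],"Interval":300000000000,"Timeout":3000000000}
sha256:bbbb2222 null
sha256:cccc3333 {"Test":["NONE"]}
EOF
}

if [ "${1:-}" = "--live" ]; then audit_local_images; else sample_rows | audit_rows; fi
```

Run with `--live` on the Docker host to audit real images; without arguments it prints verdicts for the constructed rows only.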

Implementation Plan:

Using AWS Console:

  1. Edit the Dockerfile for the container image to include a HEALTHCHECK instruction. 

  2. Rebuild the container image with the updated Dockerfile:

    docker build -t <IMAGE_NAME> .

  3. Push the updated image to your repository:

    docker push <IMAGE_NAME>

Using AWS CLI:

  1. Use SSM to remotely rebuild and push the Docker image with a health check added to the Dockerfile.

  2. Execute the following SSM command:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<INSTANCE_ID>" --parameters 'commands=["cd <DOCKERFILE_DIR> && echo \"HEALTHCHECK --interval=5m --timeout=3s CMD curl --fail http://localhost:8080/health || exit 1\" >> Dockerfile && docker build -t <IMAGE_NAME> . && docker push <IMAGE_NAME>"]'

Backout Plan:

Using AWS Console:

  1. Edit the Dockerfile to remove or comment out the HEALTHCHECK instruction.

  2. Rebuild the image and push it:

    docker build -t <IMAGE_NAME> .
    docker push <IMAGE_NAME>

Using AWS CLI:

  1. Use SSM to revert the Dockerfile to its previous state by removing the HEALTHCHECK instruction and rebuilding the image.

  2. Run the following command:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<INSTANCE_ID>" --parameters 'commands=["cd <DOCKERFILE_DIR> && sed -i \"/HEALTHCHECK/d\" Dockerfile && docker build -t <IMAGE_NAME> . && docker push <IMAGE_NAME>"]'
