diff --git a/crates/openshell-driver-podman/src/config.rs b/crates/openshell-driver-podman/src/config.rs index e21c66176..0e29f52dd 100644 --- a/crates/openshell-driver-podman/src/config.rs +++ b/crates/openshell-driver-podman/src/config.rs @@ -126,8 +126,18 @@ pub struct PodmanComputeConfig { /// `template.driver_config`. #[serde(default)] pub enable_bind_mounts: bool, + /// Health check interval in seconds for sandbox containers. + /// + /// Podman runs the health check command at this interval to determine + /// container readiness. Lower values detect readiness faster but + /// increase process churn (each check spawns a conmon subprocess). + /// Set to `0` to disable health checks entirely. + /// Defaults to [`DEFAULT_HEALTH_CHECK_INTERVAL_SECS`] (10 seconds). + pub health_check_interval_secs: u64, } +pub const DEFAULT_HEALTH_CHECK_INTERVAL_SECS: u64 = 10; + impl PodmanComputeConfig { /// Returns `true` when all three TLS paths are configured. #[must_use] @@ -251,6 +261,7 @@ impl Default for PodmanComputeConfig { guest_tls_key: None, sandbox_pids_limit: DEFAULT_SANDBOX_PIDS_LIMIT, enable_bind_mounts: false, + health_check_interval_secs: DEFAULT_HEALTH_CHECK_INTERVAL_SECS, } } } @@ -273,6 +284,10 @@ impl std::fmt::Debug for PodmanComputeConfig { .field("guest_tls_key", &self.guest_tls_key) .field("sandbox_pids_limit", &self.sandbox_pids_limit) .field("enable_bind_mounts", &self.enable_bind_mounts) + .field( + "health_check_interval_secs", + &self.health_check_interval_secs, + ) .finish() } } @@ -314,6 +329,15 @@ mod tests { }); } + #[test] + fn default_config_sets_health_check_interval() { + let cfg = PodmanComputeConfig::default(); + assert_eq!( + cfg.health_check_interval_secs, + DEFAULT_HEALTH_CHECK_INTERVAL_SECS + ); + } + #[test] fn default_config_sets_driver_owned_pids_limit() { let cfg = PodmanComputeConfig::default(); diff --git a/crates/openshell-driver-podman/src/container.rs b/crates/openshell-driver-podman/src/container.rs index 0dd0c42c2..13516a607 100644 --- a/crates/openshell-driver-podman/src/container.rs +++ b/crates/openshell-driver-podman/src/container.rs @@ -880,7 +880,7 @@ pub fn try_build_container_spec_with_token( openshell_core::config::DEFAULT_SSH_PORT ), ], - interval: 3_000_000_000, + interval: config.health_check_interval_secs * 1_000_000_000, timeout: 2_000_000_000, retries: 10, start_period: 5_000_000_000, @@ -1328,6 +1328,19 @@ mod tests { ); } + #[test] + fn container_spec_healthcheck_interval_from_config() { + let sandbox = test_sandbox("test-id", "test-name"); + let mut config = test_config(); + config.health_check_interval_secs = 30; + let spec = build_container_spec(&sandbox, &config); + + let interval = spec["healthconfig"]["Interval"] + .as_u64() + .expect("healthcheck interval should be a u64"); + assert_eq!(interval, 30_000_000_000); + } + #[test] fn container_spec_required_vars_cannot_be_overridden() { use openshell_core::proto::compute::v1::{DriverSandboxSpec, DriverSandboxTemplate}; diff --git a/crates/openshell-driver-podman/src/main.rs b/crates/openshell-driver-podman/src/main.rs index 2d8d4055b..e6ba7b9ff 100644 --- a/crates/openshell-driver-podman/src/main.rs +++ b/crates/openshell-driver-podman/src/main.rs @@ -135,7 +135,7 @@ async fn main() -> Result<()> { guest_tls_cert: args.podman_tls_cert, guest_tls_key: args.podman_tls_key, sandbox_pids_limit: args.sandbox_pids_limit, - enable_bind_mounts: false, + ..PodmanComputeConfig::default() }) .await .into_diagnostic()?; diff --git a/docs/reference/gateway-config.mdx b/docs/reference/gateway-config.mdx index 1ddf70552..024dfcd57 100644 --- a/docs/reference/gateway-config.mdx +++ b/docs/reference/gateway-config.mdx @@ -262,6 +262,10 @@ guest_tls_key = "/etc/openshell/certs/client-key.pem" enable_bind_mounts = false # Set to 0 to leave Podman's runtime default unchanged. sandbox_pids_limit = 2048 +# Health check interval in seconds. Lower values detect readiness faster +# but increase process churn (each check spawns a conmon subprocess). +# Set to 0 to disable health checks entirely. Default: 10. +health_check_interval_secs = 10 ``` ### MicroVM