Podman does not detect HEALTHCHECKs from Docker container #21127

Closed
olifre opened this issue Jan 2, 2024 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

olifre commented Jan 2, 2024

Issue Description

Building a container with the following small Dockerfile:

FROM debian:12

# Healthcheck
HEALTHCHECK --interval=15s --timeout=5s --retries=5 \
    CMD ["/bin/bash", "-c", "/bin/true"]

ENTRYPOINT ["/bin/bash", "-c", "/bin/sleep 120"]

with Docker and pushing it to DockerHub, then pulling it down with Podman leads to Podman not detecting the HEALTHCHECK.

Steps to reproduce the issue

  1. Build and push container with Docker, given above Dockerfile.
  2. Try to execute healthcheck via:
$ podman run --name hc-test -d olifre/podman-healthcheck-test:main 
2cecfbd77fb65711a28ac2b181e493572b95b6466fb1e369f356cc586346398c
$ podman healthcheck run hc-test
Error: container 2cecfbd77fb65711a28ac2b181e493572b95b6466fb1e369f356cc586346398c has no defined healthcheck

Describe the results you received

Healthcheck not detected, also not listed with podman inspect. Inspecting the image yields:

            {
                "created": "2023-12-19T01:20:16.083612549Z",
                "created_by": "HEALTHCHECK \u0026{[\"CMD\" \"/bin/bash\" \"-c\" \"/bin/true\"] \"15s\" \"5s\" \"0s\" '\\x05'}",
                "comment": "buildkit.dockerfile.v0",
                "empty_layer": true
            },

i.e. the command is seen correctly, but not parsed.

Describe the results you expected

Healthcheck to be detected and executed.

podman info output

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 4
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  hostname: fv-az840-413
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 127
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 6.2.0-1018-azure
  linkmode: dynamic
  logDriver: journald
  memFree: 14745321472
  memTotal: 16757788672
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 4294963200
  swapTotal: 4294963200
  uptime: 2m 7.53s
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/runner/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/runner/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/1001/containers
  volumePath: /home/runner/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.17.3
  OsArch: linux/amd64
  Version: 3.4.4

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Tested with Podman from Ubuntu 22.04 (see "podman info" above) and also Podman from Debian 12 (version 4.3.1).

Example containers:

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

olifre added the kind/bug label on Jan 2, 2024
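
A check for the mismatch this report describes, written as an added example (not part of the issue or of Podman's code): it reads `podman image inspect`-style JSON and flags images whose history records a HEALTHCHECK instruction while no effective healthcheck is exposed. The `History`, `Config`, `Healthcheck` and `ManifestType` key names and the sample document are assumptions; only the HEALTHCHECK history entry is taken from the report.

```python
import json
import re

# Constructed sample shaped like `podman image inspect` output (assumed layout).
# Only the HEALTHCHECK history entry is copied from the report above.
SAMPLE_INSPECT = r'''[{
  "Id": "constructed-image-id",
  "ManifestType": "application/vnd.oci.image.manifest.v1+json",
  "Config": {"Entrypoint": ["/bin/bash", "-c", "/bin/sleep 120"]},
  "History": [
    {"created_by": "HEALTHCHECK \u0026{[\"CMD\" \"/bin/bash\" \"-c\" \"/bin/true\"] \"15s\" \"5s\" \"0s\" '\\x05'}",
     "comment": "buildkit.dockerfile.v0", "empty_layer": true},
    {"created_by": "ENTRYPOINT [\"/bin/bash\" \"-c\" \"/bin/sleep 120\"]",
     "comment": "buildkit.dockerfile.v0", "empty_layer": true}
  ]
}]'''

# Matches "HEALTHCHECK <args>" at the start of created_by or after whitespace.
HC_RE = re.compile(r'(?:^|\s)HEALTHCHECK\s+(.+)$')

def declared_healthcheck(image):
    """Arguments of the last HEALTHCHECK recorded in the build history, or None."""
    last = None
    for entry in image.get("History") or []:
        match = HC_RE.search(entry.get("created_by") or "")
        if match:
            last = match.group(1)
    # Assumption: a disabling "HEALTHCHECK NONE" is recorded with a "NONE" test.
    if last is None or '"NONE"' in last:
        return None
    return last

def effective_healthcheck(image):
    """Healthcheck test the runtime would see (top level or Config), or None."""
    for holder in (image, image.get("Config") or {}):
        test = (holder.get("Healthcheck") or {}).get("Test")
        if test and test != ["NONE"]:
            return test
    return None

def audit(inspect_json):
    """List images that declare a HEALTHCHECK in history but expose none."""
    findings = []
    for image in json.loads(inspect_json):
        declared = declared_healthcheck(image)
        if declared and effective_healthcheck(image) is None:
            findings.append({"id": image.get("Id"), "declared": declared,
                             "manifest_type": image.get("ManifestType")})
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```
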
Collaborator

flouthoc commented Jan 3, 2024

@olifre Did you use --format docker while building the image? HEALTHCHECK is only supported in docker images and not oci images.

Author

olifre commented Jan 3, 2024

@flouthoc As outlined above, I built the containers using Docker (not buildah) and pushed them to DockerHub, then pulled them with podman and observed the problem. I think the format flag you refer to would be for buildah, correct?

For comparison, pulling and running the very same images with docker yields a functional / active health check.

Member

rhatdan commented Jan 3, 2024

I think there is an existing issue on this.

Author

olifre commented Jan 3, 2024

@rhatdan Indeed, that seems to be: #18904
Sorry for the duplication, I did not check for BuildKit, but Docker in my search. I'll close this one in favour of the existing issue and will carry over a mention of my small test image in the hope it helps there.

olifre closed this as not planned on Jan 3, 2024
github-actions bot added the locked - please file new issue/PR label on Apr 3, 2024
github-actions bot locked as resolved and limited conversation to collaborators on Apr 3, 2024