Health check support
## Summary
Implement compose healthcheck directive:
```yaml
healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost"]
  interval: 30s
  timeout: 10s
  retries: 3
```
## Implementation
### Config Storage via Instance Metadata
Healthcheck config and state are stored directly in the instance's `user.*` config keys (Incus `map[string]string`). No external config file or database needed for ic-healthd.
Keys written by `project/project.go`:
| Key | Value |
|-----|-------|
| `user.healthcheck.test` | JSON array, e.g. `["CMD","curl","-f","http://localhost"]` |
| `user.healthcheck.interval` | Duration string, e.g. `30s` |
| `user.healthcheck.timeout` | Duration string, e.g. `10s` |
| `user.healthcheck.retries` | Integer string, e.g. `3` |
| `user.healthcheck.status` | Runtime state: `starting`, `healthy`, `unhealthy` |
| `user.restart` | `always` or `on-failure` (also drives restart logic) |
ic-healthd **discovers** its own config at runtime via `GetInstancesFull` — no static config file required.
### ic-healthd Sidecar
- Small Go binary in `cmd/ic-healthd/`
- Reads healthcheck config by querying Incus API (discovers `user.healthcheck.*` keys on instances in the project)
- Authenticates via one-time restricted token (token consumed, cert persisted in `/run/secrets/ic-healthd/`)
- Runs health loop: executes test commands via Incus exec API, tracks consecutive failures, restarts instances on threshold
- Also handles `user.restart=always|on-failure` without a healthcheck test
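
An added example (not the project's own code) of validating the `user.healthcheck.*` keys before any test command is handed to the exec API: the keys are free-form strings that anyone able to edit the instance can change, so each one is checked and a single bad value rejects the whole config. The `Healthcheck` type and `ParseHealthcheck` function are hypothetical names, and only the `CMD` form shown in the Summary is accepted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// Healthcheck is a hypothetical type for this example, not the project's own.
type Healthcheck struct {
	Argv              []string
	Interval, Timeout time.Duration
	Retries           int
}

// ParseHealthcheck validates one instance's user.healthcheck.* keys before use.
func ParseHealthcheck(cfg map[string]string) (*Healthcheck, error) {
	var test []string
	if err := json.Unmarshal([]byte(cfg["user.healthcheck.test"]), &test); err != nil {
		return nil, fmt.Errorf("test: %w", err)
	}
	if len(test) < 2 || test[0] != "CMD" {
		return nil, fmt.Errorf("test: want [\"CMD\", argv...], got %q", test)
	}
	iv, err := time.ParseDuration(cfg["user.healthcheck.interval"])
	if err != nil || iv <= 0 {
		return nil, fmt.Errorf("interval: want a positive duration")
	}
	to, err := time.ParseDuration(cfg["user.healthcheck.timeout"])
	if err != nil || to <= 0 {
		return nil, fmt.Errorf("timeout: want a positive duration")
	}
	n, err := strconv.Atoi(cfg["user.healthcheck.retries"])
	if err != nil || n < 1 {
		return nil, fmt.Errorf("retries: want an integer >= 1")
	}
	return &Healthcheck{Argv: test[1:], Interval: iv, Timeout: to, Retries: n}, nil
}

// main runs the parser on a constructed config matching the Summary example.
func main() {
	hc, err := ParseHealthcheck(map[string]string{
		"user.healthcheck.test":     `["CMD","curl","-f","http://localhost"]`,
		"user.healthcheck.interval": "30s",
		"user.healthcheck.timeout":  "10s",
		"user.healthcheck.retries":  "3",
	})
	fmt.Println(hc, err)
}
```

Instances that only set `user.restart` carry no `user.healthcheck.test` key, so a caller would check for that key before parsing.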
### Healthd Resource (`client/resource_healthd.go`)
- `KindHealthd` resource, priority = `PriorityInstance + 1` (starts after all instances)
- Creates a restricted token scoped to the project via `incus config trust add`
- Launches `ic-healthd` sidecar container with token injected as a secret
- Manages sidecar lifecycle: created/deleted with the stack
### incus-compose up Integration
- Auto-detects services with `healthcheck` directives or `restart: always|on-failure`
- Creates `ic-healthd` sidecar automatically (no opt-in required)
- `--no-healthd` flag disables the sidecar
- `--healthd-binary` flag injects a local binary (uses `images:alpine/edge` instead of OCI image, for development)
### No External Configuration
ic-healthd needs only a restricted token for auth. All service-specific config lives in the instances themselves.
## References
- [Incus Authorization](https://linuxcontainers.org/incus/docs/main/authorization/)
- `incus config trust add --help`