Skip to content

Fix serve quadlet: SELinux label and ready-signal healthcheck #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jdoss merged 1 commit into from
Apr 8, 2026
Merged

Fix serve quadlet: SELinux label and ready-signal healthcheck #18

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions psi/unitgen.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -354,6 +354,13 @@ def generate_container_serve_quadlet(image: str, settings: PsiSettings) -> str:
f"Image={image}",
"Exec=serve",
"Network=host",
"SecurityLabelType=container_runtime_t",
"Notify=healthy",
f"HealthCmd=curl -sf --unix-socket {sock} http://localhost/healthz",
"HealthInterval=30s",
"HealthRetries=10",
"HealthStartPeriod=60s",
"HealthTimeout=5s",
f"Volume={config_dir}:{config_dir}:ro",
f"Volume={state}:{state}:Z",
f"Volume={runtime_dir}:{runtime_dir}:Z",
Expand Down
21 changes: 21 additions & 0 deletions tests/test_unitgen.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -419,3 +419,24 @@ def test_tls_renew_quadlet_has_container_name(self, tmp_path: Path) -> None:
settings = _mock_settings(tmp_path)
content = generate_container_tls_renew_quadlet("psi:latest", settings)
assert "ContainerName=psi-tls-renew" in content

def test_serve_quadlet_has_security_label_type(self, tmp_path: Path) -> None:
"""Without SecurityLabelType=container_runtime_t the container cannot
read /etc/psi/config.yaml from the host without a :Z relabel, which we
do not want on shared config directories.
"""
settings = _mock_settings(tmp_path)
content = generate_container_serve_quadlet("psi:latest", settings)
assert "SecurityLabelType=container_runtime_t" in content

def test_serve_quadlet_has_notify_healthy(self, tmp_path: Path) -> None:
"""Quadlet emits Type=notify by default and expects an sd_notify ready
signal. Notify=healthy makes podman send it once the healthcheck first
passes. Without this the unit hangs in 'activating' until TimeoutStartSec.
"""
settings = _mock_settings(tmp_path)
content = generate_container_serve_quadlet("psi:latest", settings)
assert "Notify=healthy" in content
assert "HealthCmd=curl -sf --unix-socket " in content
assert "http://localhost/healthz" in content
assert "HealthStartPeriod=60s" in content
Loading