Automatically repair app when the HealthCheck goes down (Not Responding)
- 
Perhaps upvote this or add additional comments there to make it happen. 
- 
@Lonk such a functionality would need to have some parameters it needs to work within. Like "needs to be unresponsive for x checks" and "only try restarting for y times, before giving up". Supervisor can actually already help for some of these cases, i think if one it it's processes fail it tries restarting it. @fbartels said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): @Lonk such a functionality would need to have some parameters it needs to work within. Like "needs to be unresponsive for x checks" and "only try restarting for y times, before giving up". boxalready works in a similar fashion. It waits a good few minutes and fails like 30 Healthchecks before being labeled unresponsive which makes it a perfect opportunity to use the/repairendpoint on the app because you literally have nothing to lose, the app isn’t responding and using the/repairundocumented API endpoint has solved way more issues than a simple restart.This is all within the Dashboard and boxsystem. And my ideal times to try is once. If one/repairdoesn’t fix it. It’s unlikely a second will.
- 
I do not understand what you are proposing here. Should app implement this /repair//restartapi endpoint ? If so, how are they exected to respond to it if they are already unresponsive by that point ? Or is it supposed to be on the platform ? Or do they already exist and you are propsing a change of behaviour ? I am completely lost here ^^@mehdi said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): I do not understand what you are proposing here. Should app implement this /repair//restartapi endpoint ? If so, how are they exected to respond to it if they are already unresponsive by that point ? Or is it supposed to be on the platform ? Or do they already exist and you are propsing a change of behaviour ? I am completely lost here ^^Box / The dashboard would /repairthe app. It’s an undocumented Cloudron endpoint and always fixes any issue I have with apps, unlike simply restarting them. Right now, apps could stop responding to the HEALTHCHECK and within 5 - 10 minutes, the Cloudron labels them unresponsive because they aren’t responsive.I’m saying why wouldn’t the system try a /repairat that point. There’s nothing to lose and a working app to gain.
- 
I would ideally like to remove Cloudron's healthcheck field and replace it with Docker's own HEALTHCHECK (https://github.com/moby/moby/pull/22719). When we started out, that feature didn't exist in docker and maybe it replaces what Cloudron does internally. Once we do that, we can get automatic restarts etc from upstream docker. Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. @girish said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): I would ideally like to remove Cloudron's healthcheck field and replace it with Docker's own HEALTHCHECK (https://github.com/moby/moby/pull/22719). When we started out, that feature didn't exist in docker and maybe it replaces what Cloudron does internally. Once we do that, we can get automatic restarts etc from upstream docker. Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. Completely agree. Ideally we’d be using DOCKER HEALTHCHECKS but until then, this seems like a single line of code, if app becomes unresponsive, then /repairit. Maybe it’ll become responsive again, maybe it won’t - but at least your system tried to fix it automatically before notifying a human who has to take the/repairstep manually anyway (and who knows what time it is).
- 
I would ideally like to remove Cloudron's healthcheck field and replace it with Docker's own HEALTHCHECK (https://github.com/moby/moby/pull/22719). When we started out, that feature didn't exist in docker and maybe it replaces what Cloudron does internally. Once we do that, we can get automatic restarts etc from upstream docker. Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. @girish said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. You made a home grown health check before them. So you could make a home grown /repaironce after “UNHEALTHY” (or “Not Responding” in the Dashboard sense). What do we have to lose by doing so especially given it’s just a single endpoint already exposed in your API. This would be a quick option to add and could be an extra benefit to your home grown healthcheck even before you switch to Docker’s internal one.
- 
@girish said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. You made a home grown health check before them. So you could make a home grown /repaironce after “UNHEALTHY” (or “Not Responding” in the Dashboard sense). What do we have to lose by doing so especially given it’s just a single endpoint already exposed in your API. This would be a quick option to add and could be an extra benefit to your home grown healthcheck even before you switch to Docker’s internal one.
- 
I would ideally like to remove Cloudron's healthcheck field and replace it with Docker's own HEALTHCHECK (https://github.com/moby/moby/pull/22719). When we started out, that feature didn't exist in docker and maybe it replaces what Cloudron does internally. Once we do that, we can get automatic restarts etc from upstream docker. Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. 
- 
@mehdi said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): I do not understand what you are proposing here. Should app implement this /repair//restartapi endpoint ? If so, how are they exected to respond to it if they are already unresponsive by that point ? Or is it supposed to be on the platform ? Or do they already exist and you are propsing a change of behaviour ? I am completely lost here ^^Box / The dashboard would /repairthe app. It’s an undocumented Cloudron endpoint and always fixes any issue I have with apps, unlike simply restarting them. Right now, apps could stop responding to the HEALTHCHECK and within 5 - 10 minutes, the Cloudron labels them unresponsive because they aren’t responsive.I’m saying why wouldn’t the system try a /repairat that point. There’s nothing to lose and a working app to gain.@Lonk said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): Box / The dashboard would /repair the app. It’s an undocumented Cloudron endpoint and always fixes any issue I have with apps, unlike simply restarting them. But what does this /repairdo ? I am not clear on how an endpoint can magically repair an app in all case..
- 
@Lonk said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): Box / The dashboard would /repair the app. It’s an undocumented Cloudron endpoint and always fixes any issue I have with apps, unlike simply restarting them. But what does this /repairdo ? I am not clear on how an endpoint can magically repair an app in all case..@mehdi said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): @Lonk said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): Box / The dashboard would /repair the app. It’s an undocumented Cloudron endpoint and always fixes any issue I have with apps, unlike simply restarting them. But what does this /repairdo ? I am not clear on how an endpoint can magically repair an app in all case..It destroys the container and rebuilds it (it’s undocumented but exists). If there’s something wrong with the container - this will fix it. If there’s something wrong with NGINX, this will fix it. Restarting the container can help. But only 10% of the time when 90% of the time, the repair endpoint fixes a “Not Responding” app for me. 
- 
The idea for the repair is to be done consciously and also ideally be monitored by the admin. So I don't think it is good to just run it for good measure. I think what would be more important to get down to why things have failed and then see how to prevent that instead. This may mean we have to add better logging or status reporting. 
- 
The idea for the repair is to be done consciously and also ideally be monitored by the admin. So I don't think it is good to just run it for good measure. I think what would be more important to get down to why things have failed and then see how to prevent that instead. This may mean we have to add better logging or status reporting. @nebulon said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): The idea for the repair is to be done consciously and also ideally be monitored by the admin. So I don't think it is good to just run it for good measure. I think what would be more important to get down to why things have failed and then see how to prevent that instead. This may mean we have to add better logging or status reporting. The reason I brought this up in the forum is because I was going to make a script that checked the health status of all my apps and /repairthem when they switch to Not Responding, which is about 5 minutes after they actually go down.Then I realized, what's the healthcheck for except for to react when an app goes down. I'm not saying don't log it in notifications. If it's a one-off thing, then it didn't require human intervention to get working again (which could take awhile if you infrequently monitor the Dashboard). So, give us the info, sure, not a bad idea - but automatically trying to repair the app first and noting that it was successfully repaired after being down in notifications is a better solution. Having this be a manual step so that the admin "knows about it" is silly if it's a random one-off thing is silly and irrelevant if they get a notification about it. If the /repairendpoint works - then that's all the admin would do, review their notifications. It could be run a singular time to keep the site up and notify the admin and that sounds best IMO. Better logging, for sure, I can agree with that. But notifying + auto-repair (just one try) and then notifying if that repair was a success is better. Much better. It's the reason healthchecks exist - the native Docker now has "restart on failed healthcheck" (as doessupervisor) - but you guys can take it beyond that with a/repair.I can still write my script. I can even keep it on the same Cloudron instance, monitoring the status of all the apps and do a /repairon one if it "stops responding". If it starts responding cool, I'll check the logs as soon as I can to make sure it doesn't happen again. If it doesn't start responding after that, I'll find the problem and fix it.I just don't get the stance "we could automate the first troubleshooting step that every admin will take to get their site up and running again, but we don't think it's a good idea because we want them to intentionally take that step." My question to that is, why when you could be losing on precious uptime? 
- 
Cloudron already restarts an app when it starts using too much memory. Cloudron could just stop the app using too much memory and have the admin notified that it stopped the app so they can start it back up manually (which, of course, sounds ridiculous - and I don't see the difference between this and that). It doesn't do that though, it restarts it, why? I'd say to keep the app running. So not at least attempting a single /repairwhen an app stops responding for the sake of the admin to do so manually feels needlessly manual and doesn't keep the app running when it could be (say the admin is the only admin and they're on vacation for a week, this feature could save them).
- 
I still think we should not hide issues, which may be fixed running repair. This is a bit like just having bandage over an issue lurking in the dark. Generally if repair does indeed fix the issue, then this indicates either problems in the app package, the runtime management of apps in the platform or maybe external dependencies should be handled better (like DNS setup) This is a bit like docker issues we encounter every now and then. Sometimes docker restart fixes them, but the conclusion should probably not be to restart docker every now and then if an app fails for good measure. My be just me, but I haven't experienced many systems which work well in a self-healing manner and I am afraid of hiding real bugs through this. To me this conversation should be about the issue which triggered your thinking of automatically running repair in the first place. 
- 
I still think we should not hide issues, which may be fixed running repair. This is a bit like just having bandage over an issue lurking in the dark. Generally if repair does indeed fix the issue, then this indicates either problems in the app package, the runtime management of apps in the platform or maybe external dependencies should be handled better (like DNS setup) This is a bit like docker issues we encounter every now and then. Sometimes docker restart fixes them, but the conclusion should probably not be to restart docker every now and then if an app fails for good measure. My be just me, but I haven't experienced many systems which work well in a self-healing manner and I am afraid of hiding real bugs through this. To me this conversation should be about the issue which triggered your thinking of automatically running repair in the first place. @nebulon said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): - My goal is not to hide anything from the admin, just make the apps have higher up times by cutting out a human step. I don't see a difference of handling this the same way you run out of memory. Post a notification on the Dashboard, display the error:
 "App was not responding due to x error - Cloudron automatically repaired the app and it's running but please look at the logs here to see what might have happen to have caused this (and the log screen should show the last bit of the log file before the app stopped responding). - 
For me personally, this has only happened once. A Wordpress blog that wasn't even in use (no plugins yet - aside from the pre-installed ones) stopped responding and a restart didn't work. A "repair" did though. I still don't know what was wrong but it never went down after that (it's been a month now). So this feature is more of a comfort for me to know that edge case would be covered when I'm on "vacation for a week." 
- 
As a developer, I don't want "band-aids" - I want to fix the problem, but if your notification system gives me the date, time, and logs of when it had to /repairthe app, then I can still do that with virtually only 5 minutes downtime of my app (instead of me, a human, getting around to checking the logs, try to figure out what happened, meanwhile I can't repair without adding more to the log, so a snapshot of the log, and a automatic singular attempt to "repair" the app seems like a better flow for user and developer alike). I, of course, don't mind an app stopping since I only use Cloudron for development - but I'm thinking more about your everyday users. If people get this proposed repair notification feature I'm asking for, then there app doesn't stay down, which is good - but it allows them to post on the forums the logs and the app (mine was Wordpress Unmanaged, and like I said, it only happened once).
- 
As @fbartels mentioned, surpervisor does things like this. And as @girish mentioned, the latest Docker itself now does this. So, this is definitely a valid suggestion. Why would all of these other app managers do this is if it wasn't useful? We can make it even more useful by snapshotting the logs and adding a notification saying that something may need to be fixed even though a auto-repair was successful (then click on the snapshotted logs and dig in). 
 
- 
Today, after the update to latest cloudron version, I had between 15-20 apps in a failed state. Clicking the repair fixed every one of them. And I had a client send me a message about downtime. I didn't look more into it, having spent at least 30 minutes going into each not responding app settings individually, clicking repair and waiting for it to successfully get back online. (And I wish there was a button to repair all apps at once^^) As much as I agree with not bandaidging issues, for my client and my reputation, I wished not responding apps would have been repaired automatically and errors to be reported. Between repairing an app and getting to run or start an asynchronous debugging on the forum, I'll always click on the repair button first. If repairing is detrimental to bug solving/reporting, I would suggest to put a place where not responding logs/errors can be retrieved in one click. 
- 
Note 1: Even though it's only happened to me once organically, I would feel at peace knowing there's at least, an extra added / precaution / attempt there to keep a production app up. Note 2: The reason I encounter this often on purpose is when I update the code of the VPN Client app I'm working on, it breaks any apps containers that were connected to it, and those apps take 8 mins and then go to "Not responding..." status in the dashboard. Their container needs to be re-created and /repairdoes that while/restartdoes not so I consider/repairto be more thorough when attempting to bring back up an app that went down (again, just one attempt) for any reason. @girish and I will make certain that when the OpenVPN Client on the app store gets updated, any apps connected to it gets "re-connected" properly but if I hadn't have noticed that big and we did a v1.1 release of the OpenVPN Client app, then people's apps could have gone down and they'd have no way to know why but if that/repairprotection in place, it's likely neither they nor the users would notice the 8 minute downtime.Of course, as the developer of this app, I would eventually notice the behavior and fix it. That's why I'm working with @girish on boxcode to make sure this doesn't happen.But I just explained to you a real case that could have happened and it helps users and doesn't hurt developers. All pros, no cons. So, you tell me why a user wouldn't want that added protection (but they should still be notified it happened like I said above)? Cause I understand your belief system, but when I see all pros with no cons, I have to fight my case. 
- 
Today, after the update to latest cloudron version, I had between 15-20 apps in a failed state. Clicking the repair fixed every one of them. And I had a client send me a message about downtime. I didn't look more into it, having spent at least 30 minutes going into each not responding app settings individually, clicking repair and waiting for it to successfully get back online. (And I wish there was a button to repair all apps at once^^) As much as I agree with not bandaidging issues, for my client and my reputation, I wished not responding apps would have been repaired automatically and errors to be reported. Between repairing an app and getting to run or start an asynchronous debugging on the forum, I'll always click on the repair button first. If repairing is detrimental to bug solving/reporting, I would suggest to put a place where not responding logs/errors can be retrieved in one click. @ruihildt said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): Today, after the update to latest cloudron version, I had between 15-20 apps in a failed state. Clicking the repair fixed every one of them. And I had a client send me a message about downtime. I didn't look more into it, having spent at meats 30 minutes going into each not responding app settings individually, clicking repair and waiting for it to successfully get back online. (And I wish there was a button to repair all apps at once^^) As much as I agree with not bandaidging issues, for my client and my reputation, I wished not responding apps would have been repaired automatically and errors to be reported. Between repairing an app and getting to run or start an asynchronous debugging on the forum, I'll always click on the repair button first. If repairing is detrimental to bug solving/reporting, I would suggest to put a place where not responding logs/errors can be retrieved in one click. Nevermind, ignore my potential "use case" for adding this protection because it was theoretical and instead @ruihildt's is real (we literally posted at the same time and the cases were oddly similar) and I think it should be heavily considered and talked about with @girish and yourself ( @nebulon ). This is a real problem that occurred with one of your users in a production environment recently and this protection I'm proposing would have made the issue transparent to the user and his client. But us developers will eventually catch all the bugs as we build out better unit tests and whatnot. User experience is my number one priority, and nothing says it better than @ruihildt's testimony. 
- 
I would ideally like to remove Cloudron's healthcheck field and replace it with Docker's own HEALTHCHECK (https://github.com/moby/moby/pull/22719). When we started out, that feature didn't exist in docker and maybe it replaces what Cloudron does internally. Once we do that, we can get automatic restarts etc from upstream docker. Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. This would be a precaution added until @girish is ready to add what he wrote below (I don't know if dockerodehas it which would be a huge difference in difficulty in adding that as a feature):@girish said in Automatically "/repair" app when the HealthCheck goes down (Not Responding): I would ideally like to remove Cloudron's healthcheck field and replace it with Docker's own HEALTHCHECK (https://github.com/moby/moby/pull/22719). When we started out, that feature didn't exist in docker and maybe it replaces what Cloudron does internally. Once we do that, we can get automatic restarts etc from upstream docker. Even though I note that https://github.com/moby/moby/issues/28400 is open for over 2 years now. 
 





