No Dockerfile HEALTHCHECK — Unhealthy Containers Not Detected in Standalone Docker Deployments - IssueFinder - SN 08

[dinuduke]

Description

Repository

• https://github.com/NVIDIA/NemoClaw
• Branch: main

Description

Neither Dockerfile nor Dockerfile.base includes a HEALTHCHECK instruction. In standalone Docker deployments (without Kubernetes probes), Docker and Docker Compose cannot detect unhealthy containers. Containers may appear running but be internally broken.

Impact

Failed containers remain in "running" state, causing silent outages in non-K8s deployments.

Affected Area

• File(s): Dockerfile, Dockerfile.base

Expected Behavior

HEALTHCHECK instruction enables Docker to detect and report unhealthy containers.

Actual Behavior

No health monitoring available for standalone Docker deployments.

Reproduction Steps

Steps to Reproduce

1. docker build -t nemoclaw .
2. docker run -d nemoclaw
3. Kill the main process inside: container still shows "Up"
4. docker inspect --format='{{.State.Health}}' nemoclaw → no health data

Environment

• OS: Any (Docker host)
• NemoClaw Version: v0.1.0
• Branch: main
• Docker Version: 24.x+
• Runtime: Docker
• Container / Orchestration Info: Standalone Docker (not K8s)
• Network Setup: N/A

Debug Output

# Verify no HEALTHCHECK exists in the Dockerfile:
grep -i 'HEALTHCHECK' Dockerfile Dockerfile.base
# Expected: no matches

# Check container health status:
docker inspect --format='{{.State.Health}}' <container-id>
# Expected: <nil> (no health check configured)

# Manual health verification:
docker exec <container-id> curl -sf http://127.0.0.1:18789/health || echo "unhealthy"

Logs

# docker ps output showing no health status:
CONTAINER ID   IMAGE      STATUS          PORTS   NAMES
abc123         nemoclaw   Up 5 minutes            my-nemoclaw
# ↑ No "(healthy)" or "(unhealthy)" status — HEALTHCHECK not configured

Checklist

• I confirmed this bug is reproducible
• I searched existing issues and this is not a duplicate

[dinuduke]

Recommended Fix

# Add after ENTRYPOINT in Dockerfile:
HEALTHCHECK --interval=10s --timeout=3s --start-period=10s --retries=3 \
  CMD openclaw doctor --quick || exit 1

[latenighthackathon]

NemoClaw's primary deployment target is Kubernetes via OpenShell, where health checking is handled at the pod level through liveness, readiness, and startup probes — not in the container image. Docker HEALTHCHECK is primarily useful for standalone Docker or Compose deployments.

The idea of a health check is reasonable, but the suggested fix (openclaw doctor) runs inside the nested sandbox, which the host container cannot reach directly. A HEALTHCHECK at the Dockerfile level would need to target something in the host container scope (e.g., checking if the OpenShell gateway process is alive). For K8s deployments, this would typically be a liveness probe in the pod spec.