Improve Docker socket connection resiliency when using socket proxy

[mg-dev25]

Issue Description

When using Sablier with a Docker socket proxy (rather than direct socket access), the application fails to properly handle connection interruptions. Specifically, if the socket proxy terminates a connection due to timeouts or other reasons, Sablier logs an error but continues to report itself as healthy while being unable to execute Docker operations.

Current Behavior

1. Sablier establishes a connection to Docker via a socket proxy
2. If the socket proxy times out or terminates the connection, Sablier logs:

   ERR docker/docker.go:155 event stream error provider=docker error="unexpected EOF"
   ERR docker/docker.go:148 event stream closed provider=docker
   

3. Sablier's health check (/health endpoint) continues to return a 200 status code with "OK"
4. Subsequent Docker operations fail silently, and users must manually restart the Sablier container

Expected Behavior

1. Sablier should attempt to reconnect to the Docker daemon when the connection is lost
2. The health check should verify Docker connectivity, not just API responsiveness
3. If reconnection fails after several attempts, Sablier should either:
   • Update its health status to unhealthy
   • Log a clear error that the Docker connection is permanently lost
   • Automatically restart itself (if possible)

Reproduction Steps

1. Configure Sablier to use a socket proxy with a timeout value (e.g., PROXY_READ_TIMEOUT=8000)
2. Wait for the timeout to occur
3. Observe Sablier logs showing "event stream error" and "event stream closed"
4. Verify that /health still returns 200 OK
5. Attempt to start a container through Sablier, which will fail

Technical Details

This issue stems from how Sablier handles the Docker client connection in the provider implementation. In the Docker provider, there appear to be two key issues:

1. Event stream resilience: The NotifyInstanceStopped method establishes a connection to the Docker events API, but doesn't automatically reconnect if this connection is lost.
2. Docker client reuse: The Docker client is created once during provider initialization and reused, but there's no mechanism to verify its connectivity or recreate it if it becomes invalid.

Proposed Solutions

1. Implement automatic reconnection to Docker daemon:

   • Add a reconnection loop in the event stream handler
   • Periodically verify Docker connectivity and recreate the client if needed

2. Enhance health check:

   • Update the /health endpoint to verify Docker connectivity
   • Add a new /health/docker endpoint specifically for Docker connectivity

3. Connection tracking:

   • Track the most recent successful Docker operation
   • If operations fail or too much time passes since the last successful operation, attempt to recreate the connection

Environment Information

• Sablier version: 1.8.4
• Docker version: 27.5.1
• Docker API version: 1.47
• Socket proxy: Used with PROXY_READ_TIMEOUT=8000

Additional Context

This issue becomes particularly problematic in production environments where Sablier is a critical component for managing containers, as it requires manual intervention to recover from connection issues.

[acouvreur]

Thanks for submitting this issue @mg-dev25

I like the idea behind enhancing the healthcheck to have the provider health status also checked.
But we should also make the event stream try to reconnect.

Is this something that happens often ? Do you know why you are losing the connection to the proxy ?

[mg-dev25]

Hi @acouvreur ,
Thanks for your prompt response! Yes, this happens frequently in my production environment where I use a Docker socket proxy for security reasons. The socket proxy is configured with a read timeout (PROXY_READ_TIMEOUT=8000 seconds), which causes disconnections after periods of inactivity. I propose a PR to try to resolve this. Thanks

[tiamilani]

Hi, I would like to add a little bit of information to this issue, which is of main interest also for me and my environment.

The connection is closed as expected behavior of the docker socket proxy, see this issue: https://github.com/Tecnativa/docker-socket-proxy/issues/21.
I think that also the error should be de-classed to a warning, given that indeed this is expected to happen sooner or later (depending on the configuration of PROXY_READ_TIMEOUT).
Something like "warning, the connection to the socket proxy has been closed, establishing re-connection..."

[Finch290]

i'm also intestered about this topic. any news?

[w00tlarr]

+1 for this issue. Occasionally and oddly quite frequently (once a day) my docker tcp gets lost and have to restart Sablier. Healthcheck so I can autoheal Sablier would be great!

[acouvreur]

I've implemented an event stream reconnection mechanism now: #891

This should be available in release 1.12.0