[awf] api-proxy: Flaky awf-api-proxy unhealthy failure during docker compose up

[lpcox]

Problem

The awf-api-proxy sidecar container intermittently fails its health check during docker compose up, causing the agent to never start. This has been reported on gh-aw v0.71.1 with firewall image 0.25.28 and matches a prior pattern from #27888 (now closed).

The compose health check configuration is:

healthcheck:
  test: [CMD, curl, '-f', '(localhost/redacted)
  interval: 1s
  timeout: 1s
  retries: 5
  start_period: 2s

Total window is only 7 seconds (2s start + 5×1s), which may be insufficient on loaded GitHub-hosted runners.

Context

• Original issue: Flaky awf-api-proxy unhealthy failure in downstream Copilot workflow gh-aw#28898
• Affected version: gh-aw v0.71.1, firewall 0.25.28
• Runner image: ubuntu24, ImageVersion: 20260426.100.1
• Downstream repo: elastic/docs-content
• Failed run: https://github.com/elastic/docs-content/actions/runs/25046213576

Root Cause

Two compounding problems:

1. Insufficient health check grace period. The start_period: 2s and 5 retries with 1s interval gives a maximum window of ~7s for the Node.js api-proxy process to start, bind its port, and pass the /health check. On a resource-constrained or busy runner, container startup alone can exceed this window.

2. Missing log capture on failure. When docker compose up fails due to an unhealthy container, the api-proxy logs are not captured before containers are removed. The api-proxy-logs mount directory is absent from uploaded artifacts, making the failure undiagnosable.

Relevant source files:

• src/docker-manager.ts — generates the Docker Compose config including the health check parameters
• src/cli.ts — stopContainers() cleans up after failure; does not capture api-proxy logs before teardown
• containers/api-proxy/ — the api-proxy container itself

Proposed Solution

1. Increase health check tolerance in src/docker-manager.ts: raise start_period to 5s, retries to 10, and timeout to 3s to match the Squid health check's robustness.

2. Capture api-proxy container logs on failure in src/cli.ts: before calling docker compose down, run docker compose logs api-proxy and write to the work directory's api-proxy-logs/ folder so it is included in uploaded artifacts.

3. Always include api-proxy-logs/ in artifacts (even if empty) to make absence explicit and aid triage.

4. Optionally retry docker compose up once if only the api-proxy health check fails, before treating the whole run as failed.

Generated by Firewall Issue Dispatcher · ● 726.9K · ◷

[github-actions]

👋 Hello! I noticed this issue might be related to an existing issue:

• api-proxy healthcheck flaps during startup, causing Docker Compose to fail #2154 - api-proxy healthcheck flaps during startup, causing Docker Compose to fail (closed as completed on April 22, 2026)

Both issues describe the same problem: awf-api-proxy failing its health check during docker compose up due to insufficient start_period/retry tolerance, with the same proposed fixes (increase start_period, retries, timeout in src/docker-manager.ts).

If #2154's fix was applied but the regression has reappeared, this new issue may represent a recurrence worth investigating separately. Otherwise, please review whether the fix from #2154 fully resolved the problem.

This is an automated message from the issue duplication detector.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

• #2139 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Issue Duplication Detector for issue #2266 · ● 182.6K · ◷

[lpcox]

Closing — this was addressed by PR #2255 (merged), which increased the api-proxy health check tolerances:

• start_period: 10s → 30s
• retries: 10 → 15
• interval: 1s → 2s, timeout: 2s → 3s

This gives slower/busier runners significantly more headroom. The fix is included in firewall v0.25.29.