Docker healthcheck for nginx container

I have a project using the official nginx docker container from Docker Hub, launching via Docker Compose. I have healthchecks configured in Docker Compose for each of my containers, and recently the healthcheck for this nginx container has been behaving strangely; on launching with docker-compose up -d, all my containers launch, and begin running healthchecks, but the nginx container looks like it never runs the healthcheck. I can manually run the script just fine if I docker exec into the container, and the healthcheck runs normally if I restart the container.

Example output from docker ps:

CONTAINER ID        IMAGE                     COMMAND                  CREATED             STATUS                            PORTS                                                                       NAMES
458a55ae8971        my_custom_image           "/tini -- /usr/local…"   7 minutes ago       Up 7 minutes (healthy)                                                                                        project_worker_1
5024781b1a73        redis:3.2                 "docker-entrypoint.s…"   7 minutes ago       Up 7 minutes (healthy)            127.0.0.1:6379->6379/tcp                                                    project_redis_1
bd405dde8ce7        postgres:9.6              "docker-entrypoint.s…"   7 minutes ago       Up 7 minutes (healthy)            127.0.0.1:15432->5432/tcp                                                   project_postgres_1
93e15c18d879        nginx:mainline            "nginx -g 'daemon of…"   7 minutes ago       Up 7 minutes (health: starting)   127.0.0.1:80->80/tcp, 127.0.0.1:443->443/tcp                                nginx

Example (partial, for brevity) output from docker inspect nginx:

    "State": {
        "Status": "running",
        "Running": true,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 11568,
        "ExitCode": 0,
        "Error": "",
        "StartedAt": "2018-02-13T21:04:22.904241169Z",
        "FinishedAt": "0001-01-01T00:00:00Z",
        "Health": {
            "Status": "unhealthy",
            "FailingStreak": 0,
            "Log": []
        }
    },

The portion of the docker-compose.yml defining the nginx container:

nginx:
  image: nginx:mainline
  # using container_name means there will only ever be one nginx container!
  container_name: nginx
  restart: always
  networks:
    - proxynet
  volumes:
    - /etc/nginx/conf.d
    - /etc/nginx/vhost.d
    - /usr/share/nginx/html
    - tlsdata:/etc/nginx/certs:ro
    - attachdata:/usr/share/nginx/html/uploads:ro
    - staticdata:/usr/share/nginx/html/static:ro
    - ./nginx/healthcheck.sh:/bin/healthcheck.sh
  healthcheck:
    test: ['CMD', '/bin/healthcheck.sh']
    interval: 1m
    timeout: 5s
    retries: 3
  ports:
    # Make the http/https ports available on the Docker host IPv4 loopback interface
    - '127.0.0.1:80:80'
    - '127.0.0.1:443:443'

The healthcheck.sh I am loading in as a volume:

#!/bin/bash

service nginx status || exit 1

It looks like the problem is just an issue with systemd never returning from the status check when the container initially launches, and at the same time the configured healthcheck timeout does not trigger. Everything else works, and nginx is up and responding, but it would be nice for the healthcheck to function properly without needing to manually restart each time I start up.

Is there something missing in my configuration, or a better check I can run?

Over a year later, I have found a solution. First, an additional clarification on the environment, what I believe is happening, and speculation on a possible bug with the Docker Engine.

The Compose file I am using now is launching a lightly modified version of the 'official' Alpine NGINX image, which uses COPY to load in the healthcheck script and adds HEALTHCHECK explicitly in the image. This image is used for an nginx service, and is used in concert with an image running jwilder/docker-gen to use container metadata from Docker to generate NGINX configuration files. This container is running as a service named nginx-gen. When containers change, configuration is re-generated, and if there are any changes, a SIGHUP is sent to the nginx service.

What I discovered is the following:

• If all services are launched together, the nginx service never runs healthchecks;
• If the nginx service is restarted soon after launch, healthchecks complete normally;
• If the nginx service is launched by itself, healthchecks complete normally;
• If all services other than nginx-gen are launched together, healthchecks complete normally;
• If all services are launched together, but nginx-gen is modified to sleep 60 before doing anything, healthchecks complete normally;

So, it appears that there is some obscure interaction with signal processing, Docker, and NGINX. If a SIGHUP is sent to an NGINX process in a container before the first healthcheck runs in that container, no healthchecks ever run.

The final iteration I came up with modifies the nginx-gen container to poll the health of the nginx container. It looks up the health status of a container with a defined label in a loop, with a short sleep. Once the nginx container reports healthy, nginx-gen proceeds to generate configuration files. I also changed the notification method to docker exec a script to explicitly test and reload configuration in the nginx container, rather than rely on SIGHUP.

End result: I can docker-compose up -d, and everything eventually reports healthy without further intervention. Success!