fix: improve Dockerfile healthcheck, signal handling, and slim runtime

[tac0turtle]

Description

• Replace no-op --version healthcheck with actual RPC liveness probe
• Add explicit STOPSIGNAL SIGTERM for proper graceful shutdown
• Remove unnecessary build/debug packages from runtime image (libssl-dev, pkg-config, strace)

[gemini-code-assist]

Summary of Changes

Hello @tac0turtle, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Dockerfile for the ev-reth application by improving its operational resilience and efficiency. It introduces a more accurate healthcheck mechanism to verify application responsiveness, ensures graceful application termination through explicit signal handling, and reduces the final image size by removing superfluous development dependencies. These changes contribute to a more stable and optimized container deployment.

Highlights

• Improved Docker Healthcheck: The Dockerfile's healthcheck has been upgraded from a basic --version check to a more robust RPC liveness probe using curl to eth_syncing on port 8545, ensuring the application is truly responsive. The start-period for the healthcheck was also increased to 60 seconds.
• Graceful Shutdown: An explicit STOPSIGNAL SIGTERM has been added to the Dockerfile, enabling proper graceful shutdown of the containerized application by sending a termination signal.
• Slimmer Runtime Image: Unnecessary development and debugging packages, specifically libssl-dev, pkg-config, and strace, have been removed from the runtime Docker image, reducing its size and potential attack surface.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• Dockerfile
  • Removed libssl-dev, pkg-config, and strace from the apt-get install command in the runtime stage to reduce image size.
  • Updated the HEALTHCHECK instruction to perform an RPC call to eth_syncing via curl on port 8545, replacing the previous --version check. The start-period was also adjusted to 60s.
  • Added STOPSIGNAL SIGTERM to define the signal used for stopping the container, promoting graceful shutdowns.

Activity

• No specific activity (comments, reviews, etc.) was provided in the context for this pull request.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[claude]

Claude finished @tac0turtle's task —— View job

---

PR Review: Dockerfile Improvements

Todo List:

• Read and analyze Dockerfile changes
• Review code quality and best practices
• Check for potential bugs or issues
• Evaluate performance considerations
• Assess security concerns
• Review test coverage implications
• Provide comprehensive feedback

---

Code Review Summary

This PR makes three focused improvements to the Dockerfile that enhance operational reliability and reduce attack surface. Overall, these are solid improvements that follow Docker best practices.

✅ Excellent Changes

1. Improved Healthcheck (Dockerfile:68-70)

HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
    CMD curl -sf http://localhost:8545/ -X POST -H "Content-Type: application/json" \
    -d '{"jsonrpc":"2.0","method":"eth_syncing","params":[],"id":1}' || exit 1

✅ Excellent improvement!

• Replaces meaningless --version check with actual RPC liveness probe
• Tests that the JSON-RPC server is responsive on port 8545
• Uses eth_syncing method which is lightweight and universally supported
• Increased start-period from 40s to 60s gives more time for Ethereum client startup

2. Explicit Signal Handling (Dockerfile:72)

STOPSIGNAL SIGTERM

✅ Great addition!

• Ensures graceful shutdown when container stops
• SIGTERM allows the application to clean up resources properly
• Critical for Ethereum clients to avoid database corruption
• Works well with existing tini init system

3. Slimmed Runtime Image (Dockerfile:57)

# Removed: libssl-dev pkg-config strace
apt-get install -y ca-certificates curl jq tini

✅ Security improvement!

• Removes unnecessary development packages from runtime
• libssl-dev and pkg-config are build-time dependencies, not needed at runtime
• strace removal reduces debugging surface area
• Smaller attack surface and image size

🔍 Technical Analysis

Code Quality: A

• Changes follow Docker best practices
• Proper separation of build vs runtime dependencies
• Clean, readable Dockerfile structure

Security: A

• Reduced attack surface: Removed unnecessary packages
• No security regressions: All changes improve or maintain security posture
• Proper signal handling: Prevents abrupt termination issues

Performance: A

• Faster health checks: RPC probe is more efficient than subprocess spawn
• Smaller image: Fewer packages reduce pull time and storage
• Better resource management: SIGTERM enables clean shutdown

Reliability: A

• More accurate health detection: Actually tests service functionality
• Graceful shutdown: Prevents data corruption scenarios
• Increased startup time: 60s start-period accommodates Ethereum client initialization

🔧 Minor Suggestions

1. Consider adding error handling to healthcheck:

HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
    CMD curl -sf http://localhost:8545/ -X POST -H "Content-Type: application/json" \
    -d '{"jsonrpc":"2.0","method":"eth_syncing","params":[],"id":1}' | jq -e '.result != null' || exit 1

This would verify the response is valid JSON, not just that curl succeeds.

2. Document the healthcheck endpoint in comments or README for operators who need to understand the health check logic.

❌ No Issues Found

• No bugs or regressions detected
• No performance concerns
• No security vulnerabilities introduced
• Changes align with ev-reth architecture (Ethereum client with Engine API focus)

Test Coverage Assessment

The changes are infrastructure-level (Dockerfile) and don't require code test coverage. However:

• ✅ Manual testing recommended: Verify container starts/stops gracefully
• ✅ Integration testing: Ensure healthcheck works in deployment environments
• ✅ Load testing: Confirm healthcheck doesn't impact performance under load

Final Verdict: ✅ APPROVED

This PR demonstrates excellent Docker practices and operational awareness. All changes are beneficial with no downsides. The improvements will make the containerized ev-reth more reliable in production environments.

Recommended actions:

1. ✅ Merge this PR
2. Consider documenting the new healthcheck behavior for operators
3. Test graceful shutdown behavior in staging environment

---

[gemini-code-assist]

Code Review

This pull request introduces several good improvements to the Dockerfile. It slims down the runtime image by removing unnecessary packages, improves the health check to be more robust by using a real RPC liveness probe, and sets STOPSIGNAL for graceful shutdown. My review includes a couple of suggestions to further enhance the Dockerfile: one to reduce the image size even more, and another to make the health check more reliable by validating the RPC response.

[gemini-code-assist]

The current healthcheck only verifies that curl exits successfully. However, a JSON-RPC server can return a successful HTTP status (200 OK) even if there's an error in the response payload (e.g., {"jsonrpc":"2.0","error":{...},"id":1}).

To make the healthcheck more robust, you can pipe the output to jq and verify that the response contains a result field, which indicates a successful RPC call. The jq utility is already installed in the image.

    CMD curl -sf http://localhost:8545/ -X POST -H "Content-Type: application/json" \
    -d '{"jsonrpc":"2.0","method":"eth_syncing","params":[],"id":1}' | jq -e '.result != null'