Open
Conversation
WalkthroughA new Docker analytics image infrastructure is introduced, including a Dockerfile that builds an Ubuntu-based container with Ballerina, OpenJDK 21, and Fluent Bit. An entrypoint script orchestrates startup of both the FHIR service and Fluent Bit monitoring. The Changes
Sequence DiagramsequenceDiagram
participant Container as Container Runtime
participant Entrypoint as entrypoint.sh
participant FhirService as FHIR Service<br/>(Java JAR)
participant FluentBit as Fluent Bit
Container->>Entrypoint: Execute /home/ballerina/entrypoint.sh
activate Entrypoint
Entrypoint->>FhirService: exec java -jar fhir.service.jar &
activate FhirService
FhirService-->>Entrypoint: Running (background)
Entrypoint->>FluentBit: /opt/fluent-bit/bin/fluent-bit -c fluent-bit.conf
activate FluentBit
FluentBit-->>Entrypoint: Monitoring active
Note over FhirService,FluentBit: Both services running concurrently
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs). Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (3)
fhir-service/resources/analytics/docker/Dockerfile (3)
39-39: Consider adding a HEALTHCHECK instruction.Without a HEALTHCHECK, container orchestrators cannot detect if the Java service inside becomes unresponsive. This is especially important given the dual-process setup.
💡 Example HEALTHCHECK
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ CMD curl -f http://localhost:8080/health || exit 1Adjust the port and endpoint to match your service's health endpoint.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fhir-service/resources/analytics/docker/Dockerfile` at line 39, Add a Docker HEALTHCHECK to the Dockerfile (near the ENTRYPOINT ["/home/ballerina/entrypoint.sh"]) so orchestrators can detect an unresponsive Java process; implement a HEALTHCHECK that periodically curls your service health endpoint (adjust host, port and path to match the Java service, e.g., localhost:8080/health) with sensible --interval, --timeout, --start-period and --retries values; place this instruction before or after the ENTRYPOINT line in the Dockerfile so the container reports unhealthy when the HTTP check fails.
10-15: Consider consolidatingapt-get updatecalls to reduce layers and build time.There are four separate
apt-get updatecalls (lines 6, 10, 17, 21). Consolidating package installations into fewer RUN instructions reduces image layers and speeds up builds.♻️ Example consolidated structure
RUN apt-get update \ && apt-get install -y --no-install-recommends \ openjdk-21-jre-headless \ wget \ curl \ gnupg \ ca-certificates \ && wget https://dist.ballerina.io/downloads/2201.12.3/ballerina-2201.12.3-swan-lake-linux-x64.deb \ && dpkg -i ballerina-2201.12.3-swan-lake-linux-x64.deb \ && rm ballerina-2201.12.3-swan-lake-linux-x64.deb \ # ... fluent-bit installation ... \ && apt-get clean \ && rm -rf /var/lib/apt/lists/*🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fhir-service/resources/analytics/docker/Dockerfile` around lines 10 - 15, Multiple RUN blocks call apt-get update separately which increases image layers and build time; consolidate package installs and related commands into a single RUN block (the existing RUN that installs wget and dpkg-installs Ballerina is a good location) by merging all apt-get install targets (e.g., openjdk-21-jre-headless, wget, curl, gnupg, ca-certificates, and any fluent-bit deps) into that RUN, run apt-get update once, perform installs, run the wget + dpkg -i ballerina-2201.12.3-swan-lake-linux-x64.deb, then clean with apt-get clean and rm -rf /var/lib/apt/lists/* so the Dockerfile's RUN that contains wget and dpkg -i ballerina-2201.12.3-swan-lake-linux-x64.deb is the consolidated place to remove the extra apt-get update calls and reduce layers.
6-8: Add--no-install-recommendsto reduce image size.Installing the full JDK without
--no-install-recommendspulls in many unnecessary packages. Since only a runtime is needed to execute the JAR, consider usingopenjdk-21-jre-headlessinstead.♻️ Proposed fix
RUN apt-get update \ - && apt-get install -y openjdk-21-jdk \ + && apt-get install -y --no-install-recommends openjdk-21-jre-headless \ && rm -rf /var/lib/apt/lists/*🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fhir-service/resources/analytics/docker/Dockerfile` around lines 6 - 8, In the Dockerfile RUN step that currently installs openjdk-21-jdk, replace the full JDK install with a minimal runtime and disable recommended packages: use apt-get install -y --no-install-recommends openjdk-21-jre-headless (keep the apt-get update and the rm -rf /var/lib/apt/lists/* cleanup) so the image size is reduced and only the runtime needed to run the JAR is installed; look for the RUN line that mentions openjdk-21-jdk and update it accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@fhir-service/resources/analytics/docker/Dockerfile`:
- Around line 21-28: The Dockerfile RUN step currently pipes curl to sh (curl
https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh)
which is a supply-chain risk; replace this by adding the official Fluent Bit APT
repository with a pinned package version (import the fluentbit.key via curl ->
gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpg, add the apt source
list for fluent-bit, apt-get update, then apt-get install
fluent-bit=<desired-version>) or, if you must run the installer script, download
the script first (curl -o install.sh), verify its checksum/signature, then
execute it; update the RUN block to remove any direct curl | sh usage and ensure
package version pinning and signature/checksum verification for the fluent-bit
installer.
In `@fhir-service/resources/analytics/docker/entrypoint.sh`:
- Around line 1-8: The entrypoint.sh starts the Java service in the background
with "exec java -jar /home/ballerina/fhir.service.jar &" and then runs Fluent
Bit in foreground, so if Java crashes the container stays up; also "exec" is
meaningless when backgrounding. Fix by running the primary service in foreground
and the sidecar in background (or use a supervisor): stop backgrounding the Java
process (remove "&" and the incorrect use of exec for it) and launch
/opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf in the
background, or replace the script with a proper process supervisor (e.g.,
supervisord or tini) to manage both processes and ensure container exit/restart
on Java failure; also add or ensure health checks for the Java process.
---
Nitpick comments:
In `@fhir-service/resources/analytics/docker/Dockerfile`:
- Line 39: Add a Docker HEALTHCHECK to the Dockerfile (near the ENTRYPOINT
["/home/ballerina/entrypoint.sh"]) so orchestrators can detect an unresponsive
Java process; implement a HEALTHCHECK that periodically curls your service
health endpoint (adjust host, port and path to match the Java service, e.g.,
localhost:8080/health) with sensible --interval, --timeout, --start-period and
--retries values; place this instruction before or after the ENTRYPOINT line in
the Dockerfile so the container reports unhealthy when the HTTP check fails.
- Around line 10-15: Multiple RUN blocks call apt-get update separately which
increases image layers and build time; consolidate package installs and related
commands into a single RUN block (the existing RUN that installs wget and
dpkg-installs Ballerina is a good location) by merging all apt-get install
targets (e.g., openjdk-21-jre-headless, wget, curl, gnupg, ca-certificates, and
any fluent-bit deps) into that RUN, run apt-get update once, perform installs,
run the wget + dpkg -i ballerina-2201.12.3-swan-lake-linux-x64.deb, then clean
with apt-get clean and rm -rf /var/lib/apt/lists/* so the Dockerfile's RUN that
contains wget and dpkg -i ballerina-2201.12.3-swan-lake-linux-x64.deb is the
consolidated place to remove the extra apt-get update calls and reduce layers.
- Around line 6-8: In the Dockerfile RUN step that currently installs
openjdk-21-jdk, replace the full JDK install with a minimal runtime and disable
recommended packages: use apt-get install -y --no-install-recommends
openjdk-21-jre-headless (keep the apt-get update and the rm -rf
/var/lib/apt/lists/* cleanup) so the image size is reduced and only the runtime
needed to run the JAR is installed; look for the RUN line that mentions
openjdk-21-jdk and update it accordingly.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 08749126-9dae-47a0-aff7-83e5462fe58e
📒 Files selected for processing (3)
.gitignorefhir-service/resources/analytics/docker/Dockerfilefhir-service/resources/analytics/docker/entrypoint.sh
Comment on lines
+21
to
+28
| RUN apt-get update \ | ||
| && apt-get install -y --no-install-recommends \ | ||
| curl \ | ||
| ca-certificates \ | ||
| && sh -c 'curl https://packages.fluentbit.io/fluentbit.key | gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpg' \ | ||
| && curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh \ | ||
| && apt-get clean \ | ||
| && rm -rf /var/lib/apt/lists/* |
There was a problem hiding this comment.
Piping curl output directly to sh is a supply chain risk.
Executing curl ... | sh without verifying the script's integrity exposes the build to potential supply chain attacks if the remote script is compromised.
Consider:
- Pinning to a specific Fluent Bit version via APT repository
- Or downloading the script, verifying a checksum, then executing
🔒 Safer alternative using APT repository with pinned version
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
curl \
ca-certificates \
- && sh -c 'curl https://packages.fluentbit.io/fluentbit.key | gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpg' \
- && curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh \
+ gnupg \
+ lsb-release \
+ && curl https://packages.fluentbit.io/fluentbit.key | gpg --dearmor -o /usr/share/keyrings/fluentbit-keyring.gpg \
+ && echo "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.gpg] https://packages.fluentbit.io/ubuntu/noble noble main" \
+ > /etc/apt/sources.list.d/fluent-bit.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends fluent-bit \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@fhir-service/resources/analytics/docker/Dockerfile` around lines 21 - 28, The
Dockerfile RUN step currently pipes curl to sh (curl
https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh)
which is a supply-chain risk; replace this by adding the official Fluent Bit APT
repository with a pinned package version (import the fluentbit.key via curl ->
gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpg, add the apt source
list for fluent-bit, apt-get update, then apt-get install
fluent-bit=<desired-version>) or, if you must run the installer script, download
the script first (curl -o install.sh), verify its checksum/signature, then
execute it; update the RUN block to remove any direct curl | sh usage and ensure
package version pinning and signature/checksum verification for the fluent-bit
installer.
Comment on lines
+1
to
+8
| #!/bin/bash | ||
| set -e | ||
|
|
||
| # Start the Ballerina service | ||
| exec java -jar /home/ballerina/fhir.service.jar & | ||
|
|
||
| # Start Fluent Bit server | ||
| /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf |
There was a problem hiding this comment.
No process supervision—container stays up if Java crashes.
The Java service runs in background while Fluent Bit runs in foreground. If the Java process crashes, Fluent Bit keeps running and the container won't restart, leaving the service unavailable without alerting Kubernetes/Choreo.
Additionally, exec ... & is misleading—exec has no effect when backgrounding.
Consider:
- Using a process supervisor (e.g.,
supervisord,tiniwith a wrapper) - Or running Java in foreground and Fluent Bit in background (if Java is the primary service)
- Adding health checks to detect Java failures
🔧 Simpler alternative: Java foreground, Fluent Bit background
#!/bin/bash
set -e
+# Start Fluent Bit in background
+/opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf &
+
# Start the Ballerina service
-exec java -jar /home/ballerina/fhir.service.jar &
-
-# Start Fluent Bit server
-/opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf
+exec java -jar /home/ballerina/fhir.service.jarThis way, if Java crashes the container exits and orchestrator can restart it.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| #!/bin/bash | |
| set -e | |
| # Start the Ballerina service | |
| exec java -jar /home/ballerina/fhir.service.jar & | |
| # Start Fluent Bit server | |
| /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf | |
| #!/bin/bash | |
| set -e | |
| # Start Fluent Bit in background | |
| /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf & | |
| # Start the Ballerina service | |
| exec java -jar /home/ballerina/fhir.service.jar |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@fhir-service/resources/analytics/docker/entrypoint.sh` around lines 1 - 8,
The entrypoint.sh starts the Java service in the background with "exec java -jar
/home/ballerina/fhir.service.jar &" and then runs Fluent Bit in foreground, so
if Java crashes the container stays up; also "exec" is meaningless when
backgrounding. Fix by running the primary service in foreground and the sidecar
in background (or use a supervisor): stop backgrounding the Java process (remove
"&" and the incorrect use of exec for it) and launch
/opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf in the
background, or replace the script with a proper process supervisor (e.g.,
supervisord or tini) to manage both processes and ensure container exit/restart
on Java failure; also add or ensure health checks for the Java process.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
Summary by CodeRabbit
Chores