feat: Add network sanity check for Kamal deployments

ewlarson · ewlarson · commit 52afaacc1d38 · 2026-04-07T13:55:08.000-05:00
- Introduced a new Makefile target `kamal-network-sanity` to compare host-shell and app-container connectivity on a Kamal destination.
- Added a Python script `check_kamal_network_sanity.py` that probes external URLs and the server's public hostname, reporting connectivity issues.
- Updated documentation to include usage instructions for the new Makefile target, enhancing the deployment process by ensuring network accessibility.

These changes improve the reliability of Kamal deployments by validating network configurations.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 .PHONY: help lint lint-check format test lint-test test-coverage-compare clear-thumbnail-cache prime-thumbnail-cache prime-static-map-cache prime-visual-caches db-export db-import db-sync gbl-admin-db-download gbl-admin-db-unzip gbl-admin-db-restore gbl-admin-db-sync gbl-admin-db-add-latest-btaa-fields gbl-admin-db-import-resources populate-distributions backfill-distributions populate-data-dictionaries gbl-admin-db-import-all reindex reindex-benchmark local-clear-search-cache es-unblock populate-relationships verify-h3-index kamal-reindex kamal-verify-h3-index kamal-clear-cache kamal-prime-thumbnail-cache clear_cache frontend-reset ogm-refresh ogm-refresh-all ogm-refresh-repo ogm-status ogm-status-watch ogm-failures bridge-init bridge-sync bridge-cancel bridge-status bridge-status-watch bridge-failures blog-sync
-.PHONY: kamal-blog-sync kamal-purge-home-blog-cache kamal-bridge-status kamal-bridge-status-watch kamal-cron-debug kamal-cron-test-bridge kamal-worker-logs docs-serve docs-build
+.PHONY: kamal-blog-sync kamal-purge-home-blog-cache kamal-bridge-status kamal-bridge-status-watch kamal-cron-debug kamal-cron-test-bridge kamal-worker-logs kamal-network-sanity docs-serve docs-build
 
 # Load environment variables from .env file if it exists
 -include .env
@@ -87,6 +87,10 @@ KAMAL_REINDEX_REMOVE_LEGACY_INDEX ?= true
 # If unset, the target falls back to APPLICATION_URL from Kamal env.
 KAMAL_API_URL ?=
 KAMAL_CACHE_TYPE ?= search
+KAMAL_NETWORK_SELF_URL ?=
+KAMAL_NETWORK_EXTERNAL_URLS ?= https://api.github.com https://raw.githubusercontent.com https://gin.btaa.org http://example.com
+KAMAL_NETWORK_CONNECT_TIMEOUT ?= 5
+KAMAL_NETWORK_MAX_TIME ?= 12
 OGM_API_URL ?= http://localhost:8000
 OGM_STATUS_POLL_SECONDS ?= 5
 BRIDGE_API_URL ?= http://localhost:8000
@@ -1044,6 +1048,30 @@ kamal-worker-logs: ## Tail Celery worker logs (diagnose queued-but-not-running t
 	@echo "Tailing worker logs (Ctrl+C to stop)..."
 	@kamal app logs -d $(KAMAL_DEST) --roles worker --lines $(or $(KAMAL_LOG_LINES),200) -f
 
+# Compare host-shell and app-container networking on a Kamal destination.
+# This catches "host works, container cannot reach self public FQDN" problems.
+# Usage:
+#   make kamal-network-sanity
+#   make kamal-network-sanity KAMAL_DEST=dev2
+#   make kamal-network-sanity KAMAL_APP_ROLE=cron
+#   make kamal-network-sanity KAMAL_NETWORK_EXTERNAL_URLS="https://api.github.com https://geo.btaa.org"
+kamal-network-sanity: ## Check host/container outbound + self-FQDN networking on Kamal
+	@echo "Checking Kamal networking sanity (dest: $(KAMAL_DEST), role: $(KAMAL_APP_ROLE))..."
+	@if [ -z "$$KAMAL_SSH_USER" ] || [ -z "$$KAMAL_HOST" ]; then \
+		echo "ERROR: KAMAL_SSH_USER and KAMAL_HOST environment variables must be set."; \
+		echo "Use KAMAL_DEST=dev1 or dev2. Ensure .kamal/secrets-common and .kamal/secrets.dev1 (or .secrets.dev2) exist."; \
+		exit 1; \
+	fi
+	@KAMAL_DEST="$(KAMAL_DEST)" \
+	KAMAL_HOST="$(KAMAL_HOST)" \
+	KAMAL_SSH_USER="$(KAMAL_SSH_USER)" \
+	KAMAL_APP_ROLE="$(KAMAL_APP_ROLE)" \
+	KAMAL_NETWORK_SELF_URL="$(KAMAL_NETWORK_SELF_URL)" \
+	KAMAL_NETWORK_EXTERNAL_URLS='$(KAMAL_NETWORK_EXTERNAL_URLS)' \
+	KAMAL_NETWORK_CONNECT_TIMEOUT="$(KAMAL_NETWORK_CONNECT_TIMEOUT)" \
+	KAMAL_NETWORK_MAX_TIME="$(KAMAL_NETWORK_MAX_TIME)" \
+	python3 backend/scripts/check_kamal_network_sanity.py
+
 # Prime thumbnail cache on remote Kamal app container.
 # Usage examples:
 #   source .kamal/secrets && make kamal-prime-thumbnail-cache
diff --git a/backend/scripts/check_kamal_network_sanity.py b/backend/scripts/check_kamal_network_sanity.py
@@ -0,0 +1,206 @@
+from __future__ import annotations
+
+import os
+import re
+import shlex
+import shutil
+import subprocess
+import sys
+from dataclasses import dataclass
+from typing import Dict, Iterable, List
+
+DEFAULT_EXTERNAL_URLS = (
+    "https://api.github.com",
+    "https://raw.githubusercontent.com",
+    "https://gin.btaa.org",
+    "http://example.com",
+)
+RESULT_PREFIX = "RESULT\t"
+
+
+@dataclass
+class ProbeResult:
+    url: str
+    exit_code: int
+    details: str
+
+    @property
+    def fields(self) -> Dict[str, str]:
+        return dict(re.findall(r"([a-z_]+)=([^ ]*)", self.details))
+
+    @property
+    def http_code(self) -> str:
+        return self.fields.get("http", "")
+
+    @property
+    def remote_ip(self) -> str:
+        return self.fields.get("remote_ip", "")
+
+    @property
+    def total(self) -> str:
+        return self.fields.get("total", "")
+
+    @property
+    def ok(self) -> bool:
+        return self.exit_code == 0 and self.http_code not in {"", "000"}
+
+
+def _required_env(name: str) -> str:
+    value = os.getenv(name, "").strip()
+    if not value:
+        raise SystemExit(f"ERROR: {name} is required")
+    return value
+
+
+def _probe_script(urls: Iterable[str], *, connect_timeout: str, max_time: str) -> str:
+    url_args = " ".join(shlex.quote(url) for url in urls)
+    return (
+        f"for url in {url_args}; do "
+        "out=$(curl -I -sS -o /dev/null "
+        f"-w 'http=%{{http_code}} remote_ip=%{{remote_ip}} connect=%{{time_connect}} "
+        f"tls=%{{time_appconnect}} total=%{{time_total}}' "
+        f"--connect-timeout {shlex.quote(connect_timeout)} "
+        f'-m {shlex.quote(max_time)} "$url" 2>&1); '
+        "status=$?; "
+        'printf \'RESULT\t%s\t%s\t%s\n\' "$url" "$status" "$out"; '
+        "done"
+    )
+
+
+def _run_command(cmd: List[str], label: str) -> str:
+    try:
+        result = subprocess.run(cmd, check=True, capture_output=True, text=True)
+    except FileNotFoundError as exc:
+        raise SystemExit(f"ERROR: missing required command for {label}: {exc.filename}") from exc
+    except subprocess.CalledProcessError as exc:
+        stderr = exc.stderr.strip()
+        stdout = exc.stdout.strip()
+        detail = stderr or stdout or f"exit status {exc.returncode}"
+        raise SystemExit(f"ERROR: {label} failed: {detail}") from exc
+    return result.stdout
+
+
+def _parse_results(output: str) -> Dict[str, ProbeResult]:
+    results: Dict[str, ProbeResult] = {}
+    for line in output.splitlines():
+        if not line.startswith(RESULT_PREFIX):
+            continue
+        _, url, exit_code, details = line.split("\t", 3)
+        results[url] = ProbeResult(url=url, exit_code=int(exit_code), details=details)
+    return results
+
+
+def _print_section(
+    title: str, urls: List[str], results: Dict[str, ProbeResult], self_url: str
+) -> None:
+    print(f"{title}:")
+    for url in urls:
+        result = results.get(url)
+        if result is None:
+            print(f"  FAIL {url} (no result)")
+            continue
+        label = "self" if url == self_url else "ext "
+        if result.ok:
+            print(
+                f"  OK   [{label}] {url} "
+                f"http={result.http_code} ip={result.remote_ip or '-'} total={result.total or '-'}"
+            )
+        else:
+            print(
+                f"  FAIL [{label}] {url} exit={result.exit_code} "
+                f"http={result.http_code or '000'} detail={result.details}"
+            )
+
+
+def main() -> int:
+    if shutil.which("ssh") is None:
+        raise SystemExit("ERROR: ssh is required")
+    if shutil.which("kamal") is None:
+        raise SystemExit("ERROR: kamal is required")
+
+    kamal_dest = _required_env("KAMAL_DEST")
+    kamal_host = _required_env("KAMAL_HOST")
+    kamal_ssh_user = _required_env("KAMAL_SSH_USER")
+    kamal_app_role = os.getenv("KAMAL_APP_ROLE", "web").strip() or "web"
+    connect_timeout = os.getenv("KAMAL_NETWORK_CONNECT_TIMEOUT", "5").strip() or "5"
+    max_time = os.getenv("KAMAL_NETWORK_MAX_TIME", "12").strip() or "12"
+
+    self_url = os.getenv("KAMAL_NETWORK_SELF_URL", "").strip() or f"https://{kamal_host}"
+    external_urls = shlex.split(os.getenv("KAMAL_NETWORK_EXTERNAL_URLS", "").strip())
+    if not external_urls:
+        external_urls = list(DEFAULT_EXTERNAL_URLS)
+
+    urls = list(dict.fromkeys([*external_urls, self_url]))
+    probe_script = _probe_script(urls, connect_timeout=connect_timeout, max_time=max_time)
+
+    host_output = _run_command(
+        ["ssh", f"{kamal_ssh_user}@{kamal_host}", f"bash -lc {shlex.quote(probe_script)}"],
+        "host probe",
+    )
+    container_output = _run_command(
+        [
+            "kamal",
+            "app",
+            "exec",
+            "-d",
+            kamal_dest,
+            "--roles",
+            kamal_app_role,
+            "--reuse",
+            f"bash -lc {shlex.quote(probe_script)}",
+        ],
+        "container probe",
+    )
+
+    host_results = _parse_results(host_output)
+    container_results = _parse_results(container_output)
+
+    print(
+        f"Network sanity report for {kamal_dest} "
+        f"(host={kamal_host}, role={kamal_app_role}, self_url={self_url})"
+    )
+    print("")
+    _print_section("Host shell", urls, host_results, self_url)
+    print("")
+    _print_section("Container", urls, container_results, self_url)
+    print("")
+
+    failures: List[str] = []
+    for url in urls:
+        host_result = host_results.get(url)
+        container_result = container_results.get(url)
+        if host_result is None or not host_result.ok:
+            failures.append(f"host failed: {url}")
+        if container_result is None or not container_result.ok:
+            failures.append(f"container failed: {url}")
+
+    host_self_ok = host_results.get(self_url).ok if self_url in host_results else False
+    container_self_ok = (
+        container_results.get(self_url).ok if self_url in container_results else False
+    )
+    external_container_failures = [
+        url for url in external_urls if not container_results.get(url, ProbeResult(url, 1, "")).ok
+    ]
+
+    if not failures:
+        print(
+            "PASS: host shell and container can reach the expected external URLs "
+            "and self public hostname."
+        )
+        return 0
+
+    if host_self_ok and not container_self_ok and not external_container_failures:
+        print(
+            "FAIL: host shell can reach the self public hostname, but the container cannot. "
+            "This points to a container-to-self-FQDN / hairpin / firewall-path issue."
+        )
+    else:
+        print("FAIL: one or more host/container connectivity probes failed.")
+
+    for failure in failures:
+        print(f"  - {failure}")
+    return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/docs/make_tasks.md b/docs/make_tasks.md
@@ -40,6 +40,7 @@ Overrides:
   - Useful overrides: `KAMAL_REINDEX_RETAIN_PREVIOUS=1` (default), `KAMAL_REINDEX_PRUNE_OLD=true` (default), `KAMAL_REINDEX_ALLOW_PARTIAL=false` (default; blocks swap on indexing/count mismatch), `KAMAL_REINDEX_REMOVE_LEGACY_INDEX=true` (default; one-time migration from legacy non-alias index name).
 - `make kamal-verify-h3-index`: verify H3 fields on remote Kamal app containers. Use `KAMAL_DEST=dev1` or `dev2`.
 - `make kamal-clear-cache`: clear remote API cache on Kamal (defaults to `KAMAL_CACHE_TYPE=search`). Use `KAMAL_DEST=dev1` or `dev2`. Override with `KAMAL_CACHE_TYPE=all` (or `suggest`/`item`).
+- `make kamal-network-sanity`: compare host-shell and app-container connectivity on a Kamal destination. It probes a few external URLs plus the server's own public hostname and exits nonzero if the container cannot reach something the host can. Defaults to `KAMAL_DEST=dev1`, role `web`, self URL `https://$(KAMAL_HOST)`, and external URLs `https://api.github.com https://raw.githubusercontent.com https://gin.btaa.org http://example.com`. Override with `KAMAL_APP_ROLE=cron`, `KAMAL_NETWORK_SELF_URL=...`, or `KAMAL_NETWORK_EXTERNAL_URLS="..."`.
 - `make ingest`: ingest BTAA fixture JSON files into the DB (runs inside the `api` Docker container). Default: `data/fixtures/btaa_fixtures_data`. Override with `make ingest FIXTURES_DIR=btaa_featured_resources REPO_NAME=btaa_featured_resources`. After ingest, run `make reindex` to index into Elasticsearch.
 - `make ingest-featured`: ingest `data/fixtures/btaa_featured_resources` into the DB and then reindex into Elasticsearch (one-step for featured resources).
 - `make clear_cache`: flush Redis cache DB (`REDIS_DB`, requires `REDIS_PASSWORD`)
@@ -108,4 +109,3 @@ Elasticsearch blocks writes when the disk passes the flood-stage watermark (e.g.
 3. **Relax watermarks for local dev only**: In `docker-compose.yml`, under the `elasticsearch` service env, you can temporarily set e.g. `cluster.routing.allocation.disk.watermark.flood_stage=99.9%` (or disable with `cluster.routing.allocation.disk.threshold_enabled=false`). Only do this on a dev machine with enough free space; otherwise you risk filling the disk.
 
 4. **Use a remote Elasticsearch** with more space: Point the app at another ES (e.g. via `ELASTICSEARCH_URL` and run reindex there).
-
