Minimal, statically linked tools designed for container health checks. Built with musl for minimal size and zero dependencies.
A common use case is to include these tools in HEALTHCHECK instructions in Dockerfiles, allowing Docker to
monitor the health of applications running inside containers. Typically, you
don't need them in Kubernetes (because Kubernetes has its own health check mechanisms, where the
kubelet periodically checks the container's status), but in vanilla Docker or other container runtimes without
built-in health checks, these tools can be very useful.
You might say, "But why? There are already tools like curl or wget!". That's true, but those tools are often
quite large because they include many features and dependencies. Using them only for health checks can
unnecessarily increase the size of your Docker images. These tools are designed to be as small as possible
while still providing the required functionality, especially for scratch or distroless images (curl and
wget won't work there at all, since they rely on shared libraries). In addition, their exit codes are
designed to match Docker's expectations for health checks (0 = healthy, 1 = unhealthy), whereas curl and
wget do not follow this convention.
Just to illustrate the size difference, here is a comparison of adding httpcheck versus curl or wget:
COPY --from=... /bin/httpcheck [β--------------------------------------] 75Kb
apk add wget [βββββββββββββββββββ--------------------] 3.3Mb // 44Γ larger
apt install wget [βββββββββββββββββββββ------------------] 4Mb // 53Γ larger
apk add curl [ββββββββββββββββββββββββββ-------------] 5.2Mb // 69Γ larger
apt install curl [βββββββββββββββββββββββββββββββββββββββ] 9.3Mb // 124Γ larger
So, think of this as an alternative to:
-# install curl for health checks (+~10MB)
-RUN apt update && apt install -y curl && rm -r /var/lib/apt/lists/*
-
-HEALTHCHECK --interval=5m --timeout=3s CMD curl -f http://localhost:8080/ || exit 1
+# add httpcheck binary (+~75KB)
+COPY --from=ghcr.io/tarampampam/microcheck:1 /bin/httpcheck /bin/httpcheck
+
+HEALTHCHECK --interval=5m --timeout=3s CMD ["httpcheck", "http://localhost:8080/"]Note
By the way - the first approach also creates a shell process (adding unnecessary overhead) and depends on the shell being present in the container, which may not be the case in minimal images.
- Statically linked: Works in minimal containers (e.g.,
scratch,distroless) - Pretty fast: Written in pure
C, compiled withmusl - Multi-arch and cross-compiled (x86_64, ARM, etc.), even for macOS you may find precompiled binaries in the releases
- Distributed as single binaries (see the releases page) and Docker image
- Minimal size: Optimized for small Docker images
- TLS support: Uses
mbedTLSfor HTTPS (accepts self-signed certificates and does NOT verify SSL/TLS certificates) - Protocol auto-detection (
httpscheckonly): Automatically tries HTTPS first, falls back to HTTP on TLS errors - Flexible configuration: Command-line flags and environment variables
- Docker-friendly: Handles signals (
SIGTERM,SIGINT) gracefully
| Tool | Size | Use case |
|---|---|---|
httpcheck |
~75KB | Check HTTP (only) endpoints |
httpscheck |
~500KB | Check HTTP and HTTPS endpoints |
portcheck |
~70KB | Check TCP/UDP ports |
parallel |
~50KB | Run multiple commands in parallel |
pidcheck |
~40KB | Check if process from PID file is running |
Those tools perform HTTP health checks. httpscheck includes TLS support, while httpcheck does not to reduce
the binary file size. Both tools share the same command-line interface, and even compile from the same source
code (but with different build flags).
Note
httpscheck supports protocol auto-detection: when no protocol (http:// or https://) is specified in the URL,
it will first attempt an HTTPS connection. If the HTTPS connection fails (TLS handshake error), it will automatically
fall back to HTTP. This is useful for applications that may have TLS enabled or disabled based on configuration.
Options:
-h, --help Show this help message
-m, --method HTTP method to use (default: "GET") [$CHECK_METHOD]
--method-env Change env variable name for --method
-u, --user-agent User-Agent header value (default: "healthcheck/0.0.0 (httpscheck)") [$CHECK_USER_AGENT]
--user-agent-env Change env variable name for --user-agent
-t, --timeout Request timeout in seconds (default: "5") [$CHECK_TIMEOUT]
--timeout-env Change env variable name for --timeout
-H, --header Add custom HTTP header (can be used multiple times)
--basic-auth Basic auth credentials (username:password) [$CHECK_BASIC_AUTH]
--basic-auth-env Change env variable name for --basic-auth
--host Override hostname from URL [$CHECK_HOST]
--host-env Change env variable name for --host
-p, --port Override port from URL [$CHECK_PORT]
--port-env Change env variable name for --port
URL Format Examples:
# Explicit HTTP
httpcheck http://localhost:8080/health
# Explicit HTTPS
httpscheck https://localhost:8080/health
# Auto-detect (httpscheck only): tries HTTPS first, falls back to HTTP on TLS error
httpscheck localhost:8080/healthThis tool checks if a TCP or UDP port is open on a given host (usually 127.0.0.1). For TCP, it attempts to
establish a connection, while for UDP... Since UDP is connectionless - very frequently it may not be possible to
determine if the port is open or closed.
Important
Most UDP servers respond only to valid protocol requests. This tool sends nearly empty UDP datagram, which may not receive a response from many services. Use UDP checks only when you are certain the target will respond appropriately.
Note
You need to specify the target host and port explicitly via flags or environment variables. Don't try to pass
them as positional arguments like portcheck --port 80 example.com, as this tool does not accept them that way.
Use --host and --port options instead - portcheck --port 80 --host example.com.
Options:
-h, --help Show this help message
--tcp Use TCP protocol (default)
--udp Use UDP protocol
--host Target hostname or IPv4 address (default: "127.0.0.1") [$CHECK_HOST]
--host-env Change env variable name for --host
-p, --port Target port number (required) [$CHECK_PORT]
--port-env Change env variable name for --port
-t, --timeout Check timeout in seconds (default: "5") [$CHECK_TIMEOUT]
--timeout-env Change env variable name for --timeout
Examples:
# Check TCP port 80 on localhost
portcheck --port 80
# Check UDP port 53 on example.com
portcheck --udp --port 53 --host example.comThis tool executes multiple commands in parallel and is designed specifically for Docker health checks where you need to verify multiple conditions simultaneously. It returns exit code 0 only if all commands succeed, or the exit code of the first failed command otherwise.
The main use case is combining multiple health checks (HTTP endpoints, TCP ports, etc.) into a single
HEALTHCHECK instruction. When any command fails, parallel immediately terminates all other running commands
and returns the failure code, ensuring fast failure detection.
Options:
-h, --help Show this help message
-j, --jobs Limit number of parallel jobs (has no effect, kept for backward compatibility
Examples:
# Check both HTTP endpoint AND port using parallel
parallel "httpcheck http://127.0.0.1:8080" "portcheck --port 8080"
# Check multiple HTTP endpoints
parallel "httpcheck http://127.0.0.1:8080/health" "httpcheck http://127.0.0.1:8080/status"Commands can be specified as:
- Unquoted words for simple commands:
parallel whoami id - Quoted strings for commands with arguments:
parallel "echo hello" "echo world" - Mixed quoted/unquoted parts that concatenate:
parallel cmd'arg1 arg2'"arg3"(produces a single argument:cmdarg1 arg2arg3)
Inside quoted strings:
- Single quotes preserve everything literally (no escaping)
- Double quotes allow backslash escaping
- Spaces and tabs separate arguments
- Adjacent quoted/unquoted parts concatenate into single argument
This tool checks whether a process specified in a PID file or directly by PID is currently running. It reads the PID
from a file or a command line argument and verifies that the process exists using the kill(pid, 0) system call.
Note
The zero signal (kill(pid, 0)) does not actually send a signal but performs error checking to determine whether
the process exists and whether the current user has permission to send signals to it.
It may be useful for monitoring daemon processes inside containers that do not open any kind of network ports, but write their PID to a file.
Options:
-h, --help Show this help message
-f, --file Path to PID file [$CHECK_PIDFILE]
--file-env Change env variable name for --file
-p, --pid Process ID to check [$CHECK_PID]
--pid-env Change env variable name for --pid
Note
The --file and --pid options are mutually exclusive and cannot be used together.
Here is an example of how to create and write a PID file in your Go app:
package main
import (
"fmt"
"os"
"strconv"
)
func main() {
pidFile := "/var/run/myapp.pid"
// write the PID to the specified file
if err := os.WriteFile(pidFile, []byte(strconv.Itoa(os.Getpid())), 0o644); err != nil {
panic(fmt.Errorf("failed to write PID file: %w", err))
}
defer func() { _ = os.Remove(pidFile) }() // remove PID file on exit
// ... the rest of your app
}And then use pidcheck in your Dockerfile:
HEALTHCHECK --interval=5s CMD ["pidcheck", "--file", "/var/run/myapp.pid"]The PID file should contain a single process ID number. Leading and trailing whitespace is automatically stripped. Any non-numeric content will result in an error.
Most options can be overridden via environment variables. This is useful in Docker containers, where you may want to configure health checks without modifying the command line. For example:
# Use a custom method via environment variable
CHECK_METHOD=HEAD httpcheck http://127.0.0.1
# If the application already uses the APP_PORT variable, you can map it to override the port used by httpcheck
APP_PORT=8080 httpcheck --port-env=APP_PORT http://127.0.0.1| Registry | Image |
|---|---|
| GitHub Container Registry | ghcr.io/tarampampam/microcheck |
| Red Hat Container Registry | quay.io/tarampampam/microcheck |
| Docker Hub | tarampampam/microcheck |
Important
Using the latest tag for the Docker image is highly discouraged due to potential backward-incompatible changes
during major upgrades. Please use tags in the X.Y.Z, X.Y, or at least X format.
The following platforms for this image are available:
$ docker run --rm mplatform/mquery ghcr.io/tarampampam/microcheck:1
Image: ghcr.io/tarampampam/microcheck:1
* Manifest List: Yes (Image type: application/vnd.oci.image.index.v1+json)
* Supported platforms:
- linux/386
- linux/amd64
- linux/arm/v6
- linux/arm/v7
- linux/arm64
- linux/ppc64le
- linux/s390xPre-compiled static binaries are available on the releases page. Download the appropriate binary for your architecture and operating system.
π Healthcheck for HTTP server
# use empty filesystem
FROM scratch
# import some executable application
COPY --from=docker.io/containous/whoami:v1.5.0 /whoami /whoami
# import httpcheck from current repository image (exactly 'httpcheck' due
# to we don't need TLS here)
COPY --from=ghcr.io/tarampampam/microcheck:1 /bin/httpcheck /bin/httpcheck
# docs: <https://docs.docker.com/reference/dockerfile#healthcheck>
HEALTHCHECK --interval=5s --retries=2 CMD ["httpcheck", "http://127.0.0.1:8080/health"]
ENTRYPOINT ["/whoami", "-port", "8080"]Let's build it and run:
$ docker build -t http-check:local - < ./examples/http-check.Dockerfile
$ docker run --rm -d --name http-check http-check:local
$ docker ps --filter 'name=http-check' --format '{{.Status}}'
Up 6 seconds (healthy)
$ docker kill http-checkπ Multiple health checks with parallel
This example shows how to use parallel to check multiple conditions simultaneously. The container is
considered healthy only if all checks pass:
FROM scratch
# import some executable application
COPY --from=docker.io/containous/whoami:v1.5.0 /whoami /whoami
# import httpcheck, portcheck and parallel from microcheck image
COPY --from=ghcr.io/tarampampam/microcheck:1 /bin/httpcheck /bin/portcheck /bin/parallel /bin/
# check both HTTP endpoint AND port using parallel (the port usually will differ from the HTTP port)
HEALTHCHECK --interval=5s --retries=2 CMD ["parallel", \
"httpcheck http://127.0.0.1:8080", \
"portcheck --port 8080" \
]
ENTRYPOINT ["/whoami", "-port", "8080"]Let's build it and run:
$ docker build -t parallel:local - < ./examples/parallel.Dockerfile
$ docker run --rm -d --name parallel parallel:local
$ docker ps --filter 'name=parallel' --format '{{.Status}}'
Up 6 seconds (healthy)
$ docker kill parallelπ Healthcheck with protocol auto-detection
This example demonstrates the protocol auto-detection feature of httpscheck, which is useful when your application
may have TLS enabled or disabled based on configuration:
# use empty filesystem
FROM scratch
# import your application (example assumes it can run with or without TLS)
COPY --from=your-app:latest /app /app
# import httpscheck to enable auto-detection
COPY --from=ghcr.io/tarampampam/microcheck:1 /bin/httpscheck /bin/httpscheck
# healthcheck will try HTTPS first, fall back to HTTP if TLS is not available
# note: no http:// or https:// prefix in the URL
HEALTHCHECK --interval=5s --retries=2 CMD ["httpscheck", "127.0.0.1:8080/health"]
ENTRYPOINT ["/app"]How it works:
- When no protocol is specified (
127.0.0.1:8080/healthinstead ofhttps://...),httpscheckfirst attempts an HTTPS connection - If the HTTPS handshake fails (TLS error), it automatically falls back to HTTP
- This happens silently without any output, making it transparent for health checks
- The fallback only occurs on connection/TLS errors, not on HTTP status codes (
4xx,5xx)
This is particularly useful for:
- Applications with optional TLS configuration
- Development vs production environments
- Gradual TLS rollouts
π Healthcheck for TCP server
The same as previous, but using portcheck:
# use empty filesystem
FROM scratch
# import some executable application
COPY --from=docker.io/containous/whoami:v1.5.0 /whoami /whoami
# import portcheck because we need only TCP port check here
COPY --from=ghcr.io/tarampampam/microcheck:1 /bin/portcheck /bin/portcheck
# docs: <https://docs.docker.com/reference/dockerfile#healthcheck>
HEALTHCHECK --interval=5s --retries=2 CMD ["portcheck", "--port", "8080"]
ENTRYPOINT ["/whoami", "-port", "8080"]Let's build it and run:
$ docker build -t tcp-check:local - < ./examples/tcp-check.Dockerfile
$ docker run --rm -d --name tcp-check tcp-check:local
$ docker ps --filter 'name=tcp-check' --format '{{.Status}}'
Up 7 seconds (healthy)
$ docker kill tcp-checkπ Healthcheck for daemon process using pidcheck
This example demonstrates how to use pidcheck to monitor a daemon process inside a Docker container.
[!NOTE] Since
nginxexposes TCP port and even HTTP endpoint, we use herepidcheckjust for demonstration purposes (better to useportcheckorhttpcheckin real-world scenarios).
FROM docker.io/library/nginx:1.25-alpine
# import pidcheck from microcheck image
COPY --from=ghcr.io/tarampampam/microcheck:1 /bin/pidcheck /bin/pidcheck
# nginx writes its PID to /var/run/nginx.pid by default
HEALTHCHECK --interval=5s --retries=2 CMD ["pidcheck", "--file", "/var/run/nginx.pid"]Let's build it and run:
$ docker build -t pidcheck:local - < ./examples/pidcheck.Dockerfile
$ docker run --rm -d --name pidcheck pidcheck:local
$ docker ps --filter 'name=pidcheck' --format '{{.Status}}'
Up 8 seconds (healthy)
$ docker kill pidcheckSince you're here, you might find it useful to know how to healthcheck some popular Docker images (you don't need tools from this repository for that, but it might be interesting anyway):
π§ͺ PostgreSQL
PostgreSQL, often simply "Postgres", is an object-relational database management system (ORDBMS) with an emphasis on extensibility and standards-compliance.
# compose.yml
services:
postgresql:
image: docker.io/library/postgres:18-alpine
environment:
POSTGRES_DB: some_dbname # POSTGRES_DATABASE in older versions
POSTGRES_USER: some_user
POSTGRES_PASSWORD: some_password
ports: ['5432/tcp']
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'some_user', '-d', 'some_dbname']
interval: 10sπ§ͺ Temporal
Temporal is a scalable and reliable runtime for durable function executions.
# compose.yml
services:
temporal:
image: docker.io/temporalio/auto-setup:1.28.1
environment:
BIND_ON_IP: 0.0.0.0
ports: ['7233/tcp']
healthcheck:
test: ['CMD', 'tctl', '--address', '127.0.0.1:7233', 'workflow', 'list']
interval: 10sπ§ͺ Jaeger
Jaeger is an open-source, distributed tracing platform used to monitor and troubleshoot complex microservices architectures.
# compose.yml
services:
jaeger:
image: docker.io/jaegertracing/all-in-one:1.60
ports: ['6831/udp', '16686/tcp', '4318/tcp']
healthcheck:
test: ['CMD', 'wget', '--spider', '-q', 'http://127.0.0.1:14269/healthz']
interval: 10sπ§ͺ Minio
MinIO is a high-performance, Kubernetes-native object storage system that is compatible with the Amazon S3 API.
# compose.yml
services:
minio:
image: quay.io/minio/minio:RELEASE.2025-09-07T16-13-09Z
command: server /data --json --console-address ':9090'
ports: ['9000/tcp', '9090/tcp']
healthcheck:
test: ['CMD', 'curl', '-f', 'http://127.0.0.1:9000/minio/health/live']
interval: 10sπ§ͺ MySQL
MySQL is an open-source relational database management system (RDBMS).
# compose.yml
services:
mysql:
image: docker.io/library/mysql:9
environment:
MYSQL_RANDOM_ROOT_PASSWORD: 'true'
MYSQL_DATABASE: some_dbname
MYSQL_USER: some_user
MYSQL_PASSWORD: some_password
ports: ['3306/tcp', '3306/tcp'] # use port 32601 for local development
healthcheck:
test: ['CMD', 'mysql', '-h', '127.0.0.1', '--user=some_user', '--password=some_password', '--execute', 'SELECT 1']
interval: 10sπ§ͺ Redis
Redis is an open-source, in-memory data structure store used as a database, cache, and message broker.
# compose.yml
services:
redis:
image: docker.io/library/redis:8-alpine
ports: ['6379/tcp']
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
interval: 10sπ§ͺ Adminer (phpMinAdmin)
Adminer (formerly phpMinAdmin) is a full-featured database management tool written in PHP.
# compose.yml
services:
adminer:
image: docker.io/library/adminer:5
ports: ['8080/tcp']
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/"]
interval: 10sπ§ͺ Caddy
Caddy 2 is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go.
# compose.yml
services:
caddy:
image: docker.io/library/caddy:2-alpine
ports: ['80/tcp', '443/tcp']
healthcheck:
test: ['CMD', 'wget', '--spider', '-q', 'http://127.0.0.1:80/']
interval: 10sπ§ͺ Cassandra
Apache Cassandra is an open source distributed database management system designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure.
# compose.yml
services:
cassandra:
image: docker.io/library/cassandra:5
ports: ['9042/tcp']
healthcheck:
test: ['CMD', 'cqlsh', '-e', 'DESCRIBE KEYSPACES', '127.0.0.1', '9042']
interval: 10s
start_period: 60s # <-- importantTip
Feel free to contribute more examples via pull requests!
To build the tools from sources, ensure you have the following dependencies installed:
musl-gcccmakewgetpatch- Standard build tools (
make,tar) - Optionally -
clang-format
After cloning the repository, build the tools using the Makefile - execute make.
For testing, you need python3 and openssl installed. Run tests with make test.
If you encounter any bugs in the project, please create an issue in this repository.
This is open-sourced software licensed under the MIT License.