Adding a timeout to starting the exec as discussed in the maintainer call looks to have done the trick: tests are no longer hanging. PTAL @thaJeztah @cpuguy83 @tianon @tonistiigi

Execs are expected to only have second-precision.
It may happen faster than a second but cannot be guaranteed.
Consequently the timeouts for execs only use second precision as well.

I'm not sure I understand the the purpose of the change given that.
If someone's healthcheck probes are timing out due to the latency involved in starting up the actual exec, most likely the timeout for that needs to be adjusted because it is much too small.
If the system is overloaded and cannot run the exec within the timeout period, then most likely the service is unhealthy, and at the very least we are unable to determine if it is healthy or not.

gave CI a kick to do another run 👍

@cpuguy83 The swagger docs for the ContainerCreate API document the Healthcheck field as "[a] test to perform to check that the container is healthy." A health check is supposed to probe the health of a container, independently from the container runtime. Applying the timeout to the entire cmdProbe.run call lumps the runtime's health with that of the container, blaming the container if the runtime takes too long. It would be unreasonable to expect users to take the runtime time into consideration when configuring the timeout as health check configuration can be baked into images, which are runtime-independent, but the amount of time consumed by the runtime could vary significantly by runtime flavor and version.

Execs are expected to only have second-precision.
It may happen faster than a second but cannot be guaranteed.
Consequently the timeouts for execs only use second precision as well.

I'm not sure I understand the the purpose of the change given that.

The purpose of the change is to decouple timeouts for health checks from the time it takes to start an exec'd process precisely because the exec start time is so large and variable.

The Healthcheck.Timeout field is documented to be "[t]he time to wait before considering the check to have hung. It should be 0 or at least 1000000 (1 ms)." The Dockerfile reference for the HEALTHCHECK instruction describes it similarly. There is no mention of the timeout encompassing both the time it takes to run the command inside the container and the time it takes for the command inside the container to run. I would expect a health check timeout to cover exclusively the time it takes for the configured command to run, and I suspect that most users would think the same. The other interpretation leads to absurdities where health checks with short timeouts can time out before the command has even started.

If someone's healthcheck probes are timing out due to the latency involved in starting up the actual exec, most likely the timeout for that needs to be adjusted because it is much too small. If the system is overloaded and cannot run the exec within the timeout period, then most likely the service is unhealthy, and at the very least we are unable to determine if it is healthy or not.

Not necessarily. Consider the case of a container configured with reserved CPU and memory. The dockerd, containerd and shim are running in the host namespace, and therefore the work required to start the health-check exec does not get to leverage the container's reserved resources. The exec'd health check process, however, does get to take advantage of the dedicated resources reserved for the container. The container could keep ticking along, happy and responsive, even while dockerd and containerd are bogged down by an overloaded system. Without this change, that container's health check could fail even if the exec'd command takes exactly the same amount of time to run to completion, simply because it takes dockerd and containerd more time than usual to exec the command.

windows failure is unrelated (TestNetworkDBIslands, known flaky test)