Fixed error when program cannot start within container due to capabilities.
parent
e1c78a3b13
commit
135cfc42fa
13
debian/clickhouse-server.postinst
vendored
13
debian/clickhouse-server.postinst
vendored
@ -88,9 +88,20 @@ Please fix this and reinstall this package." >&2
|
||||
chmod 775 ${CLICKHOUSE_LOGDIR}
|
||||
fi
|
||||
|
||||
# Set net_admin capabilities to support introspection of "taskstats" performance metrics from the kernel.
|
||||
# Set net_admin capabilities to support introspection of "taskstats" performance metrics from the kernel
|
||||
# and ipc_lock capabilities to allow mlock of clickhouse binary.
|
||||
|
||||
# 1. Check that "setcap" tool exists.
|
||||
# 2. Check that an arbitrary program with installed capabilities can run.
|
||||
# 3. Set the capabilities.
|
||||
|
||||
# The second is important for Docker and systemd-nspawn.
|
||||
# When the container has no capabilities,
|
||||
# but the executable file inside the container has capabilities,
|
||||
# then attempt to run this file will end up with a cryptic "Operation not permitted" message.
|
||||
|
||||
command -v setcap >/dev/null \
|
||||
&& echo > /tmp/test.sh && chmod a+x /tmp/test.sh && /tmp/test.sh && setcap "cap_net_admin,cap_ipc_lock+ep" /tmp/test.sh && /tmp/test.sh && rm /tmp/test.sh
|
||||
&& setcap "cap_net_admin=+ep cap_ipc_lock=+ep" "${CLICKHOUSE_BINDIR}/${CLICKHOUSE_GENERIC_PROGRAM}" \
|
||||
|| echo "Cannot set 'net_admin' or 'ipc_lock' capability for clickhouse binary. This is optional. Taskstats accounting will be disabled. To enable taskstats accounting you may add the required capability later manually."
|
||||
|
||||
|
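Review bot: The capability probe `echo > /tmp/test.sh && chmod a+x /tmp/test.sh && /tmp/test.sh && setcap ... /tmp/test.sh` uses a fixed, predictable name in a world-writable directory, and package maintainer scripts run as root, so a local user who pre-creates or swaps that path could influence what root executes or which file receives the capabilities. Create the probe with `mktemp` in a directory only root can write, for example `probe=$(mktemp "${CLICKHOUSE_BINDIR}/captest.XXXXXX")`, and remove it on every path, since the current chain leaves the file behind whenever a step before `rm` fails. A /tmp mounted `noexec` would also make the probe fail and skip the real `setcap` even though capabilities work. Separately, the probe line as shown has no trailing `\`, so the next line would begin with `&&` and the shell would reject it; this may be a rendering artifact of the page, but it is worth checking against the file.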