Fixed error when program cannot start within container due to capabilities.

Alexey Milovidov 2019-01-23 22:37:07 +03:00
parent e1c78a3b13
commit 135cfc42fa


@ -88,9 +88,20 @@ Please fix this and reinstall this package." >&2
chmod 775 ${CLICKHOUSE_LOGDIR}
fi
# Set net_admin capabilities to support introspection of "taskstats" performance metrics from the kernel.
# Set net_admin capabilities to support introspection of "taskstats" performance metrics from the kernel
# and ipc_lock capabilities to allow mlock of clickhouse binary.
# 1. Check that "setcap" tool exists.
# 2. Check that an arbitrary program with installed capabilities can run.
# 3. Set the capabilities.
# The second is important for Docker and systemd-nspawn.
# When the container has no capabilities,
# but the executable file inside the container has capabilities,
# then attempt to run this file will end up with a cryptic "Operation not permitted" message.
command -v setcap >/dev/null \
&& echo > /tmp/test.sh && chmod a+x /tmp/test.sh && /tmp/test.sh && setcap "cap_net_admin,cap_ipc_lock+ep" /tmp/test.sh && /tmp/test.sh && rm /tmp/test.sh
&& setcap "cap_net_admin=+ep cap_ipc_lock=+ep" "${CLICKHOUSE_BINDIR}/${CLICKHOUSE_GENERIC_PROGRAM}" \
|| echo "Cannot set 'net_admin' or 'ipc_lock' capability for clickhouse binary. This is optional. Taskstats accounting will be disabled. To enable taskstats accounting you may add the required capability later manually."
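Review bot: the probe `echo > /tmp/test.sh && chmod a+x /tmp/test.sh && ...` writes and executes a fixed, predictable path in world-writable /tmp from a postinst that runs as root, and the `&&` chain skips `rm /tmp/test.sh` whenever the second `/tmp/test.sh` fails, so in the container case this change targets a file marked `a+x` with `cap_net_admin,cap_ipc_lock+ep` is left behind. Suggest creating the probe with `mktemp` (e.g. `t=$(mktemp)`) so the name cannot be pre-created by another user, and removing it unconditionally after the check rather than only on the success path. Also, as rendered, the probe line has no trailing `\` before the next line's `&& setcap "cap_net_admin=+ep cap_ipc_lock=+ep" ...`; if that is not a rendering artifact, the continuation line is a syntax error.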