Merge pull request #63610 from ClickHouse/backport/24.3/63400

Backport #63400 to 24.3: The Dockerfile is reviewed by docker-official

docker/server/Dockerfile.ubuntu

@@ -1,11 +1,14 @@
 FROM ubuntu:20.04
 
 # see https://github.com/moby/moby/issues/4032#issuecomment-192327844
+# It could be removed after we move on a version 23:04+
 ARG DEBIAN_FRONTEND=noninteractive
 
 # ARG for quick switch to a given ubuntu mirror
 ARG apt_archive="http://archive.ubuntu.com"
 
+# We shouldn't use `apt upgrade` to not change the upstream image. It's updated biweekly
+
 # user/group precreated explicitly with fixed uid/gid on purpose.
 # It is especially important for rootless containers: in that case entrypoint
 # can't do chown and owners of mounted volumes should be configured externally.
@@ -16,13 +19,11 @@ RUN sed -i "s|http://archive.ubuntu.com|${apt_archive}|g" /etc/apt/sources.list
     && groupadd -r clickhouse --gid=101 \
     && useradd -r -g clickhouse --uid=101 --home-dir=/var/lib/clickhouse --shell=/bin/bash clickhouse \
     && apt-get update \
-    && apt-get upgrade -yq \
     && apt-get install --yes --no-install-recommends \
         ca-certificates \
         locales \
         tzdata \
         wget \
-    && apt-get clean \
     && rm -rf /var/lib/apt/lists/* /var/cache/debconf /tmp/*
 
 ARG REPO_CHANNEL="stable"
@@ -30,6 +31,9 @@ ARG REPOSITORY="deb [signed-by=/usr/share/keyrings/clickhouse-keyring.gpg] https
 ARG VERSION="24.2.2.71"
 ARG PACKAGES="clickhouse-client clickhouse-server clickhouse-common-static"
 
+#docker-official-library:off
+# The part between `docker-official-library` tags is related to our builds
+
 # set non-empty deb_location_url url to create a docker image
 # from debs created by CI build, for example:
 # docker build . --network host --build-arg version="21.4.1.6282" --build-arg deb_location_url="https://..." -t ...
@@ -80,19 +84,22 @@ RUN if [ -n "${single_binary_location_url}" ]; then \
         && rm -rf /tmp/* ; \
     fi
 
+# The rest is the same in the official docker and in our build system
+#docker-official-library:on
+
 # A fallback to installation from ClickHouse repository
 RUN if ! clickhouse local -q "SELECT ''" > /dev/null 2>&1; then \
         apt-get update \
         && apt-get install --yes --no-install-recommends \
             apt-transport-https \
-            ca-certificates \
             dirmngr \
             gnupg2 \
         && mkdir -p /etc/apt/sources.list.d \
         && GNUPGHOME=$(mktemp -d) \
-        && GNUPGHOME="$GNUPGHOME" gpg --no-default-keyring \
+        && GNUPGHOME="$GNUPGHOME" gpg --batch --no-default-keyring \
             --keyring /usr/share/keyrings/clickhouse-keyring.gpg \
-            --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8919F6BD2B48D754 \
+            --keyserver hkp://keyserver.ubuntu.com:80 \
+            --recv-keys 3a9ea1193a97b548be1457d48919f6bd2b48d754 \
         && rm -rf "$GNUPGHOME" \
         && chmod +r /usr/share/keyrings/clickhouse-keyring.gpg \
         && echo "${REPOSITORY}" > /etc/apt/sources.list.d/clickhouse.list \
@@ -127,7 +134,6 @@ RUN mkdir /docker-entrypoint-initdb.d
 
 COPY docker_related_config.xml /etc/clickhouse-server/config.d/
 COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
 
 EXPOSE 9000 8123 9009
 VOLUME /var/lib/clickhouse

docker/server/README.md

@@ -4,33 +4,34 @@
 
 ClickHouse is an open-source column-oriented DBMS (columnar database management system) for online analytical processing (OLAP) that allows users to generate analytical reports using SQL queries in real-time.
 
-ClickHouse works 100-1000x faster than traditional database management systems, and processes hundreds of millions to over a billion rows and tens of gigabytes of data per server per second.  With a widespread user base around the globe, the technology has received praise for its reliability, ease of use, and fault tolerance.
+ClickHouse works 100-1000x faster than traditional database management systems, and processes hundreds of millions to over a billion rows and tens of gigabytes of data per server per second. With a widespread user base around the globe, the technology has received praise for its reliability, ease of use, and fault tolerance.
 
 For more information and documentation see https://clickhouse.com/.
 
 ## Versions
 
-- The `latest` tag points to the latest release of the latest stable branch.
-- Branch tags like `22.2` point to the latest release of the corresponding branch.
-- Full version tags like `22.2.3.5` point to the corresponding release.
-- The tag `head` is built from the latest commit to the default branch.
-- Each tag has optional `-alpine` suffix to reflect that it's built on top of `alpine`.
+-	The `latest` tag points to the latest release of the latest stable branch.
+-	Branch tags like `22.2` point to the latest release of the corresponding branch.
+-	Full version tags like `22.2.3.5` point to the corresponding release.
+-	The tag `head` is built from the latest commit to the default branch.
+-	Each tag has optional `-alpine` suffix to reflect that it's built on top of `alpine`.
 
 ### Compatibility
 
-- The amd64 image requires support for [SSE3 instructions](https://en.wikipedia.org/wiki/SSE3). Virtually all x86 CPUs after 2005 support SSE3.
-- The arm64 image requires support for the [ARMv8.2-A architecture](https://en.wikipedia.org/wiki/AArch64#ARMv8.2-A) and additionally the Load-Acquire RCpc register. The register is optional in version ARMv8.2-A and mandatory in [ARMv8.3-A](https://en.wikipedia.org/wiki/AArch64#ARMv8.3-A). Supported in Graviton >=2, Azure and GCP instances. Examples for unsupported devices are Raspberry Pi 4 (ARMv8.0-A) and Jetson AGX Xavier/Orin (ARMv8.2-A).
+-	The amd64 image requires support for [SSE3 instructions](https://en.wikipedia.org/wiki/SSE3). Virtually all x86 CPUs after 2005 support SSE3.
+-	The arm64 image requires support for the [ARMv8.2-A architecture](https://en.wikipedia.org/wiki/AArch64#ARMv8.2-A) and additionally the Load-Acquire RCpc register. The register is optional in version ARMv8.2-A and mandatory in [ARMv8.3-A](https://en.wikipedia.org/wiki/AArch64#ARMv8.3-A). Supported in Graviton >=2, Azure and GCP instances. Examples for unsupported devices are Raspberry Pi 4 (ARMv8.0-A) and Jetson AGX Xavier/Orin (ARMv8.2-A).
 
 ## How to use this image
 
 ### start server instance
+
 ```bash
 docker run -d --name some-clickhouse-server --ulimit nofile=262144:262144 clickhouse/clickhouse-server
 ```
 
 By default, ClickHouse will be accessible only via the Docker network. See the [networking section below](#networking).
 
-By default, starting above server instance will be run as the `default` user without  password.
+By default, starting above server instance will be run as the `default` user without password.
 
 ### connect to it from a native client
 
@@ -66,9 +67,7 @@ docker run -d -p 18123:8123 -p19000:9000 --name some-clickhouse-server --ulimit
 echo 'SELECT version()' | curl 'http://localhost:18123/' --data-binary @-
 ```
 
-```
-22.6.3.35
-```
+`22.6.3.35`
 
 or by allowing the container to use [host ports directly](https://docs.docker.com/network/host/) using `--network=host` (also allows achieving better network performance):
 
@@ -77,16 +76,14 @@ docker run -d --network=host --name some-clickhouse-server --ulimit nofile=26214
 echo 'SELECT version()' | curl 'http://localhost:8123/' --data-binary @-
 ```
 
-```
-22.6.3.35
-```
+`22.6.3.35`
 
 ### Volumes
 
 Typically you may want to mount the following folders inside your container to achieve persistency:
 
-* `/var/lib/clickhouse/` - main folder where ClickHouse stores the data
-* `/var/log/clickhouse-server/` - logs
+-	`/var/lib/clickhouse/` - main folder where ClickHouse stores the data
+-	`/var/log/clickhouse-server/` - logs
 
 ```bash
 docker run -d \
@@ -97,9 +94,9 @@ docker run -d \
 
 You may also want to mount:
 
-* `/etc/clickhouse-server/config.d/*.xml` - files with server configuration adjustments
-* `/etc/clickhouse-server/users.d/*.xml` - files with user settings adjustments
-* `/docker-entrypoint-initdb.d/` - folder with database initialization scripts (see below).
+-	`/etc/clickhouse-server/config.d/*.xml` - files with server configuration adjustments
+-	`/etc/clickhouse-server/users.d/*.xml` - files with user settings adjustments
+-	`/docker-entrypoint-initdb.d/` - folder with database initialization scripts (see below).
 
 ### Linux capabilities