mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-23 08:02:02 +00:00
Merge pull request #14135 from ClickHouse/simplify-init-script
Simplify init script
This commit is contained in:
commit
db481a33bd
69
debian/clickhouse-server.init
vendored
69
debian/clickhouse-server.init
vendored
@ -153,82 +153,19 @@ initdb()
|
|||||||
|
|
||||||
start()
|
start()
|
||||||
{
|
{
|
||||||
[ -x $CLICKHOUSE_BINDIR/$PROGRAM ] || exit 0
|
${CLICKHOUSE_GENERIC_PROGRAM} start --user "${CLICKHOUSE_USER}" --pid-path "${CLICKHOUSE_PIDDIR}" --config-path "${CLICKHOUSE_CONFDIR}" --binary-path "${CLICKHOUSE_BINDIR}"
|
||||||
local EXIT_STATUS
|
|
||||||
EXIT_STATUS=0
|
|
||||||
|
|
||||||
echo -n "Start $PROGRAM service: "
|
|
||||||
|
|
||||||
if is_running; then
|
|
||||||
echo -n "already running "
|
|
||||||
EXIT_STATUS=1
|
|
||||||
else
|
|
||||||
ulimit -n 262144
|
|
||||||
mkdir -p $CLICKHOUSE_PIDDIR
|
|
||||||
chown -R $CLICKHOUSE_USER:$CLICKHOUSE_GROUP $CLICKHOUSE_PIDDIR
|
|
||||||
initdb
|
|
||||||
if ! is_running; then
|
|
||||||
# Lock should not be held while running child process, so we release the lock. Note: obviously, there is race condition.
|
|
||||||
# But clickhouse-server has protection from simultaneous runs with same data directory.
|
|
||||||
su -s $SHELL ${CLICKHOUSE_USER} -c "$FLOCK -u 9; $CLICKHOUSE_PROGRAM_ENV exec -a \"$PROGRAM\" \"$CLICKHOUSE_BINDIR/$PROGRAM\" --daemon --pid-file=\"$CLICKHOUSE_PIDFILE\" --config-file=\"$CLICKHOUSE_CONFIG\""
|
|
||||||
EXIT_STATUS=$?
|
|
||||||
if [ $EXIT_STATUS -ne 0 ]; then
|
|
||||||
return $EXIT_STATUS
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $EXIT_STATUS -eq 0 ]; then
|
|
||||||
attempts=0
|
|
||||||
while ! is_running && [ $attempts -le ${CLICKHOUSE_START_TIMEOUT:=10} ]; do
|
|
||||||
attempts=$(($attempts + 1))
|
|
||||||
sleep 1
|
|
||||||
done
|
|
||||||
if is_running; then
|
|
||||||
echo "DONE"
|
|
||||||
else
|
|
||||||
echo "UNKNOWN"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "FAILED"
|
|
||||||
fi
|
|
||||||
|
|
||||||
return $EXIT_STATUS
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
stop()
|
stop()
|
||||||
{
|
{
|
||||||
#local EXIT_STATUS
|
${CLICKHOUSE_GENERIC_PROGRAM} stop --pid-path "${CLICKHOUSE_PIDDIR}"
|
||||||
EXIT_STATUS=0
|
|
||||||
|
|
||||||
if [ -f $CLICKHOUSE_PIDFILE ]; then
|
|
||||||
|
|
||||||
echo -n "Stop $PROGRAM service: "
|
|
||||||
|
|
||||||
kill -TERM $(cat "$CLICKHOUSE_PIDFILE")
|
|
||||||
|
|
||||||
if ! wait_for_done ${CLICKHOUSE_STOP_TIMEOUT}; then
|
|
||||||
EXIT_STATUS=2
|
|
||||||
echo "TIMEOUT"
|
|
||||||
else
|
|
||||||
echo "DONE"
|
|
||||||
fi
|
|
||||||
|
|
||||||
fi
|
|
||||||
return $EXIT_STATUS
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
restart()
|
restart()
|
||||||
{
|
{
|
||||||
check_config
|
${CLICKHOUSE_GENERIC_PROGRAM} restart --user "${CLICKHOUSE_USER}" --pid-path "${CLICKHOUSE_PIDDIR}" --config-path "${CLICKHOUSE_CONFDIR}" --binary-path "${CLICKHOUSE_BINDIR}"
|
||||||
if stop; then
|
|
||||||
if start; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
return 1
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
104
debian/clickhouse-server.postinst
vendored
104
debian/clickhouse-server.postinst
vendored
@ -2,6 +2,7 @@
|
|||||||
set -e
|
set -e
|
||||||
# set -x
|
# set -x
|
||||||
|
|
||||||
|
PROGRAM=clickhouse-server
|
||||||
CLICKHOUSE_USER=${CLICKHOUSE_USER:=clickhouse}
|
CLICKHOUSE_USER=${CLICKHOUSE_USER:=clickhouse}
|
||||||
CLICKHOUSE_GROUP=${CLICKHOUSE_GROUP:=${CLICKHOUSE_USER}}
|
CLICKHOUSE_GROUP=${CLICKHOUSE_GROUP:=${CLICKHOUSE_USER}}
|
||||||
# Please note that we don't support paths with whitespaces. This is rather ignorant.
|
# Please note that we don't support paths with whitespaces. This is rather ignorant.
|
||||||
@ -12,6 +13,7 @@ CLICKHOUSE_BINDIR=${CLICKHOUSE_BINDIR:=/usr/bin}
|
|||||||
CLICKHOUSE_GENERIC_PROGRAM=${CLICKHOUSE_GENERIC_PROGRAM:=clickhouse}
|
CLICKHOUSE_GENERIC_PROGRAM=${CLICKHOUSE_GENERIC_PROGRAM:=clickhouse}
|
||||||
EXTRACT_FROM_CONFIG=${CLICKHOUSE_GENERIC_PROGRAM}-extract-from-config
|
EXTRACT_FROM_CONFIG=${CLICKHOUSE_GENERIC_PROGRAM}-extract-from-config
|
||||||
CLICKHOUSE_CONFIG=$CLICKHOUSE_CONFDIR/config.xml
|
CLICKHOUSE_CONFIG=$CLICKHOUSE_CONFDIR/config.xml
|
||||||
|
CLICKHOUSE_PIDDIR=/var/run/$PROGRAM
|
||||||
|
|
||||||
[ -f /usr/share/debconf/confmodule ] && . /usr/share/debconf/confmodule
|
[ -f /usr/share/debconf/confmodule ] && . /usr/share/debconf/confmodule
|
||||||
[ -f /etc/default/clickhouse ] && . /etc/default/clickhouse
|
[ -f /etc/default/clickhouse ] && . /etc/default/clickhouse
|
||||||
@ -41,105 +43,5 @@ if [ "$1" = configure ] || [ -n "$not_deb_os" ]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Make sure the administrative user exists
|
${CLICKHOUSE_GENERIC_PROGRAM} install --user "${CLICKHOUSE_USER}" --group "${CLICKHOUSE_GROUP}" --pid-path "${CLICKHOUSE_PIDDIR}" --config-path "${CLICKHOUSE_CONFDIR}" --binary-path "${CLICKHOUSE_BINDIR}" --log-path "${CLICKHOUSE_LOGDIR}" --data-path "${CLICKHOUSE_DATADIR}"
|
||||||
if ! getent passwd ${CLICKHOUSE_USER} > /dev/null; then
|
|
||||||
if [ -n "$not_deb_os" ]; then
|
|
||||||
useradd -r -s /bin/false --home-dir /nonexistent ${CLICKHOUSE_USER} > /dev/null
|
|
||||||
else
|
|
||||||
adduser --system --disabled-login --no-create-home --home /nonexistent \
|
|
||||||
--shell /bin/false --group --gecos "ClickHouse server" ${CLICKHOUSE_USER} > /dev/null
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# if the user was created manually, make sure the group is there as well
|
|
||||||
if ! getent group ${CLICKHOUSE_GROUP} > /dev/null; then
|
|
||||||
groupadd -r ${CLICKHOUSE_GROUP} > /dev/null
|
|
||||||
fi
|
|
||||||
|
|
||||||
# make sure user is in the correct group
|
|
||||||
if ! id -Gn ${CLICKHOUSE_USER} | grep -qw ${CLICKHOUSE_USER}; then
|
|
||||||
usermod -a -G ${CLICKHOUSE_GROUP} ${CLICKHOUSE_USER} > /dev/null
|
|
||||||
fi
|
|
||||||
|
|
||||||
# check validity of user and group
|
|
||||||
if [ "$(id -u ${CLICKHOUSE_USER})" -eq 0 ]; then
|
|
||||||
echo "The ${CLICKHOUSE_USER} system user must not have uid 0 (root).
|
|
||||||
Please fix this and reinstall this package." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$(id -g ${CLICKHOUSE_GROUP})" -eq 0 ]; then
|
|
||||||
echo "The ${CLICKHOUSE_USER} system user must not have root as primary group.
|
|
||||||
Please fix this and reinstall this package." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -x "$CLICKHOUSE_BINDIR/$EXTRACT_FROM_CONFIG" ] && [ -f "$CLICKHOUSE_CONFIG" ]; then
|
|
||||||
if [ -z "$SHELL" ]; then
|
|
||||||
SHELL="/bin/sh"
|
|
||||||
fi
|
|
||||||
CLICKHOUSE_DATADIR_FROM_CONFIG=$(su -s $SHELL ${CLICKHOUSE_USER} -c "$CLICKHOUSE_BINDIR/$EXTRACT_FROM_CONFIG --config-file=\"$CLICKHOUSE_CONFIG\" --key=path") ||:
|
|
||||||
echo "Path to data directory in ${CLICKHOUSE_CONFIG}: ${CLICKHOUSE_DATADIR_FROM_CONFIG}"
|
|
||||||
fi
|
|
||||||
CLICKHOUSE_DATADIR_FROM_CONFIG=${CLICKHOUSE_DATADIR_FROM_CONFIG:=$CLICKHOUSE_DATADIR}
|
|
||||||
|
|
||||||
if [ ! -d ${CLICKHOUSE_DATADIR_FROM_CONFIG} ]; then
|
|
||||||
mkdir -p ${CLICKHOUSE_DATADIR_FROM_CONFIG}
|
|
||||||
chown ${CLICKHOUSE_USER}:${CLICKHOUSE_GROUP} ${CLICKHOUSE_DATADIR_FROM_CONFIG}
|
|
||||||
chmod 700 ${CLICKHOUSE_DATADIR_FROM_CONFIG}
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -d ${CLICKHOUSE_CONFDIR} ]; then
|
|
||||||
mkdir -p ${CLICKHOUSE_CONFDIR}/users.d
|
|
||||||
mkdir -p ${CLICKHOUSE_CONFDIR}/config.d
|
|
||||||
rm -fv ${CLICKHOUSE_CONFDIR}/*-preprocessed.xml ||:
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -e ${CLICKHOUSE_CONFDIR}/preprocessed ] || ln -s ${CLICKHOUSE_DATADIR_FROM_CONFIG}/preprocessed_configs ${CLICKHOUSE_CONFDIR}/preprocessed ||:
|
|
||||||
|
|
||||||
if [ ! -d ${CLICKHOUSE_LOGDIR} ]; then
|
|
||||||
mkdir -p ${CLICKHOUSE_LOGDIR}
|
|
||||||
chown root:${CLICKHOUSE_GROUP} ${CLICKHOUSE_LOGDIR}
|
|
||||||
# Allow everyone to read logs, root and clickhouse to read-write
|
|
||||||
chmod 775 ${CLICKHOUSE_LOGDIR}
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Set net_admin capabilities to support introspection of "taskstats" performance metrics from the kernel
|
|
||||||
# and ipc_lock capabilities to allow mlock of clickhouse binary.
|
|
||||||
|
|
||||||
# 1. Check that "setcap" tool exists.
|
|
||||||
# 2. Check that an arbitrary program with installed capabilities can run.
|
|
||||||
# 3. Set the capabilities.
|
|
||||||
|
|
||||||
# The second is important for Docker and systemd-nspawn.
|
|
||||||
# When the container has no capabilities,
|
|
||||||
# but the executable file inside the container has capabilities,
|
|
||||||
# then attempt to run this file will end up with a cryptic "Operation not permitted" message.
|
|
||||||
|
|
||||||
TMPFILE=/tmp/test_setcap.sh
|
|
||||||
|
|
||||||
command -v setcap >/dev/null \
|
|
||||||
&& echo > $TMPFILE && chmod a+x $TMPFILE && $TMPFILE && setcap "cap_net_admin,cap_ipc_lock,cap_sys_nice+ep" $TMPFILE && $TMPFILE && rm $TMPFILE \
|
|
||||||
&& setcap "cap_net_admin,cap_ipc_lock,cap_sys_nice+ep" "${CLICKHOUSE_BINDIR}/${CLICKHOUSE_GENERIC_PROGRAM}" \
|
|
||||||
|| echo "Cannot set 'net_admin' or 'ipc_lock' or 'sys_nice' capability for clickhouse binary. This is optional. Taskstats accounting will be disabled. To enable taskstats accounting you may add the required capability later manually."
|
|
||||||
|
|
||||||
# Clean old dynamic compilation results
|
|
||||||
if [ -d "${CLICKHOUSE_DATADIR_FROM_CONFIG}/build" ]; then
|
|
||||||
rm -f ${CLICKHOUSE_DATADIR_FROM_CONFIG}/build/*.cpp ${CLICKHOUSE_DATADIR_FROM_CONFIG}/build/*.so ||:
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f /usr/share/debconf/confmodule ]; then
|
|
||||||
db_get clickhouse-server/default-password
|
|
||||||
defaultpassword="$RET"
|
|
||||||
if [ -n "$defaultpassword" ]; then
|
|
||||||
echo "<yandex><users><default><password>$defaultpassword</password></default></users></yandex>" > ${CLICKHOUSE_CONFDIR}/users.d/default-password.xml
|
|
||||||
chown ${CLICKHOUSE_USER}:${CLICKHOUSE_GROUP} ${CLICKHOUSE_CONFDIR}/users.d/default-password.xml
|
|
||||||
chmod 600 ${CLICKHOUSE_CONFDIR}/users.d/default-password.xml
|
|
||||||
fi
|
|
||||||
|
|
||||||
# everything went well, so now let's reset the password
|
|
||||||
db_set clickhouse-server/default-password ""
|
|
||||||
# ... done with debconf here
|
|
||||||
db_stop
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
@ -548,11 +548,27 @@ int mainEntryClickHouseInstall(int argc, char ** argv)
|
|||||||
users_config_file.string(), users_d.string());
|
users_config_file.string(), users_d.string());
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Set capabilities for the binary.
|
/** Set capabilities for the binary.
|
||||||
|
*
|
||||||
|
* 1. Check that "setcap" tool exists.
|
||||||
|
* 2. Check that an arbitrary program with installed capabilities can run.
|
||||||
|
* 3. Set the capabilities.
|
||||||
|
*
|
||||||
|
* The second is important for Docker and systemd-nspawn.
|
||||||
|
* When the container has no capabilities,
|
||||||
|
* but the executable file inside the container has capabilities,
|
||||||
|
* then attempt to run this file will end up with a cryptic "Operation not permitted" message.
|
||||||
|
*/
|
||||||
|
|
||||||
#if defined(__linux__)
|
#if defined(__linux__)
|
||||||
fmt::print("Setting capabilities for clickhouse binary. This is optional.\n");
|
fmt::print("Setting capabilities for clickhouse binary. This is optional.\n");
|
||||||
std::string command = fmt::format("command -v setcap && setcap 'cap_net_admin,cap_ipc_lock,cap_sys_nice+ep' {}", main_bin_path.string());
|
std::string command = fmt::format("command -v setcap >/dev/null"
|
||||||
|
" && echo > {0} && chmod a+x {0} && {0} && setcap 'cap_net_admin,cap_ipc_lock,cap_sys_nice+ep' {0} && {0} && rm {0}"
|
||||||
|
" && setcap 'cap_net_admin,cap_ipc_lock,cap_sys_nice+ep' {1}"
|
||||||
|
" || echo \"Cannot set 'net_admin' or 'ipc_lock' or 'sys_nice' capability for clickhouse binary."
|
||||||
|
" This is optional. Taskstats accounting will be disabled."
|
||||||
|
" To enable taskstats accounting you may add the required capability later manually.\"",
|
||||||
|
"/tmp/test_setcap.sh", main_bin_path.string());
|
||||||
fmt::print(" {}\n", command);
|
fmt::print(" {}\n", command);
|
||||||
executeScript(command);
|
executeScript(command);
|
||||||
#endif
|
#endif
|
||||||
|
@ -32,7 +32,7 @@ FileDictionarySource::FileDictionarySource(
|
|||||||
{
|
{
|
||||||
const String user_files_path = context.getUserFilesPath();
|
const String user_files_path = context.getUserFilesPath();
|
||||||
if (!startsWith(filepath, user_files_path))
|
if (!startsWith(filepath, user_files_path))
|
||||||
throw Exception("File path " + filepath + " is not inside " + user_files_path, ErrorCodes::PATH_ACCESS_DENIED);
|
throw Exception(ErrorCodes::PATH_ACCESS_DENIED, "File path {} is not inside {}", filepath, user_files_path);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -60,7 +60,7 @@ BlockInputStreamPtr FileDictionarySource::loadAll()
|
|||||||
|
|
||||||
std::string FileDictionarySource::toString() const
|
std::string FileDictionarySource::toString() const
|
||||||
{
|
{
|
||||||
return "File: " + filepath + ' ' + format;
|
return fmt::format("File: {}, {}", filepath, format);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user