CapabilityBoundingSet that contained in systemd unit before is about
allowing to set some capabilities, not about granting them.
To grant them you need to use AmbientCapabilities.
And if you do not use 'clickhouse install' then:
- IO priorities was unavailable (since they requires CAP_SYS_NICE)
- For taskstats the procfs was used instead of netlink
Not a big deal, but still.
Here how it had been tested:
$ systemd-run -p CapabilityBoundingSet=CAP_NET_ADMIN --shell
root:/etc (master)# capsh --print
Current: cap_net_admin=ep
Bounding set =cap_net_admin
Ambient set =
$ systemd-run -p User=azat -p CapabilityBoundingSet=CAP_NET_ADMIN --shell
azat:/etc$ capsh --print
Current: =
Bounding set =cap_net_admin
Ambient set =
$ systemd-run -p User=azat -p AmbientCapabilities=CAP_NET_ADMIN -p CapabilityBoundingSet=CAP_NET_ADMIN --shell
azat:/etc$ capsh --print
Current: cap_net_admin=eip
Bounding set =cap_net_admin
Ambient set =cap_net_admin
Note, if you are running it under root (without changing user) you don't
need to specify AmbientCapabilities additionally, because root has all
capabilities by default and they had been inherited.
Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
After ClickHouse became systemd aware (#43400), it waits not more then
TimeoutStartSec (1m30sec by default), while before it simply ensures
that the process is there.
And likely 1m30sec can be not enough for some cluster, and this will
lead to endless restarts.
At first I've increased it to 10min, but there was a comment about that
this is not enough, and I agree with this.
But I'm not sure that using "inifinity" is a good option, but I cannot
think of any downsides of this.
Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>