ClickHouse/packages
Azat Khuzhin 1fe8076b94 Fix capabilities installed via systemd service (fixes netlink/IO priorities)
CapabilityBoundingSet that contained in systemd unit before is about
allowing to set some capabilities, not about granting them.

To grant them you need to use AmbientCapabilities.

And if you do not use 'clickhouse install' then:
- IO priorities was unavailable (since they requires CAP_SYS_NICE)
- For taskstats the procfs was used instead of netlink

Not a big deal, but still.

Here how it had been tested:

    $ systemd-run -p CapabilityBoundingSet=CAP_NET_ADMIN --shell
    root:/etc (master)# capsh --print
    Current: cap_net_admin=ep
    Bounding set =cap_net_admin
    Ambient set =

    $ systemd-run -p User=azat -p CapabilityBoundingSet=CAP_NET_ADMIN --shell
    azat:/etc$ capsh --print
    Current: =
    Bounding set =cap_net_admin
    Ambient set =

    $ systemd-run -p User=azat -p AmbientCapabilities=CAP_NET_ADMIN -p CapabilityBoundingSet=CAP_NET_ADMIN --shell
    azat:/etc$ capsh --print
    Current: cap_net_admin=eip
    Bounding set =cap_net_admin
    Ambient set =cap_net_admin

Note, if you are running it under root (without changing user) you don't
need to specify AmbientCapabilities additionally, because root has all
capabilities by default and they had been inherited.

Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
2023-07-21 13:57:31 +02:00
..
.gitignore Migrate to nfpm 2022-03-22 11:09:59 +01:00
build Do not use debconf/confmodule in tgz packages 2023-02-03 12:16:19 +01:00
clickhouse-client.yaml Fix preserving user configs in rpm packages 2022-11-03 16:58:12 +01:00
clickhouse-common-static-dbg.yaml Add deb Source for packages 2022-09-19 20:42:02 +02:00
clickhouse-common-static.yaml Add deb Source for packages 2022-09-19 20:42:02 +02:00
clickhouse-keeper-dbg.yaml Add deb Source for packages 2022-09-19 20:42:02 +02:00
clickhouse-keeper.postinstall Add necessary postinst steps for clickhouse-keeper 2023-02-03 12:16:18 +01:00
clickhouse-keeper.service fix: keeper systemd service file include invalid inline comment 2023-03-02 02:15:09 +08:00
clickhouse-keeper.yaml Add necessary postinst steps for clickhouse-keeper 2023-02-03 12:16:18 +01:00
clickhouse-rpm.repo Add clickhouse-rpm.repo to repository 2022-02-23 20:54:17 +01:00
clickhouse-server.init Adding cron config checking before running sed cmd (#42081) 2022-10-10 13:34:38 +02:00
clickhouse-server.postinstall Remove unused variables from clickhouse-server.postinstall 2023-02-03 12:16:18 +01:00
clickhouse-server.service Fix capabilities installed via systemd service (fixes netlink/IO priorities) 2023-07-21 13:57:31 +02:00
clickhouse-server.yaml Remove adduser dependency 2023-01-07 01:45:54 +01:00