Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Debian] clickhouse-server should depend on libcap2-bin #4091

Closed
tungdam opened this issue Jan 18, 2019 · 3 comments
Closed

[Debian] clickhouse-server should depend on libcap2-bin #4091

tungdam opened this issue Jan 18, 2019 · 3 comments
Assignees
Labels

Comments

@tungdam
Copy link

tungdam commented Jan 18, 2019

Hi

As we use setcap in postinst script:
# Set net_admin capabilities to support introspection of "taskstats" performance metrics from the kernel. command -v setcap >/dev/null \ && setcap cap_net_admin=+ep "${CLICKHOUSE_BINDIR}/${CLICKHOUSE_GENERIC_PROGRAM}" \ || echo "Cannot set 'net_admin' capability for clickhouse binary. This is optional. Taskstats accounting will be disabled. To enable taskstats accounting you may add the required capability later manually."
i believe we should make clickhouse-server package depends on libcap2-bin.
Otherwise the setup will be inconsistent. I got a situation when my clickhouse servers installed on 2 different machines with different initial package list ( 1 is stretch and the other is jessie ) . On my Debian Stretch node, got this warning because there's no setcap command ( belongs to libcap2-bin )

2019.01.17 15:35:22.013554 [ 1 ] {} Application: It looks like the process has no CAP_NET_ADMIN capability, 'taskstats' performance statistics will be disabled. It could happen due to incorrect ClickHouse package installation. You could resolve the problem manually with 'sudo setcap cap_net_admin=+ep /usr/bin/clickhouse'. Note that it will not work on 'nosuid' mounted filesystems. It also doesn't work if you run clickhouse-server inside network namespace as it happens in some containers.

Please consider it.

Thank you

@alexey-milovidov
Copy link
Member

ClickHouse doesn't run at all in Docker with enabled capabilities.

docker run -it ubuntu:precise /bin/bash

apt-get update
apt-get install gnupg2

apt-key adv --keyserver keyserver.ubuntu.com --recv E0C56BD4

echo "deb http://repo.yandex.ru/clickhouse/deb/stable/ main/" | tee /etc/apt/sources.list.d/clickhouse.list
apt-get update

apt-get install -y clickhouse-server clickhouse-client

service clickhouse-server start

Operation not permitted

root@a7f57d249637:/# file /usr/bin/clickhouse
/usr/bin/clickhouse: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.2.0, BuildID[sha1]=0x9b59a4489f2a66383bc74e54a04ba5f6e74559d6, stripped
root@a7f57d249637:/# ldd /usr/bin/clickhouse
        linux-vdso.so.1 =>  (0x00007fffd4f5e000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fec318f9000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fec316f5000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fec314ed000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fec311f1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fec30e30000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fec31b16000)
root@a7f57d249637:/# /usr/bin/clickhouse
bash: /usr/bin/clickhouse: Operation not permitted
root@a7f57d249637:/# sudo strace /usr/bin/clickhouse
strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
root@a7f57d249637:/# sudo /usr/bin/clickhouse
root@a7f57d249637:/# sudo /usr/bin/clickhouse --help
root@a7f57d249637:/# getcap 
usage: getcap [-v] [-r] [-h] <filename> [<filename> ...]

        displays the capabilities on the queried file(s).
root@a7f57d249637:/# getcap /usr/bin/clickhouse
/usr/bin/clickhouse = cap_net_admin,cap_ipc_lock+ep
root@a7f57d249637:/# setcap cap_net_admin,cap_ipc_lock-ep /usr/bin/clickhouse
root@a7f57d249637:/# getcap /usr/bin/clickhouse
/usr/bin/clickhouse =
root@a7f57d249637:/# /usr/bin/clickhouse
Use one of the following commands:
clickhouse local [args] 
clickhouse client [args] 
clickhouse benchmark [args] 
clickhouse server [args] 
clickhouse performance-test [args] 
clickhouse extract-from-config [args] 
clickhouse compressor [args] 
clickhouse format [args] 
clickhouse copier [args] 
clickhouse obfuscator [args] 
clickhouse odbc-bridge [args] 
clickhouse clang [args] 
clickhouse clang++ [args] 
clickhouse lld [args]

@alexey-milovidov
Copy link
Member

Solved in #4136

@tungdam
Copy link
Author

tungdam commented Jan 25, 2019

Thanks for your quick feedback.
I have a question related to taskstats info ( Hope you don't mind me asking it here )
As i understand, enable cap_net_admin capabilities will provide us more info about taskstats, basically it's ProfileEvents info in query_log/query_thread_log/processes table. But I noticed no significant changes before and after enabling it.
I still have following info even when Taskstats accounting was disabled.

ProfileEvents.Names: ['FileOpen','Seek','ReadBufferFromFileDescriptorRead','ReadBufferFromFileDescriptorReadBytes','ReadCompressedBytes','CompressedReadBufferBlocks','CompressedReadBufferBytes','IOBufferAllocs','IOBufferAllocBytes','FunctionExecute','MarkCacheHits','CreatedReadBufferOrdinary','DiskReadElapsedMicroseconds','ContextLock','RealTimeMicroseconds','UserTimeMicroseconds','SystemTimeMicroseconds','SoftPageFaults']
ProfileEvents.Values: [84,83,227,966210,828706,1591,120583483,156,5754574,335,84,84,3999,2,539707,532000,4000,170]

Where are they come from ? Could you please explain ?
Thanks in advance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants