[bitnami/clickhouse] add capaibilites to the clickhouse binary

[patrickdung]

Name and Version

bitnami/clickhouse:24.9.1-debian-12-r1

What is the problem this feature will solve?

2024.10.02 04:46:10.129253 [ 42 ] {} <Information> Application: It looks like the process has no CAP_IPC_LOCK capability, binary mlock will be disabled. It could happen due to incorrect ClickHouse package installation. You could resolve the problem manually with 'sudo setcap cap_ipc_lock=+ep /opt/bitnami/clickhouse/bin/clickhouse'. Note that it will not work on 'nosuid' mounted filesystems.

2024.10.02 04:46:10.278414 [ 42 ] {} <Information> Application: It looks like the process has no CAP_SYS_NICE capability, the setting 'os_thread_priority' will have no effect. It could happen due to incorrect ClickHouse package installation. You could resolve the problem manually with 'sudo setcap cap_sys_nice=+ep /opt/bitnami/clickhouse/bin/clickhouse'. Note that it will not work on 'nosuid' mounted filesystems.

It seems setting this has no effect (for bitnami/clickhouse helm chart)

containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
    add:
      - SYS_NICE
      - IPC_LOCK
  seccompProfile:
    type: "RuntimeDefault"

I think it may need to perform setcap on the clickhouse binary when the docker image is created.

What is the feature you are proposing to solve the problem?

Fixing the Linux capabilities for the Clickhouse in a container environment

[migruiz4]

Thank you for your feedback @patrickdung!

We are working to release a new version of the bitnami/clickhouse that enables cap_ipc_lock and cap_sys_nice for the clickhouse binary at build time.