跳至主要内容

在 Docker 中配置 CAP_IPC_LOCK 和 CAP_SYS_NICE 权限

了解如何在容器中运行 ClickHouse 时解决 `CAP_IPC_LOCK` 和 `CAP_SYS_NICE` 的 Docker 权限警告。

问题

在 Docker 中运行 ClickHouse 时,Docker 抱怨系统中缺少 CAP_IPC_LOCKCAP_SYS_NICE 功能。如何解决这个问题?

以下是缺少 CAP_SYS_NICECAP_SYS_NICE 功能的日志消息示例

docker run -d --name clickhouse-server \
    --ulimit nofile=262144:262144 \
    --network clickhouse-net \
    -p 8123:8123 -p 9000:9000 -p 9009:9009 -p 9363:9363 \
    clickhouse/clickhouse-server:23.2

2023.04.19 08:04:10.022720 [ 1 ] {} <Information> Application: It looks like the process has no CAP_IPC_LOCK capability, binary mlock will be disabled. It could happen due to incorrect ClickHouse package installation. You could resolve the problem manually with 'sudo setcap cap_ipc_lock=+ep /usr/bin/clickhouse'. Note that it will not work on 'nosuid' mounted filesystems.

2023.04.19 08:04:10.065860 [ 1 ] {} <Information> Application: It looks like the process has no CAP_SYS_NICE capability, the setting 'os_thread_priority' will have no effect. It could happen due to incorrect ClickHouse package installation. You could resolve the problem manually with 'sudo setcap cap_sys_nice=+ep /usr/bin/clickhouse'. Note that it will not work on 'nosuid' mounted filesystems.

答案

  1. 添加两个 --cap-add 参数,为容器提供 IPC_LOCKSYS_NICE 功能
docker run -d --name clickhouse-server \
   --cap-add=SYS_NICE \
   --cap-add=IPC_LOCK \
   --ulimit nofile=262144:262144 \
   --network clickhouse-net \
   -p 8123:8123 -p 9000:9000 -p 9009:9009 -p 9363:9363 \
   clickhouse/clickhouse-server:23.2
  1. 使用以下命令检查容器中是否可见这些功能
apt-get update > /dev/null && apt-get install -y libcap2-bin > /dev/null && capsh --print

响应类似于

debconf: delaying package configuration, since apt-utils is not installed
WARNING: libcap needs an update (cap=40 should have a name).
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_sys_nice,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_sys_nice,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
  1. 手动为 ClickHouse 设置这两个功能
setcap "cap_ipc_lock=+ep cap_sys_nice=+ep" /usr/bin/clickhouse
  1. 检查功能是否已应用。
getcap -v /usr/bin/clickhouse

您应该看到以下内容

/usr/bin/clickhouse = cap_ipc_lock,cap_sys_nice+ep
  1. 重启 ClickHouse 服务器,日志消息不应再显示。

查看这篇 关于 Linux 功能的文章 以获取更多详细信息。

·2 分钟阅读
    © . This site is unofficial and not affiliated with ClickHouse, Inc.