Merge pull request ClickHouse#76219 from ClickHouse/backport/24.8/75643

Backport ClickHouse#75643 to 24.8: Improve clickhouse-server entrypoint

Author: Felixoid

docker/server/Dockerfile.ubuntu

@@ -125,8 +125,8 @@ RUN clickhouse-local -q 'SELECT * FROM system.build_options' \
     && chmod ugo+Xrw -R /var/lib/clickhouse /var/log/clickhouse-server /etc/clickhouse-server /etc/clickhouse-client
 
 RUN locale-gen en_US.UTF-8
-ENV LANG en_US.UTF-8
-ENV TZ UTC
+ENV LANG=en_US.UTF-8
+ENV TZ=UTC
 
 RUN mkdir /docker-entrypoint-initdb.d
 
@@ -136,6 +136,6 @@ COPY entrypoint.sh /entrypoint.sh
 EXPOSE 9000 8123 9009
 VOLUME /var/lib/clickhouse
 
-ENV CLICKHOUSE_CONFIG /etc/clickhouse-server/config.xml
+ENV CLICKHOUSE_CONFIG=/etc/clickhouse-server/config.xml
 
 ENTRYPOINT ["/entrypoint.sh"]

docker/server/entrypoint.sh

@@ -54,7 +54,7 @@ readarray -t DISKS_METADATA_PATHS < <(clickhouse extract-from-config --config-fi
 CLICKHOUSE_USER="${CLICKHOUSE_USER:-default}"
 CLICKHOUSE_PASSWORD_FILE="${CLICKHOUSE_PASSWORD_FILE:-}"
 if [[ -n "${CLICKHOUSE_PASSWORD_FILE}" && -f "${CLICKHOUSE_PASSWORD_FILE}" ]]; then
-  CLICKHOUSE_PASSWORD="$(cat "${CLICKHOUSE_PASSWORD_FILE}")"
+    CLICKHOUSE_PASSWORD="$(cat "${CLICKHOUSE_PASSWORD_FILE}")"
 fi
 CLICKHOUSE_PASSWORD="${CLICKHOUSE_PASSWORD:-}"
 CLICKHOUSE_DB="${CLICKHOUSE_DB:-}"
@@ -88,29 +88,47 @@ function create_directory_and_do_chown() {
     fi
 }
 
-create_directory_and_do_chown "$DATA_DIR"
-
-# Change working directory to $DATA_DIR in case there're paths relative to $DATA_DIR, also avoids running
-# clickhouse-server at root directory.
-cd "$DATA_DIR"
-
-for dir in "$ERROR_LOG_DIR" \
-  "$LOG_DIR" \
-  "$TMP_DIR" \
-  "$USER_PATH" \
-  "$FORMAT_SCHEMA_PATH" \
-  "${DISKS_PATHS[@]}" \
-  "${DISKS_METADATA_PATHS[@]}"
-do
-    create_directory_and_do_chown "$dir"
-done
-
-if [ "$CLICKHOUSE_SKIP_USER_SETUP" == "1" ]; then
-    echo "$0: explicitly skip changing user 'default'"
-# if clickhouse user is defined - create it (user "default" already exists out of box)
-elif [ -n "$CLICKHOUSE_USER" ] && [ "$CLICKHOUSE_USER" != "default" ] || [ -n "$CLICKHOUSE_PASSWORD" ] || [ "$CLICKHOUSE_ACCESS_MANAGEMENT" != "0" ]; then
-    echo "$0: create new user '$CLICKHOUSE_USER' instead 'default'"
-    cat <<EOT > /etc/clickhouse-server/users.d/default-user.xml
+function manage_clickhouse_directories() {
+    for dir in "$ERROR_LOG_DIR" \
+      "$LOG_DIR" \
+      "$TMP_DIR" \
+      "$USER_PATH" \
+      "$FORMAT_SCHEMA_PATH" \
+      "${DISKS_PATHS[@]}" \
+      "${DISKS_METADATA_PATHS[@]}"
+    do
+        create_directory_and_do_chown "$dir"
+    done
+}
+
+function manage_clickhouse_user() {
+    # Check if the `defaul` user is changed through any mounted file. It will mean that user took care of it already
+    # First, extract the users_xml.path and check it's relative or absolute
+    local USERS_XML USERS_CONFIG
+    USERS_XML=$(clickhouse extract-from-config --config-file "$CLICKHOUSE_CONFIG" --key='user_directories.users_xml.path')
+    case $USERS_XML in
+        /* ) # absolute path
+            cp "$USERS_XML" /tmp
+            USERS_CONFIG="/tmp/$(basename $USERS_XML)"
+            ;;
+        * ) # relative path to the $CLICKHOUSE_CONFIG
+            cp "$(dirname "$CLICKHOUSE_CONFIG")/${USERS_XML}" /tmp
+            USERS_CONFIG="/tmp/$(basename $USERS_XML)"
+            ;;
+    esac
+
+    # Compare original `users.default` to the processed one
+    local ORIGINAL_DEFAULT PROCESSED_DEFAULT CLICKHOUSE_DEFAULT_CHANGED
+    ORIGINAL_DEFAULT=$(clickhouse extract-from-config --config-file "$USERS_CONFIG" --key='users.default' | sha256sum)
+    PROCESSED_DEFAULT=$(clickhouse extract-from-config --config-file "$CLICKHOUSE_CONFIG" --users --key='users.default' --try | sha256sum)
+    [ "$ORIGINAL_DEFAULT" == "$PROCESSED_DEFAULT" ] && CLICKHOUSE_DEFAULT_CHANGED=0 || CLICKHOUSE_DEFAULT_CHANGED=1
+
+    if [ "$CLICKHOUSE_SKIP_USER_SETUP" == "1" ]; then
+        echo "$0: explicitly skip changing user 'default'"
+    elif [ -n "$CLICKHOUSE_USER" ] && [ "$CLICKHOUSE_USER" != "default" ] || [ -n "$CLICKHOUSE_PASSWORD" ] || [ "$CLICKHOUSE_ACCESS_MANAGEMENT" != "0" ]; then
+        # if clickhouse user is defined - create it (user "default" already exists out of box)
+        echo "$0: create new user '$CLICKHOUSE_USER' instead 'default'"
+        cat <<EOT > /etc/clickhouse-server/users.d/default-user.xml
 <clickhouse>
   <!-- Docs: <https://clickhouse.com/docs/en/operations/settings/settings_users/> -->
   <users>
@@ -130,9 +148,12 @@ elif [ -n "$CLICKHOUSE_USER" ] && [ "$CLICKHOUSE_USER" != "default" ] || [ -n "$
   </users>
 </clickhouse>
 EOT
-else
-    echo "$0: neither CLICKHOUSE_USER nor CLICKHOUSE_PASSWORD is set, disabling network access for user '$CLICKHOUSE_USER'"
-    cat <<EOT > /etc/clickhouse-server/users.d/default-user.xml
+    elif [ "$CLICKHOUSE_DEFAULT_CHANGED" == "1" ]; then
+        # Leave users as is, do nothing
+        :
+    else
+        echo "$0: neither CLICKHOUSE_USER nor CLICKHOUSE_PASSWORD is set, disabling network access for user '$CLICKHOUSE_USER'"
+        cat <<EOT > /etc/clickhouse-server/users.d/default-user.xml
 <clickhouse>
   <!-- Docs: <https://clickhouse.com/docs/en/operations/settings/settings_users/> -->
   <users>
@@ -146,85 +167,88 @@ else
   </users>
 </clickhouse>
 EOT
-fi
+    fi
+}
 
 CLICKHOUSE_ALWAYS_RUN_INITDB_SCRIPTS="${CLICKHOUSE_ALWAYS_RUN_INITDB_SCRIPTS:-}"
 
-# checking $DATA_DIR for initialization
-if [ -d "${DATA_DIR%/}/data" ]; then
-    DATABASE_ALREADY_EXISTS='true'
-fi
-
-# run initialization if flag CLICKHOUSE_ALWAYS_RUN_INITDB_SCRIPTS is not empty or data directory is empty
-if [[ -n "${CLICKHOUSE_ALWAYS_RUN_INITDB_SCRIPTS}" || -z "${DATABASE_ALREADY_EXISTS}" ]]; then
-  RUN_INITDB_SCRIPTS='true'
-fi
-
-if [ -n "${RUN_INITDB_SCRIPTS}" ]; then
-    if [ -n "$(ls /docker-entrypoint-initdb.d/)" ] || [ -n "$CLICKHOUSE_DB" ]; then
-        # port is needed to check if clickhouse-server is ready for connections
-        HTTP_PORT="$(clickhouse extract-from-config --config-file "$CLICKHOUSE_CONFIG" --key=http_port --try)"
-        HTTPS_PORT="$(clickhouse extract-from-config --config-file "$CLICKHOUSE_CONFIG" --key=https_port --try)"
+function init_clickhouse_db() {
+    # checking $DATA_DIR for initialization
+    if [ -d "${DATA_DIR%/}/data" ]; then
+        DATABASE_ALREADY_EXISTS='true'
+    fi
 
-        if [ -n "$HTTP_PORT" ]; then
-            URL="http://127.0.0.1:$HTTP_PORT/ping"
-        else
-            URL="https://127.0.0.1:$HTTPS_PORT/ping"
-        fi
+    # run initialization if flag CLICKHOUSE_ALWAYS_RUN_INITDB_SCRIPTS is not empty or data directory is empty
+    if [[ -n "${CLICKHOUSE_ALWAYS_RUN_INITDB_SCRIPTS}" || -z "${DATABASE_ALREADY_EXISTS}" ]]; then
+      RUN_INITDB_SCRIPTS='true'
+    fi
 
-        # Listen only on localhost until the initialization is done
-        clickhouse su "${USER}:${GROUP}" clickhouse-server --config-file="$CLICKHOUSE_CONFIG" -- --listen_host=127.0.0.1 &
-        pid="$!"
+    if [ -n "${RUN_INITDB_SCRIPTS}" ]; then
+        if [ -n "$(ls /docker-entrypoint-initdb.d/)" ] || [ -n "$CLICKHOUSE_DB" ]; then
+            # port is needed to check if clickhouse-server is ready for connections
+            HTTP_PORT="$(clickhouse extract-from-config --config-file "$CLICKHOUSE_CONFIG" --key=http_port --try)"
+            HTTPS_PORT="$(clickhouse extract-from-config --config-file "$CLICKHOUSE_CONFIG" --key=https_port --try)"
 
-        # check if clickhouse is ready to accept connections
-        # will try to send ping clickhouse via http_port (max 1000 retries by default, with 1 sec timeout and 1 sec delay between retries)
-        tries=${CLICKHOUSE_INIT_TIMEOUT:-1000}
-        while ! wget --spider --no-check-certificate -T 1 -q "$URL" 2>/dev/null; do
-            if [ "$tries" -le "0" ]; then
-                echo >&2 'ClickHouse init process timeout.'
-                exit 1
+            if [ -n "$HTTP_PORT" ]; then
+                URL="http://127.0.0.1:$HTTP_PORT/ping"
+            else
+                URL="https://127.0.0.1:$HTTPS_PORT/ping"
             fi
-            tries=$(( tries-1 ))
-            sleep 1
-        done
 
-        clickhouseclient=( clickhouse-client --multiquery --host "127.0.0.1" -u "$CLICKHOUSE_USER" --password "$CLICKHOUSE_PASSWORD" )
+            # Listen only on localhost until the initialization is done
+            clickhouse su "${USER}:${GROUP}" clickhouse-server --config-file="$CLICKHOUSE_CONFIG" -- --listen_host=127.0.0.1 &
+            pid="$!"
 
-        echo
+            # check if clickhouse is ready to accept connections
+            # will try to send ping clickhouse via http_port (max 1000 retries by default, with 1 sec timeout and 1 sec delay between retries)
+            tries=${CLICKHOUSE_INIT_TIMEOUT:-1000}
+            while ! wget --spider --no-check-certificate -T 1 -q "$URL" 2>/dev/null; do
+                if [ "$tries" -le "0" ]; then
+                    echo >&2 'ClickHouse init process timeout.'
+                    exit 1
+                fi
+                tries=$(( tries-1 ))
+                sleep 1
+            done
 
-        # create default database, if defined
-        if [ -n "$CLICKHOUSE_DB" ]; then
-            echo "$0: create database '$CLICKHOUSE_DB'"
-            "${clickhouseclient[@]}" -q "CREATE DATABASE IF NOT EXISTS $CLICKHOUSE_DB";
-        fi
+            clickhouseclient=( clickhouse-client --multiquery --host "127.0.0.1" -u "$CLICKHOUSE_USER" --password "$CLICKHOUSE_PASSWORD" )
 
-        for f in /docker-entrypoint-initdb.d/*; do
-            case "$f" in
-                *.sh)
-                    if [ -x "$f" ]; then
-                        echo "$0: running $f"
-                        "$f"
-                    else
-                        echo "$0: sourcing $f"
-                        # shellcheck source=/dev/null
-                        . "$f"
-                    fi
-                    ;;
-                *.sql)    echo "$0: running $f"; "${clickhouseclient[@]}" < "$f" ; echo ;;
-                *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${clickhouseclient[@]}"; echo ;;
-                *)        echo "$0: ignoring $f" ;;
-            esac
             echo
-        done
 
-        if ! kill -s TERM "$pid" || ! wait "$pid"; then
-            echo >&2 'Finishing of ClickHouse init process failed.'
-            exit 1
+            # create default database, if defined
+            if [ -n "$CLICKHOUSE_DB" ]; then
+                echo "$0: create database '$CLICKHOUSE_DB'"
+                "${clickhouseclient[@]}" -q "CREATE DATABASE IF NOT EXISTS $CLICKHOUSE_DB";
+            fi
+
+            for f in /docker-entrypoint-initdb.d/*; do
+                case "$f" in
+                    *.sh)
+                        if [ -x "$f" ]; then
+                            echo "$0: running $f"
+                            "$f"
+                        else
+                            echo "$0: sourcing $f"
+                            # shellcheck source=/dev/null
+                            . "$f"
+                        fi
+                        ;;
+                    *.sql)    echo "$0: running $f"; "${clickhouseclient[@]}" < "$f" ; echo ;;
+                    *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${clickhouseclient[@]}"; echo ;;
+                    *)        echo "$0: ignoring $f" ;;
+                esac
+                echo
+            done
+
+            if ! kill -s TERM "$pid" || ! wait "$pid"; then
+                echo >&2 'Finishing of ClickHouse init process failed.'
+                exit 1
+            fi
         fi
+    else
+        echo "ClickHouse Database directory appears to contain a database; Skipping initialization"
     fi
-else
-    echo "ClickHouse Database directory appears to contain a database; Skipping initialization"
-fi
+}
 
 # if no args passed to `docker run` or first argument start with `--`, then the user is passing clickhouse-server arguments
 if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
@@ -233,9 +257,24 @@ if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
     CLICKHOUSE_WATCHDOG_ENABLE=${CLICKHOUSE_WATCHDOG_ENABLE:-0}
     export CLICKHOUSE_WATCHDOG_ENABLE
 
+    create_directory_and_do_chown "$DATA_DIR"
+
+    # Change working directory to $DATA_DIR in case there're paths relative to $DATA_DIR, also avoids running
+    # clickhouse-server at root directory.
+    cd "$DATA_DIR"
+
+    # Using functions here to avoid unnecessary work in case of launching other binaries,
+    # inspired by postgres, mariadb etc. entrypoints
+    # It is necessary to pass the docker library consistency test
+    manage_clickhouse_directories
+    manage_clickhouse_user
+    init_clickhouse_db
+
     # This replaces the shell script with the server:
     exec clickhouse su "${USER}:${GROUP}" clickhouse-server --config-file="$CLICKHOUSE_CONFIG" "$@"
 fi
 
 # Otherwise, we assume the user want to run his own process, for example a `bash` shell to explore this image
 exec "$@"
+
+# vi: ts=4: sw=4: sts=4: expandtab

programs/extract-from-config/ExtractFromConfig.cpp

@@ -1,3 +1,4 @@
+#include <filesystem>
 #include <iostream>
 #include <string>
 #include <vector>
@@ -19,6 +20,16 @@
 #include <Common/parseGlobs.h>
 #include <Common/re2.h>
 
+namespace DB
+{
+    namespace ErrorCodes
+    {
+        extern const int CANNOT_LOAD_CONFIG;
+    }
+}
+
+namespace fs = std::filesystem;
+
 static void setupLogging(const std::string & log_level)
 {
     Poco::AutoPtr<Poco::ConsoleChannel> channel(new Poco::ConsoleChannel);
@@ -79,8 +90,7 @@ static std::vector<std::string> extactFromConfigAccordingToGlobs(DB::Configurati
 }
 
 
-static std::vector<std::string> extractFromConfig(
-        const std::string & config_path, const std::string & key, bool process_zk_includes, bool try_get = false)
+static DB::ConfigurationPtr get_configuration(const std::string & config_path, bool process_zk_includes)
 {
     DB::ConfigProcessor processor(config_path, /* throw_on_bad_incl = */ false, /* log_to_console = */ false);
     bool has_zk_includes;
@@ -97,7 +107,27 @@ static std::vector<std::string> extractFromConfig(
         zkutil::ZooKeeperNodeCache zk_node_cache([&] { return zookeeper; });
         config_xml = processor.processConfig(&has_zk_includes, &zk_node_cache);
     }
-    DB::ConfigurationPtr configuration(new Poco::Util::XMLConfiguration(config_xml));
+    return DB::ConfigurationPtr(new Poco::Util::XMLConfiguration(config_xml));
+}
+
+
+static std::vector<std::string> extractFromConfig(
+        const std::string & config_path, const std::string & key, bool process_zk_includes, bool try_get = false, bool get_users = false)
+{
+    DB::ConfigurationPtr configuration = get_configuration(config_path, process_zk_includes);
+
+    if (get_users)
+    {
+        bool has_user_directories = configuration->has("user_directories");
+        if (!has_user_directories && !try_get)
+            throw DB::Exception(DB::ErrorCodes::CANNOT_LOAD_CONFIG, "Can't load config for users");
+
+        std::string users_config_path = configuration->getString("user_directories.users_xml.path");
+        const auto config_dir = fs::path{config_path}.remove_filename().string();
+        if (fs::path(users_config_path).is_relative() && fs::exists(fs::path(config_dir) / users_config_path))
+            users_config_path = fs::path(config_dir) / users_config_path;
+        configuration = get_configuration(users_config_path, process_zk_includes);
+    }
 
     /// Check if a key has globs.
     if (key.find_first_of("*?{") != std::string::npos)
@@ -117,6 +147,7 @@ int mainEntryClickHouseExtractFromConfig(int argc, char ** argv)
     bool print_stacktrace = false;
     bool process_zk_includes = false;
     bool try_get = false;
+    bool get_users = false;
     std::string log_level;
     std::string config_path;
     std::string key;
@@ -130,6 +161,7 @@ int mainEntryClickHouseExtractFromConfig(int argc, char ** argv)
         ("process-zk-includes", po::bool_switch(&process_zk_includes),
          "if there are from_zk elements in config, connect to ZooKeeper and process them")
         ("try", po::bool_switch(&try_get), "Do not warn about missing keys")
+        ("users", po::bool_switch(&get_users), "Return values from users.xml config")
         ("log-level", po::value<std::string>(&log_level)->default_value("error"), "log level")
         ("config-file,c", po::value<std::string>(&config_path)->required(), "path to config file")
         ("key,k", po::value<std::string>(&key)->required(), "key to get value for");
@@ -156,7 +188,7 @@ int mainEntryClickHouseExtractFromConfig(int argc, char ** argv)
         po::notify(options);
 
         setupLogging(log_level);
-        for (const auto & value : extractFromConfig(config_path, key, process_zk_includes, try_get))
+        for (const auto & value : extractFromConfig(config_path, key, process_zk_includes, try_get, get_users))
             std::cout << value << std::endl;
     }
     catch (...)

tests/ci/ci_utils.py

@@ -298,6 +298,7 @@ def normalize_string(string: str) -> str:
             (",", "_"),
             ("/", "_"),
             ("-", "_"),
+            (":", "_"),
         ):
             res = res.replace(*r)
         return res