Disable network access for user `default` in docker images by Felixoid · Pull Request #75259 · ClickHouse/ClickHouse · GitHub
Skip to content

Disable network access for user default in docker images#75259

Merged
Felixoid merged 1 commit into
masterfrom
docker-localhost-default
Jan 30, 2025
Merged

Disable network access for user default in docker images#75259
Felixoid merged 1 commit into
masterfrom
docker-localhost-default

Conversation

@Felixoid

@Felixoid Felixoid commented Jan 30, 2025

Copy link
Copy Markdown
Member

Changelog category (leave one):

  • Build/Testing/Packaging Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Potentially breaking: Improvement to set even more restrictive defaults. The current defaults are already secure - the user has to specify an option to publish ports explicitly. But when the default user doesn’t have a password set by CLICKHOUSE_PASSWORD and/or a username changed by CLICKHOUSE_USER environment variables, it should be available only from the local system as an additional level of protection.

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

CI Settings (Only check the boxes if you know what you are doing)

All builds in Builds_1 and Builds_2 stages are always mandatory and will run independently of the checks below:

  • Only: Stateless tests
  • Only: Integration tests
  • Only: Performance tests

  • Skip: Style check
  • Skip: Fast test

  • Run all checks ignoring all possible failures (Resource-intensive. All test jobs execute in parallel).
  • Disable CI cache

@robot-ch-test-poll2 robot-ch-test-poll2 added the pr-build Pull request with build/testing/packaging improvement label Jan 30, 2025
@robot-ch-test-poll4

robot-ch-test-poll4 commented Jan 30, 2025

Copy link
Copy Markdown
Contributor

@pufit pufit self-assigned this Jan 30, 2025
@Felixoid Felixoid added this pull request to the merge queue Jan 30, 2025
Merged via the queue into master with commit c4755ae Jan 30, 2025
@Felixoid Felixoid deleted the docker-localhost-default branch January 30, 2025 16:26
@robot-ch-test-poll robot-ch-test-poll added the pr-synced-to-cloud The PR is synced to the cloud repo label Jan 30, 2025
@Felixoid Felixoid added the pr-must-backport Pull request should be backported intentionally. Use this label with great care! label Jan 30, 2025
robot-clickhouse added a commit that referenced this pull request Jan 30, 2025
robot-clickhouse added a commit that referenced this pull request Jan 30, 2025
robot-clickhouse added a commit that referenced this pull request Jan 30, 2025
robot-clickhouse added a commit that referenced this pull request Jan 30, 2025
robot-clickhouse added a commit that referenced this pull request Jan 30, 2025
@alexey-milovidov

alexey-milovidov commented Feb 6, 2025

Copy link
Copy Markdown
Member

@Felixoid, when the password for the default user is already set in one or another configuration file, it should not argue. Configuration files can be mapped to the container in numerous ways.

@Felixoid

Felixoid commented Feb 6, 2025

Copy link
Copy Markdown
Member Author

why you choose to runtime change configuration files inside the container in entrypoint.sh Instead of just change docker_related_config.xml? These changes mixed declarative configuration approach on build time.

Because there was a code that managed users, hardcoding defaults looked worse at the time. The purpose of the changes is pushing users to set up the user/password.

These changes actually will just break many installations, which will use read-only volumes for /etc/clickhouse-server or /etc/clichouse-server/users.d/

That was another point in favor of adding CLICKHOUSE_SKIP_USER_SETUP to make default as before. AFAIK, the RBAC user management is used for such cases. Unfortunately, not everyone is so advanced to set it up.

This is not make clickhouse-server docker installation more secure because most of the users just will decide CLICKHOUSE_SKIP_USER_SETUP=1 and default without password user will still present

Then it's on the user to leave the DB completely open, right?

when the password for the default user is already set in one or another configuration file, it should not argue. Configuration files can be mapped to the container in numerous ways.

It's an interesting point that could be implemented. However, making it work is tricky because of the numerous ways.

The 100% working way would imply the patch to clickhouse-extract-from-config that would automatically read the users' configuration by an arg '--users'. Something like

if (users_config_path.empty() && has_user_directories)
{
users_config_path = getClientConfiguration().getString("user_directories.users_xml.path");
if (fs::path(users_config_path).is_relative() && fs::exists(fs::path(config_dir) / users_config_path))
users_config_path = fs::path(config_dir) / users_config_path;
}
if (users_config_path.empty())
users_config = getConfigurationFromXMLString(minimal_default_user_xml);
else
{
ConfigProcessor config_processor(users_config_path);
const auto loaded_config = config_processor.loadConfig();
users_config = loaded_config.configuration;
}

Then we can check the content of users.default for keys password, password_sha256_hex, password_double_sha1_hex, ldap.server, or kerberos.

@azat

azat commented Feb 6, 2025

Copy link
Copy Markdown
Member

Then we can check the content of users.default for keys password, password_sha256_hex, password_double_sha1_hex, ldap.server, or kerberos.

I would say just check that the user is configured, regardless of the password*/no_password, since if he provides the config - it was the "explicit intention"

@Felixoid

Felixoid commented Feb 6, 2025

Copy link
Copy Markdown
Member Author

It's a chicken-egg issue, kind of.

That means we need to compare the content of the default user to the "matrix" one. Copy /etc/clickhouse-server/users.xml into /tmp and compare the output to the one without users.d?

Slach added a commit to Altinity/clickhouse-operator that referenced this pull request Feb 6, 2025
@Felixoid

Felixoid commented Feb 6, 2025

Copy link
Copy Markdown
Member Author

It looks like the #75643 addresses all concerns, especially the case when default user is already changed somehow

@azat

azat commented Feb 6, 2025

Copy link
Copy Markdown
Member

I don't want to beat about the bush, but I kind of liked the way clickhouse images works before, no need to set any env variables - it just works (unlike mysql, where you need to go and read documentation for the image make it run)

Slach added a commit to Altinity/clickhouse-backup that referenced this pull request Feb 6, 2025
Signed-off-by: Slach <bloodjazman@gmail.com>
@Felixoid

Felixoid commented Feb 7, 2025

Copy link
Copy Markdown
Member Author

Everybody interesting in checking the fix from #75643 is working, you can build it as following:

cd ClickHouse # repo root
git fetch https://github.com/ClickHouse/ClickHouse.git improve-entrypoints
git checkout improve-entrypoints
docker buildx build --output=type=docker --platform=linux/amd64 --label=build-url=https://github.com/ClickHouse/ClickHouse/actions/runs/13187011934 --label=com.clickhouse.build.githash=183c840f10c9d869e5346357b3e7a6037247a9b4 --label=com.clickhouse.build.version= --build-arg=DIRECT_DOWNLOAD_URLS='https://s3.amazonaws.com/clickhouse-builds/PRs/75643/579c3023f7188f156e9a08320f522da467ccf2f9/package_release/clickhouse-client_25.2.1.1202_amd64.deb https://s3.amazonaws.com/clickhouse-builds/PRs/75643/579c3023f7188f156e9a08320f522da467ccf2f9/package_release/clickhouse-common-static_25.2.1.1202_amd64.deb https://s3.amazonaws.com/clickhouse-builds/PRs/75643/579c3023f7188f156e9a08320f522da467ccf2f9/package_release/clickhouse-server_25.2.1.1202_amd64.deb' --tag=clickhouse/clickhouse-server:head-amd64 --build-arg=VERSION='25.2.1.1' --progress=plain --file=docker/server/Dockerfile.ubuntu docker/server

@pkit

pkit commented Feb 10, 2025

Copy link
Copy Markdown
Contributor

@Felixoid

Then it's on the user to leave the DB completely open, right?

Nobody leaves anything open. Users are mapped from config maps or volumes or files.
Obviously read-only for security reasons. And then all other users are managed from DDL.
That setup is completely destroyed by the PR here.

@Slach

Hope, these changes not relates to the latest deepseek stupid installation mistakes

They for sure are. The Wiz attention whoring was hilarious though.
The right course of action is to ignore. But you know...

@Felixoid

Felixoid commented Feb 10, 2025

Copy link
Copy Markdown
Member Author

That setup is completely destroyed by the PR here.

Does it mean you've seen the code from the message above on how to check the follow-up PR?

What was the result?

@Felixoid

Felixoid commented Feb 10, 2025

Copy link
Copy Markdown
Member Author

We have checked it for the read-only volumes with the entrypoint.sh from #75643

Since everyone who commented on the PR has not provided feedback since last week, it either works or nobody wants to help.

I'll give it more time to try it out, and the check for the changed default user will be merged and backported tomorrow.

@Felixoid

Copy link
Copy Markdown
Member Author
$ docker run --rm -v /etc/clickhouse-server/users.d/:/etc/clickhouse-server/users.d/:ro --name xxx1 clickhouse/clickhouse-server:head
Processing configuration file '/etc/clickhouse-server/config.xml'.
Merging configuration file '/etc/clickhouse-server/config.d/docker_related_config.xml'.
Logging trace to /var/log/clickhouse-server/clickhouse-server.log
Logging errors to /var/log/clickhouse-server/clickhouse-server.err.log
$ docker run --rm -v /tmp/wrong-dir:/etc/clickhouse-server/users.d/:ro --name xxx1 clickhouse/clickhouse-server:head
/entrypoint.sh: neither CLICKHOUSE_USER nor CLICKHOUSE_PASSWORD is set, disabling network access for user 'default'
/entrypoint.sh: line 156: /etc/clickhouse-server/users.d/default-user.xml: Read-only file system
$ docker run --rm --name xxx1 clickhouse/clickhouse-server:head
/entrypoint.sh: neither CLICKHOUSE_USER nor CLICKHOUSE_PASSWORD is set, disabling network access for user 'default'
Processing configuration file '/etc/clickhouse-server/config.xml'.
Merging configuration file '/etc/clickhouse-server/config.d/docker_related_config.xml'.
Logging trace to /var/log/clickhouse-server/clickhouse-server.log
Logging errors to /var/log/clickhouse-server/clickhouse-server.err.log
$ docker run --rm --name xxx1 -e CLICKHOUSE_SKIP_USER_SETUP=1 clickhouse/clickhouse-server:head
/entrypoint.sh: explicitly skip changing user 'default'
Processing configuration file '/etc/clickhouse-server/config.xml'.
Merging configuration file '/etc/clickhouse-server/config.d/docker_related_config.xml'.
Logging trace to /var/log/clickhouse-server/clickhouse-server.log
Logging errors to /var/log/clickhouse-server/clickhouse-server.err.log
$ docker run -it --rm -v /etc/clickhouse-server/users.d/:/etc/clickhouse-server/users.d/:ro --name xxx1 clickhouse/clickhouse-server:head bash
root@f973bb045d2a:/#
exit

@maederm

maederm commented Feb 14, 2025

Copy link
Copy Markdown

@Felixoid, could you add this change to the breaking changes section in the changelog? This would have saved me troubleshooting time.

@Felixoid

Felixoid commented Feb 14, 2025

Copy link
Copy Markdown
Member Author

I added a note.

Together with #75643, it's much less intrusive. Could you test the latest image, please? It's 25.1

Releases 24.3, 24.8, 24.11, and 24.12 don't have it backported yet

@maederm

maederm commented Feb 15, 2025

Copy link
Copy Markdown

@Felixoid: I tested the image, but in my use case it still breaks the CI pipeline running integration tests as it is started like docker run --rm -p 127.0.0.1:9000:9000 clickhouse/clickhouse-server:latest. Using -e CLICKHOUSE_SKIP_USER_SETUP=1 brought back the old behavior.

Here is an example of such a CI pipeline.

@Felixoid

Felixoid commented Feb 15, 2025

Copy link
Copy Markdown
Member Author

Yes, the -p 127.0.0.1:9000:9000 doesn't work as the localhost under the hood https://github.com/ClickHouse/ClickHouse/pull/74605/files#diff-cb35cbd88e33b5c202774e3e47b97fb914a161f8a67e98d3c453ef57a56e81d1R76

To address it, --network=host will help.

I'll take the documentation part from the #74605 and will update it on the docker hub ASAP.

update: #76207

@pkit

pkit commented Feb 15, 2025

Copy link
Copy Markdown
Contributor

That setup is completely destroyed by the PR here.

Does it mean you've seen the code from the message above on how to check the follow-up PR?

What was the result?

I'm not sure how to answer that one.
I have a perfectly secure (as it can get) flow.
Now I need to change it for no reason.
No matter the setup, I need to change it. Because it fails.
Obviously the easiest change for me was just to set CLICKHOUSE_SKIP_USER_SETUP=1 to remove the strange attempt at "security" that just brings more headache. :)
In the future I think I will just return to building the image myself with a proper entrypoint.

@Felixoid

Copy link
Copy Markdown
Member Author

No matter the setup, I need to change it. Because it fails.

With the latest image version, the user setup step is automatically omitted if the user default is changed in the users.d.

@pkit

pkit commented Feb 15, 2025

Copy link
Copy Markdown
Contributor

No matter the setup, I need to change it. Because it fails.

With the latest image version, the user setup step is automatically omitted if the user default is changed in the users.d.

That's much better! Unfortunately I don't see which version of CH supports --users ...

@Felixoid

Felixoid commented Feb 15, 2025

Copy link
Copy Markdown
Member Author

I think you mean the clickhouse-extract-from-config command.

25.1 supports it, as does the latest master.

I plan to update the rest of the active releases on Monday.

@pkit

pkit commented Feb 16, 2025

Copy link
Copy Markdown
Contributor

Which one of the 25.1s? Lol
25.2 does not support it asa far as I'm concerned:

std::exception. Code: 1001, type: boost::wrapexcept<boost::program_options::unknown_option>, e.what() = unrecognised option '--users' (version 25.2.1.1840 (official build))

@Felixoid

Felixoid commented Feb 16, 2025

Copy link
Copy Markdown
Member Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pr-backports-created Backport PRs are successfully created, it won't be processed by CI script anymore pr-backports-created-cloud deprecated label, NOOP pr-build Pull request with build/testing/packaging improvement pr-must-backport Pull request should be backported intentionally. Use this label with great care! pr-must-backport-synced The `*-must-backport` labels are synced into the cloud Sync PR pr-synced-to-cloud The PR is synced to the cloud repo

Projects

None yet

Development

Successfully merging this pull request may close these issues.