Disable network access for user default in docker images#75259
Conversation
|
@Felixoid, when the password for the default user is already set in one or another configuration file, it should not argue. Configuration files can be mapped to the container in numerous ways. |
Because there was a code that managed users, hardcoding defaults looked worse at the time. The purpose of the changes is pushing users to set up the user/password.
That was another point in favor of adding
Then it's on the user to leave the DB completely open, right?
It's an interesting point that could be implemented. However, making it work is tricky because of the numerous ways. The 100% working way would imply the patch to ClickHouse/programs/local/LocalServer.cpp Lines 475 to 489 in 0ae0521 Then we can check the content of |
I would say just check that the user is configured, regardless of the |
|
It's a chicken-egg issue, kind of. That means we need to compare the content of the |
|
It looks like the #75643 addresses all concerns, especially the case when |
|
I don't want to beat about the bush, but I kind of liked the way clickhouse images works before, no need to set any env variables - it just works (unlike mysql, where you need to go and read documentation for the image make it run) |
Signed-off-by: Slach <bloodjazman@gmail.com>
|
Everybody interesting in checking the fix from #75643 is working, you can build it as following: |
Nobody leaves anything open. Users are mapped from config maps or volumes or files.
They for sure are. The Wiz attention whoring was hilarious though. |
Does it mean you've seen the code from the message above on how to check the follow-up PR? What was the result? |
|
We have checked it for the read-only volumes with the Since everyone who commented on the PR has not provided feedback since last week, it either works or nobody wants to help. I'll give it more time to try it out, and the check for the changed |
|
|
@Felixoid, could you add this change to the breaking changes section in the changelog? This would have saved me troubleshooting time. |
|
I added a note. Together with #75643, it's much less intrusive. Could you test the latest image, please? It's 25.1 Releases 24.3, 24.8, 24.11, and 24.12 don't have it backported yet |
|
@Felixoid: I tested the image, but in my use case it still breaks the CI pipeline running integration tests as it is started like Here is an example of such a CI pipeline. |
|
Yes, the To address it, I'll take the documentation part from the #74605 and will update it on the docker hub ASAP. update: #76207 |
I'm not sure how to answer that one. |
With the |
That's much better! Unfortunately I don't see which version of CH supports |
|
I think you mean the 25.1 supports it, as does the latest master. I plan to update the rest of the active releases on Monday. |
|
Which one of the 25.1s? Lol |

Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Potentially breaking: Improvement to set even more restrictive defaults. The current defaults are already secure - the user has to specify an option to publish ports explicitly. But when the
defaultuser doesn’t have a password set byCLICKHOUSE_PASSWORDand/or a username changed byCLICKHOUSE_USERenvironment variables, it should be available only from the local system as an additional level of protection.Documentation entry for user-facing changes
CI Settings (Only check the boxes if you know what you are doing)
All builds in Builds_1 and Builds_2 stages are always mandatory and will run independently of the checks below: