Instalace plausible

jarda · April 14, 2025, 1:53pm

Snažím se nainstalovat plausible, což je alternativa k Google Analytics.
Instaluji docker verzi a součastí je ClickHouse a s tím mám problém.
ClickHouse se odmítá spustit s chybou:

plausible_events_db-1 | /entrypoint.sh: explicitly skip changing user ‘default’
plausible_events_db-1 | Processing configuration file ‘/etc/clickhouse-server/config.xml’.
plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/disable_async_metrics.xml’.
plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/docker_related_config.xml’.
plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/ipv4-only.xml’.
plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/logs.xml’.
plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/low-resources.xml’.
plausible_events_db-1 | Logging warning to /var/log/clickhouse-server/clickhouse-server.log
plausible_events_db-1 | Logging errors to /var/log/clickhouse-server/clickhouse-server.err.log
plausible_events_db-1 | 2025.04.14 13:32:48.145941 [ 1 ] {} Application: std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in directory_iterator::directory_iterator(…): Permission denied [“/sys/block”], Stack trace (when copying this message, always include the lines below):
plausible_events_db-1 |
plausible_events_db-1 | 0. std::system_error::system_error(std::error_code, String const&) @ 0x0000000018a055f5
plausible_events_db-1 | 1. std::__fs::filesystem::filesystem_error::filesystem_error[abi:v15007](String const&, std::__fs::filesystem::path const&, std::error_code) @ 0x000000000d7bb821
plausible_events_db-1 | 2. void std::__fs::filesystem::__throw_filesystem_error[abi:v15007]<String&, std::__fs::filesystem::path const&, std::error_code const&>(String&, std::__fs::filesystem::path const&, std::error_code const&) @ 0x00000000189b8eba
plausible_events_db-1 | 3. std::__fs::filesystem::detail::(anonymous namespace)::ErrorHandler::report(std::error_code const&) const (.llvm.1570443736777904000) @ 0x00000000189b7340
plausible_events_db-1 | 4. std::__fs::filesystem::directory_iterator::directory_iterator(std::__fs::filesystem::path const&, std::error_code*, std::__fs::filesystem::directory_options) @ 0x00000000189b71a7
plausible_events_db-1 | 5. DB::AsynchronousMetrics::openBlockDevices() @ 0x000000000d8a689a
plausible_events_db-1 | 6. DB::AsynchronousMetrics::AsynchronousMetrics(unsigned int, std::function<std::vector<DB::ProtocolServerMetrics, std::allocatorDB::ProtocolServerMetrics> ()> const&, bool, bool) @ 0x000000000d8a4b59
plausible_events_db-1 | 7. DB::ServerAsynchronousMetrics::ServerAsynchronousMetrics(std::shared_ptr<DB::Context const>, unsigned int, bool, unsigned int, std::function<std::vector<DB::ProtocolServerMetrics, std::allocatorDB::ProtocolServerMetrics> ()> const&, bool, bool) @ 0x00000000121867f3
plausible_events_db-1 | 8. DB::Server::main(std::vector<String, std::allocator> const&) @ 0x000000000d9fa7f9
plausible_events_db-1 | 9. Poco::Util::Application::run() @ 0x000000001666fd66
plausible_events_db-1 | 10. DB::Server::run() @ 0x000000000d9f5f10
plausible_events_db-1 | 11. Poco::Util::ServerApplication::run(int, char**) @ 0x0000000016678be7
plausible_events_db-1 | 12. mainEntryClickHouseServer(int, char**) @ 0x000000000d9f2d93
plausible_events_db-1 | 13. main @ 0x0000000008640abc
plausible_events_db-1 | 14. ? @ 0x00007fe125afcd90
plausible_events_db-1 | 15. ? @ 0x00007fe125afce40
plausible_events_db-1 | 16. _start @ 0x00000000065e102e
plausible_events_db-1 |
plausible_events_db-1 | Cannot print extra info for Poco::Exception (version 24.12.6.70 (official build))
plausible_events_db-1 exited with code 0

Chybí mu přístup do /sys/block. Na radu AI jsem zakázal asynchronous_metric_log pomocí <asynchronous_metric_log remove=“1” /> ale to nepomohlo.
Nemá někdo radu jak ClickHouse spustit. Pod kvm se mi to zdá zbytečně komplikované.
Díky.

snajpa · April 14, 2025, 5:01pm

Muzes si udelat vlastni adresar se strukturou, kterou to ocekava a ten tomu pak dat jako volume, a la:

docker run -v /path/to/fake-sys-block:/sys/block [other options] [image] [command]

jarda · April 15, 2025, 12:13pm

Ahoj, díky za radu.
Pokud se pokusím nahradit adresář /sys/block, kontejner se vůbec nespustí a dostanu chybu:
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error m
ounting “/opt/plausible-ce/sys” to rootfs at “/sys/block”: create mountpoint for /sys/block mount: re-opening handle to “/var/lib/docker/overlay2/7f7b8d8f819ecba997e2229e98419cfbcc903d4c73a27754c7dc7f4f797f10b3/
merged/sys/block”: reopen fd 11: permission denied: unknown
root@mail2:/opt/plausible-ce# ls -l /sys/block/
ls: cannot open directory ‘/sys/block/’: Permission denied

Můžu nahradit celý adresář /sys prázdným adresářem. To funguje kontejner i ClickHouse se spustí, jen vypíše nějaké chyby. Jenže to už mi přijde přiliš “divoké” a moc tomu nedůvěřuji.
Nejde mít adresář /sys/block prázdný ale přístupný? Nebo jiná rada?
Díky

snajpa · April 15, 2025, 6:33pm

Jedine report vyvojarum, at si to opravi. Predpoklad, ze je aplikace na serveru sama a muze si tam delat uplne, co chce a sahat, kam chce, je ta podstata problemu tady, to je na vyvojarich, aby z toho polevili.

Uz nekolikrat nam omezeny pristup do sysfs usetril praci pri reseni security problemu jednoduse tim, ze se na dane soubory zadny kod, co by to mohl chtit zneuzit, nedostane. Myslim, ze ta omezeni opravnenima v sysfs maji smysl, co mi uplne smysl nedava, je aplikace, co se tvari, jako ze maji cely system pro sebe

snajpa · April 15, 2025, 7:16pm

github.com/ClickHouse/ClickHouse

Restricted sysfs compatibility

opened 07:16PM - 15 Apr 25 UTC

snajpa

usability

### Company or project name vpsFree.cz members trying to use Plausible Docker i…mage ### Describe the unexpected behaviour Hello, members of our nonprofit association have reproted that ClickHouse isn't working in our environment based on Linux containers ([vpsadminos.org](https://vpsadminos.org)) It would seem to be because we run unprivileged containers instead of full virtualization and in order to ensure secure environment for our members, we restrict parts of `sysfs` using traditional Unix `ugo`, denying all access to all hardware-related files, because that's out of scope what the single container can manage. It has saved us from having to panic about at least 2 zero-days thus far, so we think this restriction is useful to have. I would like to ask, whether it would be possible to make ClickHouse happy even if it has no HW-related metrics? We run OpenZFS, the zpool is managed by the central admin team, it has no practical use to allow individual containers to access `/sys/block` Would it be possible to change the behavior to simply skip those metrics where permission is denied? What can I do to help? ### How to reproduce Before trying to run the Docker container with ClickHouse, restrict `/sys/block` this way: ``` chmod o-rwx /sys/block ``` Now try to start the docker container and observe the permission denied error and subsequent exit. ### Expected behavior Would expect errors about permission denied in logs, but the DB probably should start :) ### Error message and/or stacktrace Log from an attempt to start a clickhouse-based Docker container (`plausible`): ``` plausible_events_db-1 | /entrypoint.sh: explicitly skip changing user ‘default’ plausible_events_db-1 | Processing configuration file ‘/etc/clickhouse-server/config.xml’. plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/disable_async_metrics.xml’. plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/docker_related_config.xml’. plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/ipv4-only.xml’. plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/logs.xml’. plausible_events_db-1 | Merging configuration file ‘/etc/clickhouse-server/config.d/low-resources.xml’. plausible_events_db-1 | Logging warning to /var/log/clickhouse-server/clickhouse-server.log plausible_events_db-1 | Logging errors to /var/log/clickhouse-server/clickhouse-server.err.log plausible_events_db-1 | 2025.04.14 13:32:48.145941 [ 1 ] {} Application: std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in directory_iterator::directory_iterator(…): Permission denied [“/sys/block”], Stack trace (when copying this message, always include the lines below): plausible_events_db-1 | plausible_events_db-1 | 0. std::system_error::system_error(std::error_code, String const&) @ 0x0000000018a055f5 plausible_events_db-1 | 1. std::__fs::filesystem::filesystem_error::filesystem_error[abi:v15007](String const&, std::__fs::filesystem::path const&, std::error_code) @ 0x000000000d7bb821 plausible_events_db-1 | 2. void std::__fs::filesystem::__throw_filesystem_error[abi:v15007]<String&, std::__fs::filesystem::path const&, std::error_code const&>(String&, std::__fs::filesystem::path const&, std::error_code const&) @ 0x00000000189b8eba plausible_events_db-1 | 3. std::__fs::filesystem::detail::(anonymous namespace)::ErrorHandler::report(std::error_code const&) const (.llvm.1570443736777904000) @ 0x00000000189b7340 plausible_events_db-1 | 4. std::__fs::filesystem::directory_iterator::directory_iterator(std::__fs::filesystem::path const&, std::error_code*, std::__fs::filesystem::directory_options) @ 0x00000000189b71a7 plausible_events_db-1 | 5. DB::AsynchronousMetrics::openBlockDevices() @ 0x000000000d8a689a plausible_events_db-1 | 6. DB::AsynchronousMetrics::AsynchronousMetrics(unsigned int, std::function<std::vector<DB::ProtocolServerMetrics, std::allocatorDB::ProtocolServerMetrics> ()> const&, bool, bool) @ 0x000000000d8a4b59 plausible_events_db-1 | 7. DB::ServerAsynchronousMetrics::ServerAsynchronousMetrics(std::shared_ptr<DB::Context const>, unsigned int, bool, unsigned int, std::function<std::vector<DB::ProtocolServerMetrics, std::allocatorDB::ProtocolServerMetrics> ()> const&, bool, bool) @ 0x00000000121867f3 plausible_events_db-1 | 8. DB::Server::main(std::vector<String, std::allocator> const&) @ 0x000000000d9fa7f9 plausible_events_db-1 | 9. Poco::Util::Application::run() @ 0x000000001666fd66 plausible_events_db-1 | 10. DB::Server::run() @ 0x000000000d9f5f10 plausible_events_db-1 | 11. Poco::Util::ServerApplication::run(int, char**) @ 0x0000000016678be7 plausible_events_db-1 | 12. mainEntryClickHouseServer(int, char**) @ 0x000000000d9f2d93 plausible_events_db-1 | 13. main @ 0x0000000008640abc plausible_events_db-1 | 14. ? @ 0x00007fe125afcd90 plausible_events_db-1 | 15. ? @ 0x00007fe125afce40 plausible_events_db-1 | 16. _start @ 0x00000000065e102e plausible_events_db-1 | plausible_events_db-1 | Cannot print extra info for Poco::Exception (version 24.12.6.70 (official build)) plausible_events_db-1 exited with code 0 ``` We have tried to fake `/sys/block` using a volume, but it seems ClickHouse's layer which does the mounting, so that fails too: ``` Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error m ounting “/opt/plausible-ce/sys” to rootfs at “/sys/block”: create mountpoint for /sys/block mount: re-opening handle to “/var/lib/docker/overlay2/7f7b8d8f819ecba997e2229e98419cfbcc903d4c73a27754c7dc7f4f797f10b3/ merged/sys/block”: reopen fd 11: permission denied: unknown root@mail2:/opt/plausible-ce# ls -l /sys/block/ ls: cannot open directory ‘/sys/block/’: Permission denied ``` ### Additional context _No response_

jarda · April 16, 2025, 6:02am

Díky za reakci i hlášení problému vývojářům . Ty bezpečnostní rizika chápu.

snajpa · April 22, 2025, 7:41am

Sice je to asi pochopitelny, ale stale opruz Zkousim vymyslet nejaky lepsi pristup k tomuhle filtrovani, transparentni k aplikacim, aby nedostaly -EPERM, ale abych toho nemusel menit v kernelu zas tolik a hlavne, aby zmena te restrict policy nevyzadovala reboot. Neslibuju uplne, ze z toho neco bude, ale nejake napady mam a dokud je nevycerpam, nebudu vedet jiste

jarda · April 22, 2025, 9:16am

Díky za snahu o pomoc, vývojáři ClickHouse toho asi mají moc .