From 5fc934410d95026ea1a9613ef95ca5501a7c86f9 Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 4 Jun 2026 23:44:44 -0700 Subject: [PATCH] fix(clickhouse): chown admin.xml to uid 101 so container can read it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit users.d/admin.xml was chmod'd 600 but left owned by root. The clickhouse-server container runs as uid 101, and bind-mounts preserve numeric host uids inside the container — so the container couldn't read the file, crashloop with CANNOT_LOAD_CONFIG. Add chown 101:101 before the chmod so the container's clickhouse user owns the file in its view. remove-default-user.xml is fine at default 644 (no secret in it). Doesn't affect existing instances due to the aws_instance lifecycle ignore_changes on user_data — only matters for the next replacement. --- infra/modules/clickhouse-ec2/user-data.sh.tftpl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infra/modules/clickhouse-ec2/user-data.sh.tftpl b/infra/modules/clickhouse-ec2/user-data.sh.tftpl index 90044a5..aa4aaa9 100644 --- a/infra/modules/clickhouse-ec2/user-data.sh.tftpl +++ b/infra/modules/clickhouse-ec2/user-data.sh.tftpl @@ -57,6 +57,11 @@ cat >/etc/clickhouse-server/users.d/remove-default-user.xml <<'EOF' EOF +# Bind-mount preserves numeric uid/gid into the container, which runs as +# the clickhouse uid 101. A plain `chmod 600` leaves the file readable by +# root only, and the container can't load it (CANNOT_LOAD_CONFIG crash +# loop). Chown to 101 so the container's clickhouse user can read it. +chown 101:101 /etc/clickhouse-server/users.d/admin.xml chmod 600 /etc/clickhouse-server/users.d/admin.xml # --network=host: nothing else on this box uses 8123 or 9000, so skip the