Configuring CAP_IPC_LOCK and CAP_SYS_NICE Capabilities in Docker

Learn how to resolve Docker capability warnings for `CAP_IPC_LOCK` and `CAP_SYS_NICE` when running ClickHouse in a container.

Question

When running ClickHouse in Docker, Docker is complaining about the lack of CAP_IPC_LOCK and CAP_SYS_NICE capabilities in the system. How can I resolve it?

Here is what the no CAP_SYS_NICE or CAP_SYS_NICE capability log messages look like:

Answer

1. Add two --cap-add arguments to provide the container with the IPC_LOCK and SYS_NICE capabilities:

2. Check that the capabilities are visible in the container using the following command:

The response is similar to:

3. Manually set both the capabilities for ClickHouse

4. Check that the capabilities are applied.

You should see the following:

5. Restart the ClickHouse server and the log messages should not be shown.

Check out this article on Linux capabilities for more details.

7 июн. 2023 г. · 2 мин. чтения