wolfi-dev · octo-sts · Dec 25, 2025 · Dec 25, 2025
diff --git a/clickhouse-25.12.yaml b/clickhouse-25.12.yaml
@@ -0,0 +1,399 @@
+package:
+  name: clickhouse-25.12
+  version: "25.12.1.649-stable"
+  epoch: 0
+  description: ClickHouse is the fastest and most resource efficient open-source database for real-time apps and analytics.
+  copyright:
+    - license: Apache-2.0
+  resources:
+    cpu: 65
+    memory: 128Gi
+  dependencies:
+    provides:
+      - clickhouse=${{package.full-version}}
+    runtime:
+      - merged-usrsbin
+      - wolfi-baselayout
+
+var-transforms:
+  - from: ${{package.version}}
+    match: ^(\d+).*
+    replace: $1
+    to: major-version
+  - from: ${{package.version}}
+    match: ^(\d+\.\d+).*
+    replace: $1
+    to: major-minor-version
+
+environment:
+  contents:
+    packages:
+      - bash
+      - build-base
+      - busybox
+      - ca-certificates-bundle
+      - clang-19
+      - cmake
+      - coreutils
+      - findutils
+      - git
+      - grep
+      - ini-file
+      - libcxx1
+      - lld-19
+      - nasm<3
+      - ninja
+      - perl
+      - python3
+      - rust
+      - shadow
+      - xmlstarlet
+      - yasm
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/ClickHouse/ClickHouse
+      tag: v${{package.version}}-stable
+      expected-commit: bf4280aa19d3bade619578a749919e25ce490861
+
+  # The default build script is defensive and tries to protect against defining cflags.
+  - uses: patch
+    with:
+      patches: allow_cflags.patch
+
+  - runs: |
+      # parallel submodule fetch saves ~10 min during build; '0' tells git to use a reasonable value.
+      git config --global submodule.fetchJobs 0
+      git submodule update --init
+
+      # Overwrite VERSION_STRING to properly set the version of the binary.
+      sed -i "s|^SET(VERSION_STRING [^)]*)|SET(VERSION_STRING ${{package.version}})|" cmake/autogenerated_versions.txt
+
+      mkdir build
+      cd build
+      export PATH=$PATH:$HOME/.cargo/bin
+
+      # Reference for cmake options: https://github.com/ClickHouse/ClickHouse/blob/master/ci/jobs/build_clickhouse.py
+      cmake \
+        -DCOMPILER_CACHE=disabled \
+        -DCMAKE_INSTALL_PREFIX=/usr \
+        -DCMAKE_BUILD_TYPE=RELEASE \
+        -DNO_ARMV81_OR_HIGHER=1 \
+        -DCMAKE_INSTALL_LIBDIR=lib \
+        -DCMAKE_CXX_FLAGS="-Wno-error=unused-result" \
+        -DVERSION_STRING=${{package.version}} \
+        -DCLICKHOUSE_OFFICIAL_BUILD=1 \
+        ..
+
+  - runs: |
+      cd build
+      ninja -j $(nproc)
+      mkdir -p  ${{targets.destdir}}/var/log/clickhouse-server
+      DESTDIR=${{targets.destdir}} ninja install
+      rm -rf ${{targets.destdir}}/usr/lib/debug
+
+  - uses: strip
+
+subpackages:
+  - name: "${{package.name}}-dev"
+    description: "headers for clickhouse"
+    pipeline:
+      - uses: split/dev
+    dependencies:
+      runtime:
+        - merged-usrsbin
+        - wolfi-baselayout
+
+  - name: "${{package.name}}-bash-completion"
+    description: "bash completion for clickhouse"
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.subpkgdir}}/usr/share/bash-completion/completions
+          mv ${{targets.destdir}}/usr/share/bash-completion/completions/clickhouse ${{targets.subpkgdir}}/usr/share/bash-completion/completions
+    dependencies:
+      runtime:
+        - merged-usrsbin
+        - wolfi-baselayout
+
+  - name: "${{package.name}}-compat"
+    description: "docker compat for clickhouse"
+    pipeline:
+      - runs: |
+          cd build
+          install -Dm755 ../docker/server/entrypoint.sh ${{targets.subpkgdir}}/entrypoint.sh
+          mkdir -p ${{targets.subpkgdir}}/etc/clickhouse-server/config.d/
+          # users.d dir required by entrypoint script
+          mkdir -p ${{targets.subpkgdir}}/etc/clickhouse-server/users.d/
+          cp  ../docker/server/docker_related_config.xml ${{targets.subpkgdir}}/etc/clickhouse-server/config.d/docker_related_config.xml
+    dependencies:
+      runtime:
+        - merged-usrsbin
+        - wolfi-baselayout
+
+  - name: ${{package.name}}-iamguarded-compat
+    dependencies:
+      provides:
+        - clickhouse-iamguarded-compat=${{package.full-version}}
+      runtime:
+        - bash
+        - busybox
+        - coreutils
+        - merged-usrsbin
+        - wolfi-baselayout
+        - xmlstarlet
+    pipeline:
+      - uses: iamguarded/build-compat
+        with:
+          package: clickhouse
+          version: ${{vars.major-version}}
+      - runs: |
+          set -x
+          mkdir -p /iamguarded/clickhouse/etc
+          mkdir -p /iamguarded/clickhouse/data
+          mkdir -p /opt/iamguarded/clickhouse/etc.default
+          mkdir -p /opt/iamguarded/clickhouse/etc/config.d
+          mkdir -p /opt/iamguarded/clickhouse/etc/conf.d
+          mkdir -p /opt/iamguarded/clickhouse/etc/users.d
+          mkdir -p /opt/iamguarded/clickhouse/bin
+          mkdir -p /opt/iamguarded/clickhouse/logs
+          mkdir -p /opt/iamguarded/clickhouse/tmp
+          mkdir -p /opt/iamguarded/clickhouse/licenses
+          mkdir -p ${{targets.contextdir}}/var/log/clickhouse-server
+          mkdir ${{targets.contextdir}}/docker-entrypoint-initdb.d
+          mkdir ${{targets.contextdir}}/docker-entrypoint-startdb.d
+          install -m755 ${{targets.destdir}}/etc/clickhouse-keeper/keeper_config.xml /opt/iamguarded/clickhouse/etc/keeper_config.xml
+          install -m755 ${{targets.destdir}}/etc/clickhouse-server/users.xml /opt/iamguarded/clickhouse/etc/users.xml
+          install -m755 ${{targets.destdir}}/etc/clickhouse-server/config.xml /opt/iamguarded/clickhouse/etc/config.xml
+          mkdir -p ${{targets.contextdir}}/var/log/
+          # Disable some commands used in iamguarded scripts. These commands more likely fail in this since this image take non root approach
+          # sed -i 's/owned_by "$dir" "$owner_user" "$owner_group"/continue/g' /opt/iamguarded/scripts/libfs.sh
+          sed -i 's/ensure_user_exists/# ensure_user_exists/g' /opt/iamguarded/scripts/clickhouse/postunpack.sh
+          # sed -i 's/am_i_root/# am_i_root/g' /opt/iamguarded/scripts/clickhouse/setup.sh
+          # The `--userspec`` flag belongs to GNU's chroot, whereas we are use BusyBox's. As a workaround, use `su-exec` instead.
+          sed -i 's|exec chroot --userspec="$userspec" /|exec chroot / su-exec "$userspec"|' /opt/iamguarded/scripts/libos.sh
+          sed -i 's|chroot --userspec="$userspec" /|chroot / su-exec "$userspec"|' /opt/iamguarded/scripts/libos.sh
+          # Use package path while unpacking
+          find /opt/iamguarded/scripts -iname "*.sh" -exec sed -i '/chown/c\continue' -i {} \;
+          # Remove existing symlinks that might conflict
+          rm -f /etc/clickhouse-server /var/lib/clickhouse /var/log/clickhouse-server /var/lib/clickhouse/tmp
+          /opt/iamguarded/scripts/clickhouse/postunpack.sh
+          # Find all files in /usr/bin that are either named "clickhouse" or symlinks pointing to "clickhouse"
+          for file in ${{targets.destdir}}/usr/bin/*; do
+              if [ -f "$file" ] && [ "$(basename "$file")" = "clickhouse" ]; then
+                  # Found a direct match for "clickhouse"
+                  ln -sf /usr/bin/clickhouse /opt/iamguarded/clickhouse/bin/clickhouse
+              elif [ -L "$file" ]; then
+                  # Check if the symlink points to clickhouse
+                  target=$(readlink -f "$file")
+                  if [ "$(basename "$target")" = "clickhouse" ]; then
+                      link_name=$(basename "$file")
+                      ln -sf /usr/bin/clickhouse "/opt/iamguarded/clickhouse/bin/$link_name"
+                  fi
+              fi
+          done
+          ln -s /dev/stdout ${{targets.contextdir}}/var/log/clickhouse-server/clickhouse.log
+          ln -s /dev/stderr ${{targets.contextdir}}/var/log/clickhouse-server/clickhouse_error.log
+          mkdir -p ${{targets.contextdir}}/var/lib
+          ln -s /iamguarded/clickhouse/data ${{targets.contextdir}}/var/lib/clickhouse
+      - uses: iamguarded/finalize-compat
+        with:
+          package: clickhouse
+          version: ${{vars.major-version}}
+    test:
+      environment:
+        contents:
+          packages:
+            - ${{package.name}}
+      pipeline:
+        - uses: iamguarded/test-compat
+          with:
+            package: clickhouse
+            version: ${{vars.major-version}}
+
+  - name: "clickhouse-keeper-${{vars.major-minor-version}}"
+    description: "clickhouse keeper"
+    dependencies:
+      provides:
+        - clickhouse-keeper=${{package.full-version}}
+    pipeline:
+      - runs: |
+          install -Dm755 ${{targets.destdir}}/usr/bin/clickhouse-keeper ${{targets.subpkgdir}}/usr/bin/clickhouse-keeper
+
+          # multicall symlinks
+          ln -sf /usr/bin/clickhouse-keeper ${{targets.subpkgdir}}/usr/bin/clickhouse-keeper-converter
+          ln -sf /usr/bin/clickhouse-keeper ${{targets.subpkgdir}}/usr/bin/clickhouse-keeper-client
+    test:
+      pipeline:
+        - uses: test/virtualpackage
+          with:
+            virtual-pkg-name: clickhouse-keeper
+            real-pkg-name: ${{subpkg.name}}
+
+  - name: "clickhouse-keeper-${{vars.major-minor-version}}-compat"
+    description: "docker compat for clickhouse keeper"
+    dependencies:
+      provides:
+        - clickhouse-keeper-compat=${{package.full-version}}
+      runtime:
+        - bash
+        - coreutils
+        - gosu
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.subpkgdir}}/etc/clickhouse-keeper
+          mkdir -p ${{targets.subpkgdir}}/usr/share/clickhouse-keeper
+          mkdir -p ${{targets.subpkgdir}}/lib/systemd/system
+
+          install -Dm755 docker/keeper/entrypoint.sh ${{targets.subpkgdir}}/entrypoint.sh
+          install -Dm644 programs/keeper/keeper_config.xml ${{targets.subpkgdir}}/usr/share/clickhouse-keeper/keeper_config.xml
+          install -Dm644 packages/clickhouse-keeper.service ${{targets.subpkgdir}}/lib/systemd/system/clickhouse-keeper.service
+          ln -sf /usr/share/clickhouse-keeper/keeper_config.xml ${{targets.subpkgdir}}/etc/clickhouse-keeper/keeper_config.xml
+
+  - name: clickhouse-keeper-iamguarded-compat-${{vars.major-minor-version}}
+    dependencies:
+      provides:
+        - clickhouse-keeper-iamguarded-compat=${{package.full-version}}
+      runtime:
+        - bash
+        - busybox
+        - coreutils
+        - merged-usrsbin
+        - wolfi-baselayout
+        - clickhouse-keeper
+        - xmlstarlet
+    pipeline:
+      - uses: iamguarded/build-compat
+        with:
+          package: clickhouse-keeper
+          version: ${{vars.major-version}}
+      - runs: |
+          mkdir -p /iamguarded/clickhouse-keeper/etc
+          mkdir -p /iamguarded/clickhouse-keeper/data
+          mkdir -p /opt/iamguarded/clickhouse-keeper/etc
+          mkdir -p /opt/iamguarded/clickhouse-keeper/etc.default
+          mkdir -p /opt/iamguarded/clickhouse-keeper/bin
+          mkdir -p /opt/iamguarded/clickhouse-keeper/logs
+          mkdir -p /opt/iamguarded/clickhouse-keeper/tmp
+          mkdir -p /opt/iamguarded/clickhouse-keeper/licenses
+
+          mkdir -p ${{targets.contextdir}}/var/log/clickhouse-server
+
+          install -m755 ${{targets.destdir}}/etc/clickhouse-keeper/keeper_config.xml /opt/iamguarded/clickhouse-keeper/etc/keeper_config.xml
+
+          mkdir -p ${{targets.contextdir}}/var/log/
+
+          sed -i 's/ensure_user_exists/# ensure_user_exists/g' /opt/iamguarded/scripts/clickhouse-keeper/postunpack.sh
+
+          sed -i 's|exec chroot --userspec="$userspec" /|exec chroot / su-exec "$userspec"|' /opt/iamguarded/scripts/libos.sh
+          sed -i 's|chroot --userspec="$userspec" /|chroot / su-exec "$userspec"|' /opt/iamguarded/scripts/libos.sh
+
+          # Use package path while unpacking
+          find /opt/iamguarded/scripts -iname "*.sh" -exec sed -i '/chown/c\continue' -i {} \;
+          # Remove existing symlinks that might conflict
+          rm -f /etc/clickhouse-keeper /var/lib/clickhouse /var/log/clickhouse-server
+          /opt/iamguarded/scripts/clickhouse-keeper/postunpack.sh
+
+          # Find all files in /usr/bin that are either named "clickhouse-keeper" or symlinks pointing to "clickhouse-keeper"
+          for file in ${{targets.destdir}}/usr/bin/*; do
+              if [ -f "$file" ] && [ "$(basename "$file")" = "clickhouse-keeper" ]; then
+                  # Found a direct match for "clickhouse-keeper"
+                  ln -sf /usr/bin/clickhouse-keeper /opt/iamguarded/clickhouse-keeper/bin/clickhouse-keeper
+              elif [ -L "$file" ]; then
+                  # Check if the symlink points to clickhouse-keeper
+                  target=$(readlink -f "$file")
+                  if [ "$(basename "$target")" = "clickhouse-keeper" ]; then
+                      link_name=$(basename "$file")
+                      ln -sf /usr/bin/clickhouse-keeper "/opt/iamguarded/clickhouse-keeper/bin/$link_name"
+                  fi
+              fi
+          done
+      - uses: iamguarded/finalize-compat
+        with:
+          package: clickhouse-keeper
+          version: ${{vars.major-version}}
+    test:
+      environment:
+        contents:
+          packages:
+            - ${{package.name}}
+      pipeline:
+        - uses: iamguarded/test-compat
+          with:
+            package: clickhouse-keeper
+            version: ${{vars.major-version}}
+
+update:
+  enabled: true
+  git:
+    tag-filter-prefix: v25.12.
+    strip-prefix: v
+    strip-suffix: -stable
+
+test:
+  environment:
+    accounts:
+      groups:
+        - groupname: nonroot
+          gid: 1001
+      users:
+        - username: nonroot
+          gid: 1001
+          uid: 1001
+      run-as: 0
+    contents:
+      packages:
+        - bash
+        - coreutils
+        - findutils
+        - procps # for checking server process
+        - curl # for HTTP interface testing
+  pipeline:
+    # AUTOGENERATED
+    - runs: |
+        ch --version
+        chc --version
+        chl --version
+        clickhouse --version
+        clickhouse-benchmark --help
+        clickhouse-client --version
+        clickhouse-compressor --help
+        # clickhouse-disks does not support --version
+        # clickhouse-disks --version
+        clickhouse-format version
+        clickhouse-git-import version
+        clickhouse-keeper --version
+        clickhouse-keeper-client --help
+        clickhouse-keeper-converter --help
+        clickhouse-local --version
+        clickhouse-obfuscator --help
+        clickhouse-server --version
+        clickhouse-static-files-disk-uploader --help
+        clickhouse-su --version
+        chc --help
+        chl --help
+        clickhouse-client --help
+        clickhouse-disks --help
+        clickhouse-format help
+        clickhouse-git-import help
+        clickhouse-keeper --help
+        clickhouse-local --help
+        clickhouse-obfuscator version
+        clickhouse-server --help
+        clickhouse-static-files-disk-uploader version
+        clickhouse-su --help
+    - name: "Test server"
+      uses: test/daemon-check-output
+      with:
+        # NOTE(joshrwolf): This is required because for whatever reason,
+        # specifying this with melange "paths" isn't working on linux + docker
+        # runners as of 06/20/2025
+        setup: |
+          chown -R nonroot:nonroot /home/build
+        start: clickhouse-su nonroot:nonroot clickhouse-server
+        expected_output: |
+          Starting ClickHouse
+          starting up
+          Scanning
+        post: |
+          ./test-daemon.sh