From 2ab49fab62ad49311184c21db3ef86b1d7bb4476 Mon Sep 17 00:00:00 2001 From: notplants <@notplants> Date: Tue, 9 Jun 2026 15:10:07 +0000 Subject: [PATCH] =?UTF-8?q?fix(clickhouse):=20require=20backup=20tool=20?= =?UTF-8?q?=E2=80=94=20abort=20if=20fetch=20fails=20after=20retries?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Make the clickhouse-backup install REQUIRED: if it cannot be fetched after all retries the entrypoint aborts (non-zero exit, set -e) and clickhouse-server is not started, so the deploy fails loudly rather than coming up without backup/restore capability. --- entrypoint.clickhouse.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/entrypoint.clickhouse.sh b/entrypoint.clickhouse.sh index f8c49c4..714711c 100644 --- a/entrypoint.clickhouse.sh +++ b/entrypoint.clickhouse.sh @@ -10,10 +10,12 @@ # Hardening (no behaviour change when the download succeeds first try): # - cache the binary on the PERSISTENT clickhouse data volume (/var/lib/clickhouse) so it is fetched # at most once and reused on every container restart (no re-download amplification); -# - retry with backoff; -# - NEVER let a download failure block the server start (best-effort: the server comes up, backup/ -# restore degrade until the next successful fetch); +# - retry with backoff to ride out transient GitHub failures; # - un-silenced so a failure is diagnosable in `docker service logs`. +# +# Policy: clickhouse-backup is REQUIRED. If it cannot be installed after all retries the entrypoint +# aborts (non-zero exit) and the server is NOT started — we deliberately fail the deploy loudly rather +# than come up silently without backup/restore capability. set -e 
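Review bot: The hardening list in the header comment says where the binary is cached and how the fetch is retried, but not whether the downloaded file is pinned to a specific release and checked against a known digest before it is cached and executed. Now that the tool is required on every start and the cached copy lives on the writable data volume, that is worth stating next to the new policy paragraph, for example `# - the download is pinned to a fixed release and its SHA-256 is verified before caching`, if that is what the function does. The download code is outside this hunk, so the check may already exist. If it does not, it should be added together with this policy change.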
@@ -54,11 +56,12 @@ install_clickhouse_backup() { echo "clickhouse-backup: fetch attempt ${attempt} failed; backing off $((attempt * 10))s" >&2 sleep $((attempt * 10)) done - echo "clickhouse-backup: fetch FAILED after retries — starting clickhouse-server WITHOUT the backup tool (backup/restore unavailable until a later restart fetches it)" >&2 + echo "clickhouse-backup: fetch FAILED after all retries — aborting; clickhouse-server will NOT start (backup tool is required)" >&2 return 1 } -# Best-effort: the server MUST start even if the backup-tool fetch fails (it is not a server dependency). -install_clickhouse_backup || true +# Required: if the backup tool cannot be installed after retries, abort (set -e) so the deploy fails +# loudly instead of coming up without backup/restore capability. +install_clickhouse_backup exec /entrypoint.sh
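Review bot: Dropping `|| true` from the call at the end of the file also changes how `set -e` behaves inside `install_clickhouse_backup`: while the function ran as the left side of `||`, errexit was ignored throughout its body, and with a bare call it is active again. If the retry loop (which starts outside this hunk) runs the download as a plain command and tests its status afterwards, the first failed attempt would now terminate the script before any backoff or the final "FAILED after all retries" message. Calling it as `install_clickhouse_backup || exit 1` keeps the function body behaving as before and makes the abort explicit rather than dependent on `set -e`. It is also worth confirming that every success path, including the cache hit, returns 0, since any non-zero return now prevents the server from starting.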