diff --git a/tests/clickhouse-test b/tests/clickhouse-test
index 9c4552f549e9..08b8ea99d1db 100755
--- a/tests/clickhouse-test
+++ b/tests/clickhouse-test
@@ -1830,6 +1830,7 @@ class TestCase:
"ASAN_OPTIONS",
"MSAN_OPTIONS",
"UBSAN_OPTIONS",
+ "LSAN_OPTIONS",
]:
current_options = os.environ.get(env_name, None)
if current_options is None:
@@ -1837,6 +1838,20 @@ class TestCase:
elif "log_path=" not in current_options:
os.environ[env_name] += f":log_path={args.client_log}"
+ # Ensure LSAN picks up the suppressions file if available
+ lsan_suppressions = os.path.join(
+ os.path.dirname(os.path.abspath(__file__)),
+ "config",
+ "lsan_suppressions.txt",
+ )
+ if os.path.exists(lsan_suppressions):
+ current = os.environ.get("LSAN_OPTIONS", "")
+ if "suppressions=" not in current:
+ sep = ":" if current else ""
+ os.environ["LSAN_OPTIONS"] = (
+ current + sep + f"suppressions={lsan_suppressions}"
+ )
+
os.environ["CLICKHOUSE_CLIENT_OPT"] = (
os.environ["CLICKHOUSE_CLIENT_OPT"]
if "CLICKHOUSE_CLIENT_OPT" in os.environ
diff --git a/tests/config/lsan_suppressions.txt b/tests/config/lsan_suppressions.txt
index 39eb40560d7e..0b9274f980a7 100644
--- a/tests/config/lsan_suppressions.txt
+++ b/tests/config/lsan_suppressions.txt
@@ -1,2 +1,6 @@
# See https://bugs.llvm.org/show_bug.cgi?id=47418
# leak:getActualTableStructure
+
+# AWS-LC FIPS 2.0.0: suppress per-thread FIPS service indicator state leak.
+# https://github.com/aws/aws-lc/blob/AWS-LC-FIPS-2.0.0/crypto/fipsmodule/service_indicator/service_indicator.c#L57
+leak:service_indicator_get
diff --git a/tests/integration/helpers/cluster.py b/tests/integration/helpers/cluster.py
index 337403af0646..cb7197ce61be 100644
--- a/tests/integration/helpers/cluster.py
+++ b/tests/integration/helpers/cluster.py
@@ -469,6 +469,16 @@ def __init__(
# [1]: https://github.com/ClickHouse/ClickHouse/issues/43426#issuecomment-1368512678
self.env_variables["ASAN_OPTIONS"] = "use_sigaltstack=0"
self.env_variables["TSAN_OPTIONS"] = "use_sigaltstack=0"
+ lsan_suppressions_file = p.abspath(
+ p.join(HELPERS_DIR, "lsan_suppressions.txt")
+ )
+ if p.exists(lsan_suppressions_file):
+ self.lsan_suppressions_file = lsan_suppressions_file
+ self.env_variables["LSAN_OPTIONS"] = (
+ "suppressions=/etc/clickhouse-server/lsan_suppressions.txt"
+ )
+ else:
+ self.lsan_suppressions_file = None
self.env_variables["CLICKHOUSE_WATCHDOG_ENABLE"] = "0"
self.env_variables["CLICKHOUSE_NATS_TLS_SECURE"] = "0"
self.up_called = False
@@ -4737,6 +4747,10 @@ def write_embedded_config(name, dest_dir, fix_log_level=False):
self.coredns_config_dir, p.abspath(p.join(self.path, "coredns_config"))
)
+ # Copy LSAN suppressions if available (mounted at /etc/clickhouse-server/)
+ if self.cluster.lsan_suppressions_file:
+ shutil.copy(self.cluster.lsan_suppressions_file, instance_config_dir)
+
# Copy config.d configs
logging.debug(
f"Copy custom test config files {self.custom_main_config_paths} to {self.config_d_dir}"
diff --git a/tests/integration/helpers/lsan_suppressions.txt b/tests/integration/helpers/lsan_suppressions.txt
new file mode 100644
index 000000000000..04c37e7efec8
--- /dev/null
+++ b/tests/integration/helpers/lsan_suppressions.txt
@@ -0,0 +1,7 @@
+# AWS-LC FIPS 2.0.0: suppress per-thread FIPS service indicator state leak.
+# The service indicator tracks whether each crypto operation used a FIPS-approved
+# algorithm. It is allocated via CRYPTO_set_thread_local on first use and freed
+# by a pthread TLS destructor when the thread exits. In ClickHouse, the crypto
+# operations run on GlobalThreadPool worker threads that outlive LSAN's check.
+# https://github.com/aws/aws-lc/blob/AWS-LC-FIPS-2.0.0/crypto/fipsmodule/service_indicator/service_indicator.c#L57
+leak:service_indicator_get
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a.xml
index a31978e70155..586af598adaa 100644
--- a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a.xml
+++ b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a.xml
@@ -1,7 +1,7 @@
-
+
aaaaaaaaaaaaaaaa
-
+
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_a.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_a.xml
index 01ca9123ccbc..8dd190649332 100644
--- a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_a.xml
+++ b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_a.xml
@@ -1,10 +1,10 @@
-
+
aaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbb
0
-
+
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_b.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_b.xml
index 98cf6ced0c75..ff161c3776e1 100644
--- a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_b.xml
+++ b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_b.xml
@@ -1,10 +1,10 @@
-
+
aaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbb
1
-
+
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_x.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_x.xml
index 40c5adab19b9..715c9a77e98c 100644
--- a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_x.xml
+++ b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_x.xml
@@ -1,8 +1,8 @@
-
+
aaaaaaaaaaaaaaaa
xxxxxxxxxxxx
-
+
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_y.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_y.xml
index eadfb6e67338..713057c4e223 100644
--- a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_y.xml
+++ b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_y.xml
@@ -1,8 +1,8 @@
-
+
aaaaaaaaaaaaaaaa
yyyyyyyyyyyy
-
+
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_b.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_b.xml
index e336324f648c..0060d720e242 100644
--- a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_b.xml
+++ b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_b.xml
@@ -1,7 +1,7 @@
-
+
bbbbbbbbbbbbbbbb
-
+
diff --git a/tests/integration/test_storage_delta/test.py b/tests/integration/test_storage_delta/test.py
index f5a23ab807eb..a5dc74d8447f 100644
--- a/tests/integration/test_storage_delta/test.py
+++ b/tests/integration/test_storage_delta/test.py
@@ -47,6 +47,8 @@
from helpers.config_cluster import minio_access_key
from helpers.config_cluster import minio_secret_key
+pytestmark = pytest.mark.skip(reason="DeltaLake not supported in FIPS")
+
SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
diff --git a/tests/integration/test_storage_delta/test_imds.py b/tests/integration/test_storage_delta/test_imds.py
index 257de0d6778d..feb4e79cd999 100644
--- a/tests/integration/test_storage_delta/test_imds.py
+++ b/tests/integration/test_storage_delta/test_imds.py
@@ -34,6 +34,8 @@
prepare_s3_bucket,
)
+pytestmark = pytest.mark.skip(reason="DeltaLake not supported in FIPS")
+
SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
METADATA_SERVER_HOSTNAME = "resolver"
METADATA_SERVER_PORT = 8080
diff --git a/tests/queries/0_stateless/02985_dialects_with_distributed_tables.sql b/tests/queries/0_stateless/02985_dialects_with_distributed_tables.sql
index e9e6934f13cb..28d9bb2cf326 100644
--- a/tests/queries/0_stateless/02985_dialects_with_distributed_tables.sql
+++ b/tests/queries/0_stateless/02985_dialects_with_distributed_tables.sql
@@ -1,4 +1,4 @@
--- Tags: no-fasttest, distributed
+-- Tags: disabled, no-fasttest, distributed
SET allow_experimental_prql_dialect = 1;
SET allow_experimental_kusto_dialect = 1;