Altinity · mkmkme · Apr 7, 2026 · Apr 2, 2026 · Apr 3, 2026 · Apr 3, 2026
diff --git a/tests/clickhouse-test b/tests/clickhouse-test
@@ -1830,13 +1830,28 @@ class TestCase:
                 "ASAN_OPTIONS",
                 "MSAN_OPTIONS",
                 "UBSAN_OPTIONS",
+                "LSAN_OPTIONS",
             ]:
                 current_options = os.environ.get(env_name, None)
                 if current_options is None:
                     os.environ[env_name] = f"log_path={args.client_log}"
                 elif "log_path=" not in current_options:
                     os.environ[env_name] += f":log_path={args.client_log}"
 
+            # Ensure LSAN picks up the suppressions file if available
+            lsan_suppressions = os.path.join(
+                os.path.dirname(os.path.realpath(__file__)),
+                "config",
+                "lsan_suppressions.txt",
+            )
+            if os.path.exists(lsan_suppressions):
+                current = os.environ.get("LSAN_OPTIONS", "")
+                if "suppressions=" not in current:
+                    sep = ":" if current else ""
+                    os.environ["LSAN_OPTIONS"] = (
+                        current + sep + f"suppressions={lsan_suppressions}"
+                    )
+
             os.environ["CLICKHOUSE_CLIENT_OPT"] = (
                 os.environ["CLICKHOUSE_CLIENT_OPT"]
                 if "CLICKHOUSE_CLIENT_OPT" in os.environ

diff --git a/tests/config/lsan_suppressions.txt b/tests/config/lsan_suppressions.txt
@@ -1,2 +1,6 @@
 # See https://bugs.llvm.org/show_bug.cgi?id=47418
 # leak:getActualTableStructure
+
+# AWS-LC FIPS 2.0.0: suppress per-thread FIPS service indicator state leak.
+# https://github.com/aws/aws-lc/blob/AWS-LC-FIPS-2.0.0/crypto/fipsmodule/service_indicator/service_indicator.c#L57
+leak:service_indicator_get
diff --git a/tests/integration/helpers/cluster.py b/tests/integration/helpers/cluster.py
@@ -469,6 +469,16 @@ def __init__(
         #    [1]: https://github.com/ClickHouse/ClickHouse/issues/43426#issuecomment-1368512678
         self.env_variables["ASAN_OPTIONS"] = "use_sigaltstack=0"
         self.env_variables["TSAN_OPTIONS"] = "use_sigaltstack=0"
+        lsan_suppressions_file = p.abspath(
+            p.join(HELPERS_DIR, "lsan_suppressions.txt")
+        )
+        if p.exists(lsan_suppressions_file):
+            self.lsan_suppressions_file = lsan_suppressions_file
+            self.env_variables["LSAN_OPTIONS"] = (
+                "suppressions=/etc/clickhouse-server/lsan_suppressions.txt"
+            )
+        else:
+            self.lsan_suppressions_file = None
         self.env_variables["CLICKHOUSE_WATCHDOG_ENABLE"] = "0"
         self.env_variables["CLICKHOUSE_NATS_TLS_SECURE"] = "0"
         self.up_called = False
@@ -4737,6 +4747,10 @@ def write_embedded_config(name, dest_dir, fix_log_level=False):
                 self.coredns_config_dir, p.abspath(p.join(self.path, "coredns_config"))
             )
 
+        # Copy LSAN suppressions if available (mounted at /etc/clickhouse-server/)
+        if self.cluster.lsan_suppressions_file:
+            shutil.copy(self.cluster.lsan_suppressions_file, instance_config_dir)
+
         # Copy config.d configs
         logging.debug(
             f"Copy custom test config files {self.custom_main_config_paths} to {self.config_d_dir}"

diff --git a/tests/integration/helpers/lsan_suppressions.txt b/tests/integration/helpers/lsan_suppressions.txt
@@ -0,0 +1,7 @@
+# AWS-LC FIPS 2.0.0: suppress per-thread FIPS service indicator state leak.
+# The service indicator tracks whether each crypto operation used a FIPS-approved
+# algorithm. It is allocated via CRYPTO_set_thread_local on first use and freed
+# by a pthread TLS destructor when the thread exits. In ClickHouse, the crypto
+# operations run on GlobalThreadPool worker threads that outlive LSAN's check.
+# https://github.com/aws/aws-lc/blob/AWS-LC-FIPS-2.0.0/crypto/fipsmodule/service_indicator/service_indicator.c#L57
+leak:service_indicator_get
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a.xml
@@ -1,7 +1,7 @@
 <clickhouse>
     <encryption_codecs>
-        <aes_128_gcm_siv>
+        <aes_128_gcm>
             <key>aaaaaaaaaaaaaaaa</key>
-        </aes_128_gcm_siv>
+        </aes_128_gcm>
     </encryption_codecs>
 </clickhouse>
diff --git a/...integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_a.xml b/...integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_a.xml
@@ -1,10 +1,10 @@
 <clickhouse>
     <encryption_codecs>
-        <aes_128_gcm_siv>
+        <aes_128_gcm>
             <key remove="1"/>
             <key id="0">aaaaaaaaaaaaaaaa</key>
             <key id="1">bbbbbbbbbbbbbbbb</key>
             <current_key_id>0</current_key_id>
-        </aes_128_gcm_siv>
+        </aes_128_gcm>
     </encryption_codecs>
 </clickhouse>
diff --git a/...integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_b.xml b/...integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_b_current_b.xml
@@ -1,10 +1,10 @@
 <clickhouse>
     <encryption_codecs>
-        <aes_128_gcm_siv>
+        <aes_128_gcm>
             <key remove="1"/>
             <key id="0">aaaaaaaaaaaaaaaa</key>
             <key id="1">bbbbbbbbbbbbbbbb</key>
             <current_key_id>1</current_key_id>
-        </aes_128_gcm_siv>
+        </aes_128_gcm>
     </encryption_codecs>
 </clickhouse>
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_x.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_x.xml
@@ -1,8 +1,8 @@
 <clickhouse>
     <encryption_codecs>
-        <aes_128_gcm_siv>
+        <aes_128_gcm>
             <key>aaaaaaaaaaaaaaaa</key>
             <nonce>xxxxxxxxxxxx</nonce>
-        </aes_128_gcm_siv>
+        </aes_128_gcm>
     </encryption_codecs>
 </clickhouse>
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_y.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_a_and_nonce_y.xml
@@ -1,8 +1,8 @@
 <clickhouse>
     <encryption_codecs>
-        <aes_128_gcm_siv>
+        <aes_128_gcm>
             <key>aaaaaaaaaaaaaaaa</key>
             <nonce>yyyyyyyyyyyy</nonce>
-        </aes_128_gcm_siv>
+        </aes_128_gcm>
     </encryption_codecs>
 </clickhouse>
diff --git a/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_b.xml b/tests/integration/test_replicated_merge_tree_encryption_codec/configs/key_b.xml
@@ -1,7 +1,7 @@
 <clickhouse>
     <encryption_codecs>
-        <aes_128_gcm_siv>
+        <aes_128_gcm>
             <key>bbbbbbbbbbbbbbbb</key>
-        </aes_128_gcm_siv>
+        </aes_128_gcm>
     </encryption_codecs>
 </clickhouse>
diff --git a/tests/integration/test_storage_delta/test.py b/tests/integration/test_storage_delta/test.py
@@ -47,6 +47,8 @@
 from helpers.config_cluster import minio_access_key
 from helpers.config_cluster import minio_secret_key
 
+pytestmark = pytest.mark.skip(reason="DeltaLake not supported in FIPS")
+
 SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
 
 

diff --git a/tests/integration/test_storage_delta/test_imds.py b/tests/integration/test_storage_delta/test_imds.py
@@ -34,6 +34,8 @@
     prepare_s3_bucket,
 )
 
+pytestmark = pytest.mark.skip(reason="DeltaLake not supported in FIPS")
+
 SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
 METADATA_SERVER_HOSTNAME = "resolver"
 METADATA_SERVER_PORT = 8080

diff --git a/tests/queries/0_stateless/02985_dialects_with_distributed_tables.sql b/tests/queries/0_stateless/02985_dialects_with_distributed_tables.sql
@@ -1,4 +1,4 @@
--- Tags: no-fasttest, distributed
+-- Tags: disabled, no-fasttest, distributed
 
 SET allow_experimental_prql_dialect = 1;
 SET allow_experimental_kusto_dialect = 1;