When shipping containers into an enterprise environment, it's common to have a perfectly functional deployment blocked by security scanners—not because the application is broken, but because the base image carries CVEs that are irrelevant to your workload. This happened to a team self-hosting Langfuse on Kubernetes in November 2025: their ClickHouse image was flagged by AWS ECR with three critical vulnerabilities in the base image, and the security team refused to let it reach production. Docker Hardened Images (DHI) offer a straightforward way out of this jam. Below, we answer the most pressing questions about this scenario, ClickHouse's architecture, and how DHI gets you from security blocked to prod ready.
Why Was the ClickHouse Deployment Blocked?
The pipeline scanner on AWS ECR found three critical CVEs—not in ClickHouse itself, but in the base image that the ClickHouse container was built on. Even though those vulnerabilities were never touched by the application, the security team treated them as real risks. The deployment was halted, and the team had to spend a day investigating the findings, writing up a risk exception, and trying to convince security that the CVEs were practically irrelevant. This is a classic enterprise problem: scanners flag anything with a CVE, regardless of exploitability in the actual runtime context. Docker Hardened Images solve this by stripping out unnecessary packages and applying security patches, so scanners come back clean.
What Are Docker Hardened Images?
Docker Hardened Images (DHI) are pre-configured, minimized container images designed for production security. They remove all non-essential packages, libraries, and tools that could harbor vulnerabilities, while still providing a fully functional runtime. DHI are built with a minimal base (often Alpine or a stripped-down Debian) and include only the absolutely necessary dependencies for the target application—like ClickHouse. They also apply the latest security patches and often use multi-stage builds to keep the final image small and secure. The result is an image that passes container security scans with zero critical or high-severity CVEs, so security teams have no reason to block it.
How Does DHI Fix the CVE Problem for ClickHouse?
Docker Hardened Images address the root cause: CVEs in packages the application never uses. For ClickHouse, the official image might include tools like curl, bash, or apt that are present for developer convenience but aren't needed in production. Scanners flag every CVE in those packages. DHI eliminates them by providing a bare-minimum base image that contains only what ClickHouse requires to run—no extra shells, package managers, or utilities. Additionally, DHI applies security patches to the remaining packages and uses conservative settings. When this hardened image is scanned, it returns zero critical vulnerabilities, and the security team can approve the deployment without exceptions.
What Is ClickHouse and Why Is It So Popular?
ClickHouse is an open-source, columnar database designed for real-time analytical workloads at massive scale. It can query billions of rows and return results in milliseconds, outperforming traditional row-oriented databases by orders of magnitude on aggregation-heavy queries. Companies like Cloudflare, Uber, and Spotify rely on ClickHouse for observability, log analytics, and business intelligence. With over 100 million pulls from Docker Hub, it's the go-to infrastructure for teams that need serious analytics throughput. However, the official Docker image was built with developer ease-of-use in mind, not production hardening—which is exactly where DHI steps in to bridge the gap.
How Is ClickHouse Architecturally Layered?
ClickHouse follows a layered architecture optimized for analytical speed at scale. At the top, Query Layer: SQL queries arrive over HTTP (port 8123) or TCP (port 9000). They pass through an optimizer that parses them into an abstract syntax tree, prunes irrelevant parts, and hands them to the pipeline executor. The executor distributes work across parallel threads for maximum CPU utilization. Below that is the Storage Layer, centered on the MergeTree engine. MergeTree stores data in columnar .bin files and uses a sparse primary index to skip irrelevant granules without reading entire columns. Finally, an Integration Layer allows pluggable storage backends: local disk, S3, or HDFS. This separation of concerns makes ClickHouse both fast and flexible.
How Does ClickHouse Handle Queries and What Ports Are Used?
ClickHouse exposes two primary ports: 8123 for HTTP(S) and 9000 for native TCP. The HTTP interface is RESTful and convenient for simple queries or integrations with data tools. The native TCP interface is optimized for high-throughput, low-latency communication with ClickHouse clients (e.g., the official clickhouse-client). When a query arrives, the optimizer parses it, generates a query plan, and passes it to the pipeline executor. The executor splits the work into multiple threads, each processing a chunk of data in parallel. Results are then merged and returned. This multithreaded, column-oriented approach is why ClickHouse can scan billions of rows in milliseconds—ideal for dashboards, anomaly detection, and large-scale reporting.
What Makes MergeTree Storage Engine So Effective?
MergeTree is ClickHouse's core storage engine. Data is physically stored in columnar .bin files—each column of a table in a separate file, which allows queries to read only the columns they need. MergeTree also uses a sparse primary index, which records the primary key value at the start of each data granule (a fixed-size group of rows). During a SELECT, ClickHouse reads the index first to determine which granules are relevant, then loads only those granules' .bin files. This avoids scanning entire columns. Additionally, background merge processes compact small parts into larger ones to maintain query performance over time. The engine also supports data partitioning, sorting keys, and granular TTL-based deletion—making it highly customizable for time-series, event logs, or any analytical use case.