Vhost mariadb database connection ns8

NethServer Version: ns8 single node cluster
Module: mariadb v1.03, webserver v1.08

Hi, webserver module and vhost are working fine.
I am unable to create a database connection from a webapp installation to a mariadb instance. I cannot find any useful troubleshooting information in the server logs; the only error is a client-side JavaScript “database connection failed” error from the PHP installation script.
I used both localhost and the cluster node FQDN and a username/password created in the phpmyadmin UI in the connection string.

My question:
What should a mysql connection string look like if I connect a vhost to the mariadb instance?
Do I need to do any additional configuration on the mariadb instance to allow a vhost connection?

Did you use the right “External mariadb TCP port” from the mariadb settings in the web UI?


1 Like

Yes I used the right port.
It’s a Joomla installer that should be able to connect to that port if you include the port number in the hostname declaration. See the Joomla docs, just below the second code snippet.
The phpmyadmin instance connects to localhost:3306, phpmyadmin seems to live inside the mariadb container.

In the meantime I did some digging. Troubleshooting on the host on a new system is not very easy :slight_smile:

api-cli run get-configuration --agent module/mariadb1 --data null
Warning: using user "cluster" credentials from the environment
{"mariadb_tcp_port": "20013", "path": "/redacted", "http2https": false, "hostname": "myserverip"}

Also checked the podman config inside the mariadb container:

podman port mariadb-app
80/tcp -> 127.0.0.1:20014
3306/tcp -> 0.0.0.0:20013

I tried HeidiSQL on a Windows client and scanned the host with nmap.
HeidiSQL is unable to connect. The nmap result on the port is “filtered”. Other ports (80/433, 22, 25 and 9090) are correctly found open.

btw, the 25 and 9090 are unexpected. Host based on rocky 9-1.0.1.vmdk, 30-05-2023.
Only core, mariadb and nginx installed. No mail, no cockpit installed.

Any ideas how to troubleshoot?

Just to be sure the joomla and the mariadb are on the same host ?

Normally in joomla you should use 127.0.0.1:20013

Yes, they are on the same host.

I finally figured things out. In the Joomla installer, using the IP address of the cluster host on the external port works. But only if I disable the local firewall on the host. It is clearly rejected by firewalld:

myserver kernel: filter_IN_public_REJECT: IN=eth0 OUT= MAC=<redacted> SRC=<redacted> DST=<redacted> LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=59305 PROTO=TCP SPT=39020 DPT=**20013** WINDOW=1024 RES=0x00 SYN URGP=0

Added a firewall rule to allow this port manually and made it static for now.

firewall-cmd --zone=public --add-port=20013/tcp
firewall-cmd --runtime-to-permanent

What I still don’t understand is why the external sftp port (3092 in my case) cannot be found in the firewalld config list ( firewall-cmd --list-all) but is working without a rule.
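The two checks in this post (`podman port` to see where the container publishes a port, and the firewalld port list to see whether the host lets it through) can be combined into one audit. The script below is an added example, not NethServer code; it assumes the `podman port` output format shown above (`3306/tcp -> 0.0.0.0:20013`) and the space-separated format of `firewall-cmd --zone=public --list-ports`, and uses constructed sample output for both so it runs offline. Ports bound to `127.0.0.1` are skipped because they are unreachable from outside regardless of the firewall; a port bound to `0.0.0.0` is reported as EXPOSED when firewalld opens it and FILTERED otherwise, which is exactly the difference between the "connection works" and "nmap says filtered" states described in the thread.

```shell
#!/bin/sh
# Added example (not part of NethServer or the ns8-mariadb module):
# cross-check container-published ports against the firewalld public zone.

# Constructed sample of `podman port mariadb-app` output (format as seen in the thread).
SAMPLE_PODMAN_PORTS='80/tcp -> 127.0.0.1:20014
3306/tcp -> 0.0.0.0:20013'

# Constructed sample of `firewall-cmd --zone=public --list-ports` output.
SAMPLE_FW_PORTS='20013/tcp 3092/tcp'

# audit_exposed_ports PODMAN_OUTPUT FIREWALL_PORTS
# Prints one "<hostport>/<proto> <STATUS>" line per port published on all interfaces.
#   EXPOSED  - bound to 0.0.0.0 and opened in firewalld (reachable from the network)
#   FILTERED - bound to 0.0.0.0 but not opened in firewalld (what nmap reports as filtered)
# Loopback-bound ports are skipped: they are never reachable from outside the host.
audit_exposed_ports() {
    podman_out="$1"
    fw_ports="$2"
    printf '%s\n' "$podman_out" | while IFS= read -r line; do
        proto=${line%% *}           # "3306/tcp"
        proto=${proto#*/}           # "tcp"
        bind=${line##* }            # "0.0.0.0:20013"
        addr=${bind%:*}             # "0.0.0.0"
        hostport=${bind##*:}        # "20013"
        if [ "$addr" != "0.0.0.0" ]; then
            continue
        fi
        status=FILTERED
        for p in $fw_ports; do
            if [ "$p" = "$hostport/$proto" ]; then
                status=EXPOSED
            fi
        done
        printf '%s/%s %s\n' "$hostport" "$proto" "$status"
    done
}

# Live usage on a node would be (commands, not run here):
#   audit_exposed_ports "$(podman port mariadb-app)" "$(firewall-cmd --zone=public --list-ports)"
audit_exposed_ports "$SAMPLE_PODMAN_PORTS" "$SAMPLE_FW_PORTS"
```

With the sample data this prints `20013/tcp EXPOSED`; with an empty firewall list it prints `20013/tcp FILTERED`. Any EXPOSED line for the MariaDB port is worth a second look, since that traffic is not under TLS.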

We open it when we configure the module; here you are talking about sftpgo.

We had a talk with @davidep and we stated that the external MySQL port is not under TLS, so it should not be opened outside localhost.

Either we could implement TLS for MySQL, or we could put a warning inside the UI explaining that the FW must be opened manually for that port and that TLS is off.

ns8-mariadb was my first module done and obviously we could enhance it

I understand the right decision to disallow non-TLS traffic.
PHP-FPM only needs to be able to create the local DB connection somehow.
It seems the MariaDB/MySQL TLS implementation can only be forced globally or on a per-user basis… Really bad fit with distributed containers.
A FW rule on an internal zone that groups IP space from apps together on the node is a better solution, but the podman virtual network is bridged.

Anyway, this needs design and policy on distributed databases. Thx for now.

1 Like