Hi, webserver module and vhost are working fine.
I am unable to create a database connection from a webapp installation to a mariadb instance. I cannot find any useful troubleshooting information in the server logs; the only error is a client-side JavaScript “database connection failed” error from the PHP installation script.
I used both localhost and the cluster node FQDN and a username/password created in the phpmyadmin UI in the connection string.
My question:
What should a mysql connection string look like if I connect a vhost to the mariadb instance?
Do I need to do any additional configuration on the mariadb instance to allow a vhost connection?
Yes, I used the right port.
It’s a Joomla installer that should be able to connect to that port if you include the port number in the hostname declaration. See the Joomla docs, just below the second code snippet.
The phpmyadmin instance connects to localhost:3306, phpmyadmin seems to live inside the mariadb container.
In the meantime I did some digging. Troubleshooting on the host on a new system is not very easy.
api-cli run get-configuration --agent module/mariadb1 --data null
Warning: using user "cluster" credentials from the environment
{"mariadb_tcp_port": "20013", "path": "/redacted", "http2https": false, "hostname": "myserverip"}
Also checked the podman config inside the mariadb container:
podman port mariadb-app
80/tcp -> 127.0.0.1:20014
3306/tcp -> 0.0.0.0:20013
I tried HeidiSQL on a Windows client and scanned the host with nmap.
HeidiSQL is unable to connect. Nmap result on the port is “filtered”. Other ports (80/433, 22, 25 and 9090) are correctly found open.
btw, the 25 and 9090 are unexpected. Host based on rocky 9-1.0.1.vmdk, 30-05-2023.
Only core, mariadb and nginx installed. No mail, no cockpit installed.
I finally figured things out. In the Joomla installer, using the IP address of the cluster host on the external port works. But only if I disable the local firewall on the host. It is clearly rejected by firewalld:
What I still don’t understand is why the external SFTP port (3092 in my case) cannot be found in the firewalld config list (firewall-cmd --list-all) but is working without a rule.
I understand the right decision to disallow non-TLS traffic.
Php-fpm only needs to be able to create the local db connection somehow.
It seems mariadb/mysql TLS implementation can only be forced globally or on a per user basis… Really bad fit with distributed containers.
A fw rule on an internal zone that groups ip space from apps together on the node is a better solution but the podman virtual network is bridged.
Anyway, this needs design and policy on distributed databases. Thx for now.
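
Added example, not part of the original posts: a small check that parses `podman port` output like the lines quoted above and reports which container ports are published on all interfaces (and so depend entirely on the host firewall) versus loopback only. The function names are hypothetical, and the sample input is constructed from the two mappings in the thread plus one IPv6 wildcard line added as an assumption.

```python
import ipaddress
import re

# Constructed sample: the two mappings from the thread plus an assumed IPv6 line.
SAMPLE = """\
80/tcp -> 127.0.0.1:20014
3306/tcp -> 0.0.0.0:20013
3306/tcp -> [::]:20013
"""

# "<container port>/<proto> -> <host ip>:<host port>"; also accepts the
# typographic arrow that forum software substitutes for "->".
LINE = re.compile(
    r"^(?P<cport>\d+)/(?P<proto>tcp|udp|sctp)\s*(?:->|→)\s*"
    r"(?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))"
    r":(?P<hport>\d+)$"
)


def parse_port_line(line):
    """Parse one mapping line and classify the scope of its host binding."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {line!r}")
    addr = ipaddress.ip_address(m["v6"] or m["v4"])
    if addr.is_unspecified:        # 0.0.0.0 or :: means every interface
        scope = "all-interfaces"
    elif addr.is_loopback:         # reachable only from the host itself
        scope = "loopback"
    else:
        scope = "specific-address"
    return {
        "container_port": int(m["cport"]),
        "proto": m["proto"],
        "host_ip": str(addr),
        "host_port": int(m["hport"]),
        "scope": scope,
    }


def exposed(text):
    """Return the mappings whose reachability is decided only by the firewall."""
    rows = [parse_port_line(l) for l in text.splitlines() if l.strip()]
    return [r for r in rows if r["scope"] == "all-interfaces"]


if __name__ == "__main__":
    for r in exposed(SAMPLE):
        print(f'{r["proto"]}/{r["host_port"]} -> container port '
              f'{r["container_port"]} is bound on {r["host_ip"]}')
```
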