[Bug 41099] New: koha-mysql doesn't work out of the box on Debian 13
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Bug ID: 41099 Summary: koha-mysql doesn't work out of the box on Debian 13 Initiative type: --- Sponsorship --- status: Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Command-line Utilities Assignee: koha-bugs@lists.koha-community.org Reporter: tomascohen@gmail.com QA Contact: testopia@bugs.koha-community.org CC: robin@catalyst.net.nz The shipped mysql client on Debian 13 has `ssl=on` by default. So, on newer Debian and Ubuntu versions, we would need to add a configuration step for disabling SSL if you're not using it. I propose we disable it by default in `koha-mysql` as we are already setting `ssl=on` when SSL/TLS is properly configured in Koha (i.e. it is a change that will keep the current behavior, both of them). -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #1 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 188434 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=188434&action=edit Bug 41099: Make `koha-mysql` disable SSL if required Now that Debian 13 (and Ubuntu 25.04) set `ssl=on` by default, we should make the `koha-mysql` helper script disable it by default if not configured. This patch does that. To test: 1. Run: $ ktd --shell k$ koha-mysql kohadev => SUCCESS: You get into the DB shell 2. Apply this patch 3. Run: k$ debian/scripts/koha-mysql kohadev => SUCCESS: It works as step 1! 4. Make sure you enable SSL in my.cnf: [client] ssl = on 5. Repeat 1 => FAIL: You get an error about SSL in the server being disabled 6. Repeat 4 => SUCCESS: The patch fixes it! 7. This steps imply we reproduced the issue, and it gets fixed, while keeping the current behavior. 8. Sign off :-D Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Trivial patch Status|NEW |Needs Signoff --- Comment #2 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Now that Debian 13 (and Ubuntu 25.04) set `ssl=on` by default, we should make the `koha-mysql` helper script disable it by default if not configured. This patch does that. To test: 1. Run: $ ktd --shell k$ koha-mysql kohadev => SUCCESS: You get into the DB shell 2. Apply this patch 3. Run: k$ debian/scripts/koha-mysql kohadev => SUCCESS: It works as step 1! 4. Make sure you enable SSL in my.cnf: [client] ssl = on 5. Repeat 1 => FAIL: You get an error about SSL in the server being disabled 6. Repeat 4 => SUCCESS: The patch fixes it! 7. This steps imply we reproduced the issue, and it gets fixed, while keeping the current behavior. 8. Sign off :-D Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |40680 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40680 [Bug 40680] Many warnings on Perl 5.40 due to importing methods from not yet defined packages -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com --- Comment #3 from David Nind <david@davidnind.com> --- For step 3 and 4 of the test plan, do I need to do anything else? I don't get an SSL failure error. Using KTD with Debian 12. Do I need to use a Debian 13 image? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #188434|0 |1 is obsolete| | --- Comment #4 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 188493 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=188493&action=edit Bug 41099: Make `koha-mysql` disable SSL if required Now that Debian 13 (and Ubuntu 25.04) set `ssl=on` by default, we should make the `koha-mysql` helper script disable it by default if not configured. This patch does that. To test: 0. Start a Debian 13 KTD e.g. with: $ KOHA_IMAGE=main-trixie ktd up 1. Run: $ ktd --shell k$ koha-mysql kohadev => SUCCESS: You get into the DB shell 2. Apply this patch 3. Run: k$ debian/scripts/koha-mysql kohadev => SUCCESS: It works as step 1! 4. Make sure you enable SSL in my.cnf: [client] ssl = on 5. Repeat 1 => FAIL: You get an error about SSL in the server being disabled 6. Repeat 4 => SUCCESS: The patch fixes it! 7. This steps imply we reproduced the issue, and it gets fixed, while keeping the current behavior. 8. Sign off :-D Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |victor@tuxayo.net --- Comment #5 from Victor Grousset/tuxayo <victor@tuxayo.net> --- It works! (In reply to David Nind from comment #3)
Using KTD with Debian 12. Do I need to use a Debian 13 image?
Yes, I amended the test plan to reflect this. Also, with MariaDB 12 (latest) the issue isn't reproducible. But with the default (10.5) it can be reproduced. So anyone else having trouble should also check that. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #188493|0 |1 is obsolete| | --- Comment #6 from David Nind <david@davidnind.com> --- Created attachment 188495 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=188495&action=edit Bug 41099: Make `koha-mysql` disable SSL if required Now that Debian 13 (and Ubuntu 25.04) set `ssl=on` by default, we should make the `koha-mysql` helper script disable it by default if not configured. This patch does that. To test: 0. Start a Debian 13 KTD e.g. with: $ KOHA_IMAGE=main-trixie ktd up 1. Run: $ ktd --shell k$ koha-mysql kohadev => SUCCESS: You get into the DB shell 2. Apply this patch 3. Run: k$ debian/scripts/koha-mysql kohadev => SUCCESS: It works as step 1! 4. Make sure you enable SSL in my.cnf: [client] ssl = on 5. Repeat 1 => FAIL: You get an error about SSL in the server being disabled 6. Repeat 4 => SUCCESS: The patch fixes it! 7. This steps imply we reproduced the issue, and it gets fixed, while keeping the current behavior. 8. Sign off :-D Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #7 from David Nind <david@davidnind.com> --- (In reply to Victor Grousset/tuxayo from comment #5)
It works!
(In reply to David Nind from comment #3)
Using KTD with Debian 12. Do I need to use a Debian 13 image?
Yes, I amended the test plan to reflect this.
Also, with MariaDB 12 (latest) the issue isn't reproducible. But with the default (10.5) it can be reproduced. So anyone else having trouble should also check that.
Thanks Victor! Using a Debian 13 image worked. I've added my sign off, so your sign off can probably be counted as QA. David -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |victor@tuxayo.net |y.org | Status|Signed Off |Passed QA --- Comment #8 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Thanks for the amended test plan. I wrote it without explicitly mentioning Debian 13 because the issue was reproducible by tweaking the mysql config. And by the time I submitted the main-trixie image was not tweaked to launch regardless of this fix. But it is great that we test on Debian 13. Once we push this patch, we can remove the workaround on KTD. Thanks everyone! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #9 from Victor Grousset/tuxayo <victor@tuxayo.net> --- (In reply to David Nind from comment #7)
so your sign off can probably be counted as QA.
By default no. But here it's ok. (In reply to Tomás Cohen Arazi (tcohen) from comment #0)
I propose we disable it by default in `koha-mysql` as we are already setting `ssl=on` when SSL/TLS is properly configured in Koha (i.e. it is a change that will keep the current behavior, both of them).
Let's do this indeed. I just tested with mysql 8 and no issue. Expected since the client is still mariadb's. Works, makes sense, QA script happy, code looks good, passing QA :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main CC| |lucas@bywatersolutions.com Version(s)| |25.11.00 released in| | --- Comment #10 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Pushed to main for 25.11.00 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Failed QA Version(s)|25.11.00 | released in| | --- Comment #11 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- This has been reverted from main upon Tomas's request. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #12 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to Lucas Gass (lukeg) from comment #11)
This has been reverted from main upon Tomas's request.
There's no elegant solution that works for everyone, at `koha-mysql` level. The `mysql` command (be it from MariaDB or MySQL) on each of the supported OS versions has really different behaviors: | Version | SSL Disable Method | Status | |---------------|---------------------------|-----------------| | MySQL 5.7 | None reliable | Omit SSL config | | MySQL 8.0+ | `ssl=off` | Supported | | MariaDB 10.5 | `ssl=off` | Supported | | MariaDB 10.6 | `ssl=off` | Supported. | | MariaDB 10.11 | `ssl=off` or `--skip-ssl` | Both supported | | MariaDB 11.4+ | `ssl-mode=DISABLED` | Supported | I suggest we add something like this at KTD level, in `run.sh`: ```bash # Detect database version DB_VERSION=$(mysql --version | grep -oE '[0-9]+\.[0-9]+') DB_TYPE=$(mysql --version | grep -q MariaDB && echo "mariadb" || echo "mysql") # Set SSL parameter based on version if [[ "$DB_TYPE" == "mysql" ]]; then if [[ "$DB_VERSION" == "5.7" ]]; then SSL_PARAM="" # No reliable disable option else SSL_PARAM="ssl=off" fi elif [[ "$DB_TYPE" == "mariadb" ]]; then case "$DB_VERSION" in 10.5|10.6) SSL_PARAM="ssl=off" ;; 10.11) SSL_PARAM="ssl=off" # or --skip-ssl ;; 11.*) SSL_PARAM="ssl-mode=DISABLED" ;; *) SSL_PARAM="ssl=off" # fallback ;; esac fi ``` -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #13 from Victor Grousset/tuxayo <victor@tuxayo.net> ---
MariaDB 11.4+ | `ssl-mode=DISABLED`
Are you sure it's the only possible option? On version 11.8.3-MariaDB client (in Debian 13) I have ssl = off in my.cnf $ mysql --help | grep ssl [...] --ssl Enable SSL for connection (automatically enabled with (Defaults to on; use --skip-ssl to disable.) [...] ssl FALSE [...] And no ssl-mode=DISABLED in sight, I find that in mysql doc however. Same on version 10.11 from Debian 12 And if I switch to ssl = off in my.cnf, the --help shows TRUE for ssl Does MySQL have an influence here? It's for KTD for the client in the koha container which I think comes from the mariadb-client. Regardless of using mysql for the db container. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #14 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to Victor Grousset/tuxayo from comment #13)
Does MySQL have an influence here? It's for KTD for the client in the koha container which I think comes from the mariadb-client. Regardless of using mysql for the db container.
Right. But that's the reason to revert this patch, as there is no proper solution for production sites which *could* prefer to stick to MySQL. That's the reason for making it a KTD-specific fix and updating the docs to let people know how to workaround it on affected systems. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #15 from Victor Grousset/tuxayo <victor@tuxayo.net> --- I meant the PoC for new proposal in comment 12 could just set ssl=off without any condition. As it's just for the dev and CI container so the client is mariadb-client which seem to support ssl=off in all versions. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|40680 |41077 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40680 [Bug 40680] Many warnings on Perl 5.40 due to importing methods from not yet defined packages https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41077 [Bug 41077] [OMNIBUS] Debian 13 and Perl 5.40 compatibility -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #16 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to Victor Grousset/tuxayo from comment #15)
I meant the PoC for new proposal in comment 12 could just set ssl=off without any condition. As it's just for the dev and CI container so the client is mariadb-client which seem to support ssl=off in all versions.
I tried that and it didn’t work on some versions. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 --- Comment #17 from Victor Grousset/tuxayo <victor@tuxayo.net> ---
I tried that and it didn’t work on some versions.
It likely is related to "TLS/SSL error: SSL is required" only happening on MariaDB < 11.4. So the failing versions are 10.11, 10.6, 10.5, 10.3 (I didn't try 10.1, too old. And non LTS versions.) Like I can't reproduce the issue on 11.4 and 12.0. And if I add [client] ssl = on or [client] ssl = off `koha-mysql kohadev` will still work. `mysql --help | grep ssl` confirms the ssl = on/off config is read and default to ssl = on What was your approach to get failures with MariaDB >= 11.4? Whether koha-mysql or the KTD startup. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41099 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |RESOLVED Resolution|--- |WORKSFORME --- Comment #18 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- I worked around this on KTD. If someone wants to write a how-to on the Koha_on_Debian wiki entry, they can do it. For now, this is done. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org