Issue Latest 'beta' feature to Plesk to upgrade Mariadb is giving problems

[efisher@]

Server operating system version

Almalinux 9.3

Plesk version and microupdate number

18.0.58

I know I took a big risk to use the new beta feature in Plesk that juust released to upgrade my Mariadb instance to the latest, 10.11. All went well, but afterwards, Wordpress is no longer able to connect to 'localhost' for the database. If I change the DB_HOST to the host name or to 127.0.0.1 it works fine. I know that 'localhost' has a special meaning to MySQL derivatives, but not sure what would have changed between 10.5 and 10.11 to break Wordpress connecting to 'localhost'. This is on the latest update of Almalinux 9 on a very new server.

Anyone tried this out yet and anyone had any success or suggestions to offer?

Thanks,
-Eric

 

[Peter Debik]

@AYamshanov just FYI

 

[Peter Debik]

@efisher@ Please check /etc/my.cnf if it includes skip_name_resolve or skip-name-resolve = 1. If so, please try to comment these lines and reload MariaDB afterwards.

 

[danami]

@Peter Debik Not sure if this is related but there is a bug on newer versions of MariaDB/MySQL where it refuses connections to the socket with SELinux enabled. I've been tracking it and it doesn't look like the fix has made it's way to OS builds yet.

[MDEV-24941] SElinux incorrect label for server socket - Jira

jira.mariadb.org

So a user might have socket connection issues after upgrading MariaDB/MySQL.

 

[dash]

@efisher@ Thank you for the report! I'm able to reproduce the issue in our lab and we a working on this. I will inform you here as soon as we will find the root cause

 

[dash]

As a preliminary result, the problem is related to SELinux as @danami wrote above.
Here are the details:
Connection using mysql client works, as well via mysqli_connect().
With debug:
AH01071: Got error 'PHP message: PHP Warning: mysqli_real_connect(): (HY000/2002): Permission denied in /var/www/vhosts/test1.10-69-45-63.qa.plesk/httpdocs/wp-includes/class-wpdb.php on line 1987'
So only mysqli_real_connect() fails for whatever reason

Disabling SELinux helps. In audit.log:
type=AVC msg=audit(1705071197.377:1479): avc: denied { connectto } for pid=11111 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
audit2allow:
#============= httpd_t ==============allow httpd_t unconfined_service_t:unix_stream_socket connectto

We continue our investigation.

@Peter Debik Not sure if this is related but there is a bug on newer versions of MariaDB/MySQL where it refuses connections to the socket with SELinux enabled. I've been tracking it and it doesn't look like the fix has made it's way to OS builds yet.

[MDEV-24941] SElinux incorrect label for server socket - Jira

jira.mariadb.org

So a user might have socket connection issues after upgrading MariaDB/MySQL.

 

[danami]

@dash Yes that's what I thought as it will connect using the socket when you use localhost. Unfortunately I couldn't see a quick easy fix without overriding the mariadb unit file like this:

How can I fix the error: unable to connect to DSN 'DBI:MariaDB:database=danami_warden;host=localhost'? - Knowledgebase - Danami

The SELinux label on the socket seems to get set every time mariadb is restarted so I don't think that you can just re-label it with semanage. The real fix has been merged into the mysql-selinux package located here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-2b65fa4f45

 

[dash]

@efisher@
So, finally the root cause is an incompatibility between system and MariaDB SElinux policy.
We will deliver Plesk update to fix the policy and prevent future failures.
As a workaround, to fix the issue you can execute the following command as a root user in SSH terminal:

#chcon system_u:object_r:mysqld_exec_t:s0 /usr/sbin/mariadbd && systemctl restart mariadb.service

thanks for your report!

 

[efisher@]

Thanks for investigating and thanks for the workaround. I can confirm that the workaround did indeed work for me. I'll watch for future updates on this.

-Eric

 

[danami]

@dash Do you have any idea when Plesk is going to include a fix for this?

 

[pleskuser67553]

Google brought me here with "SELinux is preventing /opt/plesk/php/8.3/sbin/php-fpm from connect to access on the unix_stream_socket /var/lib/mysql/mysql.sock"

Immediately after these updates my customer website started throwing "500" errors
- MariaDB-client 10.11.9-1.el9 from mariadb-main repo (previous version: 10.11.8-1.el9 from mariadb-main repo)
- MariaDB-common 10.11.9-1.el9 from mariadb-main repo (previous version: 10.11.8-1.el9 from mariadb-main repo)
- MariaDB-server 10.11.9-1.el9 from mariadb-main repo (previous version: 10.11.8-1.el9 from mariadb-main repo)
- MariaDB-shared 10.11.9-1.el9 from mariadb-main repo (previous version: 10.11.8-1.el9 from mariadb-main repo)
- galera-4 26.4.19-1.el9 from mariadb-main repo (previous version: 26.4.18-1.el9 from mariadb-main repo)

Database connection is using 'localhost'.

AlmaLinux 9.2
Plesk Obsidian Version 18.0.62 Update #2

I applied @dash 's workaround and website is back to normal and no more setroubleshoot errors in System Log Browser.

Ditto @danami 's query about a fix.

 

[danami]

@pleskuser67553 If I remember correctly I don't think that chcon changes will persist if the mariadb packages get updated again. You might want to use semanage and restorecon to apply the mysqld_exec_t label. This should keep it fixed even if mariadb gets updated.

semanage fcontext -a -t mysqld_exec_t -s system_u "/usr/sbin/mariadbd"
restorecon -v /usr/sbin/mariadbd
systemctl restart mariadb