Upgrading privacyidea on a galera cluster does not work

hkunz · June 11, 2026, 7:47am

Hi all,

we are currently running PI 3.11.2 on a galera cluster (mariadb 10.11.18). I tried to upgrade (to PI 3.13.2) using

privacyidea-pip-update

but database migration stopped with the error:

sqlalchemy.exc.NotSupportedError: (pymysql.err.NotSupportedError) (1235, “This version of MariaDB doesn’t yet support ‘CACHE without INCREMENT BY 0 in Galera cluster’”)
[SQL: ALTER SEQUENCE tokencredentialidhash_seq RESTART WITH 10]

it seems to me this is related to:

github.com/privacyidea/privacyidea

Error when installing privacyIDEA 3.9.2 with an MariaDB Galera Cluster

opened 04:58PM - 14 Feb 24 UTC

closed 12:09PM - 22 Apr 24 UTC

lefe8

Status: Waiting for merge into master Type: Possible bug

### Top-level intent I've tried installing privacyIDEA 3.9.2, which comes wit…h SQLAlchemy 1.4, with a MariaDB Galera cluster as a token database. An error, which I've described below, occurred and the installation did not succeed. ### Steps to reproduce 1. Set up a database with the current long-term versions MariaDB 10.11 and Galera 26.4. 2. Install privacyIDEA 3.9.2 from PyPI on a fresh Ubuntu 22.04 server. 3. Run the command "pi-manage create_tables" inside the virtual environment. ### Expected outcome The tables should be initialized. ### Actual outcome You'll get the error message from the "Error" section and the table creation will fail. ### Further scenarios I've also tested the following additional scenarios during error handling: privacyIDEA 3.8.1. + MariaDB Single Node: Succeeded privacyIDEA 3.8.1. + MariaDB Galera Cluster: Succeeded privacyIDEA 3.9.2. + MariaDB Single Node: Succeeded privacyIDEA 3.9.2. + MariaDB Galera Cluster: Failed ### Configuration * **privacyIDEA version**: 3.9.2 * **Installation method**: PyPI * **Python version**: 3.10 * **Operating system**: Ubuntu 22.04 * **Webserver**: Apache HTTP * **Token database**: MariaDB Galera Cluster ### Error pymysql.err.NotSupportedError:(1235, "This version of MariaDB doesn't yet support 'CACHE without INCREMENT BY 0 in Galera Cluster'") ### Assumption It appears that SQLAlchemy 1.4 reports that the database supports sequences because of the "mariadb" dialect. This is true in theory, but Galera does not yet support this. It seems as if the "dialect_supports_sequences()" function is missing a check as to whether replication with Galera is being used. Here's a search for the function I mentioned: https://github.com/search?q=repo%3Aprivacyidea%2Fprivacyidea%20dialect_supports_sequences&type=code At this point in the code, it appears that this has already been thought of: https://github.com/privacyidea/privacyidea/blob/9d8b5e5fff5bfe47f5e0b15c465802126220bc5d/migrations/versions/5cb310101a1f_.py#L29

any hints on what I could do to fix this? since we are affected by “OTP-bypass in the WebUI” we would like to upgrade as soon as possible.

If you need the whole log of the upgrade script, let me know.

Best,

Hp

lucas · June 11, 2026, 1:07pm

Hello Hp,

thank you for your detailed description of the problem. This error occurs when running the 3.13.2 migration script with MariaDB Version 10.11.x with Galera Cluster. This simply means that there was an error, when altering the sequence for the tokencredentialidhash_seq table, which used for passkeys.

If you would not be using passkeys then this should not be relevant. But I can see that the value for the sequence id is 10, so you are probably using passkeys.

You can fix this manually as follows:

You need to issue the following sql commands in your MariaDB Database:

SELECT COALESCE(MAX(id), 0) + 1 FROM tokencredentialidhash;

This will result in a value, as seen in the screenshot below. You need this

ALTER SEQUENCE tokencredentialidhash_seq RESTART WITH <number_from_previous_command> INCREMENT BY 0;

It may look like this:

Hopefully this helps. Let me know.

Best Regards

Lucas

hkunz · June 11, 2026, 1:21pm

ok, thank you very much. just to be sure: I do run these commands before running the migration script, right?

lucas · June 11, 2026, 1:35pm

If the migration script has already run and failed you can run it afterwards.

You can then check your alembic_version (version of database schema) with:

pi-manage db current

If you are still on version: 06b105a4f941

I suggest that you stamp your database, as described below.

If the migration script has not run yet, then you can run this command and then stamp the database with:

pi-manage db stamp b1a2c3d4e5f6

So that the migration script won’t run again.

Please let me know if it worked out, or if you have any further questions.

Best Regards

Lucas

hkunz · June 11, 2026, 1:46pm

hm, just that I understand correctly: in what you describe, I get the impression that the migration script will not run at all in the end (besides the commands that I execute manually). so besides adjusting the sequence, there are no database schema upgrades?

hkunz · June 11, 2026, 1:50pm

I get:

pi-manage db current
INFO [alembic.env] Running migrations online

lucas · June 11, 2026, 2:04pm

Typically when running pi-manage db current it should look something like this:

You can also check your alembic version by running:

select * from pi.alembic_version;

in your database.

The latest migration script only contains the modification to the tokencredentialidhash_seq sequence.

Therefore if you have reached the alembic version: 06b105a4f941

Then just running the command manually and then stamping the database if fully fine.

cornelinux · June 11, 2026, 2:45pm

You are using privacyidea-pip-update.
See privacyidea/tools/privacyidea-pip-update at master · privacyidea/privacyidea · GitHub
This can run the db schema upgrade or it can skip the upgrade. Totally depends on how you call it and if you hit y or n.

hkunz · June 11, 2026, 4:17pm

ok, thanks guys, this worked. one node us upgraded now. the 2nd node should upgrade without problems now