we are currently running PI 3.11.2 on a galera cluster (mariadb 10.11.18). I tried to upgrade (to PI 3.13.2) using
privacyidea-pip-update
but database migration stopped with the error:
sqlalchemy.exc.NotSupportedError: (pymysql.err.NotSupportedError) (1235, “This version of MariaDB doesn’t yet support ‘CACHE without INCREMENT BY 0 in Galera cluster’”)
[SQL: ALTER SEQUENCE tokencredentialidhash_seq RESTART WITH 10]
it seems to me this is related to:
any hints on what I could do to fix this? since we are affected by “OTP-bypass in the WebUI” we would like to upgrade as soon as possible.
If you need the whole log of the upgrade script, let me know.
thank you for your detailed description of the problem. This error occurs when running the 3.13.2 migration script with MariaDB Version 10.11.x with Galera Cluster. This simply means that there was an error, when altering the sequence for the tokencredentialidhash_seq table, which used for passkeys.
If you would not be using passkeys then this should not be relevant. But I can see that the value for the sequence id is 10, so you are probably using passkeys.
You can fix this manually as follows:
You need to issue the following sql commands in your MariaDB Database:
SELECT COALESCE(MAX(id), 0) + 1 FROM tokencredentialidhash;
This will result in a value, as seen in the screenshot below. You need this
ALTER SEQUENCE tokencredentialidhash_seq RESTART WITH <number_from_previous_command> INCREMENT BY 0;
hm, just that I understand correctly: in what you describe, I get the impression that the migration script will not run at all in the end (besides the commands that I execute manually). so besides adjusting the sequence, there are no database schema upgrades?
upgraded our production cluster to 3.13.3 just now. expected to have to execute the above sql commands to complete the db migration. it seems to me, you incorporated that already in the migration script. if yes ⇒ great work, thank you! if no ⇒ please let me know if I need to do the above steps, even after the migration script went through without error.
minor patch levels like 3.13.1 → 3.13.3 usually do not contain DB changes.
All update mechanisms (like ubuntu packages, post inst scsript) but also the privacyidea-pip-update contain the mechanism to run a schema update/database update.
If you have a support contract you can find more about this in the Knowledge Base in the article “Planning your privacyIDEA server update”.
ok, I try to ask differently, maybe that clears things up.
upgrading 3.13.1 ⇒ 3.13.2: I needed to manually execute the SQL statements you guys provided (see above)
upgrading 3.13.1 ⇒ 3.13.3: no need to run these SQL statements manually, so I was wondering whether these SQL changes were done by the upgrade/migration script.
and yes, we have a support contract, but to be honest, I do not believe that we ever got the information how to “invoke” it. but I will check my emails.
Interesting. Normally there should be no DB update from 3.13.1. to 3.13.2.
But in this case a DB (schema) update was broken or did nor work correctly for Galera.
In 3.13.3 a DB migration script was fixed, that was broken for galera. I.e.
when updating to 3.13.2 the automatic update will break with Galera. You need to fix it manually.
When updating to 3.13.3 the automic update for Galera was fixed. So it ran automatically in the background.