How to get MediaWiki running after upgrade from Debian 9 to Debian 10

My wiki on wiki.mkcs.at is a LXC container which was so far running Debian 9 and its host is also running Debian 9. I already set up a new host running Debian 10 (buster) and of course the containers running on it should run the same OS version.

After I copied the container from the old to the new host, everything was still working fine. But after I upgraded to Debian 10, suffering began, followed by some hours of tinkering. I would like to safe you that time and share my experiences.

The first service that failed to start was Apache. This could be seen directly in the output of apt full-upgrade:

apache2.service: Failed to set up mount namespacing: Permission denied

apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied

apache2.service: Control process exited, code=exited, status=226/NAMESPACE

As I read here, these two lines in /lib/systemd/system/apache2.service fix that problem:

PrivateTmp=false
NoNewPrivileges=yes

These commands then start Apache:

systemctl daemon-reload

systemctl start apache2.service

 

The next service that failed to start was mariadb and this was the one that was hard to fix. dpkg --list | grep -i mariadb showed that mariadb wasn't installed at all, so I installed it using apt install default-mysql-server. However, after installation, it did not run and systemctl status mysql showed

mariadb.service: Failed to set up mount namespacing: Permission denied

mariadb.service: Failed at step NAMESPACE spawning /usr/bin/install: Permission denied

mariadb.service: Control process exited, code=exited, status=226/NAMESPACE

The error was similar to the one I had with Apache but I could not quickly find a simple solution. Many search results on Google pointed to solutions with Proxmox or LXD that helped me to slightly understand the cause of the problem (somehow, AppArmor is preventing access) but not a solution. As I have seen in the output of dmesg, mariadb was not the only application that did not work:

audit: type=1400 audit(1621946328.497:5424): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=4240 comm="(install)" flags="rw, rslave"

audit: type=1400 audit(1621946331.481:5425): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=4241 comm="(vnstatd)" flags="rw, rslave"

On my LXC wiki page I once noted to add a line "lxc.aa_profile = unconfined" if strange permission problems occur in the container, but LXC then refused to start the container:

confile.c: parse_line: 2312 Unknown configuration key "lxc.aa_profile"

So, the option must have renamed in LXC 3. This page showed the right option:

lxc.apparmor.profile = unconfined

And finally mariadb was working again.

The next challenge was to get MediaWiki running. It first complained that it was missing "mbstring" and "xml" modules, so I installed them using apt -y install php-mbstring php-xml. Then I figured out that php7.3 and php7.3-mysql were not installed and I installed them too (apt -y install php7.3 php7.3-mysql). Next, MediaWiki complained it could not connect to the database:

no viable database extension found for type 'mysql'

The problem was that two versions of the mysql library were installed, as dpkg -S mysqlnd.so showed:

php7.0-mysql: /usr/lib/php/20151012/mysqlnd.so
php7.3-mysql: /usr/lib/php/20180731/mysqlnd.so

dpkg --list | grep "php7.0" showed that several packages belonging PHP 7.0 were still installed, so I removed them using apt remove php7.0 php7.0-cli php7.0-common php7.0-json php7.0-mysql php7.0-opcache php7.0-readline.

Finally I tested my wiki by logging in, modifying an article and see if it occurs in the "Recent changes" page. Everything worked smoothly. 😀

SSL_ERROR_RX_RECORD_TOO_LONG after upgrading Apache on Debian

Recently I upgraded a Debian server from Debian 8 (jessie) to Debian 9 (stretch) which also caused Apache to be upgraded from version 2.4.10 to 2.4.25. After the upgrade, when trying to connect to the web site using HTTPS, Firefox showed an error message with the code "SSL_ERROR_RX_RECORD_TOO_LONG". This error message is quite confusing, I thought that there would be something wrong with the certificate or the code that handles TLS. After searching a little bit in the Web, I figured out that Apache is actually serving HTTP on port 443 which doesn't work of course. The page that helped me was

https://community.letsencrypt.org/t/ssl-error-rx-record-too-long-on-debian-9-apache-2/123371

The command apachectl revealed that Apache was only aware of the virtual host configuration to serve on HTTP:

apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   x.y.z (/etc/apache2/sites-enabled/000-default.conf:3)

It's interesting that Apache can't detect this misconfiguration somehow. Who wants to run a HTTP server on port 443 anyway?

Once I was aware of the problem, I tried to find out why it didn't read the virtual host configuration using TLS. The filename was /etc/apache2/sites-enabled/001-default-ssl and it worked fine with Apache 2.4.10 on Debian 8. So I took a look at /etc/apache2/apache2.conf and made a diff with the old configuration file. Then I saw this:

< IncludeOptional sites-enabled/*.conf
---
> Include sites-enabled/

While the old configuration told Apache2 to just read any file in sites-enabled/, the new configuration only processes files with ".conf" at the file name's end (which is clever IMHO). So what I had to do was to remove all the wrong links in sites-enabled, rename the configuration files in sites-available and add them again using "a2ensite". Finally, my web site was working again using HTTPS.