Page MenuHomePhabricator

Upgrade matomo1001 to latest upstream
Closed, ResolvedPublic5 Story Points

Description

According to https://matomo.org/changelog we should upgrade to 3.9.1 to allow to fix some security issues.

Changelog 3.7.0 -> 3.9.1 (4 releases):

As far as I can see from the notes there is not big schema change to perform so this upgrade should be very quick and not too painful.

Details

Related Gerrit Patches:

Event Timeline

elukey created this task.Mar 11 2019, 3:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 11 2019, 3:27 PM
Milimetric triaged this task as High priority.Mar 18 2019, 3:46 PM
Milimetric moved this task from Incoming to Operational Excellence on the Analytics board.
elukey updated the task description. (Show Details)Mar 29 2019, 11:21 AM
elukey updated the task description. (Show Details)

Change 500007 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::piwik: simplify profile's parameters and remove dead code

https://gerrit.wikimedia.org/r/500007

Change 500007 merged by Elukey:
[operations/puppet@production] role::piwik: simplify profile's parameters and remove dead code

https://gerrit.wikimedia.org/r/500007

elukey added a comment.EditedMar 29 2019, 12:35 PM

Re-created the matomo instance in labs and configured with our current version (the other one had problems that I wasn't able to solve so I decided for a clean start).

Filed https://github.com/matomo-org/matomo/issues/14286 since in debian.piwik.org there is only the package for 3.8.1. Since 3.9.1 contains security fixes as well better to wait for it.

elukey moved this task from Next Up to In Progress on the Analytics-Kanban board.
elukey moved this task from Backlog to In Progress on the User-Elukey board.Apr 1 2019, 11:27 AM
elukey moved this task from In Progress to Stalled on the User-Elukey board.Apr 3 2019, 10:21 AM
elukey moved this task from In Progress to Paused on the Analytics-Kanban board.Apr 12 2019, 9:04 AM

Packages uploaded by upstream. Tested the update in labs, in requires some db alters:

elukey@matomo:~$ sudo -u www-data /usr/bin/php /usr/share/matomo/console core:update

    *** Update ***

    Database Upgrade Required

    Your Matomo database is out-of-date, and must be upgraded before you can continue.

    Matomo database will be upgraded from version 3.7.0 to the new version 3.9.1.

    *** Note: this is a Dry Run ***

    ALTER TABLE `piwik_user` ADD COLUMN `twofactor_secret` VARCHAR(40) NOT NULL DEFAULT '';
    CREATE TABLE `piwik_twofactor_recovery_code` (`idrecoverycode` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, `login` VARCHAR(100) NOT NULL, `recovery_code` VARCHAR(40) NOT NULL, PRIMARY KEY ( `idrecoverycode` )) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    ./console plugin:activate "TwoFactorAuth"
    ./console plugin:deactivate "GoogleAuthenticator"
    CREATE TABLE `piwik_tracking_failure` (`idsite` BIGINT(20) UNSIGNED NOT NULL, `idfailure` SMALLINT UNSIGNED NOT NULL, `date_first_occurred` DATETIME NOT NULL, `request_url` MEDIUMTEXT NOT NULL, PRIMARY KEY ( `idsite`, `idfailure` )) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    CREATE TABLE `piwik_brute_force_log` (`id_brute_force_log` bigint(11) NOT NULL AUTO_INCREMENT, `ip_address` VARCHAR(60) DEFAULT NULL, `attempted_at` datetime NOT NULL, PRIMARY KEY ( `id_brute_force_log` )) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    ALTER TABLE `piwik_brute_force_log` ADD INDEX index_ip_address (`ip_address`);

    *** End of Dry Run ***

A database upgrade is required. Execute update? (y/N) y

Starting the database upgrade process now. This may take a while, so please be patient.

    *** Update ***

    Database Upgrade Required

    Your Matomo database is out-of-date, and must be upgraded before you can continue.

    Matomo database will be upgraded from version 3.7.0 to the new version 3.9.1.

    The database upgrade process may take a while, so please be patient.

  Executing ALTER TABLE `piwik_user` ADD COLUMN `twofactor_secret` VARCHAR(40) NOT NULL DEFAULT '';... Done. [1 / 7]
  Executing CREATE TABLE `piwik_twofactor_recovery_code` (`idrecoverycode` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, `login` VARCHAR(100) NOT NULL, `recovery_code` VARCHAR(40) NOT NULL, PRIMARY KEY ( `idrecoverycode` )) ENGINE=InnoDB DEFAULT CHARSET=utf8;... Done. [2 / 7]
  Executing ./console plugin:activate "TwoFactorAuth"... Done. [3 / 7]
  Executing ./console plugin:deactivate "GoogleAuthenticator"... Done. [4 / 7]
  Executing CREATE TABLE `piwik_tracking_failure` (`idsite` BIGINT(20) UNSIGNED NOT NULL, `idfailure` SMALLINT UNSIGNED NOT NULL, `date_first_occurred` DATETIME NOT NULL, `request_url` MEDIUMTEXT NOT NULL, PRIMARY KEY ( `idsite`, `idfailure` )) ENGINE=InnoDB DEFAULT CHARSET=utf8;... Done. [5 / 7]
  Executing CREATE TABLE `piwik_brute_force_log` (`id_brute_force_log` bigint(11) NOT NULL AUTO_INCREMENT, `ip_address` VARCHAR(60) DEFAULT NULL, `attempted_at` datetime NOT NULL, PRIMARY KEY ( `id_brute_force_log` )) ENGINE=InnoDB DEFAULT CHARSET=utf8;... Done. [6 / 7]
  Executing ALTER TABLE `piwik_brute_force_log` ADD INDEX index_ip_address (`ip_address`);... Done. [7 / 7]

Matomo has been successfully updated!

It appears you have executed this update with user www-data:www-data, while your Matomo files are owned by root:root.

To ensure that the Matomo files are readable by the correct user, you may need to run the following command (or a similar command depending on your server configuration):

$ chown -R www-data:www-data /usr/share/matomo

It seems something that can run very quickly, tables are not that big in production.

Mentioned in SAL (#wikimedia-operations) [2019-04-12T10:13:04Z] <elukey> matomo updated to 3.9.1 on matomo1001 + deb upload to wikimedia-stretch - T218037

elukey set the point value for this task to 5.Apr 12 2019, 10:20 AM
elukey moved this task from Paused to Done on the Analytics-Kanban board.
elukey moved this task from Stalled to Done on the User-Elukey board.Apr 15 2019, 9:27 AM
Nuria closed this task as Resolved.Apr 19 2019, 1:31 PM