Thanks for the additional info. I have a suspicion what might be going on here.
Are you manually/explicitly setting a password for the MariaDB 'root' user?
TL;DR - if so, that's the issue! Please don't do that. Use the 'adminer" user (password should be set on firstboot) with Adminer/Webmin. Details/context below.
can't reconcile between users root, mysql, admin & adminer
I'm not sure, but I suspect that this may be the root cause of your issue (excuse the pun). These users have different contexts and are used in different scenarios, for different purposes. If I'm correct and understand the issue correctly, it's not the installing the security updates that is the issue, but the reboot.
Let me explain a bit more:
'root' is the name of both a Linux user and a mysql/maraidb user. Whilst they are named the same, they are separate users, used in specific contexts. I.e. logging into your Linux system or logging into maraidb respectively. Just to make it clear as mud, they are somewhat linked as I'll explain further down.
'mysql' is a Linux (system) user only. It's the limited user account that the mariadb service runs under. All the files that the mariadb service needs to write to need to be owned by the 'mysql' Linux user.
'admin' is the default Redmine user. It is only for logging into the Redmine UI via your web browser.
'adminer' is a "root-like" mariadb user - for logging into mariadb only. E.g. in Adminer or the Webmin mysql module.
Just to confuse things some more, there is also a 'vcs' Linux user. That one is used to interact directly with the underlying version control system (git or svn).
Now circling back to the 'root' Linux and MariaDB users; once upon a time (in a release long, long ago), the 'root' MariaDB user had a password set. So the 'root' MariaDB user could be used for both CLI interaction and within Webmin and Adminer.
However, some time ago, a better security system for accessing MariaDB became the default for the 'root' MariaDB user. This "new" authentication system is called "socket authentication" (incidentally PostgreSQL has used it forever, but let's not go there). Socket auth requires both a Linux user and a MariaDB user of the same name and somewhat links them for the purposes of MariaDB access. Any user can use socket auth to get access, but on TurnKey only the 'root' user is configured by default (inherited from Debian).
I won't go into the nuts and bolts of "socket auth" works, but effectively it allows a logged in Linux user to access MariaDB without requiring a password. No other Linux users can access MariaDB by that user at all - unless running as that user (e.g. using sudo or su). Plus it also only works for local MariaDB access - e.g. via the CLI.
However, that security improvement could also be considered a downside of socket auth. Tools such as Webmin and Adminer (and any other third party access inc remote access except local CLI) can only use password auth. Enter the "root like" 'adminer' MariaDB user. That's a (MariaDB only) user that we create specifically to allow access via username/password (Webmin & Adminer).
One of the security disadvantages of username/password auth is that to start/stop the MariaDB service, a 'root-like' Linux/MariaDB system user pair is required. By requirement that means that a plain text password needs to be stored in a config file (in /etc). With socket auth, the MariaDB can be stopped/started by 'root', with the MariaDB service itself using the limited 'mysql' Linux user.
My suspicion is that there is something you are doing along the line that is breaking our assumptions. Likely setting a password for the 'root' MariaDB user? But perhaps something else? You could revert to the old way of things ('root' using user/pass auth), but it would also require the additional steps to (re)create a 'root-like' Linux/MariaDB user pair - with the password saved somewhere.
If that sounds right, please let me know. Although if I have time, I intend to double check whether I can recreate the issue when installing as ISO.
Thanks for the additional info.
Thanks for the additional info. I have a suspicion what might be going on here.
Are you manually/explicitly setting a password for the MariaDB 'root' user?
TL;DR - if so, that's the issue! Please don't do that. Use the 'adminer" user (password should be set on firstboot) with Adminer/Webmin. Details/context below.
I'm not sure, but I suspect that this may be the root cause of your issue (excuse the pun). These users have different contexts and are used in different scenarios, for different purposes. If I'm correct and understand the issue correctly, it's not the installing the security updates that is the issue, but the reboot.
Let me explain a bit more:
Now circling back to the 'root' Linux and MariaDB users; once upon a time (in a release long, long ago), the 'root' MariaDB user had a password set. So the 'root' MariaDB user could be used for both CLI interaction and within Webmin and Adminer.
However, some time ago, a better security system for accessing MariaDB became the default for the 'root' MariaDB user. This "new" authentication system is called "socket authentication" (incidentally PostgreSQL has used it forever, but let's not go there). Socket auth requires both a Linux user and a MariaDB user of the same name and somewhat links them for the purposes of MariaDB access. Any user can use socket auth to get access, but on TurnKey only the 'root' user is configured by default (inherited from Debian).
I won't go into the nuts and bolts of "socket auth" works, but effectively it allows a logged in Linux user to access MariaDB without requiring a password. No other Linux users can access MariaDB by that user at all - unless running as that user (e.g. using sudo or su). Plus it also only works for local MariaDB access - e.g. via the CLI.
However, that security improvement could also be considered a downside of socket auth. Tools such as Webmin and Adminer (and any other third party access inc remote access except local CLI) can only use password auth. Enter the "root like" 'adminer' MariaDB user. That's a (MariaDB only) user that we create specifically to allow access via username/password (Webmin & Adminer).
One of the security disadvantages of username/password auth is that to start/stop the MariaDB service, a 'root-like' Linux/MariaDB system user pair is required. By requirement that means that a plain text password needs to be stored in a config file (in /etc). With socket auth, the MariaDB can be stopped/started by 'root', with the MariaDB service itself using the limited 'mysql' Linux user.
My suspicion is that there is something you are doing along the line that is breaking our assumptions. Likely setting a password for the 'root' MariaDB user? But perhaps something else? You could revert to the old way of things ('root' using user/pass auth), but it would also require the additional steps to (re)create a 'root-like' Linux/MariaDB user pair - with the password saved somewhere.
If that sounds right, please let me know. Although if I have time, I intend to double check whether I can recreate the issue when installing as ISO.