
mariadb/mysql基於SSL主從複製

node7: 172.16.92.7/16 mariadb主服務器
node8: 172.16.92.8/16 mariadb從服務器
以上節點均爲CentOS 7.1

配置環境
1. 配置好光盤yum源
2. 關閉selinux和iptables

node7, node8 都安裝好mariadb-server
[root@node* ~]# yum -y install mariadb-server

1. node7主節點自簽證書作爲CA服務器
[root@node7 ~]# cd /etc/pki/CA
#創建私鑰;
[root@node7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
#生成自簽署證書;
[root@node7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
CN
GD
GZ
mariadb
ca
ca.mariadb.com
[email protected]
---------------------
創建索引庫文件和序列號文件:
[root@node7 CA]# touch index.txt; echo 01 > serial;
[root@node7 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial


2.爲Master節點node7創建證書申請並由CA服務器簽發證書
#爲數據庫服務器創建ssl證書存放路徑
[root@node7 CA]# mkdir -pv /etc/my.cnf.d/ssl
[root@node7 CA]# cd /etc/my.cnf.d/ssl
#創建私鑰文件;
[root@node7 ssl]# (umask 077;openssl genrsa -out master.key 2048)
#生成證書申請;
[root@node7 ssl]# openssl req -new -key master.key -out master.csr -days 3650
CN
GD
GZ
mariadb
master
master.mariadb.com
[email protected]
--------------------------
#CA服務器簽署證書請求;
[root@node7 ssl]# openssl ca -in master.csr -out master.crt -days 3650
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = mariadb
            organizationalUnitName    = master
            commonName                = master.mariadb.com
            emailAddress              = [email protected]
------------------------------------------------------------

3.Slave節點node8創建證書申請並由CA服務器簽署證書
#創建證書存放路徑;
[root@node8 ~]# mkdir /etc/my.cnf.d/ssl
[root@node8 ~]# cd /etc/my.cnf.d/ssl
#生成私鑰;
[root@node8 ssl]# (umask 077;openssl genrsa -out slave.key 2048)
#生成證書申請文件;
[root@node8 ssl]# openssl req -new -key slave.key -out slave.csr -days 3650
CN
GD
GZ
mariadb
slave
slave.mariadb.com
[email protected]
--------------------------
#將slave節點的證書申請發送到CA服務器,
[root@node8 ssl]# scp slave.csr node7:/root

#讓CA簽署Slave服務器證書;
[root@node7 ssl]# cd /etc/pki/CA
[root@node7 CA]# openssl ca -in /root/slave.csr -out certs/slave.crt -days 1000
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = mariadb
            organizationalUnitName    = slave
            commonName                = slave.mariadb.com
            emailAddress              = [email protected]
---------------------------------------------------------------
#證書在CA服務器節點簽署好後,發回slave服務器:
[root@node7 CA]# scp certs/slave.crt node8:/etc/my.cnf.d/ssl/

#從服務器查看一下證書
[root@node8 ssl]# ls
slave.crt slave.csr slave.key

#將CA證書拷貝到Slave服務器併爲Master拷貝一份
[root@node7 ssl]# scp /etc/pki/CA/cacert.pem node8:/etc/my.cnf.d/ssl/
[root@node7 ssl]# cp /etc/pki/CA/cacert.pem /etc/my.cnf.d/ssl/

#修改Master與Slave服務器證書屬主、屬組爲mysql用戶
主節點的權限授予:
[root@node7 ssl]# chown -R mysql.mysql /etc/my.cnf.d/ssl/
[root@node7 ssl]# ls /etc/my.cnf.d/ssl/ -l

#從節點的權限授予:
[root@node8 ssl]# chown -R mysql.mysql /etc/my.cnf.d/ssl/
[root@node8 ssl]# ls -l /etc/my.cnf.d/ssl/


4.在Master與Slave服務器修改主配置文件開啓SSL加密功能
#node7: mariadb主服務器配置
[root@node7 ~]# vim /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

#######以下的內容爲添加########
ssl #開啓SSL功能
ssl_ca = /etc/my.cnf.d/ssl/cacert.pem #指定CA文件位置
ssl_cert = /etc/my.cnf.d/ssl/master.crt #指定證書文件位置
ssl_key = /etc/my.cnf.d/ssl/master.key #指定密鑰所在位置

#二進制變更日誌
log-bin=mysql-bin
#二進制日誌格式爲混合模式
binlog_format=mixed
#爲主服務器node7的ID值
server-id = 7
innodb_file_per_table = on
skip_name_resolve = on

####### 以下內容非必要 #########
port = 3306
key_buffer_size = 256M
max_allowed_packet = 1M
table_open_cache = 256
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 16M
thread_concurrency = 4

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer_size = 128M
sort_buffer_size = 128M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
#############################

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
############### End for my.cnf #################


node8: mariadb從服務器配置
[root@node8 ~]# vim /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

########## 添加以下內容 ##########
ssl
ssl_ca = /etc/my.cnf.d/ssl/cacert.pem
ssl_cert = /etc/my.cnf.d/ssl/slave.crt
ssl_key = /etc/my.cnf.d/ssl/slave.key

log-bin=mysql-bin
binlog_format=mixed
server-id = 8
relay-log = relay-bin
log_slave_updates = 1
read_only = on
innodb_file_per_table = on
skip_name_resolve = on

######### 以下內容非必要 ############
port = 3306
key_buffer_size = 256M
max_allowed_packet = 1M
table_open_cache = 256
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 16M
thread_concurrency = 4

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer_size = 128M
sort_buffer_size = 128M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
####################################

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

############# End of my.cnf ###############


5.在Master服務器查看SSL加密是否開啓;然後創建授權一個要求使用SSL連接的複製用戶
[root@node7 ~]# systemctl start mariadb
[root@node7 ~]# mysql
MariaDB [(none)]> show variables like '%ssl%';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| have_openssl  | YES                          |
| have_ssl      | YES                          |
| ssl_ca        | /etc/my.cnf.d/ssl/cacert.pem |
| ssl_capath    |                              |
| ssl_cert      | /etc/my.cnf.d/ssl/master.crt |
| ssl_cipher    |                              |
| ssl_key       | /etc/my.cnf.d/ssl/master.key |
+---------------+------------------------------+

MariaDB [(none)]> grant replication client,replication slave on *.* to 'slaveuser'@'172.16.%.%' identified by 'oracle' require ssl;
#說明: require ssl 只要求此帳號必須經加密連接登入, 並不校驗從服務器出示的客戶端證書; 若要強制從服務器出示由本CA簽發的證書, 可改用 require x509 (或進一步用 require issuer / require subject 限定證書內容);
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> show master status\G
*************************** 1. row ***************************
            File: mysql-bin.000003
        Position: 507


6. 在Slave服務器 (node8) 測試使用加密用戶指定密鑰連接Master服務器
[root@node8 ~]# mysql \
-uslaveuser -poracle -h172.16.92.7 \
--ssl-ca=/etc/my.cnf.d/ssl/cacert.pem \
--ssl-cert=/etc/my.cnf.d/ssl/slave.crt \
--ssl-key=/etc/my.cnf.d/ssl/slave.key
#說明: 以 -p密碼 的形式把口令寫在命令行上, 口令會留在shell歷史並可被 ps 看到; 測試時只寫 -p 讓 mysql 提示輸入較爲穩妥;

MariaDB [(none)]> show master status\G
*************************** 1. row ***************************
            File: mysql-bin.000003
        Position: 507        #可以看出File與Position和上面在主節點上顯示的一致;
######### 記下File與Position這兩個值, 後面執行change master to時要用 #########
MariaDB [(none)]> quit

7. 在Slave服務器 (node8) 配置並啓動複製
[root@node8 ~]# systemctl start mariadb
[root@node8 ~]# mysql
MariaDB [(none)]> show global variables like '%read_only%'\G
*************************** 1. row ***************************
Variable_name: read_only
        Value: ON
------------------------------
MariaDB [(none)]> show variables like '%ssl%';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| have_openssl  | YES                          |
| have_ssl      | YES                          |
| ssl_ca        | /etc/my.cnf.d/ssl/cacert.pem |
| ssl_capath    |                              |
| ssl_cert      | /etc/my.cnf.d/ssl/slave.crt  |
| ssl_cipher    |                              |
| ssl_key       | /etc/my.cnf.d/ssl/slave.key  |
+---------------+------------------------------+

#設置連接master節點;
MariaDB [(none)]> change master to
master_host='172.16.92.7',
master_user='slaveuser',
master_password='oracle',
master_log_file='mysql-bin.000003',
master_log_pos=507,
master_ssl=1,
master_ssl_ca='/etc/my.cnf.d/ssl/cacert.pem',
master_ssl_cert='/etc/my.cnf.d/ssl/slave.crt',
master_ssl_key='/etc/my.cnf.d/ssl/slave.key';
#說明: 以上設置只讓從服務器用CA校驗主服務器證書鏈, 不校驗證書中的主機名; 若要加上主機名校驗可再加 master_ssl_verify_server_cert=1, 但此時 master_host 需改用與證書commonName一致的主機名 (master.mariadb.com) 而非IP, 否則連接會失敗;

MariaDB [(none)]> start slave;

MariaDB [(none)]> show slave status\G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.92.1
                  Master_User: repluser
                  Master_Port: 3306
                Connect_Retry: 5
              Master_Log_File: mysql-bin.000003
          Read_Master_Log_Pos: 497
               Relay_Log_File: relay-bin.000002
                Relay_Log_Pos: 529
        Relay_Master_Log_File: mysql-bin.000003
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
    ........ 其餘信息略 ........
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
           Master_SSL_CA_Path:
              Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
            Master_SSL_Cipher:
               Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
    ........ 其餘信息略 ........
#說明: 以上輸出中的 Master_Host 與 Master_User 應與前面 change master to 設定的值一致 (即 172.16.92.7 / slaveuser); 此處顯示的 172.16.92.1 / repluser 與本文環境不符, 以實際環境的輸出爲準;

MariaDB [(none)]> show processlist\G
*************************** 3. row ***************************
   State: Slave has read all relay log; waiting for the slave I/O thread to update it
#說明: 從節點已經讀取完所有的中繼日誌, 並且已啓動I/O線程等待主節點發送更新

node7 主節點上可查看到此進程
MariaDB [(none)]> show processlist\G
*************************** 2. row ***************************
   State: Master has sent all binlog to slave; waiting for binlog to be updated
#說明: 主節點已經發送所有的二進制日誌到從服務器


在主節點上創建數據庫測試是否能主從同步
MariaDB [(none)]> create database zzz;

在從節點上可看到zzz數據庫, 說明主從同步成功!
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| zzz                |
+--------------------+

############# mysql/mariadb基於SSL加密主從複製已全部完成 ##############



8. 複製相關的文件介紹

我們到slave節點查看數據文件 (以下示例取自另一環境, 其數據目錄爲 /mydata/data; 本文配置的 datadir 爲 /var/lib/mysql, 請按實際路徑查看):

[root@node8 ~]# ls /mydata/data/
aria_log.00000001 master.info mysql-bin.000005 performance_schema
aria_log_control multi-master.info mysql-bin.000006 relay-bin.000001
binlog mysql mysql-bin.000007 relay-bin.000002
hellodb mysql-bin.000001 mysql-bin.000008 relay-bin.index
ibdata1 mysql-bin.000002 mysql-bin.index relaylog
ib_logfile0 mysql-bin.000003 node8.centos7.com.err relay-log.info
ib_logfile1 mysql-bin.000004 node8.centos7.com.pid test

這裏除了基本的數據庫文件和二進制日誌,還有一些與複製相關的文件。如下:

(1)mysql-bin.index

服務器一旦開啓二進制日誌,會產生一個與二進制日誌文件同名,但是以.index結尾的文件。它用於跟蹤磁盤上存在哪些二進制日誌文件。MySQL用它來定位二進制日誌文件。它的內容如下:

[root@node8 ~]# cat /mydata/data/mysql-bin.index
./mysql-bin.000001
./mysql-bin.000002
./mysql-bin.000003
./mysql-bin.000004
./mysql-bin.000005
./mysql-bin.000006
./mysql-bin.000007
./mysql-bin.000008

(2)relay-bin.index

該文件的功能與mysql-bin.index類似,但是它是針對中繼日誌,而不是二進制日誌。內容如下:

[root@node8 ~]# cat /mydata/data/relay-bin.index
./relay-bin.000001
./relay-bin.000002

(3)master.info

保存master的相關信息。不要刪除它,否則,slave重啓後不能連接master。內容如圖:

MariaDB數據庫主從複製、雙主複製、半同步複製、基於SSL的安全複製實現及其功能特性介紹

(4)relay-log.info

包含slave中當前二進制日誌和中繼日誌的信息。

[root@node8 ~]# cat /mydata/data/relay-log.info
./relay-bin.000002
8849
mysql-bin.000008
8970

