SSL-based MySQL master-slave replication
[Background]
The MySQL protocol is plaintext. When important data is replicated, SSL is sometimes needed so that the data is protected on the wire.
[Preparation]
Prerequisites:
1. Master and slave clocks are kept in sync
[root@node3 support-files]# crontab -e    #### master node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
[root@node1 CA ]# crontab -e    #### slave node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
2. The replication account gets only the minimum privileges it needs
3. The CA is kept on the master node
4. Using the SSL feature requires a MySQL build compiled with SSL support; that is not demonstrated here (the corosync+pacemaker+mysql write-up covers it in detail).
###### Compile and install MySQL on both nodes.
[Configure the certificates on each node]
############################### CA: generate the private key ###################################
[root@node1 CA ]# (umask 077;openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
...................++++++
................++++++
e is 65537 (0x10001)
############################### CA: generate the self-signed certificate ################################
[root@node1 CA ]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:cacert
Email Address []:admin.stu11.com
[root@node1 CA ]# touch index.txt
[root@node1 CA ]# echo 01 > serial
################################# Generate the private key for the master ###################################
[root@node1 CA ]# cd /etc/mysql/ssl/
[root@node1 ssl ]# (umask 077;openssl genrsa -out master.key 1024)
Generating RSA private key, 1024 bit long modulus
...................................++++++
.............................++++++
e is 65537 (0x10001)
############################### Generate the certificate signing request for the master ##############################
[root@node1 ssl ]# openssl req -new -key master.key -out master.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:master.crt
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
############################### Sign the master certificate ######################################
[root@node1 ssl ]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 25 07:12:12 2015 GMT
            Not After : Jan 25 07:12:12 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = master.crt
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:50:74:97:39:91:86:5A:1F:C6:2F:6A:87:FB:77:04:7B:70:33:5C
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E
Certificate is to be certified until Jan 25 07:12:12 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl ]# ls
master.crt  master.csr  master.key
[root@node1 ssl ]# chown -R mysql:mysql *
[root@node1 ssl ]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 15:12 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 15:12 master.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 15:11 master.csr
-rw------- 1 mysql mysql  887 Jan 25 15:09 master.key
################################# Generate the private key for the slave ###################################
[root@node3 ssl]# (umask 077;openssl genrsa -out slave.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++++++
.........................++++++
e is 65537 (0x10001)
############################### Generate the signing request for the slave ################################
[root@node3 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:slave.cert
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
############################### Sign the slave certificate on the CA and copy it back ###################################
[root@node3 ssl]# scp slave.csr 172.16.249.141:/etc/pki/CA/
[root@node1 CA ]# openssl ca -in slave.csr -out slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 25 07:21:11 2015 GMT
            Not After : Jan 25 07:21:11 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = slave.cert
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F8:06:AD:F0:1D:8A:78:62:ED:A7:FF:BB:7A:F6:79:14:D4:FB:26:39
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E
Certificate is to be certified until Jan 25 07:21:11 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 CA ]# scp slave.crt 172.16.11.3:/etc/mysql/ssl/
[root@node1 CA ]# scp cacert.pem 172.16.11.3:/etc/mysql/ssl/
[root@node3 ssl]# chown -R mysql:mysql *
[root@node3 ssl]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 15:22 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 15:21 slave.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 15:19 slave.csr
-rw------- 1 mysql mysql  887 Jan 25 15:14 slave.key
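The CA, key, CSR and signing steps above can be scripted end to end, and it is worth adding the checks a practitioner runs before pointing my.cnf at the files: the certificate verifies against the CA, the key actually matches the certificate, and the key file is not readable by other users. The script below is an added example, not code from the original post. It reuses the post's subject fields but deviates in three labelled ways: 2048-bit RSA keys instead of 1024 (1024-bit RSA is below current minimums), `-subj` instead of the interactive prompts, and `openssl x509 -req -CA ...` for signing, which needs no /etc/pki/CA database (index.txt, serial). The output directory is a parameter; /etc/mysql/ssl is only the default.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA / master / slave
# PKI non-interactively and check the result. Assumptions that differ from
# the post: 2048-bit keys, -subj instead of prompts, and "openssl x509 -req"
# instead of "openssl ca", so no CA database directory is required.
set -eu

# $1: output directory; $2: certificate lifetime in days (default 365)
make_replication_pki() {
    dir="$1"; days="${2:-365}"
    subj_base="/C=CN/ST=HA/L=ZZ/O=magedu/OU=14qi"   # subject values from the post
    mkdir -p "$dir"

    # CA private key (mode 600 via umask) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -days "$days" -subj "$subj_base/CN=cacert" 2>/dev/null

    # one key, CSR and CA-signed certificate per replication role
    for role in master slave; do
        (umask 077; openssl genrsa -out "$dir/$role.key" 2048 2>/dev/null)
        openssl req -new -key "$dir/$role.key" -out "$dir/$role.csr" \
            -subj "$subj_base/CN=$role" 2>/dev/null
        openssl x509 -req -in "$dir/$role.csr" -CA "$dir/cacert.pem" \
            -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/$role.crt" \
            -days "$days" 2>/dev/null
    done
}

# Checks for one role ($2) in directory $1: chain to the CA, key/cert
# modulus match, and a 600 mode on the private key. Returns 1 on any failure.
check_pki_files() {
    dir="$1"; role="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$role.crt" >/dev/null 2>&1 || {
        echo "$role.crt does not chain to cacert.pem" >&2; return 1; }
    key_mod=$(openssl rsa -in "$dir/$role.key" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$dir/$role.crt" -noout -modulus 2>/dev/null)
    [ "$key_mod" = "$crt_mod" ] || {
        echo "$role.key does not match $role.crt" >&2; return 1; }
    perms=$(stat -c %a "$dir/$role.key" 2>/dev/null || stat -f %Lp "$dir/$role.key")
    [ "$perms" = "600" ] || {
        echo "$role.key mode is $perms, expected 600" >&2; return 1; }
    echo "$role: certificate, key and permissions OK"
}

# Stand-alone use: sh make_pki.sh run [output-dir]
if [ "${1:-}" = "run" ]; then
    out="${2:-/etc/mysql/ssl}"
    make_replication_pki "$out"
    check_pki_files "$out" master
    check_pki_files "$out" slave
fi
```

After running it, copy the role's key and certificate plus cacert.pem to the node that uses them and chown them to the mysql user, as the post does with scp and chown. The modulus comparison catches the common mistake of signing a CSR from one key and then deploying another key next to the certificate.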
######################## Configure the master node to use SSL ###################################
################ Master node configuration file
thread_concurrency = 8
datadir = /mydata                        #### data directory
innodb_file_per_table = on               #### one file per InnoDB table
skip_name_resolve = on                   #### skip name resolution
ssl                                      #### enable SSL
ssl_ca = /etc/mysql/ssl/cacert.pem       #### CA certificate location
ssl_key = /etc/mysql/ssl/master.key      #### master node key
ssl_cert = /etc/mysql/ssl/master.crt     #### master node certificate
log-bin=/bin/log/master-bin              #### enable the binary log
binlog_format=mixed                      #### binary log format
server-id = 10                           #### unique server-id
[root@node1 CA ]# service mysqld start    #### start the master node
Starting MySQL                                             [  OK  ]
############## Grant a user the slave can replicate with, and require SSL for it ##############
mysql> grant replication slave,replication client on *.* to 'cpuser'@'%' identified by 'magedu' require ssl;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
######################## Configure the slave node to use SSL ###################################
################ Slave node configuration file
thread_concurrency = 8
datadir = /mydata                        #### data directory
innodb_file_per_table = on               #### one file per InnoDB table
skip_name_resolve = on                   #### skip name resolution
ssl                                      #### enable SSL
ssl_ca = /etc/mysql/ssl/cacert.pem       #### CA certificate location
ssl_key = /etc/mysql/ssl/slave.key       #### slave node key
ssl_cert = /etc/mysql/ssl/slave.crt      #### slave node certificate
binlog_format=mixed                      #### binary log format
server-id = 10                           #### unique server-id (it must differ from the master's server-id, which is 10 above)
relay-log=relay-bin                      #### enable the relay log
read-only = on                           #### slave is read-only
[root@node3 CA ]# service mysqld start    #### start the slave node
Starting MySQL                                             [  OK  ]
mysql> show master status;
+-------------------+----------+--------------+------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000006 |      669 |              |                  |
+-------------------+----------+--------------+------------------+
############################ Configure the slave to connect to the master over SSL ##################################
mysql> change master to master_host='172.16.249.141',master_user='cpuser',master_password='magedu',master_log_file='master-bin.000006',master_log_pos=669,master_ssl=1,master_ssl_ca='/etc/mysql/ssl/cacert.pem',master_ssl_cert='/etc/mysql/ssl/slave.crt',master_ssl_key='/etc/mysql/ssl/slave.key';
Query OK, 0 rows affected (0.14 sec)
mysql> start slave;    ##### start the slave threads
Query OK, 0 rows affected (0.01 sec)
mysql> show slave status\G;    ##### check the status
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.249.141
                  Master_User: cpuser
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: master-bin.000006
          Read_Master_Log_Pos: 669
               Relay_Log_File: relay-bin.000002
                Relay_Log_Pos: 536
        Relay_Master_Log_File: master-bin.000006
             Slave_IO_Running: Yes    #### IO thread ready
            Slave_SQL_Running: Yes    #### SQL thread ready
              Replicate_Do_DB:
          Replicate_Ignore_DB:
           Replicate_Do_Table:
       Replicate_Ignore_Table:
      Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
                   Last_Errno: 0
                   Last_Error:
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 669
              Relay_Log_Space: 827
              Until_Condition: None
               Until_Log_File:
                Until_Log_Pos: 0
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/mysql/ssl/cacert.pem
           Master_SSL_CA_Path:
              Master_SSL_Cert: /etc/mysql/ssl/slave.crt
            Master_SSL_Cipher:
               Master_SSL_Key: /etc/mysql/ssl/slave.key
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
  Replicate_Ignore_Server_Ids:
             Master_Server_Id: 10
               Master_SSL_Crl: /etc/mysql/ssl/cacert.pem
           Master_SSL_Crlpath:
                   Using_Gtid: No
                  Gtid_IO_Pos:
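One field in the output above deserves a second look: Master_SSL_Verify_Server_Cert: No means the slave encrypts the link but never checks that the certificate the master presents chains to cacert.pem, so on the slave side the CA file is doing no work and a host that can answer on the master's address could be accepted. The following is an added example, not code from the original post: a small POSIX shell audit that reads SHOW SLAVE STATUS\G output and fails when the threads are not running, SSL is not in use, a CA/cert/key path is missing, or server verification is off. The embedded sample is constructed from the field values shown above; the hardened variant is the same text with verification turned on, which is what adding MASTER_SSL_VERIFY_SERVER_CERT=1 to the CHANGE MASTER TO statement produces.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SSL posture of a
# replication channel from "SHOW SLAVE STATUS\G" output. Live use, assuming
# a local mysql client:   mysql -e 'SHOW SLAVE STATUS\G' | sh this_script.sh check
set -eu

# Reads SHOW SLAVE STATUS\G text on stdin, prints one line per failed check,
# and returns 1 on any failure (0 when the channel is encrypted and the
# master certificate is verified against the CA).
check_slave_ssl_status() {
    awk '
        # "   Field_Name: value" -> f["Field_Name"] = "value"
        match($0, /^ *[A-Za-z_]+: ?/) {
            key = substr($0, RSTART, RLENGTH)
            sub(/^ */, "", key); sub(/: ?$/, "", key)
            f[key] = substr($0, RSTART + RLENGTH)
        }
        END {
            bad = 0
            if (f["Slave_IO_Running"] != "Yes")   { print "FAIL Slave_IO_Running=" f["Slave_IO_Running"]; bad++ }
            if (f["Slave_SQL_Running"] != "Yes")  { print "FAIL Slave_SQL_Running=" f["Slave_SQL_Running"]; bad++ }
            if (f["Master_SSL_Allowed"] != "Yes") { print "FAIL Master_SSL_Allowed=" f["Master_SSL_Allowed"] " (link is plaintext)"; bad++ }
            if (f["Master_SSL_CA_File"] == "")    { print "FAIL Master_SSL_CA_File is empty"; bad++ }
            if (f["Master_SSL_Cert"] == "")       { print "FAIL Master_SSL_Cert is empty"; bad++ }
            if (f["Master_SSL_Key"] == "")        { print "FAIL Master_SSL_Key is empty"; bad++ }
            if (f["Master_SSL_Verify_Server_Cert"] != "Yes") {
                print "FAIL Master_SSL_Verify_Server_Cert=" f["Master_SSL_Verify_Server_Cert"] " (master certificate not checked against the CA; use MASTER_SSL_VERIFY_SERVER_CERT=1)"
                bad++
            }
            if (bad == 0) print "OK channel is encrypted and the master certificate is verified"
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample: the SSL-relevant fields with the values the post shows.
sample_status_from_post() {
    cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.249.141
                  Master_User: cpuser
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/mysql/ssl/cacert.pem
              Master_SSL_Cert: /etc/mysql/ssl/slave.crt
               Master_SSL_Key: /etc/mysql/ssl/slave.key
Master_SSL_Verify_Server_Cert: No
             Master_Server_Id: 10
EOF
}

# Constructed: the same channel after CHANGE MASTER TO ... MASTER_SSL_VERIFY_SERVER_CERT=1
sample_status_hardened() {
    sample_status_from_post | sed 's/^\(Master_SSL_Verify_Server_Cert: *\)No$/\1Yes/'
}

# Stand-alone use: "check" audits stdin, "demo" runs both constructed samples
case "${1:-}" in
    check) check_slave_ssl_status ;;
    demo)  sample_status_hardened | check_slave_ssl_status
           sample_status_from_post | check_slave_ssl_status ;;
esac
```

Run with `demo` the hardened sample prints the OK line and the post's own status prints the Master_SSL_Verify_Server_Cert failure, which is the one change worth making to the CHANGE MASTER TO statement above. For the verification to succeed, the master's certificate must be issued by the CA named in master_ssl_ca, which is already the case here.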
############################### Test result ############################################
##### Create database tb1 on the master node
#### The slave node replicated it correctly
That completes the SSL-based master-slave replication setup!