mysql基於SSL實現主從復制
mysql數據庫基於SSL實現主從復制
實驗環境:
node1:192.168.4.61
node2:192.168.4.62
CA:192.168.4.63
node1和node2時間同步
[root@node1~]#ntpdate 172.18.0.1
[root@node2~]#ntpdate 172.18.0.1
[root@node1~]#vim /etc/chrony.conf #node1和node2操作一樣
[root@node1~]#systemctl start chronyd.service #啟動服務
node1和node2基於key連接
[root@node1~]#ssh-keygen
[root@node1~]#ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.4.62#將公鑰復制到node2上
node2操作和node1操作相同。
修改hosts文件
node1和node2配置相同
[root@node1~]#vim /etc/hosts
3 192.168.4.61 node1 4 192.168.4.62 node2
確保關閉iptables和selinux
node1和node2安裝mariadb數據庫
[root@node1~]#yum install -y mariadb-server
[root@node2~]#yum install -y mariadb-server
配置node1為主服務器
[root@node1~]#vim /etc/my.cnf.d/server.cnf
[root@node1~]#systemctl start mariadb #啟動mariadb服務
MariaDB [(none)]> GRANT REPLICATION CLIENT,REPLICATION SLAVE ON *.* TO ‘joah‘@‘192.168.4.62‘ IDENTIFIED BY ‘123456‘; #對用戶授權
查看是否開啟二進制日誌
MariaDB [(none)]> SHOW VARIABLES LIKE ‘%log%bin%‘;
在node1上二進制日誌狀態信息
MariaDB [(none)]> SHOW MASTER STATUS;
配置node2從服務器
[root@node2~]#vim /etc/my.cnf.d/server.cnf
[root@node2~]#systemctl start mariadb #啟動mariadb服務
MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST=‘192.168.4.61‘,MASTER_USER=‘joah‘,MASTER_PASSWORD=‘123456‘,MASTER_LOG_FILE=‘master-log.000003‘,MASTER_LOG_POS=417; #設置連接主服務器
啟動從服務器
MariaDB [(none)]> START SLAVE;
啟動IO線程和SQL線程
MariaDB [(none)]> START SLAVE IO_THREAD,SQL_THREAD;
查看從服務器狀態
MariaDB [(none)]> START SLAVE IO_THREAD,SQL_THREAD;
如果出現圖中紅框中的信息說明已經啟動成功。
測試是否已經實現主從復制
實現SSL功能
搭建CA服務器
[root@CA/etc/pki/CA]#touch index.txt
[root@CA/etc/pki/CA]#echo 01 > serial
生成key文件
[root@CA/etc/pki/CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
生成自簽證書
[root@CA/etc/pki/CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
node1生成證書
[root@node1~]#mkdir /etc/mysql/ssl -pv
[root@node1~]#chown mysql.mysql /etc/mysql/ssl/ -R
[root@node1/etc/mysql/ssl]#(umask 077;openssl genrsa -out master.key 2048)[root@node1/etc/mysql/ssl]#openssl req -new -key master.key -out master.csr
[root@node1/etc/mysql/ssl]#scp master.csr 192.168.4.63:/etc/pki/CA/newcerts/
[root@CA/etc/pki/CA/newcerts]#openssl ca -in master.csr -out master.crt -days 365
[root@CA/etc/pki/CA/newcerts]#scp master.crt ../cacert.pem 192.168.4.61:/etc/mysql/ssl
[root@node1~]#vim /etc/my.cnf.d/server.cnf
[root@node1~]#systemctl restart mariadb
查看是否開啟SSL功能
node2生成證書
[root@node2~]#mkdir /etc/mysql/ssl -pv
[root@node2~]#chown mysql.mysql /etc/mysql/ssl/ -R
[root@node2/etc/mysql/ssl]#(umask 077;openssl genrsa -out slave.key 2048)
[root@node2/etc/mysql/ssl]#openssl req -new -key slave.key -out slave.csr
[root@node2/etc/mysql/ssl]#scp slave.csr 192.168.4.63:/etc/pki/CA/newcerts
[root@CA/etc/pki/CA/newcerts]#openssl ca -in slave.csr -out slave.crt -days 365
[root@CA/etc/pki/CA/newcerts]#scp slave.crt ../cacert.pem 192.168.4.62:/etc/mysql/ssl
[root@node2/etc/mysql/ssl]#vim /etc/my.cnf.d/server.cnf
重啟服務
[root@node2/etc/mysql/ssl]#systemctl restart mariadb
基於SSL連接
node1授權
MariaDB [(none)]> GRANT REPLICATION CLIENT,REPLICATION SLAVE ON *.* TO ‘joah‘@‘192.168.4.62‘ IDENTIFIED BY ‘123456‘ REQUIRE SSL;
測試
[root@node2~]#mysql -ujoah -p123456 -h192.168.4.61 --ssl
node2連接主服務器以ssl復制
MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST=‘192.168.4.61‘,MASTER_USER=‘joah‘,MASTER_PASSWORD=‘123456‘,MASTER_LOG_FILE=‘master-log.000008‘,MASTER_LOG_POS=429,MASTER_SSL=1,MASTER_SSL_CA=‘/etc/mysql/ssl/cacert.pem‘,MASTER_SSL_CERT=‘/etc/mysql/ssl/slave.crt‘,MASTER_SSL_KEY=‘/etc/mysql/ssl/slave.key‘; MariaDB [(none)]> START SLAVE; #啟動從服務器 MariaDB [(none)]> SHOW SLAVE STATUS\G;
小結
(1)如果你已經正確的添加了證書,但是啟動以後還是沒有啟動SSL功能,有可能沒有權限
[root@node2~]#chown mysql.mysql -R /etc/mysql/ssl
(2)如果出現圖片中的問題,停止slave即可
(3)每一個過程中都需要驗證是否成功然後進行下面的操作。
本文出自 “Joah” 博客,請務必保留此出處http://merit.blog.51cto.com/10757694/1980965
mysql基於SSL實現主從復制