20190225 實驗:實現基於SSL加密的主從復制
實驗步驟: 環境:三臺主機,一臺CA:200,一臺master:150 ,一臺slave:100
平時都是在CA上幫用戶生成私鑰,在服務器上做的
1 CA,master,slave 的證書相關文件
mkdir /etc/my.cnf.d/ssl
cd /etc/my.cnf.d/ssl
openssl genrsa 2048 > cakey.pem
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
給master 頒發證書
openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr
給slave 頒發證書
openssl req -newkey rsa:2048 -days 365 -nodes -keyout slave.key > slave.csr
openssl x509 -req -in slave.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt
root@CA ssl]#ls /etc/my.cnf.d/ssl/
scp -r /etc/my.cnf.d/ssl master:/etc/my.cnf.d/
scp -r /etc/my.cnf.d/ssl slave:/etc/my.cnf.d/
2 master
vim /etc/my.cnf
[mysqld]
log-bin
server-id=17
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-key=/etc/my.cnf.d/ssl/master.key
mysql> grant replication slave on . to ssluser@‘192.168.35.%‘ identified by ‘centos‘ require ssl ;
3 slave
vim /etc/my.cnf
[mysqld]
server-id=27
read-only
mysql> CHANGE MASTER TO
MASTER_HOST=‘master‘,
MASTER_USER=‘ssluser‘,
MASTER_PASSWORD=‘centos‘,
MASTER_PORT=3306,
MASTER_LOG_FILE=‘mariadb-bin.000003‘,
MASTER_LOG_POS=7821,
MASTER_SSL=1,
MASTER_SSL_CA = ‘/etc/my.cnf.d/ssl/cacert.pem‘,
MASTER_SSL_CERT = ‘/etc/my.cnf.d/ssl/slave.crt‘,
MASTER_SSL_KEY = ‘/etc/my.cnf.d/ssl/slave.key‘;
mysql>start slave;
1、150主機修改配置文件:加入“log_bin server_id=150” 100主機修改配置文件:加入“server_id=100 read_only”
150master:[root@centos7 ~]#vim /etc/my.cnf
[root@centos7 ~]#systemctl restart mariadb
[root@centos7 ~]#mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
MariaDB [(none)]> grant replication slave on . to repluser@‘192.168.141.%‘ identified by ‘123gxy‘; 創建用戶
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> show master logs;
+--------------------+-----------+
| Log_name | File_size |
+--------------------+-----------+
| mariadb-bin.000001 | 401 |
+--------------------+-----------+
1 row in set (0.00 sec)
100slave:MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST=‘192.168.141.150‘, MASTER_USER=‘repluser‘, MASTER_PASSWORD=‘123gxy‘, MASTER_PORT=3306, MASTER_LOG_FILE=‘mariadb-bin.000001‘, MASTER_LOG_POS=245;
Query OK, 0 rows affected (0.02 sec)
MariaDB [(none)]> start slave;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show slave status\G;
1. row
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.141.150
Master_User: repluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000001
Read_Master_Log_Pos: 401
Relay_Log_File: mariadb-relay-bin.000002
Relay_Log_Pos: 687
Relay_Master_Log_File: mariadb-bin.000001
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 401
Relay_Log_Space: 983
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
1 row in set (0.00 sec)
ERROR: No query specified
MariaDB [(none)]> select user,host from mysql.user;
+----------+---------------+
| user | host |
+----------+---------------+
| root | 127.0.0.1 |
| repluser | 192.168.141.% |
| root | ::1 |
| root | localhost |
+----------+---------------+
4 rows in set (0.00 sec) 可見此時已經連接master。
2、[root@CA ~]#mkdir /etc/my.cnf.d/ssl 專門存放證書
[root@CA ssl]#openssl genrsa 2048 > cakey.pem 生成CA的私鑰
Generating RSA private key, 2048 bit long modulus
.....................................................................................................+++
.................................+++
e is 65537 (0x10001)
[root@CA ssl]#openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:huayixiongdi
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server‘s hostname) []:ca.magedu.com
Email Address []:
[root@CA ssl]#ll 這是CA給自己頒發的自簽名的證書
total 8
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
[root@CA ssl]#openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr 生成master的私鑰文件
Generating a 2048 bit RSA private key
.........................+++
....................................................+++
writing new private key to ‘master.key‘
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:huayixiongdi
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server‘s hostname) []:master.huayixiongdi.com
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CA ssl]#ll
total 16
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key
3、頒發CA證書:
[root@CA ssl]#openssl x509 -req -in master.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huayixiongdi/OU=devops/CN=master.huayixiongdi.com
Getting CA Private Key
[root@CA ssl]#ll
total 20
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1233 Feb 26 16:15 master.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key 有三個文件
[root@CA ssl]#openssl x509 -req -in slave.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > slave.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huayixiongdi/OU=devops/CN=slave.huayixiongdi.com
Getting CA Private Key
[root@CA ssl]#ll
total 32
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1233 Feb 26 16:15 master.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key
-rw-r--r--. 1 root root 1229 Feb 26 16:51 slave.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:18 slave.csr
-rw-r--r--. 1 root root 1704 Feb 26 16:18 slave.key
主服務器此時沒開啟加密:
MariaDB [(none)]> show variables like‘%ssl%‘;
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
MariaDB [(none)]> show variables like‘%ssl%‘;
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+-------+
master:[root@centos7 ssl]#vim /etc/my.cnf
[mysqld]
log_bin
server_id=150
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key
MariaDB [(none)]> show variables like‘%ssl%‘;
+---------------+------------------------------+
| Variable_name | Value |
+---------------+------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/my.cnf.d/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /etc/my.cnf.d/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /etc/my.cnf.d/ssl/master.key |
+---------------+------------------------------+
7 rows in set (0.00 sec)
我們用秘鑰登陸:
[root@centos7 ssl]#mysql -ussluser -p123gxy -h 192.168.141.150 --ssl-ca=cacert.pem --ssl-cert=slave.crt --ssl-key=slave.key
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
MariaDB [(none)]> status
mysql Ver 15.1 Distrib 5.5.60-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 7
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-GCM-SHA384
Current pager: stdout
Using outfile: ‘‘
Using delimiter: ;
Server: MariaDB
Server version: 5.5.60-MariaDB MariaDB Server
Protocol version: 10
Connection: 192.168.141.150 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 8 min 25 sec
普通登錄:
[root@centos7 ssl]#mysql -ussluser -p123gxy -h 192.168.141.150
ERROR 1045 (28000): Access denied for user ‘ssluser‘@‘192.168.141.100‘ (using password: YES)
[root@centos7 ssl]#mysql -urepluser -p123gxy -h 192.168.141.150
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
MariaDB [(none)]> status;
mysql Ver 15.1 Distrib 5.5.60-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 9
Current database:
Current user: [email protected]
SSL: Not in use
Current pager: stdout
Using outfile: ‘‘
Using delimiter: ;
Server: MariaDB
Server version: 5.5.60-MariaDB MariaDB Server
Protocol version: 10
Connection: 192.168.141.150 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 11 min 7 sec
5、master:MariaDB [(none)]> show master logs;
+--------------------+-----------+
| Log_name | File_size |
+--------------------+-----------+
| mariadb-bin.000001 | 420 |
| mariadb-bin.000002 | 264 |
| mariadb-bin.000003 | 264 |
| mariadb-bin.000004 | 7897 |
+--------------------+-----------+
4 rows in set (0.00 sec) 已經7897了
MariaDB [(none)]> stop slave;
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> reset slave all;
Query OK, 0 rows affected (0.01 sec) 關閉清空slave的復制
重新建: 在slave:
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST=‘192.168.141.150‘,
-> MASTER_USER=‘ssluser‘,
-> MASTER_PASSWORD=‘123gxy‘,
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE=‘mariadb-bin.000004‘,
-> MASTER_LOG_POS=7897,
-> MASTER_SSL=1,
-> MASTER_SSL_CA = ‘/etc/my.cnf.d/ssl/cacert.pem‘,
-> MASTER_SSL_CERT = ‘/etc/my.cnf.d/ssl/slave.crt‘,
-> MASTER_SSL_KEY = ‘/etc/my.cnf.d/ssl/slave.key‘;
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> show slave status\G
1. row
Slave_IO_State:
Master_Host: 192.168.141.150
Master_User: ssluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000004
Read_Master_Log_Pos: 7897
Relay_Log_File: mariadb-relay-bin.000001
Relay_Log_Pos: 4
Relay_Master_Log_File: mariadb-bin.000004
Slave_IO_Running: No
Slave_SQL_Running: No
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 7897
Relay_Log_Space: 245
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
1 row in set (0.00 sec)
這時,開啟從服務器:
DB [(none)]> start slave;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show slave status\G
1. row
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.141.150
Master_User: ssluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000004
Read_Master_Log_Pos: 7897
Relay_Log_File: mariadb-relay-bin.000002
Relay_Log_Pos: 531
Relay_Master_Log_File: mariadb-bin.000004
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 7897
Relay_Log_Space: 827
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
在master上創建用戶:
MariaDB [(none)]> create database db1;
Query OK, 1 row affected (0.00 sec)
slave上馬上回顯示:
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| db1 |
| hellodb |
| mysql |
| performance_schema |
+--------------------+
5 rows in set (0.00 sec)
至此,本實驗結束!
20190225 實驗:實現基於SSL加密的主從復制