1、實驗目的:
1.跨越互聯網加密複製mysql
mysql基於SSL加密鏈接,爲安全從服配置證書,從服拿帳號到主服複製時,必須獲得主服驗證。雙方創建SSL會話。
2、實驗架構
在分佈式架構中,時間必須同步
主節點: station20:192.168.1.20
從節點: station21:192.168.1.21
3、實驗步驟
1.創建ssh互信
[root@station20 ~]# echo -e "192.168.1.21\tstation21\tstation21.example.com" >> /etc/hosts [root@station20 ~]# echo -e "192.168.1.20\tmaster\tmaster.example.com" >> /etc/hosts [root@station20 ~]# echo -e "192.168.1.21\tslave\tslave.example.com" >> /etc/hosts [root@station20 ~]# mkdir .ssh [root@station20 ~]# chmod 700 .ssh [root@station20 ~]# ssh-keygen -t rsa [root@station20 ~]# service network reload [root@station21 ~]# echo -e "192.168.1.20\tstation20\tstation20.example.com" >> /etc/hosts [root@station21 ~]# echo -e "192.168.1.20\tmaster\tmaster.example.com" >> /etc/hosts [root@station21 ~]# echo -e "192.168.1.21\tslave\tslave.example.com" >> /etc/hosts [root@station21 ~]# mkdir .ssh && chmod 700 .ssh [root@station21 ~]# service network reload [root@station20 ~]# cat .ssh/id_rsa.pub >> .ssh/authorized_keys [root@station20 ~]# ssh root@slave cat .ssh/id_rsa.pub >> .ssh/authorized_keys [root@station20 ~]# scp .ssh/authorized_keys root@slave:.ssh/ [root@station20 ~]# hostname station20.example.com [root@station20 ~]# ssh root@slave 'hostname' station21.example.com
2. ntp源同步
[root@master ~]# yum -y install ntp [root@master ~]# ssh root@192.168.1.21 "yum -y install ntp" [root@master ~]# service ntpd start [root@master ~]# ssh root@192.168.1.21 "service ntpd start" #http://www.cnblogs.com/JemBai/archive/2012/04/15/2450045.html #北京郵電大學ntp源 #s1a.time.edu.cn [root@master ~]# ntpdate 202.112.10.60 23 May 06:26:20 ntpdate[2228]: the NTP socket is in use, exiting [root@master ~]# crontab -e */30 * * * * /usr/sbin/ntpdate 202.112.10.60 &>/dev/null [root@slave ~]# crontab -e */30 * * * * /usr/sbin/ntpdate 202.112.10.60 &>/dev/null [root@master ~]# service crond reload [root@master ~]# ssh root@192.168.1.21 "service crond reload"
3.用腳本安裝mysql,修改配置文件
[root@master ~]# source install-mysql.sh [root@master ~]# scp install-mysql.sh 192.168.1.21:/root/ [root@slave ~]# source install-mysql.sh [root@master ~]# vi /etc/my.cnf [mysqld] datadir = /mydata/data default_storage_engine = innodb innodb_file_per_table = 1 sync_binlog = 1 # Try number of CPU's*2 for thread_concurrency thread_concurrency = 2 binlog_format=mixed 配置主服務器 1.建立具備複製權限的用戶賬號; 2. 設置server-id; 3. 啓用二進制日誌; 主server-id = 1 主log-bin=/mydata/binlogs/master-bin 二進制日誌和中繼日誌必定要絕對路徑,爲安全必須掛載另外卷與數據卷分離 [root@master ~]# service mysqld restart [root@master ~]# mysql mysql>GRANT REPLICATION SLAVE,REPLICATION CLIENT ON *.* TO repluser@'192.168.1.%' IDENTIFIED BY 'replpass'; mysql>FLUSH PRIVILEGES; mysql> show master status; +-------------------+----------+--------------+------------------+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | +-------------------+----------+--------------+------------------+ | master-bin.000002 | 107 | | | +-------------------+----------+--------------+------------------+ [root@master ~]# ls /mydata/binlogs/ master-bin.000001 master-bin.000002 master-bin.index 從服務器: 啓用中繼日誌;(可選:關閉二進制日誌,只讀) 設置server-id; 啓動複製線程; 從server-id =2 從#log-bin=/mydata/binlogs/slave-bin 從庫只啓中繼,不用二進制日誌 從relay-log=/mydata/relaylogs/relay 從read-only = 1 從庫只讀 從skip_slave_start 跳過slave自啓動,不讓從庫I/O線程和 SQL線程自啓動 [root@slave ~]# service mysqld restart [root@slave ~]# mysql 從庫鏈接主庫 mysql> CHANGE MASTER TO \ MASTER_HOST='192.168.1.20', \ MASTER_USER='repluser', \ MASTER_PASSWORD='replpass'; 主從庫都是空庫,由於從當前主庫二進制日誌的開始位置複製,無需加master_log_file='master-bin.000002',master_log_pos=107起始位置參數,不然主庫mysqldump>db.sql,從庫關閉二進制日誌並導入,再打開二志,從庫鏈接主庫的指定二志當前位置開始 mysql>START SLAVE; 啓動從庫複製進程 mysql>SHOW SLAVE STATUS\G; ***************************1. 
row *************************** Slave_IO_State: Waiting for master to send event Master_Host: 192.168.1.20 Master_User: repluser Master_Port: 3306 Connect_Retry: 60 Master_Log_File: master-bin.000002 讀取主庫二進制文件 Read_Master_Log_Pos: 107 讀取日誌位置 Relay_Log_File: relay.000003 寫入中繼日誌文件 Relay_Log_Pos: 254 寫入中繼日誌位置 Relay_Master_Log_File: master-bin.000002 從庫複製主庫哪一個二進制日誌 Slave_IO_Running: Yes 主從複製I/O線程 Slave_SQL_Running: Yes 主從複製SQL線程
4. 配置master(192.168.1.20)成CA證書服務器
[root@master ~]# ls /etc/pki/CA certs crl newcerts private [root@master ~]# cd /etc/pki/CA [root@master CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus [root@master CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:sina Organizational Unit Name (eg, section) []:mysql Common Name (eg, your name or your server's hostname) []:master.example.com Email Address []: [root@master CA]# touch index.txt serial crlnumber [root@master CA]# echo 01 > serial [root@master CA]# ls cacert.pem certs crl crlnumber index.txt newcerts private serial
5.爲master(192.168.1.20)簽發證書
[root@master CA]# mkdir /usr/local/mysql/ssl [root@master CA]# cd /usr/local/mysql/ssl [root@master ssl]# (umask 077; openssl genrsa -out master.key 2048) Generating RSA private key, 2048 bit long modulus [root@master ssl]# openssl req -new -key master.key -out master.csr -days 36500 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:sina Organizational Unit Name (eg, section) []:mysql Common Name (eg, your name or your server's hostname) []:master.example.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@master ssl]# ls master.csr master.key [root@master ssl]# openssl ca -in master.csr -out master.crt -days 36500 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: May 23 06:41:59 2014 GMT Not After : Apr 29 06:41:59 2114 GMT Subject: countryName = CN stateOrProvinceName = Shanghai organizationName = sina organizationalUnitName = mysql commonName = master.example.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 63:A4:FC:A2:E2:D4:10:7E:67:6A:92:5B:EF:D2:64:41:04:04:6C:0E X509v3 Authority Key Identifier: keyid:5B:F9:87:AE:B4:BA:65:07:F9:9E:89:19:A9:16:3B:D5:E7:53:2F:CC Certificate is to be certified until Apr 29 06:41:59 2114 GMT (36500 days) Sign the certificate? 
[y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
6.slave(192.168.1.20)生成證書申請請求
[root@slave ~]# mkdir /usr/local/mysql/ssl [root@slave ~]# cd /usr/local/mysql/ssl [root@slave ssl]# (umask 077; openssl genrsa -out slave.key 2048) Generating RSA private key, 2048 bit long modulus [root@slave ssl]# openssl req -new -key slave.key -out slave.csr -days 36500 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:sina Organizational Unit Name (eg, section) []:mysql Common Name (eg, your name or your server's hostname) []:slave.example.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@slave ssl]# scp slave.csr root@192.168.1.20:/root
7.爲slave(192.168.1.21)簽發證書
[root@master ~]# openssl ca -in slave.csr -out slave.crt -days 36500 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: May 23 06:55:25 2014 GMT Not After : Apr 29 06:55:25 2114 GMT Subject: countryName = CN stateOrProvinceName = Shanghai organizationName = sina organizationalUnitName = mysql commonName = slave.example.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 19:64:2A:A8:8B:E3:B8:F8:67:4A:5F:4F:2F:CE:DC:A0:4C:06:60:F8 X509v3 Authority Key Identifier: keyid:5B:F9:87:AE:B4:BA:65:07:F9:9E:89:19:A9:16:3B:D5:E7:53:2F:CC Certificate is to be certified until Apr 29 06:55:25 2114 GMT (36500 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@master ~]# scp slave.crt root@192.168.1.21:/usr/local/mysql/ssl/ [root@master ~]# ls /usr/local/mysql/ssl/ master.crt master.csr master.key [root@master ~]# ssh root@192.168.1.21 "ls /usr/local/mysql/ssl/" slave.crt slave.csr slave.key
8.爲master和slave提供CA證書
[root@master~]# ls /etc/pki/CA cacert.pem certs crl crlnumber index.txt index.txt.attr index.txt.attr.old index.txt.old newcerts private serial serial.old [root@master~]# cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/ [root@master~]# scp /etc/pki/CA/cacert.pem root@192.168.1.21:/usr/local/mysql/ssl/ [root@master~]# chown -R mysql.mysql /usr/local/mysql/ssl [root@master~]# ll /usr/local/mysql/ssl 總用量 20 -rw-r--r--1 mysql mysql 1342 5月 23 15:04 cacert.pem -rw-r--r--1 mysql mysql 4476 5月 23 14:42 master.crt -rw-r--r--1 mysql mysql 1013 5月 23 14:39 master.csr -rw-------1 mysql mysql 1679 5月 23 14:37 master.key [root@master~]# ssh root@192.168.1.21 "chown -R mysql.mysql /usr/local/mysql/ssl" [root@master~]# ssh root@192.168.1.21 "ls -l /usr/local/mysql/ssl" 總用量 20 -rw-r--r--1 mysql mysql 1342 5月 23 15:04 cacert.pem -rw-r--r--1 mysql mysql 4471 5月 23 14:57 slave.crt -rw-r--r--1 mysql mysql 1013 5月 23 14:51 slave.csr -rw-------1 mysql mysql 1679 5月 23 14:50 slave.key
9.修改mysql配置文件開啓SSL加密
[root@master~]# vim /etc/my.cnf [mysqld]最後添加 ssl ssl_ca =/usr/local/mysql/ssl/cacert.pem ssl_key= /usr/local/mysql/ssl/master.key ssl_cert= /usr/local/mysql/ssl/master.crt [root@master~]# service mysqld restart [root@slave~]# vim /etc/my.cnf [mysqld]最後添加 ssl ssl_ca =/usr/local/mysql/ssl/cacert.pem ssl_key= /usr/local/mysql/ssl/slave.key ssl_cert= /usr/local/mysql/ssl/slave.crt [root@slave~]# service mysqld restart
10. 在master上驗證開啓SSL加密功能並建立基於密鑰認證用戶(注意:下方的 REQUIRE SSL 只要求連線加密,並不驗證從庫的證書;若要主庫真正驗證從庫證書,應改用 REQUIRE X509)
mysql>SHOW VARIABLES LIKE '%ssl%'; +---------------+----------------------------------+ | Variable_name | Value | +---------------+----------------------------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | /usr/local/mysql/ssl/cacert.pem | | ssl_capath | | | ssl_cert | /usr/local/mysql/ssl/master.crt | | ssl_cipher | | | ssl_key | /usr/local/mysql/ssl/master.key | +---------------+----------------------------------+ mysql>grant replication slave,replication client on *.* to 'repluser'@'192.168.1.%' identified by 'replpass' require ssl; mysql>flush privileges; mysql>show master status; +-------------------+----------+--------------+------------------+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | +-------------------+----------+--------------+------------------+ | master-bin.000004 | 107 | | | +-------------------+----------+--------------+------------------+
11. 在slave上驗證開啓SSL加密功能
[root@slave~]# mysql mysql>SHOW VARIABLES LIKE '%ssl%'; +---------------+----------------------------------+ |Variable_name | Value | +---------------+----------------------------------+ |have_openssl | YES | |have_ssl | YES | |ssl_ca |/usr/local/mysql/ssl/cacert.pem | |ssl_capath | | |ssl_cert |/usr/local/mysql/ssl/slave.crt | |ssl_cipher | | |ssl_key |/usr/local/mysql/ssl/slave.key | +---------------+----------------------------------+
12.slave重新連接master(注意:下方 CHANGE MASTER TO 未加 MASTER_SSL_VERIFY_SERVER_CERT=1,因此從庫不會驗證主庫的證書,狀態中 Master_SSL_Verify_Server_Cert 仍為 No;跨互聯網部署時應開啓)
mysql>stop slave; mysql>change master to \ master_host='192.168.1.20', \ master_user='repluser', \ master_password='replpass', \ master_log_file='master-bin.000004', \ master_log_pos=107, master_ssl=1, \ master_ssl_ca='/usr/local/mysql/ssl/cacert.pem', \ master_ssl_cert='/usr/local/mysql/ssl/slave.crt', \ master_ssl_key='/usr/local/mysql/ssl/slave.key'; mysql>start slave; mysql>show slave status\G; *************************** 1. row *************************** Slave_IO_State: Waiting for master to send event Master_Host: 192.168.1.20 Master_User: repluser Master_Port: 3306 Connect_Retry: 60 Master_Log_File: master-bin.000005 Read_Master_Log_Pos: 107 Relay_Log_File: relay.000003 Relay_Log_Pos: 254 Relay_Master_Log_File: master-bin.000005 Slave_IO_Running: Yes Slave_SQL_Running: Yes Replicate_Do_DB: Replicate_Ignore_DB: Replicate_Do_Table: Replicate_Ignore_Table: Replicate_Wild_Do_Table: Replicate_Wild_Ignore_Table: Last_Errno: 0 Last_Error: Skip_Counter: 0 Exec_Master_Log_Pos: 107 Relay_Log_Space: 547 Until_Condition: None Until_Log_File: Until_Log_Pos: 0 Master_SSL_Allowed: Yes Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem Master_SSL_CA_Path: Master_SSL_Cert: /usr/local/mysql/ssl/slave.crt Master_SSL_Cipher: Master_SSL_Key: /usr/local/mysql/ssl/slave.key Seconds_Behind_Master: 0 Master_SSL_Verify_Server_Cert: No Last_IO_Errno: 0 Last_IO_Error: Last_SQL_Errno: 0 Last_SQL_Error: Replicate_Ignore_Server_Ids: Master_Server_Id: 1 1 row in set (0.00 sec)
13.同步驗證
13.1 在master上新建數據庫school
mysql>create database school; mysql>show databases; +--------------------+ |Database | +--------------------+ |information_schema | |mysql | |performance_schema | |school | |test | +--------------------+
13.2在slave上驗證自動複製成功
mysql>show databases; +--------------------+ |Database | +--------------------+ |information_schema | |mysql | |performance_schema | |school | |test | +--------------------+