centos编译安装配置支持ssl加密的mysql replication

参考文章：http://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4

外国人写文章真严谨，步骤详尽，讲解明了，我除了安装方式使用了源代码编译，其余部分基本都是照做，操作步骤写在这里，仅做记录。

测试环境准备：

准备两台计算机，一台master，一台slave，配置随便，反正centos只安装字符界面，不需要太好配置，当然配置越低，编译安装速度越慢，如果你找不到计算机，手头只有一台计算机，那么用virtualbox虚拟然后搭网桥一样可以模拟一台局域网计算机，为了学习技术，有条件上，没有条件也要创造条件上！

master服务器

192.168.90.216

centOS 5.3 x86_64

mysql-5.0.67

slave服务器

192.168.90.89

centOS 5.3 x86_64

mysql-5.0.67

编译安装mysql，主从服务器的操作都一样

tar zxvf mysql-5.0.67.tgz

cd mysql-5.0.67

./configure --prefix=/usr/local/mysql --sysconfdir=/etc --with-openssl --with-vio

make

make install

准备配置文件和启动脚本

cp support-files/my-medium.cnf /etc/my.cnf

cp support-files/mysql.server /etc/rc.d/init.d/mysqld

设置自动启动

chmod 700 /etc/rc.d/init.d/mysqld

chkconfig --add mysqld

chkconfig --level 345 mysqld on

初始化授权表

cd /usr/local/mysql/bin

./mysql_install_db --user=mysql

启动mysql

service mysqld start

加入环境变量

for i in *; do ln -s /usr/local/mysql/bin/$i /usr/bin/$i; done

给数据库root用户加上密码

mysqladmin -u root password 密码

登录mysql检查

mysql -u root -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 2

Server version: 5.0.67-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show variables like '%ssl%';

+---------------+----------+

| Variable_name | Value |

+---------------+----------+

| have_openssl | DISABLED |

| have_ssl | DISABLED |

| ssl_ca | |

| ssl_capath | |

| ssl_cert | |

| ssl_cipher | |

| ssl_key | |

+---------------+----------+

7 rows in set (0.00 sec)

如果mysql输出如上所述，那么继续操作开启ssl；如果不是，重新编译安装mysql，注意生成makefile时填写参数正确。

退出mysql，编辑/etc/my.cnf

在[mysqld]章节最后，即[mysqld]和[mysqldump]之间，加入下列配置信息：

user=mysql

# Default to using old password format for compatibility with mysql 3.x

# clients (those using the mysqlclient10 compatibility package).

old_passwords=1

ssl

[mysqld_safe]

log-error=/var/log/mysqld.log

pid-file=/var/run/mysqld/mysqld.pid

保存后重新启动mysql，再次登录mysql

mysql -u root -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 1

Server version: 5.0.67-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show variables like '%ssl%';

+---------------+-------+

| Variable_name | Value |

+---------------+-------+

| have_openssl | YES |

| have_ssl | YES |

| ssl_ca | |

| ssl_capath | |

| ssl_cert | |

| ssl_cipher | |

| ssl_key | |

+---------------+-------+

7 rows in set (0.00 sec)

输出结果显示YES，现在ssl被完美启动起来了。

对主从服务器进行配置

在master服务器上为mysql的bin-log创建存放日志的目录

mkdir /var/log/mysql

chown mysql:mysql /var/log/mysql

在master服务器上生成ssl秘钥

mkdir -p /etc/mysql/newcerts

cd /etc/mysql/newcerts

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem

openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem

openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

查看一下都生成了什么文件

ls -alh

total 40K

drwxr-xr-x 2 root root 4.0K Feb 20 15:08 .

drwxr-xr-x 3 root root 4.0K Feb 20 15:02 ..

-rw-r--r-- 1 root root 1.6K Feb 20 15:06 ca-cert.pem

-rw-r--r-- 1 root root 1.7K Feb 20 15:03 ca-key.pem

-rw-r--r-- 1 root root 1.3K Feb 20 15:08 client-cert.pem

-rw-r--r-- 1 root root 1.7K Feb 20 15:08 client-key.pem

-rw-r--r-- 1 root root 1.1K Feb 20 15:08 client-req.pem

-rw-r--r-- 1 root root 1.3K Feb 20 15:07 server-cert.pem

-rw-r--r-- 1 root root 1.7K Feb 20 15:07 server-key.pem

-rw-r--r-- 1 root root 1.1K Feb 20 15:07 server-req.pem

好了，秘钥生成了，下面需要做的是把ca-cert.pem、client-cert.pem、and client-key.pem拷贝到slave服务器上，首先我们在slave服务器上创建同样的文件夹。

mkdir -p /etc/mysql/newcerts

现在在master服务器上把秘钥文件拷贝到slave服务器上

scp /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/client-cert.pem /etc/mysql/newcerts/client-key.pem root@192.168.0.101:/etc/mysql/newcerts

我们继续修改master服务器上的mysql配置文件，打开/etc/my.cnf

在我们刚才添加的配置代码中增加三行，如下：

user=mysql

# Default to using old password format for compatibility with mysql 3.x

# clients (those using the mysqlclient10 compatibility package).

old_passwords=1

ssl

ssl-ca=/etc/mysql/newcerts/ca-cert.pem

ssl-cert=/etc/mysql/newcerts/server-cert.pem

ssl-key=/etc/mysql/newcerts/server-key.pem

[mysqld_safe]

log-error=/var/log/mysqld.log

pid-file=/var/run/mysqld/mysqld.pid

重新启动mysql

现在我们在master服务器上登录mysql，创建帐号并提供给slave服务器以便访问master服务器。

mysql -u root -p

输入如下命令创建帐号：

GRANT REPLICATION SLAVE ON *.* TO 'slave用户名'@'%' IDENTIFIED BY 'slave密码' REQUIRE SSL;

FLUSH PRIVILEGES;

quit;

我们继续修改master服务器的mysql配置文件，填写需要读写分离的数据库名。打开/etc/my.cnf，

修改我们前面填写的配置代码如下：

user=mysql

# Default to using old password format for compatibility with mysql 3.x

# clients (those using the mysqlclient10 compatibility package).

old_passwords=1

ssl

ssl-ca=/etc/mysql/newcerts/ca-cert.pem

ssl-cert=/etc/mysql/newcerts/server-cert.pem

ssl-key=/etc/mysql/newcerts/server-key.pem

server-id = 1

log_bin = /var/log/mysql/mysql-bin.log

expire_logs_days = 10

max_binlog_size = 100M

binlog_do_db = test

[mysqld_safe]

log-error=/var/log/mysqld.log

pid-file=/var/run/mysqld/mysqld.pid

重新启动master服务器上的mysql

登录mysql，把需要读写分离的数据库导出生成sql文件并提供给slave服务器用，操作期间需要锁表，等操作完毕，再解锁。

mysql -u root -p

USE test;

FLUSH TABLES WITH READ LOCK;

继续查看master状态，查看mysql输出信息如下：

mysql> show master status;

+------------------+----------+--------------+------------------+

| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |

+------------------+----------+--------------+------------------+

| mysql-bin.000002 | 98 | test | |

+------------------+----------+--------------+------------------+

1 row in set (0.00 sec)

连接mysql的shell别关闭，因为一旦关闭mysql就解锁了。再打开一个终端窗口，导出sql文件并拷贝到slave服务器上。

cd /tmp

mysqldump -u root -p密码 --opt test > test.sql

scp test.sql root@192.168.90.89:/tmp

好了，现在我们可以把master服务器上的mysql终端关闭退出了，继续输入：

UNLOCK TABLES;

quit;

让我们开始配置slave服务器，打开编辑mysql的配置文件/etc/my.cnf

在[mysqld]和[mysqldump]之间的章节加入如下配置代码：

user=mysql

# Default to using old password format for compatibility with mysql 3.x

# clients (those using the mysqlclient10 compatibility package).

old_passwords=1

ssl

# server-id　必须唯一，尤其要与master服务器上的配置区别开来

server-id=2

master-connect-retry=60

replicate-do-db=test

[mysqld_safe]

log-error=/var/log/mysqld.log

pid-file=/var/run/mysqld/mysqld.pid

重新启动slave服务器上的mysql

接下来我们首先停掉slave服务器上的mysql slave服务

mysqladmin --user=root --password=密码 stop-slave

然后我们导入sql文件

mysql -u root -p密码 test < test.sql

现在登录slave服务器上的mysql

mysql -u root -p

参考刚才在master服务器mysql终端输入show master status命令打印出来的结果，我们输入以下命令并执行：

CHANGE MASTER TO MASTER_HOST='master服务器地址', MASTER_USER='slave用户名', MASTER_PASSWORD='slave密码', MASTER_LOG_FILE='打印结果的File值', MASTER_LOG_POS=打印结果的Position值, MASTER_SSL=1, MASTER_SSL_CA = '/etc/mysql/newcerts/ca-cert.pem', MASTER_SSL_CERT = '/etc/mysql/newcerts/client-cert.pem', MASTER_SSL_KEY = '/etc/mysql/newcerts/client-key.pem';

启动slave服务：

START SLAVE;

现在来看一下slave的状态，mysql返回结果为：

mysql> show slave status\G;

*************************** 1. row ***************************

Slave_IO_State: Waiting for master to send event

Master_Host: 192.168.90.216

Master_User: slaveusr

Master_Port: 3306

Connect_Retry: 60

Master_Log_File: mysql-bin.000002

Read_Master_Log_Pos: 98

Relay_Log_File: slave-relay-bin.000002

Relay_Log_Pos: 235

Relay_Master_Log_File: mysql-bin.000002

Slave_IO_Running: Yes

Slave_SQL_Running: Yes

Replicate_Do_DB: test

Replicate_Ignore_DB:

Replicate_Do_Table:

Replicate_Ignore_Table:

Replicate_Wild_Do_Table:

Replicate_Wild_Ignore_Table:

Last_Errno: 0

Last_Error:

Skip_Counter: 0

Exec_Master_Log_Pos: 98

Relay_Log_Space: 235

Until_Condition: None

Until_Log_File:

Until_Log_Pos: 0

Master_SSL_Allowed: Yes

Master_SSL_CA_File: /etc/mysql/newcerts/ca-cert.pem

Master_SSL_CA_Path:

Master_SSL_Cert: /etc/mysql/newcerts/client-cert.pem

Master_SSL_Cipher:

Master_SSL_Key: /etc/mysql/newcerts/client-key.pem

Seconds_Behind_Master: 0

1 row in set (0.00 sec)

好了，现在我们在master服务器上操作mysql插入一条数据，slave服务器的mysql也会更新同样的一条数据，删除亦会同步，mysql replication配置完毕。