Compiling, installing and configuring MySQL replication with SSL encryption on CentOS
2011-03-07 12:18
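Reference article: http://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4
Articles written by foreigners are really rigorous: the steps are detailed and the explanations are clear. Apart from installing by compiling from source, I basically followed the rest as written. I am writing the steps down here purely as a record.
Preparing the test environment:
Prepare two computers, one as the master and one as the slave. The hardware does not matter: CentOS is installed with only the text-mode interface, so nothing powerful is needed, although the weaker the machine, the slower the compile and install. If you cannot find a second computer and only have one at hand, you can use VirtualBox with a bridged network adapter to simulate another machine on the LAN. For the sake of learning: if the conditions are there, go ahead; if they are not, create them and go ahead anyway!
Master server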
192.168.90.216
centOS 5.3 x86_64
mysql-5.0.67
Slave server
192.168.90.89
centOS 5.3 x86_64
mysql-5.0.67
Compile and install MySQL; the steps are the same on the master and the slave
tar zxvf mysql-5.0.67.tgz
cd mysql-5.0.67
./configure --prefix=/usr/local/mysql --sysconfdir=/etc --with-openssl --with-vio
make
make install
Prepare the configuration file and the startup script
cp support-files/my-medium.cnf /etc/my.cnf
cp support-files/mysql.server /etc/rc.d/init.d/mysqld
Enable automatic startup
chmod 700 /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
chkconfig --level 345 mysqld on
Initialize the grant tables
cd /usr/local/mysql/bin
./mysql_install_db --user=mysql
Start MySQL
service mysqld start
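Make the MySQL programs available on the PATH (run this while still in /usr/local/mysql/bin; it symlinks them into /usr/bin)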
for i in *; do ln -s /usr/local/mysql/bin/$i /usr/bin/$i; done
Set a password for the database root user
mysqladmin -u root password 'your_password'
Log in to MySQL and check
mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.67-log Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
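If MySQL prints the output above, continue and enable SSL; if not, recompile and reinstall MySQL, making sure the configure options are correct when generating the Makefile.
Exit MySQL and edit /etc/my.cnf
At the end of the [mysqld] section, i.e. between [mysqld] and [mysqldump], add the following settings: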
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
ssl
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Save the file, restart MySQL, and log in to MySQL again
mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.67-log Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+-------+
7 rows in set (0.00 sec)
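The output shows YES, so SSL is now up and running perfectly.
Configuring the master and slave servers
On the master server, create a directory to hold MySQL's binary logs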
mkdir /var/log/mysql
chown mysql:mysql /var/log/mysql
On the master server, generate the SSL keys
mkdir -p /etc/mysql/newcerts
cd /etc/mysql/newcerts
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
Check which files were generated
ls -alh
total 40K
drwxr-xr-x 2 root root 4.0K Feb 20 15:08 .
drwxr-xr-x 3 root root 4.0K Feb 20 15:02 ..
-rw-r--r-- 1 root root 1.6K Feb 20 15:06 ca-cert.pem
-rw-r--r-- 1 root root 1.7K Feb 20 15:03 ca-key.pem
-rw-r--r-- 1 root root 1.3K Feb 20 15:08 client-cert.pem
-rw-r--r-- 1 root root 1.7K Feb 20 15:08 client-key.pem
-rw-r--r-- 1 root root 1.1K Feb 20 15:08 client-req.pem
-rw-r--r-- 1 root root 1.3K Feb 20 15:07 server-cert.pem
-rw-r--r-- 1 root root 1.7K Feb 20 15:07 server-key.pem
-rw-r--r-- 1 root root 1.1K Feb 20 15:07 server-req.pem
Good, the keys have been generated. The next step is to copy ca-cert.pem, client-cert.pem and client-key.pem to the slave server. First, create the same directory on the slave server.
mkdir -p /etc/mysql/newcerts
Now, on the master server, copy the key files to the slave server
scp /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/client-cert.pem /etc/mysql/newcerts/client-key.pem root@192.168.90.89:/etc/mysql/newcerts
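The `ls -alh` listing above shows every private key world-readable (`-rw-r--r--`), and only three of the files are meant to reach the slave. The following audit of a certificate directory is an added example, not part of the original article; the function names and the `master`/`slave` role argument are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article. Role names are assumptions.
# audit_cert_dir DIR master|slave: print one line per finding, return 1 if any.
audit_cert_dir() {
    dir=$1; role=$2; rc=0
    case $role in
        master) need="ca-cert.pem server-cert.pem server-key.pem"; forbid="" ;;
        slave)  need="ca-cert.pem client-cert.pem client-key.pem"
                forbid="ca-key.pem server-key.pem" ;;
        *) echo "usage: audit_cert_dir DIR master|slave" >&2; return 2 ;;
    esac
    for f in $need; do
        if [ ! -f "$dir/$f" ]; then echo "MISSING $f"; rc=1; fi
    done
    # The CA key and the server key never need to leave the master.
    for f in $forbid; do
        if [ -e "$dir/$f" ]; then echo "UNEXPECTED $f"; rc=1; fi
    done
    # Report every private key that has any group or other permission bit set.
    for p in "$dir"/*-key.pem; do
        [ -f "$p" ] || continue
        hit=$(find "$p" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \))
        if [ -n "$hit" ]; then echo "LOOSE_PERMS ${p##*/}"; rc=1; fi
    done
    return $rc
}

# Constructed fixture: empty files with the names and mode (644) of the
# article's `ls -alh` listing on the master.
make_fixture() {
    d=$(mktemp -d) || return 1
    for f in ca-cert.pem ca-key.pem client-cert.pem client-key.pem \
             server-cert.pem server-key.pem; do
        : > "$d/$f" && chmod 644 "$d/$f"
    done
    echo "$d"
}

fixture=$(make_fixture)
audit_cert_dir "$fixture" master || echo "master directory needs attention"
rm -rf "$fixture"
```

Because my.cnf runs mysqld as `user=mysql`, a key that mysqld must read (server-key.pem on the master, client-key.pem on the slave) has to be owned by `mysql` before it is restricted to mode 600.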
Continue editing the MySQL configuration file on the master server: open /etc/my.cnf
Add three lines to the configuration we added earlier, as follows:
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Restart MySQL
Now log in to MySQL on the master server and create an account that the slave server will use to access the master server.
mysql -u root -p
Enter the following commands to create the account:
GRANT REPLICATION SLAVE ON *.* TO 'slave_username'@'%' IDENTIFIED BY 'slave_password' REQUIRE SSL;
FLUSH PRIVILEGES;
quit;
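Continue editing the MySQL configuration file on the master server, filling in the name of the database to be used for read/write splitting. Open /etc/my.cnf and
change the configuration we added earlier to the following: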
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
binlog_do_db = test
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
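Restart MySQL on the master server
Log in to MySQL and dump the database to be used for read/write splitting to an SQL file for the slave server. The tables must be locked during this operation and unlocked once it is finished.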
mysql -u root -p
USE test;
FLUSH TABLES WITH READ LOCK;
Next, check the master status; MySQL prints the following:
mysql> show master status;
+------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000002 | 98 | test | |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
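Do not close the shell that is connected to MySQL, because the lock is released as soon as it is closed. Open another terminal window, dump the SQL file and copy it to the slave server.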
cd /tmp
mysqldump -u root -p'your_password' --opt test > test.sql
scp test.sql root@192.168.90.89:/tmp
Good, now the MySQL session on the master server can be closed. In that session, enter:
UNLOCK TABLES;
quit;
Now configure the slave server: open the MySQL configuration file /etc/my.cnf for editing
In the section between [mysqld] and [mysqldump], add the following configuration:
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
ssl
# server-id must be unique, and in particular must differ from the one configured on the master server
server-id=2
master-connect-retry=60
replicate-do-db=test
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
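Restart MySQL on the slave server
Next, first stop the MySQL slave service on the slave server
mysqladmin --user=root --password='your_password' stop-slave
Then import the SQL file
mysql -u root -p'your_password' test < /tmp/test.sql
Now log in to MySQL on the slave server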
mysql -u root -p
Referring to the output of the show master status command run earlier in the MySQL session on the master server, enter and execute the following command:
CHANGE MASTER TO MASTER_HOST='master_server_address', MASTER_USER='slave_username', MASTER_PASSWORD='slave_password', MASTER_LOG_FILE='<File value from the output>', MASTER_LOG_POS=<Position value from the output>, MASTER_SSL=1, MASTER_SSL_CA = '/etc/mysql/newcerts/ca-cert.pem', MASTER_SSL_CERT = '/etc/mysql/newcerts/client-cert.pem', MASTER_SSL_KEY = '/etc/mysql/newcerts/client-key.pem';
Start the slave service:
START SLAVE;
Now look at the slave status; MySQL returns:
mysql> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.90.216
Master_User: slaveusr
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000002
Read_Master_Log_Pos: 98
Relay_Log_File: slave-relay-bin.000002
Relay_Log_Pos: 235
Relay_Master_Log_File: mysql-bin.000002
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: test
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 98
Relay_Log_Space: 235
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/mysql/newcerts/ca-cert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/mysql/newcerts/client-cert.pem
Master_SSL_Cipher:
Master_SSL_Key: /etc/mysql/newcerts/client-key.pem
Seconds_Behind_Master: 0
1 row in set (0.00 sec)
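Good. Now when we insert a row in MySQL on the master server, MySQL on the slave server is updated with the same row, and deletions are synchronized as well. MySQL replication is now fully configured.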
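The fields worth checking in the status output above, as an added example that is not part of the original article: `Master_SSL_Allowed: Yes` only says the slave is permitted to use SSL, and it is the `REQUIRE SSL` clause on the master's grant that refuses an unencrypted login, so the check looks at both replication threads and the SSL parameters together. The function names are assumptions of the example; the sample is an excerpt of the article's own output.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_slave_ssl reads `SHOW SLAVE STATUS\G` text on stdin, prints one line
# per failed check and returns 1 if any check failed.
# Typical use: mysql -u root -p -e 'SHOW SLAVE STATUS\G' | check_slave_ssl
check_slave_ssl() {
    awk -F': *' '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
          v = $2; gsub(/[ \t\r]+$/, "", v); val[k] = v }
        END {
            bad = 0
            # Both replication threads must run and SSL must be allowed.
            n = split("Slave_IO_Running Slave_SQL_Running Master_SSL_Allowed", flags, " ")
            for (i = 1; i <= n; i++)
                if (val[flags[i]] != "Yes") { print "FAIL " flags[i] "=" val[flags[i]]; bad = 1 }
            # The CA, client certificate and client key paths must all be set.
            n = split("Master_SSL_CA_File Master_SSL_Cert Master_SSL_Key", paths, " ")
            for (i = 1; i <= n; i++)
                if (val[paths[i]] == "") { print "FAIL " paths[i] " is empty"; bad = 1 }
            if (val["Last_Errno"] != "0") { print "FAIL Last_Errno=" val["Last_Errno"]; bad = 1 }
            exit bad
        }'
}

# Excerpt of the status output shown in the article (unrelated fields omitted).
article_status() {
    cat <<'EOF'
             Slave_IO_State: Waiting for master to send event
                Master_Host: 192.168.90.216
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
                 Last_Errno: 0
         Master_SSL_Allowed: Yes
         Master_SSL_CA_File: /etc/mysql/newcerts/ca-cert.pem
            Master_SSL_Cert: /etc/mysql/newcerts/client-cert.pem
             Master_SSL_Key: /etc/mysql/newcerts/client-key.pem
EOF
}

article_status | check_slave_ssl && echo "replication running, SSL parameters set"
```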