MairaDB之基于openssl的主從復制

kang ? ? Linux干貨

一、配置openssl 

 1、   在master server(node0)上根CA的搭建(及生成自簽名證書)

[root@node0 ~]# cd /etc/pki/CA/
[root@node0 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
..................+++
e is 65537 (0x10001)

[root@node0 CA]# touch index.txt 
[root@node0 CA]# echo 01 > serial

[root@node0 CA]# openssl req -new -x509 -key private/cakey.pem -out ./cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:rj
Organizational Unit Name (eg, section) []:rj
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:

2、為master主機生成密鑰,并名為之簽名

[root@node0 CA]# cd /etc/my.cnf.d/
[root@node0 my.cnf.d]# (umask 077;openssl genrsa -out master.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................+++
................+++
e is 65537 (0x10001)

[root@node0 my.cnf.d]# openssl req -new -key /etc/my.cnf.d/master.key -out /etc/my.cnf.d/master.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ  
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:rj
Organizational Unit Name (eg, section) []:rj
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3、根CA簽發master請求

[root@node0 my.cnf.d]# openssl ca -in master.csr -out master.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 16 06:55:06 2017 GMT
            Not After : Feb 14 06:55:06 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = rj
            organizationalUnitName    = rj
            commonName                = www.rj.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B4:A1:66:8C:5B:2B:F9:59:9D:F6:4F:F7:35:72:E2:87:9C:A5:95:F9
            X509v3 Authority Key Identifier: 
                keyid:71:DD:03:78:51:12:5F:58:C2:1B:53:76:A0:2B:E9:BF:60:D8:67:36

Certificate is to be certified until Feb 14 06:55:06 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3、為slave結點(node1)配置openssl 

[root@node1 CA]# cd /etc/my.cnf.d/
[root@node1 my.cnf.d]# (umask 077;openssl genrsa -out slave.key 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
......................................................................................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@node1 my.cnf.d]# openssl req -new -key slave.key -out slave.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:rj
Organizational Unit Name (eg, section) []:rj
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 my.cnf.d]# scp slave.csr node0:/tmp
The authenticity of host 'node0 (172.16.23.10)' can't be established.
ECDSA key fingerprint is 2b:98:49:35:5b:78:24:ed:f0:ab:fa:54:b1:8e:df:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node0,172.16.23.10' (ECDSA) to the list of known hosts.
root@node0's password: 
slave.csr

4、為slave結點簽發請求

[root@node0 my.cnf.d]# mv /etc/pki/CA/serial /root/
[root@node0 my.cnf.d]# mv /etc/pki/CA/index.txt /root/
[root@node0 my.cnf.d]# touch /etc/pki/CA/index.txt
[root@node0 my.cnf.d]# echo 01 > /etc/pki/CA/serial
[root@node0 my.cnf.d]# openssl ca -in /tmp/slave.csr -out slave.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 16 07:07:14 2017 GMT
            Not After : Feb 14 07:07:14 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = rj
            organizationalUnitName    = rj
            commonName                = www.rj.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A5:FE:11:EB:4D:B5:F1:85:61:E7:18:E3:1D:B7:25:C6:1B:24:97:AF
            X509v3 Authority Key Identifier: 
                keyid:71:DD:03:78:51:12:5F:58:C2:1B:53:76:A0:2B:E9:BF:60:D8:67:36

Certificate is to be certified until Feb 14 07:07:14 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@node0 my.cnf.d]# scp slave.crt node1:/etc/my.cnf.d/
slave.crt                                                                                                                                                    100% 4382     4.3KB/s   00:00

此時主從結點的證書都已經準備好

二、配置mariadb主從服務器

1、工作拓撲圖

MairaDB之基于openssl的主從復制

2、主服務器配置

[root@node0 ~]# yum -y install mariadb
[root@node0 my.cnf.d]# vim /etc/my.cnf

將mysqld段中的配置修改為以下內容

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
innodb-file-per-table = ON
skip-name-resolve = ON
server-id = 1 
log-bin = master-log
ssl
ssl_ca=/etc/my.cnf.d/cacert.pem 
ssl_cert=/etc/my.cnf.d/master.crt
ssl_key=/etc/my.cnf.d/master.key 

[root@node0 my.cnf.d]# cp /etc/pki/CA/cacert.pem  .
[root@node0 my.cnf.d]# chown mysql.mysql cacert.pem master.*
[root@node0 my.cnf.d]# systemctl start mariadb

3、從服務配置

[root@node0 ~]# yum -y install mariadb
[root@node0 my.cnf.d]# vim /etc/my.cnf

將mysqld段中的配置修改為以下內容

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
skip_name_resolve = ON 
relay-log = relay-log
server-id = 2 注id號不能與主服務的一樣
ssl
ssl-ca = /etc/my.cnf.d/cacert.pem
ssl-cert = /etc/my.cnf.d/slave.crt
ssl-key = /etc/my.cnf.d/slave.key

[root@node0 my.cnf.d]# scp /etc/pki/CA/cacert.pem node1:/etc/my.cnf.d/
cacert.pem 
[root@node1 my.cnf.d]# cd /etc/my.cnf.d/ && chown mysql.mysql cacert.pem slave.*

[root@node1 my.cnf.d]# systemctl start mariadb

4、主服務器授權一個用戶可連接mysql拉取二進制文件

MariaDB [(none)]> GRANT REPLICATION SLAVE,REPLICATION CLIENT ON *.* TO 'rj'@'172.16.23.11' IDENTIFIED BY 'centos.123' REQUIRE ssl;

5、配置從服務器連接到主服務器,并拉取數據

    先查看主結點的二進制日志



    MariaDB [(none)]>  SHOW MASTER STATUS;+-------------------+----------+--------------+------------------+| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |+-------------------+----------+--------------+------------------+| master-log.000007 |      342 |              |                  |+-------------------+----------+--------------+------------------+


MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST='172.16.23.10', MASTER_USER='rj', MASTER_PASSWORD='centos.123', MASTER_LOG_FILE='master-log.000007', MASTER_LOG_POS=245, MASTER_SSL=1, MASTER_SSL_CA='/etc/my.cnf.d/cacert.pem', MASTER_SSL_CERT='/etc/my.cnf.d/slave.crt', MASTER_SSL_KEY='/etc/my.cnf.d/slave.key';
Query OK, 0 rows affected (0.03 sec)

查看主從服務器的openssl的是用否用

MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| have_openssl  | YES                      |
| have_ssl      | YES                      |
| ssl_ca        | /etc/my.cnf.d/cacert.pem |
| ssl_capath    |                          |
| ssl_cert      | /etc/my.cnf.d/master.crt |
| ssl_cipher    |                          |
| ssl_key       | /etc/my.cnf.d/master.key |
+---------------+--------------------------+
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| have_openssl  | YES                      |
| have_ssl      | YES                      |
| ssl_ca        | /etc/my.cnf.d/cacert.pem |
| ssl_capath    |                          |
| ssl_cert      | /etc/my.cnf.d/slave.crt  |
| ssl_cipher    |                          |
| ssl_key       | /etc/my.cnf.d/slave.key  |
+---------------+--------------------------+

6、啟用從服務器

MariaDB [(none)]> START SLAVE;
Query OK, 0 rows affected, 1 warning (0.00 sec)

MariaDB [(none)]> SHOW SLAVE STATUS \G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.23.10
                  Master_User: rj
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: master-log.000007
          Read_Master_Log_Pos: 245
               Relay_Log_File: relay-log.000003
                Relay_Log_Pos: 530
        Relay_Master_Log_File: master-log.000007
             Slave_IO_Running: Yes  注:IO SQL這兩項表示主從同步已經正學進行
            Slave_SQL_Running: Yes
              Replicate_Do_DB: 
          Replicate_Ignore_DB: 
           Replicate_Do_Table: 
       Replicate_Ignore_Table: 
      Replicate_Wild_Do_Table: 
  Replicate_Wild_Ignore_Table: 
                   Last_Errno: 0
                   Last_Error: 
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 245
              Relay_Log_Space: 818
              Until_Condition: None
               Until_Log_File: 
                Until_Log_Pos: 0
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/my.cnf.d/cacert.pem
           Master_SSL_CA_Path: 
              Master_SSL_Cert: /etc/my.cnf.d/slave.crt
            Master_SSL_Cipher: 
               Master_SSL_Key: /etc/my.cnf.d/slave.key
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error: 
               Last_SQL_Errno: 0
               Last_SQL_Error: 
  Replicate_Ignore_Server_Ids: 
             Master_Server_Id: 1
1 row in set (0.00 sec)

7、由于從服務器只能讀,所以需要開啟mariadb的只讀 

MariaDB [(none)]>  SHOW VARIABLES LIKE 'read_only';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| read_only     | ON    |
+---------------+-------+
1 row in set (0.00 sec)

MariaDB [(none)]> SET GLOBAL read_only=ON;
Query OK, 0 rows affected (0.00 sec)

8、openssl進行測試

[root@node1 my.cnf.d]# mysql -urj -pcentos.123 -h172.16.23.10 --ssl-ca=/etc/my.cnf.d/cacert.pem --ssl-cert=/etc/my.cnf.d/slave.crt --ssl-key=/etc/my.cnf.d/slave.key
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 5.5.44-MariaDB-log MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

9、主從同步測試

MariaDB [(none)]> CREATE DATABASE node0create;在主服務上創建了一個庫
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> SHOW DATABASES; 在從服務器上也可以查看到了
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| node0create        |
| performance_schema |
| test               |
+--------------------+

原創文章,作者:kang,如若轉載,請注明出處:http://www.www58058.com/79175

(0)
kangkang
上一篇 2016-11-19 01:06
下一篇 2016-11-19 15:59

相關推薦

  • rsync+inotify實現實時同步案例

    隨著應用系統規模的不斷擴大,對數據的安全性和可靠性也提出的更好的要求,rsync在高端業務系統中也逐漸暴露出了很多不足,首先,rsync同步數據時,需要掃描所有文件后進行比對,進行差量傳輸。如果文件數量達到了百萬甚至千萬量級,掃描所有文件將是非常耗時的。而且正在發生變化的往往是其中很少的一部分,這是非常低效的方式。其次,rsync不能實時的去監測、同步數據,…

    Linux干貨 2016-10-30

  • 第八周網絡基礎以及腳本聯系

    1、請描述網橋、集線器、二層交換機、三層交換機、路由器的功能、使用場景與區別。 ![](http://i.imgur.com/5u2IMF8.png) 三層交換機:將路由技術和交換技術合二為一的技術,當對第一次數據流進行路由后,會產生一個MAC地址與IP地址相對應的映射表,當同樣的數據流再次通過時,將根據映射表進行數據交換而不在進行路由。 路由器:工作于網絡…

    Linux干貨 2017-03-30

  • 第二十一周作業

    1、回顧并詳細總結MySQL的存儲引擎、索引; 常用存儲引擎的對比: 特點 MyISAM InnoDB MEMORY MERGE NDB 存儲限制 有 64TB 有 沒有 有 事務安全 支持 鎖機制 表鎖 行鎖 表鎖 表鎖 行鎖 B樹索引 支持 支持 支持 支持 支持 哈希索引 支持 全文索引 支持 集群索引 支持 數據緩存 支持 支持 支持 索引緩存 支持…

    2017-07-19

  • 網絡N23期第四周grep

    1、復制/etc/skel目錄為/home/tuser1,要求/home/tuser1及其內部文件的屬組和其它用戶均沒有任何訪問權限。 [root@localhost ~]# cp -R /etc/skel /home/tuser1 && chmod g-r,o-r /home/tuser1 [root@localhost ~]# ls -l…

    系統運維 2016-12-05

  • N22-第四周作業

    1、復制/etc/skel目錄為/home/tuser1,要求/home/tuser1及其內部文件的屬組和其它用戶均沒有任何訪問權限。 ~]# cp -r /etc/skel /home/tuser1 ~]# chmod -R go= /home/tuser1/ 2、編輯/etc…

    Linux干貨 2016-09-06

  • bash中的算術運算及條件測試

    bash的算術運算 +, -, *, /, %取模(取余), **(乘方) 實現算術運算: (1) let var=算術表達式 (2) var=$[算術表達式] (3) var=$((算術表達式)) (4) var=$(expr arg1 arg2 arg3 …) (5) declare –i var = 數值 (6) echo ‘算術表達式’ …

    Linux干貨 2017-04-17
欧美性久久久久