首页 > 数据库 > mysql > 正文

MySQL主从复制(异步)、半同步复制、基于ssl (下)
2014-06-12 19:25:19   来源:   评论:0 点击: 收藏

SSL复制要求主从服务器各自都要有证书和私钥;默认情况下主从服务器的SSL功能是没有启用的,需要先启用。123456789101112mysql>showvariabl...
SSL复制

    要求主从服务器各自都要有证书和私钥;默认情况下主从服务器的SSL功能是没有启用的,需要先启用。

1
2
3
4
5
6
7
8
9
10
11
12
    mysql> show variables like '%ssl%';
    +---------------+----------+
    | Variable_name | Value    |
    +---------------+----------+
    | have_openssl  | DISABLED |
    | have_ssl      | DISABLED |
    | ssl_ca        |          |
    | ssl_capath    |          |
    | ssl_cert      |          |
    | ssl_cipher    |          |
    | ssl_key       |          |
    +---------------+----------+

1、配置Master为CA证书服务器

1
2
3
4
5
6
7
8
9
10
11
12
13
# vim /etc/pki/tls/openssl.cnf
# cd /etc/pki/CA/
# (umask 077; openssl genrsa 1024 >private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
    Country Name (2 letter code) [GB]:CN 
    State or Province Name (full name) [Berkshire]:GD
    Locality Name (eg, city) [Newbury]:ZS
    Organization Name (eg, company) [My Company Ltd]:NEO
    Organizational Unit Name (eg, section) []:tech
    Common Name (eg, your name or your server's hostname) []:station01.neo.com
# mkdir newcerts certs crl
# touch index.txt
# echo 01 >serial

2、为Master上的MySQL准备私钥以及颁发证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# mkdir /usr/local/mysql/ssl
# cd /usr/local/mysql/ssl/
#(umask 077; openssl genrsa 1024 > mysql.key)
# openssl req -new -key mysql.key -out mysql.csr -days 3650
    Country Name (2 letter code) [GB]:CN
    State or Province Name (full name) [Berkshire]:GD
    Locality Name (eg, city) [Newbury]:ZS
    Organization Name (eg, company) [My Company Ltd]:NEO
    Organizational Unit Name (eg, section) []:tech
    Common Name (eg, your name or your server's hostname) []:station01.neo.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
# openssl ca -in mysql.csr -out mysql.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 28 02:26:17 2014 GMT
            Not After : May 28 02:26:17 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = NEO
            organizationalUnitName    = tech
            commonName                = station01.neo.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A4:B7:A6:98:9F:60:08:BE:86:87:65:5F:B6:13:BC:4A:5B:D4:44:3A
            X509v3 Authority Key Identifier: 
                keyid:4F:D8:57:42:D9:39:17:7D:39:44:91:01:A4:01:DE:32:92:D6:F9:DF
 
Certificate is to be certified until May 28 02:26:17 2015 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# chown mysql.mysql *

3、Slave上申请证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# mkdir /usr/local/mysql/ssl
# (umask 077; openssl genrsa 1024 >mysql.key)
# openssl req -new -key mysql.key -out mysql.csr -days 3650
    Country Name (2 letter code) [GB]:CN
    State or Province Name (full name) [Berkshire]:GD
    Locality Name (eg, city) [Newbury]:ZS
    Organization Name (eg, company) [My Company Ltd]:NEO
    Organizational Unit Name (eg, section) []:tech
    Common Name (eg, your name or your server's hostname) []:station02.neo.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
# scp mysql.csr 192.168.100.11:/root/

4、Master上为Slave签发证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# openssl ca -in mysql.csr -out mysql.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: May 28 02:36:24 2014 GMT
            Not After : May 28 02:36:24 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = NEO
            organizationalUnitName    = tech
            commonName                = station02.neo.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:9F:5B:E7:06:D0:64:B7:E6:81:3F:98:95:71:D4:DF:C6:B8:CE:3D
            X509v3 Authority Key Identifier: 
                keyid:4F:D8:57:42:D9:39:17:7D:39:44:91:01:A4:01:DE:32:92:D6:F9:DF
 
Certificate is to be certified until May 28 02:36:24 2015 GMT (365 days)
Sign the certificate? [y/n]:yes
 
 
1 out of 1 certificate requests certified, commit? [y/n]yes
Write out database with 1 new entries
Data Base Updated
# scp mysql.crt 192.168.100.12:/usr/local/mysql/ssl/
# scp /etc/pki/CA/cacert.pem 192.168.100.12:/usr/local/mysql/ssl/

 

5、Master上编缉/etc/my.cnf启用ssl,并设置主从

 

1
2
3
4
5
6
7
8
9
10
# vim /etc/my.cnf
[mysqld] 
log-bin=mysql-bin 
sync_binlog = 1                          ##二进制日志 
server-id = 1                            ##此id必须全局唯一 
innodb_flush_log_at_trx_commit=1         ##每秒将事务日志立刻刷写到磁盘 
ssl                                      ##启用ssl默认是不开启的,mysql中show variables like '%ssl%'查看 
ssl_ca =/usr/local/mysql/ssl/cacert.pem      ##ca文件的位置 
ssl_cert= /usr/local/mysql/ssl/mysql.crt     ##证书文件的位置 
ssl_key = /usr/local/mysql/ssl/mysql.key     ##私钥文件的位置

 

 

 

 

 

 

6、启动mysql,并查看ssl信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# service mysqld start 
# mysql 
mysql> show variables like '%ssl%'
+---------------+---------------------------------+ 
| Variable_name | Value                           | 
+---------------+---------------------------------+ 
| have_openssl  | YES                             | 
| have_ssl      | YES                             | 
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem | 
| ssl_capath    |                                 | 
| ssl_cert      | /usr/local/mysql/ssl/mysql.crt  | 
| ssl_cipher    |                                 | 
| ssl_key       | /usr/local/mysql/ssl/mysql.key  | 
+---------------+---------------------------------+

 

 

7、为同步建立一最小权限账户,并要求ssl

1
2
3
4
5
mysql> create user 'backup_ssl'@'192.168.100.12' identified by 'redhat'
mysql> revoke all privileges,grant option from 'backup_ssl'@'192.168.100.12'
mysql> grant replication slave,replication client on *.* to 'backup_ssl'@'192.168.100.12' require ssl; 
mysql> flush privileges;
mysql> flush logs;

 

8、Slave上编缉/etc/my.cnf,启用ssl,并设置主从

1
2
3
4
5
6
7
8
9
10
11
# vim /etc/my.cnf
[mysqld] 
server-id = 2                        ##此id必须全局唯一 
##log-bin = mysql-bin                ##注释掉,从服务器不需要二进制日志
relay-log = mysql-relay              ##中继日志 
relay-log-index = mysql-ralay.index  ##中继目录 
read-only = 1                        ##从服务器只读
ssl                                  ##启用ssl默认是不开启的,mysql中show variables like '%ssl%'查看 
ssl_ca =/usr/local/mysql/ssl/cacert.pem  ##ca文件的位置 
ssl_cert= /usr/local/mysql/ssl/mysql.crt ##证书文件的位置 
ssl_key = /usr/local/mysql/ssl/mysql.key ##私钥文件的位置

 


   

 

9、启用mysqld并查看ssl相关信息

1
2
3
4
5
6
7
8
9
10
11
12
13
# servie mysqld start 
mysql> show variables like '%ssl%'
+---------------+---------------------------------+ 
| Variable_name | Value                           | 
+---------------+---------------------------------+ 
| have_openssl  | YES                             | 
| have_ssl      | YES                             | 
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem | 
| ssl_capath    |                                 | 
| ssl_cert      | /usr/local/mysql/ssl/mysql.crt  | 
| ssl_cipher    |                                 | 
| ssl_key       | /usr/local/mysql/ssl/mysql.key  | 
+---------------+---------------------------------+

10、启动slave同步进程,连接主服务器

1
2
3
4
5
6
7
8
9
10
11
mysql> change master to  
    -> master_host='192.168.100.11'
    -> master_user='backup_ssl'
    -> master_password='redhat'
    -> master_log_file='mysql-bin.000004'
    -> master_ssl=1, 
    -> master_ssl_ca='/usr/local/mysql/ssl/cacert.pem'
    -> master_ssl_cert='/usr/local/mysql/ssl/mysql.crt'
    -> master_ssl_key='/usr/local/mysql/ssl/mysql.key'
mysql> start slave 
mysql> show slave status\G; ##查看slave状态

 


   

 

11、关注以下参数:

1
2
3
4
5
6
7
8
Slave_IO_Running: Yes                                  ##IOthread是否运行,如果为No代表slave运行不正常 
Slave_SQL_Running: Yes                                 ##SQLthread是否运行,如果为No代表slave运行不正常 
Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem    ##是否启用了ssl 
Master_SSL_Cert: /usr/local/mysql/ssl/mysql.crt 
Master_SSL_Key: /usr/local/mysql/ssl/mysql.key 
Master_Log_File: mysql-bin.00005                       ##最后接收的主服务器的二进制 
Exec_Master_Log_Pos: 338                               ##最后执行的位置,查看master中是不是该位置 
Last_IO_Errno: 0                                       ##最后一次IOthread有没有报错

 

 

本文出自 “jun.wang” 博客,请务必保留此出处http://junwang.blog.51cto.com/5050337/1424711

相关热词搜索:主从 MySQL 主从复制

上一篇:MySQL主从复制(异步)、半同步复制、基于ssl (上)
下一篇:MySQL性能优化的最佳21条经验