大家都知道MySQL的主從複製是明文傳輸的,這對一些特殊業務來說是不允許的,下面來嘗試構建基於SSL的主從複製
環境:RHEL5.8 SELinux關閉,iptables關閉,MySQL 5.5.28-i686 tar包初始化安裝(非編譯)規劃:準備工作:hostname與規劃一致,配置/etc/hosts做好解析,時間要同步,過程不再贅述,見http://laoguang.blog.51cto.com/6013350/1073891,mysql安裝見http://laoguang.blog.51cto.com/6013350/1039208,資料目錄為/data/mydata 一.在master上配置CA伺服器,並為master,slave頒發認證1.1 master建立CA伺服器,過程見http://laoguang.blog.51cto.com/6013350/10356081.2 master的MySQL認證申請
- master: 172.16.1.18 master.laoguang.me
- slave: 172.16.1.19 slave.laoguang.me
1.3 slave上申請認證
- mkdir /data/mydata/ssl
- cd /data/mydata/ssl
- openssl genrsa 1024 > mysql.key
- openssl req -new -key mysql.key -out mysql.csr -days 3650
- ##接下來的輸入與建立CA時的一致,common name為master.laoguang.me
- openssl ca openssl ca -in mysql.csr -out mysql.crt ##為MySQL簽證
- cp /etc/pki/CA/cacert.pem . ##將CA的認證也拷過來
- chown mysql:mysql *
- chmod 600 *
1.4 master上為slave簽發
- mkdir /data/mydata/ssl
- cd /data/mydata/ssl
- openssl genrsa 1024 > mysql.key
- openssl req -new -key mysql.key -out mysql.csr -days 3650
- ##接下來的輸入與建立CA時的一致,common name為slave.laoguang.me
- scp mysql.csr master:/root
1.5 slave上更改許可權與屬主
- cd /root
- openssl ca -in mysql.csr -out mysql.crt
- scp mysql.crt slave:/data/mydata/ssl
- scp /etc/pki/CA/cacert.pem slave:/data/mydata/ssl
二.Master上編緝/etc/my.cnf啟用ssl, 並設定主從2.1 修改/etc/my.cnf
- chown mysql:mysql mysql.*
- chmod 600 mysql.*
2.2 啟動mysql,並查看ssl資訊
- [mysqld]
- log-bin=mysql-bin
- sync_binlog = 1 ##二進位日誌
- server-id = 1 ##此id必須全域唯一
- innodb_flush_log_at_trx_commit=1 ##每秒將交易記錄立刻刷寫到磁碟
- ssl ##啟用ssl預設是不開啟的,mysql中show variables like '%ssl%'查看
- ssl_ca =/data/mydata/ssl/cacert.pem ##ca檔案的位置
- ssl_cert= /data/mydata/ssl/mysql.crt ##認證檔案的位置
- ssl_key = /data/mydata/ssl/mysql.key ##私密金鑰檔案的位置
2.3 為同步建立一最小許可權賬戶,並要求ssl
- service mysqld start
- mysql
- mysql> show variables like '%ssl%';
- +---------------+-----------------------------+
- | Variable_name | Value |
- +---------------+-----------------------------+
- | have_openssl | YES |
- | have_ssl | YES |
- | ssl_ca | /data/mydata/ssl/cacert.pem |
- | ssl_capath | |
- | ssl_cert | /data/mydata/ssl/mysql.crt |
- | ssl_cipher | |
- | ssl_key | /data/mydata/ssl/mysql.key |
- +---------------+-----------------------------+
三.Slave上編緝/etc/my.cnf,啟用ssl,並設定主從3.1 編緝/etc/my.cnf
- mysql> create user 'backup_ssl'@'172.16.1.19' identified by 'redhat';
- mysql> revoke all privileges,grant option from 'backup_ssl'@'172.16.1.19';
- mysql> grant replication slave,replication client on *.* to 'backup_ssl'@'172.16.1.19' require ssl;
- mysql> flush privileges;
3.2 啟用mysqld並查看ssl相關資訊
- [mysqld]
- server-id = 2 ##此id必須全域唯一
##log-bin = mysql-bin ##注釋掉,從伺服器不需要二進位日誌- relay-log = mysql-ralay ##中繼日誌
- relay-log-index = mysql-ralay.index ##中繼目錄
- read-only = 1 ##從伺服器唯讀
- ssl ##啟用ssl預設是不開啟的,mysql中show variables like '%ssl%'查看
- ssl_ca =/data/mydata/ssl/cacert.pem ##ca檔案的位置
- ssl_cert= /data/mydata/ssl/mysql.crt ##認證檔案的位置
- ssl_key = /data/mydata/ssl/mysql.key ##私密金鑰檔案的位置
3.3 啟動slave同步進程,串連主伺服器
- servie mysqld start
- mysql> show variables like '%ssl%';
- +---------------+-----------------------------+
- | Variable_name | Value |
- +---------------+-----------------------------+
- | have_openssl | YES |
- | have_ssl | YES |
- | ssl_ca | /data/mydata/ssl/cacert.pem |
- | ssl_capath | |
- | ssl_cert | /data/mydata/ssl/mysql.crt |
- | ssl_cipher | |
- | ssl_key | /data/mydata/ssl/mysql.key |
- +---------------+-----------------------------+
關注以下參數:
- mysql> change master to
- -> master_host='172.16.1.18',
- -> master_user='backup_ssl',
- -> master_password='redhat',
- -> master_log_file='mysql-bin.000001',
- -> master_ssl=1,
- -> master_ssl_ca='/data/mydata/ssl/cacert.pem',
- -> master_ssl_cert='/data/mydata/ssl/mysql.crt',
- -> master_ssl_key='/data/mydata/ssl/mysql.key';
- mysql> start slave
- mysql> show slave status\G; ##查看slave狀態
如果與累似,slave基本正常,下面測試 四.測試4.1 主伺服器上建立一資料庫
- Slave_IO_Running: Yes ##IOthread是否運行,如果為No代表slave運行不正常
- Slave_SQL_Running: Yes ##SQLthread是否運行,如果為No代表slave運行不正常
- Master_SSL_CA_File: /data/mydata/ssl/cacert.pem ##是否啟用了ssl
- Master_SSL_Cert: /data/mydata/ssl/mysql.crt
- Master_SSL_Key: /data/mydata/ssl/mysql.key
- Master_Log_File: mysql-bin.000023 ##最後接收的主伺服器的二進位
- Exec_Master_Log_Pos: 1087 ##最後執行的位置,查看master中是不是該位置
- Last_IO_Errno: 0 ##最後一次IOthread有沒有報錯
4.2 從伺服器上查看有沒有同步過去
- mysql> create database testssl;
如果同步成功,說明沒有錯誤4.3 從伺服器mysql基於ssl串連主伺服器,查看串連狀態是否加密
- mysql> show databases;
查看串連狀態
- mysql -ubackup_ssl -predhat -h172.16.1.18 --ssl-cert=/data/mydata/ssl/mysql.crt \
- --ssl-key=/data/mydata/ssl/mysql.key
由此可知串連是加密的,可以用tcpdump抓包測試到此基於SSL的mysql主從同步構建完畢,如果你的從伺服器是新加的,先將主伺服器最近一次的完整備份恢複到從伺服器,並從同步完整備份後的二進位日誌,即change master時添加master_log_op=n, n代表完整備份後的二進位位置,其它的基本一致。 後記:今天嘗試只給slave簽發認證,master擁有有CA的認證,理論上應該能成功的,不過就是串連不上,所以暫時放棄,然後嘗試master的認證名字為master.crt,slave的認證為slave.crt結果也連不上,後來google,把master與slave的認證,私密金鑰都叫mysql.crt,mysql.key才得以完成,有瞭解的人說明一下,單認證為何不行,兩個認證名稱不一致也不行在原因,感謝!
- mysql> status;
- Current user: backup_ssl@slave.laoguang.me
- SSL: Cipher in use is DHE-RSA-AES256-SHA
本文出自 “Free Linux,Share Linux” 部落格,請務必保留此出處http://laoguang.blog.51cto.com/6013350/1079787
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
