MySQL master-slave replication over SSL/TLS

Environment:

192.168.1.65 master
192.168.1.67 slave

MySQL master operation

1. Generate the SSL/RSA files on the master

[root@master data]# cd /usr/local/mysql/bin/
[root@master bin]# mysql_ssl_rsa_setup --user=mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data
[root@master data]# ls
auto.cnf    ca.pem           client-key.pem  ibdata1      ib_logfile1  mysql       mysql.pid  performance_schema  public_key.pem   server-key.pem
ca-key.pem  client-cert.pem  ib_buffer_pool  ib_logfile0  ibtmp1       mysqld.err  mytest     private_key.pem     server-cert.pem  sys

Fix the ownership and permissions of the private keys

mysql_ssl_rsa_setup was run as root with --user=mysql, yet the listing shows server-key.pem owned by root:root. mysqld runs as the mysql user and must be able to read its key, but `chmod +r` solves that by making the private key world-readable (-rw-r--r--), so any local account on the host could copy it and impersonate the server. Transfer ownership to the mysql user and restrict the keys to their owner instead:

[root@master data]# chown mysql:mysql server-key.pem client-key.pem private_key.pem
[root@master data]# chmod 600 server-key.pem client-key.pem private_key.pem ca-key.pem
[root@master data]# ll server-key.pem

server-key.pem should now show as mode -rw------- with owner mysql:mysql. ca-key.pem is the CA's signing key: mysqld does not need it at run time and it must never be copied to a replica (ideally it is kept off the database server entirely).

Log in to MySQL and check that SSL is supported and the certificate files were picked up

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             | supported
| have_ssl      | YES             | supported
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.00 sec)

Note: enabling SSL in MySQL is mainly of value for master-slave replication. The replication stream carries every committed change on the master, so it should not be assumed safe to send in plaintext just because the hosts share a LAN; SSL is strongly recommended whenever the link crosses a network you do not fully control, and it is cheap enough to enable everywhere.

2. Create the replication user on the master

Grant only the REPLICATION SLAVE privilege, restrict the account to the replica's address rather than the whole 192.168.1.0/24 (otherwise any host in the subnet may attempt to use it), and require a client certificate signed by ca.pem (REQUIRE X509) rather than merely an encrypted connection (REQUIRE SSL, which still lets anyone holding the password connect). '123.com' is an example password; use a strong one. On MySQL 5.7 the single `GRANT ... IDENTIFIED BY ... REQUIRE SSL` statement still works but is deprecated and is rejected by 8.0; the current form is:

mysql> create user 'rep'@'192.168.1.67' identified by '123.com';
mysql> grant replication slave on *.* to 'rep'@'192.168.1.67';
mysql> alter user 'rep'@'192.168.1.67' require x509;

If you cannot deploy client certificates, fall back to `require ssl` in the last statement.

3. Enable the binary log on the master

[root@master ~]# cat /etc/my.cnf 
[mysqld]
......
server_id = 1
log-bin=mysql-bin
! Restart MySQL so that server_id and log-bin take effect.

4. View the status of MySQL

mysql> show master status;
+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000001 |      154 |              |                  |                   |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)

Note the File and Position values shown above; they are used in step 7 when configuring the slave. Re-run SHOW MASTER STATUS immediately before CHANGE MASTER: the binary log rotates on every restart, which is why step 7 below uses mysql-bin.000004 / 623 rather than the values shown here.
5. Open the firewall for the slave only

`--add-port=3306/tcp` exposes MySQL to every host that can reach the master. Only the slave needs to connect, so allow 3306 from its address alone:

[root@master ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.67" port port="3306" protocol="tcp" accept'
success
[root@master ~]# firewall-cmd --reload
success

Slave (replica) configuration

1. my.cnf contents

[root@slave ~]# cat /etc/my.cnf 
.....
server_id = 2  # must be unique
relay-log = /usr/local/mysql/data/relay-log-bin  # relay log (enabled by default)
relay-log-index = /usr/local/mysql/data/slave-relay-bin.index

server_id must be unique, and cannot be duplicated with other mysql hosts

2. Copy the CA certificate and the client certificate/key from the master to the slave (run on the master)

Copy only the three files the replica needs. Do not copy ca-key.pem (the CA's private signing key) or the master's server-key.pem: with either of those a compromised replica could mint trusted certificates or impersonate the master. scp runs over SSH, so the client key is protected in transit.

[root@master data]# pwd
/usr/local/mysql/data
[root@master data]# scp ca.pem client-cert.pem client-key.pem root@192.168.1.67:/usr/local/mysql/data

3. Verify the copied files on the slave and fix their permissions

[root@slave ~]# ls /usr/local/mysql/data/
auto.cnf         client-key.pem  ib_logfile1  mysql.pid           public_key.pem
ca-key.pem       ib_buffer_pool  ibtmp1       mytest              server-cert.pem
ca.pem           ibdata1         mysql        performance_schema  server-key.pem
client-cert.pem  ib_logfile0     mysqld.err   private_key.pem     sys
[root@slave data]# chown mysql:mysql client-key.pem
[root@slave data]# chmod 600 client-key.pem

mysqld (running as mysql) must be able to read client-key.pem, but do not use `chmod +r` for that — it would make the private key readable by every local user. The listing also shows ca-key.pem, server-key.pem and private_key.pem on the slave; presumably these were generated locally by running mysql_ssl_rsa_setup on the slave. That is fine as long as they are the slave's own files and not copies from the master; apply the same chown/chmod 600 to them.

4. Add the SSL settings to /etc/my.cnf on the slave

These options go in the [mysqld] section (the ssl_* variables in step 5 below reflect them) and govern TLS for clients that connect to the slave itself. They are not what the replication I/O thread uses — that is set with the MASTER_SSL_* options of CHANGE MASTER in step 7. Note that this configuration makes the slave present the client certificate as its own server certificate; if the slave also serves TLS clients, point ssl-cert/ssl-key at its own server-cert.pem/server-key.pem (present in the listing above) and keep the client files for CHANGE MASTER.

ssl-ca = /usr/local/mysql/data/ca.pem
ssl-cert = /usr/local/mysql/data/client-cert.pem
ssl-key = /usr/local/mysql/data/client-key.pem
! Restart MySQL for the change to take effect.

5. Check if ssl is supported

mysql> show variables like '%ssl%';
+---------------+---------------------------------------+
| Variable_name | Value                                 |
+---------------+---------------------------------------+
| have_openssl  | YES                                   |
| have_ssl      | YES                                   |
| ssl_ca        | /usr/local/mysql/data/ca.pem          |
| ssl_capath    |                                       |
| ssl_cert      | /usr/local/mysql/data/client-cert.pem |
| ssl_cipher    |                                       |
| ssl_crl       |                                       |
| ssl_crlpath   |                                       |
| ssl_key       | /usr/local/mysql/data/client-key.pem  |
+---------------+---------------------------------------+
9 rows in set (0.00 sec)

6. Test the replication account
Check that the account created on the master can log in from the slave over TLS. Do not put the password on the command line (`-p123.com`): it is visible to every local user via `ps` and is recorded in the shell history; let `-p` prompt for it instead. Add `--ssl-mode=VERIFY_CA` (MySQL 5.7.11+) so that validation of the server certificate against ca.pem is explicit rather than dependent on the client's default mode.

[root@slave data]# mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -urep -p -h 192.168.1.65
Enter password:

Once connected, `SHOW STATUS LIKE 'Ssl_cipher';` returns a non-empty cipher name if the session is actually encrypted.

7. Change master to

mysql> change master to master_host='192.168.1.65',
    -> master_user='rep',
    -> master_password='123.com',
    -> master_log_file='mysql-bin.000004',
    -> master_log_pos=623,
    -> master_ssl=1,
    -> master_ssl_ca='/usr/local/mysql/data/ca.pem',
    -> master_ssl_cert='/usr/local/mysql/data/client-cert.pem',
    -> master_ssl_key='/usr/local/mysql/data/client-key.pem';
Query OK, 0 rows affected, 2 warnings (0.02 sec)

mysql> start slave
    -> ;
Query OK, 0 rows affected (0.00 sec)

View the status of the slave. The following two values must both be Yes, which means the slave is connected to the master and applying its events. Also note `Master_SSL_Verify_Server_Cert: No` further down: the I/O thread validates the master's certificate chain against ca.pem but does not check that the certificate was issued for master_host. Add `master_ssl_verify_server_cert=1` to CHANGE MASTER only once the master has a certificate issued for 192.168.1.65; the certificates produced by mysql_ssl_rsa_setup carry a generic auto-generated subject, so with them that check would be expected to fail. The two warnings reported by CHANGE MASTER are not shown above; on 5.7 they normally concern the replication password being stored in plaintext in master.info (see Master_Info_File below), which is one reason to keep the data directory readable by the mysql user only.
Slave_IO_Running:Yes
Slave_SQL_Running:Yes

mysql> show slave status\G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.1.65
                  Master_User: rep
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000004
          Read_Master_Log_Pos: 623
               Relay_Log_File: slave-relay-bin.000002
                Relay_Log_Pos: 320
        Relay_Master_Log_File: mysql-bin.000004
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB: 
          Replicate_Ignore_DB: 
           Replicate_Do_Table: 
       Replicate_Ignore_Table: 
      Replicate_Wild_Do_Table: 
  Replicate_Wild_Ignore_Table: 
                   Last_Errno: 0
                   Last_Error: 
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 623
              Relay_Log_Space: 527
              Until_Condition: None
               Until_Log_File: 
                Until_Log_Pos: 0
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /usr/local/mysql/data/ca.pem
           Master_SSL_CA_Path: 
              Master_SSL_Cert: /usr/local/mysql/data/client-cert.pem
            Master_SSL_Cipher: 
               Master_SSL_Key: /usr/local/mysql/data/client-key.pem
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error: 
               Last_SQL_Errno: 0
               Last_SQL_Error: 
  Replicate_Ignore_Server_Ids: 
             Master_Server_Id: 1
                  Master_UUID: a5383d98-2b2e-11eb-9c6d-000c29578d1c
             Master_Info_File: /usr/local/mysql/data/master.info
                    SQL_Delay: 0
          SQL_Remaining_Delay: NULL
      Slave_SQL_Running_State: Slave has read all relay log; waiting for more updates
           Master_Retry_Count: 86400
                  Master_Bind: 
      Last_IO_Error_Timestamp: 
     Last_SQL_Error_Timestamp: 
               Master_SSL_Crl: 
           Master_SSL_Crlpath: 
           Retrieved_Gtid_Set: 
            Executed_Gtid_Set: 
                Auto_Position: 0
         Replicate_Rewrite_DB: 
                 Channel_Name: 
           Master_TLS_Version: 
1 row in set (0.01 sec)

8. Create a database on the master and check whether it is created on the slave
// Created on the master

mysql> create database qin;
Query OK, 1 row affected (0.00 sec)

//Verify on slave

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| mytest             |
| performance_schema |
| qin                |
| sys                |
+--------------------+
6 rows in set (0.01 sec)


Origin blog.csdn.net/weixin_45310323/article/details/114072271