MySQL: master-slave replication, dual-master replication, and securing MySQL replication with SSL
I. Master-slave replication lab
1. Master server configuration
First set the server_id.
In /etc/my.cnf, add:
server_id=11
Restart the service and check it from the mysql command line:
MariaDB [(none)]> select @@server_id;
+-------------+
| @@server_id |
+-------------+
|          11 |
+-------------+
1 row in set (0.00 sec)
Create the replication account for the slave:
MariaDB [(none)]> grant replication slave,replication client on *.* to 'repluser'@'172.16.1.10' identified by 'replpass';
Query OK, 0 rows affected (0.00 sec)
Reload the grant tables:
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
2. Slave server configuration
Add to the [mysqld] section:
server_id=22
relay_log=/var/log/mariadb/relay-log
skip_name_resolve=ON
innodb_file_per_table=ON
Restart the service and check it from the mysql command line:
MariaDB [(none)]> select @@server_id;
+-------------+
| @@server_id |
+-------------+
|          22 |
+-------------+
1 row in set (0.00 sec)
Point the slave at the master:
MariaDB [(none)]> change master to master_host='172.16.1.4',master_user='repluser',master_password='replpass',master_log_file='binlog.000001',master_log_pos=245;
Check the replication status:
MariaDB [(none)]> show slave status\G
Start the I/O thread:
MariaDB [(none)]> start slave io_thread;
Start the SQL thread to replay the relay log:
MariaDB [(none)]> start slave sql_thread;
Rows inserted on the master now show up on the slave.
-----------------------------------------------------------------------------------------------------------------------------------------
II. Dual-master (master-master) lab
1. Configuration files on the two servers
Server1: /etc/my.cnf
[mysqld]
innodb-file-per-table = ON
skip-name-resolve=ON
log_bin=/var/log/mariadb/binlog
server_id=11
relay_log=/var/log/mariadb/relaylog
auto_increment_offset=1
auto_increment_increment=2
Server2: /etc/my.cnf
[mysqld]
innodb-file-per-table = ON
skip-name-resolve=ON
log_bin=/var/log/mariadb/binlog
server_id=22
relay_log=/var/log/mariadb/relaylog
auto_increment_offset=2
auto_increment_increment=2
2. SQL statements on the two servers
Server1:
mysql> grant replication slave,replication client on *.* to 'repluser'@'172.16.1.3' identified by 'replpass';
mysql> change master to master_host='172.16.1.3',master_user='repluser',master_password='replpass',master_log_file='bin-log.000001',master_log_pos=427;
mysql> start slave [io_thread|sql_thread];
Server2:
mysql> grant replication slave,replication client on *.* to 'repluser'@'172.16.1.2' identified by 'replpass';
mysql> change master to master_host='172.16.1.2',master_user='repluser',master_password='replpass',master_log_file='bin-log.000024',master_log_pos=245;
mysql> start slave [io_thread|sql_thread];
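The two configuration files above differ only in auto_increment_offset (1 on Server1, 2 on Server2) with auto_increment_increment=2, so one master hands out odd ids and the other even ids even when both accept writes before replicating each other's changes. The simulation below is an added example, not code from the original post; it models MySQL's documented AUTO_INCREMENT rule for offset <= increment, and the server names and row payloads are constructed.

```python
"""Simulate two masters that both accept writes while replicating to each
other, to show why auto_increment_offset=1 / 2 with auto_increment_increment=2
keeps their primary keys disjoint (added example, constructed data)."""

def next_auto_increment(current_max, offset, increment):
    """Next AUTO_INCREMENT value MySQL hands out: the smallest value above
    current_max that equals offset + k*increment (assumes offset <= increment,
    the only case in which MySQL honours the offset)."""
    n = current_max + 1
    r = (n - offset) % increment
    return n if r == 0 else n + increment - r

class Master:
    def __init__(self, name, offset, increment):
        self.name, self.offset, self.increment = name, offset, increment
        self.rows = {}  # id -> (origin server, payload)

    def insert(self, payload):
        new_id = next_auto_increment(max(self.rows, default=0), self.offset, self.increment)
        self.rows[new_id] = (self.name, payload)
        return new_id

    def apply_from(self, peer):
        """Replay the peer's rows, as the SQL thread does with relayed binlog
        events. Returns ids that already exist locally with different content,
        i.e. duplicate-key conflicts that would stop the SQL thread."""
        conflicts = []
        for rid, row in peer.rows.items():
            if rid in self.rows and self.rows[rid] != row:
                conflicts.append(rid)
            self.rows.setdefault(rid, row)
        return conflicts

def simulate(offset1, offset2, increment, rounds=3):
    """Both masters insert a row in every round before either has replicated
    the other's write: the race that makes dual-master setups risky."""
    s1 = Master("server1", offset1, increment)
    s2 = Master("server2", offset2, increment)
    conflicts = []
    for i in range(rounds):
        s1.insert("s1-row%d" % i)
        s2.insert("s2-row%d" % i)
        conflicts += s1.apply_from(s2) + s2.apply_from(s1)
    return sorted(s1.rows), conflicts

if __name__ == "__main__":
    print("offsets 1/2:", simulate(1, 2, 2))  # odd/even ids, no conflicts
    print("offsets 1/1:", simulate(1, 1, 2))  # both servers hand out 1, 3, 5 ...
```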
--------------------------------------------------------------------------------------------------------------------------------------
III. Securing MySQL master-slave replication with SSL
MySQL replication sends the binary log stream in cleartext. In production, replicating across a network this way is unsafe, so the transport should be encrypted with SSL.
1. Edit the configuration files
On the master:
vim /etc/my.cnf
[mysqld]
log-bin=master-bin
binlog_format=mixed
server-id=1
ssl
[[email protected] ~]# systemctl restart mariadb
On the slave:
vim /etc/my.cnf
[mysqld]
log-bin=slave-bin
binlog_format=mixed
server-id=10
ssl
[[email protected] ~]# systemctl restart mariadb
2. Make the master server its own CA
[[email protected] ~]# cd /etc/pki/CA/
[[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
................................................................+++
e is 65537 (0x10001)
[[email protected] CA]#
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeBei
Locality Name (eg, city) [Default City]:QinHuangdao
Organization Name (eg, company) [Default Company Ltd]:zrs.com
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:master.zrs.com
Email Address []:
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
3. Create a certificate request for the master and have the CA sign it
[[email protected] CA]# mkdir -pv /usr/local/mysql/ssl
mkdir: 已创建目录 "/usr/local/mysql"
mkdir: 已创建目录 "/usr/local/mysql/ssl"
[[email protected] CA]#
[[email protected] CA]# cd /usr/local/mysql/ssl/
[[email protected] ssl]# (umask 077;openssl genrsa -out master.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................+++
..............+++
e is 65537 (0x10001)
[[email protected] ssl]# openssl req -new -key master.key -out master.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeBei
Locality Name (eg, city) [Default City]:QinHuangdao
Organization Name (eg, company) [Default Company Ltd]:zrs.com
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:master.zrs.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]#
[[email protected] ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 15 13:35:39 2018 GMT
Not After : Jan 15 13:35:39 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = HeBei
organizationName = zrs.com
organizationalUnitName = tech
commonName = master.zrs.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
31:F0:A8:85:CD:6C:29:EF:3A:70:E6:C8:BB:5F:B4:04:61:32:86:48
X509v3 Authority Key Identifier:
keyid:66:56:36:59:90:6D:94:DC:4E:19:A3:BA:2C:1E:53:DC:1A:8A:58:AE
Certificate is to be certified until Jan 15 13:35:39 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] ssl]#
4. Create a certificate request for the slave
[[email protected] ~]# mkdir -pv /usr/local/mysql/ssl
mkdir: 已创建目录 "/usr/local/mysql"
mkdir: 已创建目录 "/usr/local/mysql/ssl"
[[email protected] ~]# cd /usr/local/mysql/ssl/
[[email protected] ssl]# (umask 077;openssl genrsa -out slave.key 2048)
Generating RSA private key, 2048 bit long modulus
....+++
...................................................................................................+++
e is 65537 (0x10001)
[[email protected] ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeBei
Locality Name (eg, city) [Default City]:QinHuangdao
Organization Name (eg, company) [Default Company Ltd]:zrs.com
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:slave.zrs.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]#
5. Sign the slave's certificate
Copy the certificate request to the CA server and sign it there.
On the slave:
[[email protected] ssl]# scp slave.csr 172.16.1.7:/tmp/
On the master:
[[email protected] ssl]# openssl ca -in /tmp/slave.csr -out /tmp/slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jan 15 13:41:19 2018 GMT
Not After : Jan 15 13:41:19 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = HeBei
organizationName = zrs.com
organizationalUnitName = tech
commonName = slave.zrs.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
90:B1:B5:44:92:99:24:4A:50:A7:AB:3F:36:B9:CD:C7:87:1E:CE:4A
X509v3 Authority Key Identifier:
keyid:66:56:36:59:90:6D:94:DC:4E:19:A3:BA:2C:1E:53:DC:1A:8A:58:AE
Certificate is to be certified until Jan 15 13:41:19 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Copy the signed certificate to the slave server
[[email protected] ssl]# scp /tmp/slave.crt 172.16.1.8:/usr/local/mysql/ssl
7. Copy the CA certificate to the slave, and keep a copy for the master
[[email protected] ssl]# scp /etc/pki/CA/cacert.pem 172.16.1.8:/usr/local/mysql/ssl/
[[email protected] ssl]# cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/
8. Change the owner and group of the certificate files on master and slave to the "mysql" user
On the master:
[[email protected] ssl]# chown -R mysql.mysql /usr/local/mysql/ssl/
[[email protected] ssl]# ll /usr/local/mysql/ssl/
总用量 20
-rw-r--r--. 1 mysql mysql 1334 1月 15 21:45 cacert.pem
-rw-r--r--. 1 mysql mysql 4471 1月 15 21:36 master.crt
-rw-r--r--. 1 mysql mysql 1013 1月 15 21:34 master.csr
-rw-------. 1 mysql mysql 1679 1月 15 21:33 master.key
On the slave:
[[email protected] ssl]# chown -R mysql.mysql /usr/local/mysql/ssl/
[[email protected] ssl]# ll /usr/local/mysql/ssl/
总用量 20
-rw-r--r--. 1 mysql mysql 1334 1月 15 21:45 cacert.pem
-rw-r--r--. 1 mysql mysql 4466 1月 15 21:43 slave.crt
-rw-r--r--. 1 mysql mysql 1009 1月 15 21:38 slave.csr
-rw-------. 1 mysql mysql 1679 1月 15 21:37 slave.key
9. Edit the main configuration file on master and slave to enable SSL
Edit the master's configuration file:
[[email protected] ssl]# vim /etc/my.cnf
ssl_ca=/usr/local/mysql/ssl/cacert.pem
ssl_cert=/usr/local/mysql/ssl/master.crt
ssl_key=/usr/local/mysql/ssl/master.key
[[email protected] ssl]# systemctl restart mariadb
Edit the slave's configuration file:
[[email protected] ssl]# vim /etc/my.cnf
ssl_ca=/usr/local/mysql/ssl/cacert.pem
ssl_cert=/usr/local/mysql/ssl/slave.crt
ssl_key=/usr/local/mysql/ssl/slave.key
[[email protected] ssl]# systemctl restart mariadb
10. On the master, confirm that SSL is enabled, then create a replication user that is required to connect over SSL
MariaDB [(none)]> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath    |                                 |
| ssl_cert      | /usr/local/mysql/ssl/master.crt |
| ssl_cipher    |                                 |
| ssl_key       | /usr/local/mysql/ssl/master.key |
+---------------+---------------------------------+
MariaDB [(none)]> grant replication client,replication slave on *.* to 'slave'@'172.16.1.8' identified by '12345678' require ssl;
MariaDB [(none)]> flush privileges;
11. Note the master's current binary log file and position; the slave will start replicating from there
MariaDB [(none)]> show master status;
+-------------------+----------+--------------+------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000002 |      502 |              |                  |
+-------------------+----------+--------------+------------------+
12. Test connecting to the server with the specified certificate and key
On the slave:
[[email protected] ~]# mysql -uroot -p12345678 -h 172.16.1.7 --ssl-ca=/usr/local/mysql/ssl/cacert.pem --ssl-cert=/usr/local/mysql/ssl/slave.crt --ssl-key=/usr/local/mysql/ssl/slave.key
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 41
Server version: 5.5.56-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
13. Confirm that SSL is enabled on the slave and connect it to the master
Check whether SSL is enabled:
MariaDB [(none)]> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath    |                                 |
| ssl_cert      | /usr/local/mysql/ssl/master.crt |
| ssl_cipher    |                                 |
| ssl_key       | /usr/local/mysql/ssl/master.key |
+---------------+---------------------------------+
Connect to the master:
MariaDB [(none)]> change master to
-> master_host='172.16.1.7',master_user='slave',master_password='12345678',
-> master_log_file='master-bin.000002',master_log_pos=502,master_ssl=1,
-> master_ssl_ca='/usr/local/mysql/ssl/cacert.pem',
-> master_ssl_cert='/usr/local/mysql/ssl/slave.crt',
-> master_ssl_key='/usr/local/mysql/ssl/slave.key';
Query OK, 0 rows affected (0.04 sec)
The relevant options from the built-in help:
MariaDB [(none)]> help change master to;
| MASTER_SSL = {0|1}                  # whether to use SSL for the connection
| MASTER_SSL_CA = 'ca_file_name'      # path to the CA certificate
| MASTER_SSL_CERT = 'cert_file_name'  # the slave's own certificate file
| MASTER_SSL_KEY = 'key_file_name'    # the slave's own private key file
14. Check the slave's status
MariaDB [(none)]> start slave;
Query OK, 0 rows affected (0.02 sec)
MariaDB [(none)]> show slave status\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 172.16.1.7
Master_User: slave
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: master-bin.000002
Read_Master_Log_Pos: 2028
Relay_Log_File: mariadb-relay-bin.000002
Relay_Log_Pos: 2056
Relay_Master_Log_File: master-bin.000002
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 2028
Relay_Log_Space: 2352
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /usr/local/mysql/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /usr/local/mysql/ssl/slave.key
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 1
1 row in set (0.00 sec)
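The status above shows Master_SSL_Allowed: Yes but Master_SSL_Verify_Server_Cert: No: the link is encrypted and the master's certificate must chain to cacert.pem, but the slave does not compare the certificate's Common Name with master_host, which is what MASTER_SSL_VERIFY_SERVER_CERT=1 in CHANGE MASTER TO adds. The checker below is an added example, not part of the original post; it parses the \G output of SHOW SLAVE STATUS and reports weak settings, using the output from step 14 (trimmed to the fields it reads) as constructed sample input.

```python
"""Check the TLS posture of a replica from `SHOW SLAVE STATUS\\G` output
(added example, not from the original post)."""
import re

# Constructed sample: the slave status from step 14 above, trimmed to the
# fields the checker reads (the other lines of real output are ignored).
SAMPLE_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.1.7
                  Master_User: slave
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem
              Master_SSL_Cert: /usr/local/mysql/ssl/slave.crt
               Master_SSL_Key: /usr/local/mysql/ssl/slave.key
Master_SSL_Verify_Server_Cert: No
"""

_FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")

def parse_slave_status(text):
    """Turn the vertical (\\G) output of SHOW SLAVE STATUS into a dict."""
    status = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            status[m.group(1)] = m.group(2).strip()
    return status

def check_replication_tls(status):
    """Return a list of findings; an empty list means the replication link is
    running, encrypted, CA-pinned and verifies the master's identity."""
    findings = []
    if status.get("Slave_IO_Running") != "Yes" or status.get("Slave_SQL_Running") != "Yes":
        findings.append("replication threads are not running")
    if status.get("Master_SSL_Allowed") != "Yes":
        findings.append("MASTER_SSL=0: the binlog stream is sent in cleartext")
    if not status.get("Master_SSL_CA_File"):
        findings.append("no MASTER_SSL_CA: the master certificate is not validated")
    if status.get("Master_SSL_Verify_Server_Cert") != "Yes":
        findings.append("MASTER_SSL_VERIFY_SERVER_CERT=0: the master's certificate name "
                        "is not checked against master_host")
    return findings

if __name__ == "__main__":
    for finding in check_replication_tls(parse_slave_status(SAMPLE_STATUS)):
        print("WARN:", finding)
```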
15. Replicating over SSL
Create a database on the master:
[[email protected] ~]# mysql -uroot -p12345678 -e 'create database this_is_a_test_db;'
[[email protected] ~]# mysql -uroot -p12345678 -e 'show databases';
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| this_is_a_test_db  |
+--------------------+
Log in to the slave and verify that the database exists there as well:
[[email protected] ~]# mysql -uroot -p12345678 -e 'show databases';
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| this_is_a_test_db  |
+--------------------+