I won't go into the basic master-master MySQL setup itself here.
The company needs MySQL master-master replication across the public internet and has very strict data privacy requirements: replication traffic has to be encrypted whether it crosses a LAN or a WAN (in practice this is mostly done for public-internet links), so the replication connection itself must run over SSL. Without further ado:
Environment: CentOS 6.5
master1: 192.168.1.10
master2: 192.168.1.30
Check whether SSL support is present and enabled (have_ssl is DISABLED when the server was built with SSL but has no certificate configured yet, NO when the build lacks SSL entirely):
show variables like '%ssl%';
Enable SSL by adding the following to /etc/my.cnf:
vim /etc/my.cnf
[mysqld]
ssl
Set up the CA (on master1). The CentOS default openssl.cnf already points the CA at /etc/pki/CA; confirm this, then create the working directories plus the index and serial files inside /etc/pki/CA:
vim /etc/pki/tls/openssl.cnf
dir=/etc/pki/CA
mkdir certs newcerts crl
touch index.txt
echo 01 > serial
1. Generate the CA key. It lives under /etc/pki/CA/private as cakey.pem (name and location must match the private_key entry in openssl.cnf) and must be readable only by its owner:
(umask 077;openssl genrsa -out private/cakey.pem 2048)
Command explained:
umask 077: the subshell creates the key file with mode 0600
genrsa: generate an RSA private key
-out: where to write the key
2048: key length in bits (CentOS 6's OpenSSL 1.0.1 defaults to 1024, which is too weak; always give 2048 explicitly)
openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365
Command explained:
req: certificate request handling (here used to produce a self-signed certificate)
-new: new request
-key /path/to/keyfile: private key to use
-out /path/to/somefile: where to write the certificate
-x509: output a self-signed certificate instead of a request
-days n: validity in days
The prompts ask for: Country -- State/Province -- Locality -- Organization -- Organizational Unit -- Common Name (the CA host name) -- admin e-mail. Remember the Country, State and Organization you enter: with the default policy_match in openssl.cnf, every request this CA signs must carry the same three values.
------------------------------------------------
2. Prepare a private key for master1 and have the CA issue its certificate
mkdir /var/lib/mysql/ssl
cd /var/lib/mysql/ssl/
Generate the key
(umask 077;openssl genrsa 2048 > master1.key)
Generate the certificate signing request
openssl req -new -key master1.key -out master1.csr
Enter the same Country, State and Organization as for the CA. For Common Name use the address the other master will put in master_host (here 192.168.1.10); if you later enable master_ssl_verify_server_cert, that is the value it compares. The last two prompts are optional request attributes this CA does not use, so just press Enter:
A challenge password []:
An optional company name []:
Sign the request with the CA (answer y to the 'Sign the certificate?' and 'commit?' prompts):
openssl ca -in master1.csr -out master1.crt -days 365
cp /etc/pki/CA/cacert.pem /var/lib/mysql/ssl/
chown -R mysql:mysql /var/lib/mysql/ssl
-----------------------------------------------
3. Prepare a private key for master2 (which replicates from master1, i.e. acts as its slave) and request its certificate
Create the directory for the certificates
mkdir /var/lib/mysql/ssl
cd /var/lib/mysql/ssl
Create the key and the request. Use the same Country/State/Organization as the CA, but a different Common Name from master1's (master2's address, 192.168.1.30): the CA refuses a second certificate for an identical subject while the first one is still valid.
(umask 077;openssl genrsa 2048 > master2.key)
openssl req -new -key master2.key -out master2.csr
scp ./master2.csr 192.168.1.10:/root/
On master1, sign master2's request (run in /root, where the CSR landed)
openssl ca -in master2.csr -out master2.crt
Copy the signed certificate and the CA certificate back to master2
scp master2.crt /etc/pki/CA/cacert.pem 192.168.1.30:/var/lib/mysql/ssl
Back on master2, in /var/lib/mysql:
chown -R mysql.mysql ssl
-------------------------------------------
4. Edit the configuration file on each master
vim /etc/my.cnf
Add under [mysqld] (on master2 use master2.crt and master2.key instead), then restart mysqld:
ssl-ca=/var/lib/mysql/ssl/cacert.pem
ssl-cert=/var/lib/mysql/ssl/master1.crt
ssl-key=/var/lib/mysql/ssl/master1.key
show variables like '%ssl%';
+---------------+--------------------------------+
| Variable_name | Value                          |
+---------------+--------------------------------+
| have_openssl  | YES                            |
| have_ssl      | YES                            |
| ssl_ca        | /var/lib/mysql/ssl/cacert.pem  |
| ssl_capath    |                                |
| ssl_cert      | /var/lib/mysql/ssl/master1.crt |
| ssl_cipher    |                                |
| ssl_key       | /var/lib/mysql/ssl/master1.key |
+---------------+--------------------------------+
Create the replication account on both masters. REQUIRE SSL only forces the connection to be encrypted; it does not make the client present a certificate. To have each master prove its identity with the certificate issued above, use REQUIRE X509 instead (or REQUIRE SUBJECT/ISSUER to pin the exact certificate), and replace the weak password '123456' with a real one.
grant replication slave,replication client on *.* to repluser@'192.168.1.%' identified by '123456' require ssl;
flush privileges;
On master1, note the current binary log file and position:
show master status;
On master2, point replication at master1 using those values; master_ssl_cert and master_ssl_key are master2's own certificate and key:
change master to master_host='192.168.1.10',
master_user='repluser',
master_password='123456',
master_log_file='mysql-bin.000008',
master_log_pos=308,
master_ssl=1,
master_ssl_ca='/var/lib/mysql/ssl/cacert.pem',
master_ssl_cert='/var/lib/mysql/ssl/master2.crt',
master_ssl_key='/var/lib/mysql/ssl/master2.key';
As written, the slave encrypts the connection but never checks who it is talking to. Add master_ssl_verify_server_cert=1 so it validates master1's certificate against master_ssl_ca and compares the certificate's Common Name with master_host (master1's certificate must therefore carry CN 192.168.1.10). Then run the same statement on master1 with master_host='192.168.1.30', the coordinates from master2's show master status, and master1.crt/master1.key.
start slave;
show slave status\G
Slave_IO_Running and Slave_SQL_Running must both be Yes and Master_SSL_Allowed Yes. To confirm the account is really refused without SSL, connect as repluser with the mysql client and --skip-ssl (this must fail); a connection with --ssl-ca pointing at cacert.pem should show a non-empty value for show status like 'Ssl_cipher'.
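The certificate side of steps 1 to 3, followed by the two checks a replica later performs on a master's certificate, as an added example that is not part of the original post. It uses its own throwaway openssl.cnf mirroring the CentOS /etc/pki/CA layout so everything runs non-interactively in a temporary directory; the subject fields C/ST/O and the CA name ca.example.com are made-up assumptions, while the addresses are the post's. It also exercises two failure modes the post does not show: a certificate whose Common Name differs from the master_host it is used for (what master_ssl_verify_server_cert rejects), and a second request with a subject already recorded in index.txt (which openssl ca refuses under the default unique_subject = yes).

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces steps 1-3 (CA, then
# one certificate per master) non-interactively with a private openssl.cnf that
# mirrors the CentOS /etc/pki/CA layout, then runs the checks a replica performs
# on a master's certificate. C/ST/O and ca.example.com are made up; the IPs are
# the post's. Needs only the openssl command line tool.
set -e

# openssl.cnf for the CA. policy_match: C, ST and O of every CSR must equal the
# CA certificate's. unique_subject stays at its default (yes): two valid
# certificates may never share a subject, so master1 and master2 need different CNs.
write_ca_config() {   # $1 = CA directory
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = $1
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
serial         = \$dir/serial
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Step 1 of the post: directory skeleton, CA private key, self-signed CA cert.
make_ca() {           # $1 = CA directory
    mkdir -p "$1/private" "$1/certs" "$1/newcerts" "$1/crl"
    write_ca_config "$1"
    touch "$1/index.txt"
    echo 01 > "$1/serial"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -x509 -new -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "/C=CN/ST=Beijing/O=Example/CN=ca.example.com" -days 365 \
        -out "$1/cacert.pem"
}

# Steps 2/3: key and CSR for one MySQL node, signed by the CA. The CN is the value
# the peer will use as MASTER_HOST, because MASTER_SSL_VERIFY_SERVER_CERT compares
# the two. Writes <outdir>/<name>.key, .csr, .crt and a copy of cacert.pem.
issue_node_cert() {   # $1 = CA dir, $2 = out dir, $3 = name, $4 = CN
    mkdir -p "$2"
    (umask 077; openssl genrsa -out "$2/$3.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/$3.key" \
        -subj "/C=CN/ST=Beijing/O=Example/CN=$4" -out "$2/$3.csr"
    # -batch: no "Sign the certificate? [y/n]" prompt; -notext: PEM only, no text dump
    openssl ca -batch -notext -config "$1/openssl.cnf" -days 365 \
        -in "$2/$3.csr" -out "$2/$3.crt" 2>/dev/null || return 1
    cp "$1/cacert.pem" "$2/cacert.pem"
}

# What a replica checks before trusting a master: the certificate chains to
# ssl-ca, and (with MASTER_SSL_VERIFY_SERVER_CERT=1) its CN equals MASTER_HOST.
# Prints "ok", "untrusted" or "cn-mismatch:<CN>".
check_master_cert() { # $1 = dir holding cacert.pem, $2 = master cert, $3 = MASTER_HOST
    if ! openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; then
        echo "untrusted"; return 0
    fi
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$3" ]; then echo "ok"; else echo "cn-mismatch:$cn"; fi
}

# End-to-end run mirroring the post: the CA lives on master1, certs for both masters.
demo() {
    work=$(mktemp -d)
    make_ca "$work/CA"
    issue_node_cert "$work/CA" "$work/m1" master1 192.168.1.10
    issue_node_cert "$work/CA" "$work/m2" master2 192.168.1.30
    # master2 validating master1's cert (what CHANGE MASTER on master2 relies on)
    r1=$(check_master_cert "$work/m2" "$work/m1/master1.crt" 192.168.1.10)
    # master2's own cert presented as if it were master1's: trusted CA, wrong CN
    r2=$(check_master_cert "$work/m1" "$work/m2/master2.crt" 192.168.1.10)
    # A second request with master1's exact subject is refused by unique_subject
    if issue_node_cert "$work/CA" "$work/dup" dup 192.168.1.10 2>/dev/null; then
        dup=issued
    else
        dup=refused
    fi
    rm -rf "$work"
    echo "$r1 $r2 $dup"
}
```

demo prints three results on one line: ok for master1's certificate checked the way master2 would check it, cn-mismatch with master2's CN for master2's certificate used in place of master1's, and refused for the duplicate subject. The same three conditions are what to look at when SHOW SLAVE STATUS reports an SSL error after enabling master_ssl_verify_server_cert: wrong CA file, CN not equal to master_host, or a certificate the CA never actually issued.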