I. Node information:
Master1: 192.168.80.143/24 + CA
Master2: 192.168.80.144/24
Both nodes are masters here, and each is also the slave of the other.
II. Basic configuration:
(1) First install MySQL on both machines
- # pvcreate /dev/sda5
- # vgcreate myvg /dev/sda5
- # lvcreate -L 10G -n mydata myvg
- # mkdir -p /data/mydata
- # mke2fs -j /dev/myvg/mydata
- # mount /dev/myvg/mydata /data/mydata/
- # tar xf mysql-5.5.24-linux2.6-i686.tar.gz -C /usr/local/
- # cd /usr/local/
- # ln -s mysql-5.5.24-linux2.6-i686/ mysql
- # cd mysql
- # useradd -r mysql
- # chown -R mysql.mysql .
- # scripts/mysql_install_db --datadir=/data/mydata/ --user=mysql
- # chown -R root .
- # cp support-files/my-large.cnf /etc/my.cnf
- # vim /etc/my.cnf
- thread_concurrency = 2
- datadir = /data/mydata
- # cp support-files/mysql.server /etc/rc.d/init.d/mysqld
- # chmod +x /etc/rc.d/init.d/mysqld
- # service mysqld start
(2) Configure the CA service on Master1
- # vim /etc/pki/tls/openssl.cnf
- dir = /etc/pki/CA
- # cd /etc/pki/CA/
- # mkdir certs newcerts crl
- # touch index.txt
- # echo 01 > serial
- # (umask 077;openssl genrsa -out private/cakey.pem 1024)
- # openssl req -x509 -new -key private/cakey.pem -out cacert.pem
- # mkdir /usr/local/mysql/ssl
- # cd /usr/local/mysql/ssl
- Both the master role and the slave role on each server need a certificate, so four are needed
- # (umask 077;openssl genrsa 1024 > master1.key)
- # openssl req -new -key master1.key -out master1.csr
- # openssl ca -in master1.csr -out master1.crt -days 365
- # (umask 077;openssl genrsa 1024 > master1slave.key)
- # openssl req -new -key master1slave.key -out master1slave.csr
- # openssl ca -in master1slave.csr -out master1slave.crt -days 365
- # (umask 077;openssl genrsa 1024 > master2.key)
- # openssl req -new -key master2.key -out master2.csr
- # openssl ca -in master2.csr -out master2.crt -days 365
- # (umask 077;openssl genrsa 1024 > master2slave.key)
- # openssl req -new -key master2slave.key -out master2slave.csr
- # openssl ca -in master2slave.csr -out master2slave.crt -days 365
- # cp /etc/pki/CA/cacert.pem .
- # chown -R mysql.mysql /usr/local/mysql/ssl
- # scp -p /etc/pki/CA/cacert.pem master1slave.* master2.* 192.168.80.144:/usr/local/mysql/ssl/
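The CA and certificate steps above, as an added example that is not part of the original post: a script that builds the private CA, issues the four key/certificate pairs, and checks each pair before it is copied to the peer. It assumes signing with `openssl x509 -req -CA ...` rather than the post's `openssl ca` (so no /etc/pki/CA index.txt or serial file is needed), 2048-bit keys instead of the post's 1024-bit ones, and a temporary output directory instead of /usr/local/mysql/ssl; the CN values are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: build the private CA and the
# four key/certificate pairs the two-node layout needs, then check every pair
# before it is copied to /usr/local/mysql/ssl on the right node.
# Assumptions: certificates are signed with "openssl x509 -req -CA ..." instead
# of the post's "openssl ca", keys are 2048-bit rather than 1024-bit, and the
# output directory defaults to a temporary one (override with SSL_DIR).
set -eu

# Create the CA key (mode 0600 via umask) and a self-signed CA certificate.
# The default openssl.cnf v3_ca section marks it CA:TRUE, which "openssl
# verify" (and MySQL's ssl-ca check) requires of a trust anchor.
make_ca() {
    dir=$1
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
    openssl req -x509 -new -key "$dir/cakey.pem" -days 3650 \
        -subj "/CN=mysql-replication-ca" -out "$dir/cacert.pem" 2>/dev/null
}

# Issue one key + certificate for a role: master1, master1slave, master2, master2slave.
issue_cert() {
    dir=$1; name=$2
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
}

# Checks worth running before scp: the certificate chains to cacert.pem,
# the private key matches the certificate's public key, and the key file
# is readable by its owner only. Returns 1 on the first failed check.
check_pair() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -pubkey -noout | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    mode=$(stat -c %a "$dir/$name.key" 2>/dev/null || stat -f %Lp "$dir/$name.key")
    [ "$mode" = "600" ] || return 1
}

# Build everything. Distribution follows the post: master1.* and master2slave.*
# stay on Master1; master2.*, master1slave.* and cacert.pem go to Master2.
build_all() {
    dir=$1
    make_ca "$dir"
    for role in master1 master1slave master2 master2slave; do
        issue_cert "$dir" "$role"
        check_pair "$dir" "$role" || { echo "check failed for $role" >&2; return 1; }
    done
}

SSL_DIR=${SSL_DIR:-$(mktemp -d)}
build_all "$SSL_DIR"
echo "CA and four verified key/certificate pairs are in $SSL_DIR"
```

The key-to-certificate comparison catches the most common mistake in this four-file setup, shipping a `.crt` with the wrong `.key`, which MySQL only reports as a generic SSL connection error at `START SLAVE` time.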
III. Configuration of the two nodes:
Master1:
- # vim /etc/my.cnf
- skip-slave-start=1 # do not start the slave threads automatically on restart; start them by hand
- ssl # enable SSL; the CA information follows
- ssl-ca=/usr/local/mysql/ssl/cacert.pem
- ssl-cert=/usr/local/mysql/ssl/master1.crt
- ssl-key=/usr/local/mysql/ssl/master1.key
- log-bin=mysql-bin
- relay-log=mysql-relay # enable the relay log
- auto-increment-increment = 2 # step the auto-increment ID by 2 each time
- auto-increment-offset = 1 # starting value for auto-increment IDs
- server-id = 1
Master2:
- # vim /etc/my.cnf
- skip-slave-start=1
- ssl
- ssl-ca=/usr/local/mysql/ssl/cacert.pem
- ssl-cert=/usr/local/mysql/ssl/master2.crt
- ssl-key=/usr/local/mysql/ssl/master2.key
- log-bin=mysql-bin
- relay-log=mysql-relay
- auto-increment-increment = 2
- auto-increment-offset = 2
- server-id = 2
Restart the service for the changes to take effect:
# service mysqld restart
On both nodes create the replication user and require SSL for it:
- mysql> GRANT REPLICATION SLAVE,REPLICATION CLIENT ON *.* TO repluser@'192.168.80.%' IDENTIFIED BY 'redhat' REQUIRE SSL;
- mysql> flush privileges;
Check the binary log position on each node:
Master1:
- mysql>show master status;
- +------------------+----------+--------------+------------------+
- | File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
- +------------------+----------+--------------+------------------+
- | mysql-bin.000011 | 107 | | |
- +------------------+----------+--------------+------------------+
- 1 row in set (0.00 sec)
Master2:
- mysql>show master status;
- +------------------+----------+--------------+------------------+
- | File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
- +------------------+----------+--------------+------------------+
- | mysql-bin.000017 | 107 | | |
- +------------------+----------+--------------+------------------+
- 1 row in set (0.00 sec)
On Master2, configure it as a slave of Master1 (the log file and position are the ones reported by SHOW MASTER STATUS on Master1):
- mysql> CHANGE MASTER TO MASTER_HOST = '192.168.80.143' , -- the master server
- -> MASTER_USER = 'repluser' , -- replication user
- -> MASTER_PASSWORD = 'redhat' , -- password
- -> MASTER_LOG_FILE = 'mysql-bin.000011' , -- binary log file
- -> MASTER_LOG_POS = 107 , -- binary log position
- -> MASTER_SSL = 1 ,
- -> MASTER_SSL_CA = '/usr/local/mysql/ssl/cacert.pem' ,
- -> MASTER_SSL_CERT = '/usr/local/mysql/ssl/master1slave.crt' ,
- -> MASTER_SSL_KEY = '/usr/local/mysql/ssl/master1slave.key';
On Master1, configure it as a slave of Master2 (log file and position from SHOW MASTER STATUS on Master2):
- mysql> CHANGE MASTER TO MASTER_HOST = '192.168.80.144' ,
- -> MASTER_USER = 'repluser' ,
- -> MASTER_PASSWORD = 'redhat' ,
- -> MASTER_LOG_FILE = 'mysql-bin.000017' ,
- -> MASTER_LOG_POS = 107 ,
- -> MASTER_SSL = 1 ,
- -> MASTER_SSL_CA = '/usr/local/mysql/ssl/cacert.pem' ,
- -> MASTER_SSL_CERT = '/usr/local/mysql/ssl/master2slave.crt' ,
- -> MASTER_SSL_KEY = '/usr/local/mysql/ssl/master2slave.key';
Check the slave status on both nodes:
- mysql> show slave status\G
- *************************** 1. row ***************************
- Slave_IO_State: Waiting for master to send event
- Master_Host: 192.168.80.144
- Master_User: repluser
- Master_Port: 3306
- Connect_Retry: 60
- Master_Log_File: mysql-bin.000011
- Read_Master_Log_Pos: 107
- Relay_Log_File: mysql-relay.000002
- Relay_Log_Pos: 557
- Relay_Master_Log_File: mysql-bin.000011
- Slave_IO_Running: No
- Slave_SQL_Running: No
- Replicate_Do_DB:
- Replicate_Ignore_DB:
- Replicate_Do_Table:
- Replicate_Ignore_Table:
- Replicate_Wild_Do_Table:
- Replicate_Wild_Ignore_Table:
- Last_Errno: 0
- Last_Error:
- Skip_Counter: 0
- Exec_Master_Log_Pos: 411
- Relay_Log_Space: 709
- Until_Condition: None
- Until_Log_File:
- Until_Log_Pos: 0
- Master_SSL_Allowed: Yes
- Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem
- Master_SSL_CA_Path:
- Master_SSL_Cert: /usr/local/mysql/ssl/master2slave.crt
- Master_SSL_Cipher:
- Master_SSL_Key: /usr/local/mysql/ssl/master2slave.key
- Seconds_Behind_Master: 0
- Master_SSL_Verify_Server_Cert: No
- Last_IO_Errno: 0
- Last_IO_Error:
- Last_SQL_Errno: 0
- Last_SQL_Error:
- Replicate_Ignore_Server_Ids:
- Master_Server_Id: 2
- 1 row in set (0.00 sec)
After confirming everything is correct, start the slave:
- mysql> start slave;
- mysql> show slave status\G
- ...
- Slave_IO_Running: Yes
- Slave_SQL_Running: Yes
- ...
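A health check over the `SHOW SLAVE STATUS\G` output shown above, as an added example that is not part of the original post. It assumes the output has been saved to text (for instance with `mysql -e "show slave status\G"`), a lag threshold of 30 seconds, and a constructed sample built from the Master1 output above. Besides the two thread flags it reports the TLS fields: `Master_SSL_Verify_Server_Cert: No`, as in the output above, means the slave checks that the master's certificate chains to the CA but not that its CN names the master, so any certificate issued by the same CA (including the peer's slave certificate) would be accepted for the master.

```shell
#!/bin/sh
# Added example, not part of the original post: a health check over the text
# of "SHOW SLAVE STATUS\G". Assumptions: the text is fed on stdin, and a lag
# above 30 seconds counts as a finding.
set -eu

# Reads status text on stdin, prints one line per finding, exits 1 if any.
check_slave_status() {
    awk -F': *' '
        /^ *Slave_IO_Running:/              { io     = $2 }
        /^ *Slave_SQL_Running:/             { sql    = $2 }
        /^ *Master_SSL_Allowed:/            { ssl    = $2 }
        /^ *Master_SSL_Verify_Server_Cert:/ { verify = $2 }
        /^ *Seconds_Behind_Master:/         { lag    = $2 }
        /^ *Last_IO_Error:/                 { ioerr  = $2 }
        /^ *Last_SQL_Error:/                { sqlerr = $2 }
        END {
            bad = 0
            if (io != "Yes")     { print "IO thread not running (Slave_IO_Running=" io ")"; bad = 1 }
            if (sql != "Yes")    { print "SQL thread not running (Slave_SQL_Running=" sql ")"; bad = 1 }
            if (ssl != "Yes")    { print "replication link is not using SSL"; bad = 1 }
            if (verify != "Yes") { print "master certificate hostname not verified (MASTER_SSL_VERIFY_SERVER_CERT=1 is off)"; bad = 1 }
            if (lag == "NULL" || lag + 0 > 30) { print "replication lag: " lag " s"; bad = 1 }
            if (ioerr != "")     { print "Last_IO_Error: " ioerr; bad = 1 }
            if (sqlerr != "")    { print "Last_SQL_Error: " sqlerr; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the Master1 output shown in the post, before START SLAVE.
sample_status() {
    cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.80.144
                  Master_User: repluser
             Slave_IO_Running: No
            Slave_SQL_Running: No
                   Last_Error:
        Seconds_Behind_Master: 0
           Master_SSL_Allowed: Yes
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Error:
             Master_Server_Id: 2
1 row in set (0.00 sec)
EOF
}

# Number of findings for a status text read from stdin (0 means healthy).
count_findings() {
    check_slave_status | wc -l | tr -d ' '
}

sample_status | check_slave_status || echo "replication needs attention"
```

Run against the post's pre-START SLAVE output the check reports three findings: both threads stopped and the unverified master certificate; after `START SLAVE` only the last one remains until `MASTER_SSL_VERIFY_SERVER_CERT = 1` is added to `CHANGE MASTER TO` (which requires the master certificate's CN to match `MASTER_HOST`).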
IV. Test:
Create a database on Master1:
mysql> create database tb;
Check on Master2; it is already there:
Create a table on Master2:
- mysql> use tb
- mysql> create table aa (name varchar(10));
- mysql> insert into aa values ('centos'),('jin');
Check on Master1:
To verify SSL, connect over SSL and test, as shown below:
You can see that SSL is in use:
SSL: Cipher in use is DHE-RSA-AES256-SHA
At this point MySQL master-master replication with SSL authentication is done. If there are any mistakes, please point them out; many thanks!