1)主节点
[root@master ~]# vim /etc/my.cnf [mysqld] log_bin binlog_format=ROW log-basename=master server_id=1 relay_log=relay-log relay_log_index=relay-log.index [root@master ~]# systemctl restart mariadb MariaDB [(none)]> GRANT REPLICATION SLAVE ON *.* TO repluser@'192.168.0.%' IDENTIFIED BY 'replpass'; MariaDB [(none)]> SHOW MASTER LOGS; +-------------------+-----------+ | Log_name | File_size | +-------------------+-----------+ | master-bin.000001 | 26753 | | master-bin.000002 | 921736 | | master-bin.000003 | 401 | +-------------------+-----------+ MariaDB [(none)]> INSTALL PLUGIN rpl_semi_sync_master SONAME 'semisync_master.so'; #安装模块 MariaDB [(none)]> SET GLOBAL rpl_semi_sync_master_enabled=1; #开启半同步功能 MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE '%semi%'; +------------------------------------+-------+ | Variable_name | Value | +------------------------------------+-------+ | rpl_semi_sync_master_enabled | ON | #已开启 | rpl_semi_sync_master_timeout | 10000 | | rpl_semi_sync_master_trace_level | 32 | | rpl_semi_sync_master_wait_no_slave | ON | +------------------------------------+-------+ MariaDB [(none)]> SHOW GLOBAL STATUS LIKE '%semi%'; +--------------------------------------------+-------+ | Variable_name | Value | +--------------------------------------------+-------+ | Rpl_semi_sync_master_clients | 0 | | Rpl_semi_sync_master_net_avg_wait_time | 0 | | Rpl_semi_sync_master_net_wait_time | 0 | | Rpl_semi_sync_master_net_waits | 0 | | Rpl_semi_sync_master_no_times | 0 | | Rpl_semi_sync_master_no_tx | 0 | | Rpl_semi_sync_master_status | ON | | Rpl_semi_sync_master_timefunc_failures | 0 | | Rpl_semi_sync_master_tx_avg_wait_time | 0 | | Rpl_semi_sync_master_tx_wait_time | 0 | | Rpl_semi_sync_master_tx_waits | 0 | | Rpl_semi_sync_master_wait_pos_backtraverse | 0 | | Rpl_semi_sync_master_wait_sessions | 0 | | Rpl_semi_sync_master_yes_tx | 0 | +--------------------------------------------+-------+
2)从节点1
[root@slave1 ~]# vim /etc/my.cnf
[mysqld]
read_only=ON
log_bin
binlog_format=ROW
log-basename=slave
server_id=2
relay_log=relay-log
relay_log_index=relay-log.index
[root@slave1 ~]# systemctl restart mariadb
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST='192.168.0.7',
-> MASTER_USER='repluser',
-> MASTER_PASSWORD='replpass',
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE='master-bin.000003',
-> MASTER_LOG_POS=401,
-> MASTER_CONNECT_RETRY=10;
MariaDB [(none)]> INSTALL PLUGIN rpl_semi_sync_slave SONAME 'semisync_slave.so';
MariaDB [(none)]> SET GLOBAL rpl_semi_sync_slave_enabled=1;
MariaDB [(none)]> START SLAVE;
MariaDB [(none)]> SHOW MASTER LOGS;
+------------------+-----------+
| Log_name | File_size |
+------------------+-----------+
| slave-bin.000001 | 26753 |
| slave-bin.000002 | 921736 |
| slave-bin.000003 | 245 |
+------------------+-----------+
MariaDB [(none)]> GRANT REPLICATION SLAVE ON *.* TO repluser@'192.168.0.%' IDENTIFIED BY 'replpass';
3)从节点2
[root@slave2 ~]# vim /etc/my.cnf
[mysqld]
read_only=ON
server_id=3
relay_log=relay-log
relay_log_index=relay-log.index
[root@slave2 ~]# systemctl restart mariadb
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST='192.168.0.8',
-> MASTER_USER='repluser',
-> MASTER_PASSWORD='replpass',
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE='slave-bin.000003',
-> MASTER_LOG_POS=245,
-> MASTER_CONNECT_RETRY=10;
MariaDB [(none)]> START SLAVE;
4)从节点3
[root@slave3 ~]# vim /etc/my.cnf
[mysqld]
read_only=ON
server_id=4
relay_log=relay-log
relay_log_index=relay-log.index
[root@slave3 ~]# systemctl restart mariadb
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST='192.168.0.8',
-> MASTER_USER='repluser',
-> MASTER_PASSWORD='replpass',
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE='slave-bin.000003',
-> MASTER_LOG_POS=245,
-> MASTER_CONNECT_RETRY=10;
MariaDB [(none)]> START SLAVE;
六、加密传输复制的实现
在默认的主从复制过程或远程连接到MySQL/MariaDB所有的链接通信中的数据都是明文的,外网里访问数据或则复制,存在安全隐患。通过SSL/TLS加密的方式进行复制的方法,来进一步提高数据的安全性
主服务器开启SSL:[mysqld] 加一行ssl
主服务器配置证书和私钥;并且创建一个要求必须使用SSL连接的复制账号
从服务器使用CHANGER MASTER TO 命令时指明ssl相关选项
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%'; +---------------+----------+ | Variable_name | Value | +---------------+----------+ | have_openssl | DISABLED | | have_ssl | DISABLED | | ssl_ca | | | ssl_capath | | | ssl_cert | | | ssl_cipher | | | ssl_key | | +---------------+----------+特别提示:在配置之前先检查mysql服务是否支持ssl功能,如果have_ssl的值为'DISABLED'则支持;如果为'NO'则不支持,需要再重新编译安装或者安装具有ssl功能的版本
1)CA
[root@CA ~]# mkdir /etc/my.cnf.d/ssl/
[root@CA ~]# cd /etc/my.cnf.d/ssl/
[root@CA ssl]# openssl genrsa 2048 > cakey.pem
[root@CA ssl]# openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650 #自签证书
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:testmysqlca
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.testmysqlca.com
[root@CA ssl]# openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:testmysqlca
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:master.testmysqlca.com
[root@CA ssl]# openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt #签署master证书
[root@CA ssl]# openssl req -newkey rsa:2048 -days 365 -nodes -keyout slave.key > slave.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:testmysqlca
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:slave.testmysqlca.com
[root@CA ssl]# openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt #签署slave证书
[root@CA ssl]# openssl req -newkey rsa:2048 -days 365 -nodes -keyout slave2.key > slave2.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:testmysqlca
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:slave2.testmysqlca.com
[root@CA ssl]# openssl x509 -req -in slave2.csr -CA cacert.pem -CAkey cakey.pem -set_serial 03 > slave2.crt #签署slave2证书
[root@CA ssl]# openssl verify -CAfile cacert.pem master.crt slave.crt slave2.crt #检查证书是否可用
master.crt: OK
slave.crt: OK
slave2.crt: OK
先在各个节点上创建/etc/my.cnf.d/ssl/文件夹,将各自的证书,CA的证书和各自的秘钥文件复制过去
[root@CA ssl]# scp cacert.pem master.crt master.key root@192.168.0.7:/etc/my.cnf.d/ssl/
[root@CA ssl]# scp cacert.pem slave.crt slave.key root@192.168.0.8:/etc/my.cnf.d/ssl/
[root@CA ssl]# scp cacert.pem slave2.crt slave2.key root@192.168.0.9:/etc/my.cnf.d/ssl/
2)master
[root@master ~]# mkdir /etc/my.cnf.d/ssl/ [root@master ~]# vim /etc/my.cnf [mysqld] log_bin binlog_format=ROW log-basename=master server_id=1 ssl #开启ssl功能 ssl-ca=/etc/my.cnf.d/ssl/cacert.pem #指定CA证书的路径 ssl-cert=/etc/my.cnf.d/ssl/master.crt #指定自己的证书的路径 ssl-key=/etc/my.cnf.d/ssl/master.key #指定自己的秘钥文件路径 [root@master ~]# systemctl restart mariadb MariaDB [(none)]> GRANT REPLICATION SLAVE ON *.* TO repluser@'192.168.0.%' IDENTIFIED BY 'replpass' REQUIRE SSL; #授权用户并且强制迫使用户开启ssl登录 MariaDB [(none)]> SHOW MASTER LOGS; +-------------------+-----------+ | Log_name | File_size | +-------------------+-----------+ | master-bin.000001 | 26753 | | master-bin.000002 | 921736 | | master-bin.000003 | 413 | +-------------------+-----------+
3)slave1
[root@slave1 ~]# mkdir /etc/my.cnf.d/ssl/
[root@slave1 ~]# mysql -urepluser -preplpass -h192.168.0.7 --ssl-ca=/etc/my.cnf.d/ssl/cacert.pem --ssl-cert=/etc/my.cnf.d/ssl/slave.crt --ssl-key=/etc/my.cnf.d/ssl/slave.key
[root@slave1 ~]# vim /etc/my.cnf
[mysqld]
read_only=ON
server_id=2
relay_log=relay-log
relay_log_index=relay-log.index
ssl
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/slave.crt
ssl-key=/etc/my.cnf.d/ssl/slave.key
[root@slave1 ~]# systemctl restart mariadb
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST='192.168.0.7',
-> MASTER_USER='repluser',
-> MASTER_PASSWORD='replpass',
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE='master-bin.000003',
-> MASTER_LOG_POS=413,
-> MASTER_CONNECT_RETRY=10,
-> MASTER_SSL=1; #注意,需要指明开启ssl链接
MariaDB [(none)]> START SLAVE;
4)slave2
[root@slave2 ~]# mkdir /etc/my.cnf.d/ssl/
[root@slave2 ~]# mysql -urepluser -preplpass -h192.168.0.7 --ssl-ca=/etc/my.cnf.d/ssl/cacert.pem --ssl-cert=/etc/my.cnf.d/ssl/slave2.crt --ssl-key=/etc/my.cnf.d/ssl/slave2.key
[root@slave2 ~]# vim /etc/my.cnf
[mysqld]
read_only=ON
server_id=3
relay_log=relay-log
relay_log_index=relay-log.index
ssl
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/slave2.crt
ssl-key=/etc/my.cnf.d/ssl/slave2.key
[root@slave2 ~]# systemctl restart mariadb
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST='192.168.0.7',
-> MASTER_USER='repluser',
-> MASTER_PASSWORD='replpass',
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE='master-bin.000003',
-> MASTER_LOG_POS=413,
-> MASTER_CONNECT_RETRY=10,
-> MASTER_SSL=1;
MariaDB [(none)]> START SLAVE;
七、MySQL复制的相关指令和变量总结
选项:
- log_bin 启用二进制日志,在主节点或级联复制中间的从节点必须要开启
- binlog_format=ROW 二进制日志记录方式为基于行的方式记录,强烈建议开启
- log-basename=master | slave ... 二进制日志的前缀名,不是必须向,但建议标识
- server_id = # 服务器ID,各个节点的ID必须唯一
- relay_log = relay-log 开启中继日志,并以relay-log为文件名开头,从节点开启
- relay_log_index = relay-log.index 中继日志索引文件
- log_slave_updates 作用是SQL线程重读中继日志时将改变数据的操作记录为二进制日志,在级联复制中使用
- ssl 开启ssl功能
- ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
- ssl-cert=/etc/my.cnf.d/ssl/master.crt
- ssl-key=/etc/my.cnf.d/ssl/master.key
- sync_binlog=1 每次写后立即同步二进制日志到磁盘
- innodb_flush_log_at_trx_commit=1 每次事务提交立即同步日志写磁盘
- sync_master_info=# #次事件后master.info同步到磁盘
- skip_slave_start=ON 不自动启动slave
- sync_relay_log=# #次写后同步relay log到磁盘
- sync_relay_log_info=# #次事务后同步relay-log.info到磁盘
- auto_increment_offset=1 自动增长开始点,在主主复制中使用
变量:
- replicate_do_db= 指定复制库的白名单
- replicate_ignore_db= 指定复制库黑名单
- replicate_do_table= 指定复制表的白名单
- replicate_ignore_table= 指定复制表的黑名单
- replicate_wild_do_table= foo%.bar% 支持通配符
- replicate_wild_ignore_table= 指定复制的表,黑名单
- rpl_semi_sync_slave_enabled=1 开启半同步复制,需要安装模块
指令:
- START SLAVE; 启动主从复制
- STOP SLAVE; 停止复制
- SHOW SLAVE STATUS; 查看复制状态
- Seconds_Behind_Master: 0 从服务器是否落后于主服务
- RESET SLAVE ALL; 重置从服务器的配置
- MASTER_SSL=1, 配合 CHANGE MASTER TO 使用,开启ssl加密复制
- MASTER_SSL_CA = '/etc/my.cnf.d/ssl/cacert.pem',
- MASTER_SSL_CERT = '/etc/my.cnf.d/ssl/slave.crt',
- MASTER_SSL_KEY = '/etc/my.cnf.d/ssl/slave.key';
- PURGE { BINARY | MASTER } LOGS { TO 'log_name' | BEFORE datetime_expr } 删除二进制日志,谨慎操作
- SHOW MASTER STATUS 查看二进制日志状态
- SHOW BINLOG EVENTS 查看二进制日志
- SHOW BINARY LOGS 查看二进制日志
到此这篇关于MySQL系列之十三 MySQL的复制的文章就介绍到这了,更多相关MySQL的复制内容请搜索
更多相关Mysql内容来自木庄网络博客
标签:Mysql
相关阅读 >>
mysql8.0连接协议及3306、33060、33062端口的作用解析
mysql中database()和current_user()函数的示例详解
更多相关阅读请进入《mysql》频道 >>
数据库系统概念 第6版
本书主要讲述了数据模型、基于对象的数据库和XML、数据存储和查询、事务管理、体系结构等方面的内容。
