Blog roll
R-bloggers, Debian Weekly![[Valid RSS]](valid-rss-rogers.png "Validate my RSS feed")
Last modified:
maj 30, 2020
Sources: https://mariadb.com/kb/en/library/setting-up-replication/, /usr/share/doc/mariadb-server-10.1/README.Debian.gz
1. Allow network access to the server
/etc/mysql/mariadb.conf.d/50-server.cnf[mysqld] #bind-address = 127.0.0.1 bind-address = 0.0.0.0
2. Set the server-id; specify that only database twitter show be replicated in the log; enable the binary log. The best format appears to be MIXED (https://mariadb.com/kb/en/library/binary-log-formats/).
If binlog-do-db is not specified, all changes is recorded, which is not what I wanted here (since the slave has other stuff as well).
Again, edit /etc/mysql/mariadb.conf.d/50-server.cnf
[mariadb] server-id = 1 log-basename = pimaster1 log_bin # Keep bin logs until the binlog reaches it maximum allowed value expire_logs_days = 0 ## Allow for 1GB of binlogs max_binlog_size = 1024M binlog_format = MIXED binlog-do-db = twitter
3. Grant access for the slave(s), by issuing a SQL query like this as root user on the master.
GRANT REPLICATION SLAVE ON *.* TO replication_user IDENTIFIED BY 'really good password here';
4. Set the server-id to something unique. On the slave, edit /etc/mysql/mariadb.conf.d/50-server.cnf
[mariadb] 1 is pi (master), we are 2 and slave server-id = 2
FLUSH TABLES WITH READ LOCK
SHOW MASTER STATUS;
$ mysqldump -p --databases twitter > twitter.sql
$ mysql -p < twitter.sql
Issue this query (change the data to fit your situation) on the slave
CHANGE MASTER TO MASTER_HOST='master.hostname', MASTER_USER='replication_user', MASTER_PASSWORD='bigs3cret', MASTER_PORT=3306, MASTER_LOG_FILE='mariadb-bin.000096', MASTER_LOG_POS=568, MASTER_CONNECT_RETRY=10;
Issue this query on the slave
START SLAVE;
SHOW SLAVE STATUS\G
SHOW MASTER STATUS;
This section is based on http://llawlor.github.io/2016/03/14/mysql-ssl-replication.html
On the master, create the SSL-keys:
mkdir /etc/ssl/certs/mysql chown mysql /etc/ssl/certs/mysql cd /etc/ssl/certs/mysql openssl req -x509 -newkey rsa:2048 -keyout master-private.pem -out master-public.pem -nodes -days 3650 # convert the key to the correct format for mysql openssl rsa -in master-private.pem -out master-private.pem cp master-public.pem ca-cert.pem chown mysql:mysql *
On the slave, add the SSL keys:
mkdir /etc/ssl/certs/mysql chown mysql /etc/ssl/certs/mysql cd /etc/ssl/certs/mysql # transfer the certificate from the master database server to the slave database server scp MASTER_USER@MASTER_IP_ADDRESS:/etc/ssl/certs/mysql/ca-cert.pem . # create the slave's ssl keys openssl req -x509 -newkey rsa:2048 -keyout slave-private.pem -out slave-public.pem -nodes -days 3650 # convert the key to the correct format for mysql openssl rsa -in slave-private.pem -out slave-private.pem # append the public key to the certificate bash -c "cat slave-public.pem >> ca-cert.pem" # change file ownerships back to mysql chown mysql:mysql /etc/ssl/certs/mysql -R # copy back file to master scp ca-cert.pem foo.bar:/etc/ssl/certs/mysql/
At the master, change file ownership of the returned file
chown mysql:mysql ca-cert.pem
Update the configuration file /etc/mysql/maria.conf.d/50-server on the master to use SSL
[mysqld] ssl-ca=/etc/ssl/certs/mysql/ca-cert.pem ssl-cert=/etc/ssl/certs/mysql/master-public.pem ssl-key=/etc/ssl/certs/mysql/master-private.pem # Accept only connections using the latest and most secure TLS protocol version. # ..when MariaDB is compiled with OpenSSL: # ssl-cipher=TLSv1.2 # ..when MariaDB is compiled with YaSSL (default in Debian): ssl=on
Restart the master
systemctl restart mysql
On the slave give mysql permission to read a certificate
nano /etc/apparmor.d/usr.sbin.mysqld
Add this line:
/etc/ssl/certs/mysql/*.pem r,
Update the configuration file on the slave /etc/mysql/maria.conf.d/50-server to use SSL
ssl-ca=/etc/ssl/certs/mysql/ca-cert.pem ssl-cert=/etc/ssl/certs/mysql/slave-public.pem ssl-key=/etc/ssl/certs/mysql/slave-private.pem # Accept only connections using the latest and most secure TLS protocol version. # ..when MariaDB is compiled with OpenSSL: # ssl-cipher=TLSv1.2 # ..when MariaDB is compiled with YaSSL (default in Debian): ssl=on
Restart the slave
systemctl restart mysql
Active the replication by issuing this on the slave
CHANGE MASTER TO MASTER_HOST='hansekbrand.se', MASTER_USER='replication_user', MASTER_PASSWORD='really good password here', MASTER_PORT=3306, MASTER_LOG_FILE='pimaster1-bin.000021', MASTER_LOG_POS=1487, MASTER_SSL=1, MASTER_SSL_CA='/etc/ssl/certs/mysql/ca-cert.pem', MASTER_CONNECT_RETRY=10;
mysql> SHOW SLAVE STATUS \G ... Slave_SQL_Running: No ...
mysql> STOP SLAVE;
mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;
mysql> START SLAVE;
mysql> SHOW SLAVE STATUS \G ... Slave_SQL_Running: Yes ...