红帽全球峰会2.8. Replicating MySQL with TLS encryption
You can set up MySQL replication with TLS encryption to create secure data replication between source and replica servers.
Replication itself is not a sufficient backup solution. Replication protects source servers against hardware failures, but it does not ensure protection against data loss.
2.8.1. Configuring a MySQL source server
You can set configuration options required for a MySQL source server to properly run and replicate all changes made on the database server through the TLS protocol.
Prerequisites
- The source server is installed.
The source server has TLS set up.
重要The source and replica certificates must be signed by the same certificate authority.
Procedure
Include the following options in the
/etc/my.cnf.d/mysql-server.cnffile under the[mysqld]section:bind-address=source_ip_adressThis option is required for connections made from replicas to the source.
server-id=idThe id must be unique.
log_bin=path_to_source_server_logThis option defines a path to the binary log file of the MySQL source server. For example:
log_bin=/var/log/mysql/mysql-bin.log.gtid_mode=ONThis option enables global transaction identifiers (GTIDs) on the server.
enforce-gtid-consistency=ONThe server enforces GTID consistency by allowing execution of only statements that can be safely logged by using a GTID.
Optional:
binlog_do_db=db_nameUse this option if you want to replicate only selected databases. To replicate more than one selected database, specify each of the databases separately:
binlog_do_db=db_name1 binlog_do_db=db_name2 binlog_do_db=db_name3Optional:
binlog_ignore_db=db_nameUse this option to exclude a specific database from replication.
Restart the
mysqldservice:# systemctl restart mysqld.service
2.8.2. Configuring a MySQL replica server
You can set configuration options required for a MySQL replica server to ensure a successful replication.
Prerequisites
- The replica server is installed.
The replica server has TLS set up.
重要The source and replica certificates must be signed by the same certificate authority.
Procedure
Include the following options in the
/etc/my.cnf.d/mysql-server.cnffile under the[mysqld]section:server-id=idThe id must be unique.
relay-log=path_to_replica_server_logThe relay log is a set of log files created by the MySQL replica server during replication.
log_bin=path_to_replica_sever_logThis option defines a path to the binary log file of the MySQL replica server. For example:
log_bin=/var/log/mysql/mysql-bin.log.This option is not required in a replica but strongly recommended.
gtid_mode=ONThis option enables global transaction identifiers (GTIDs) on the server.
enforce-gtid-consistency=ONThe server enforces GTID consistency by allowing execution of only statements that can be safely logged by using a GTID.
log-replica-updates=ONThis option ensures that updates received from the source server are logged in the replica’s binary log.
skip-replica-start=ONThis option ensures that the replica server does not start the replication threads when the replica server starts.
Optional:
binlog_do_db=db_nameUse this option if you want to replicate only certain databases. To replicate more than one database, specify each of the databases separately:
binlog_do_db=db_name1 binlog_do_db=db_name2 binlog_do_db=db_name3Optional:
binlog_ignore_db=db_nameUse this option to exclude a specific database from replication.
Restart the
mysqldservice:# systemctl restart mysqld.service
You must create a replication user with appropriate permissions on the MySQL source server to enable replica servers to connect and receive data changes.
Prerequisites
- The source server is installed and configured as described in Configuring a MySQL source server.
Procedure
Create a replication user:
mysql> CREATE USER 'replication_user'@'replica_server_hostname' IDENTIFIED WITH mysql_native_password BY 'password';Grant the user replication permissions:
mysql> GRANT REPLICATION SLAVE ON *.* TO 'replication_user'@'replica_server_hostname';*Reload the grant tables in the MySQL database:
mysql> FLUSH PRIVILEGES;Set the source server to read-only state:
mysql> SET @@GLOBAL.read_only = ON;
You must configure the replica server with source server credentials and start replication to establish a connection between the MySQL replica and source servers.
Prerequisites
- The source server is installed and configured as described in Configuring a MySQL source server.
- The replica server is installed and configured as described in Configuring a MySQL replica server.
- You have created a replication user. See Creating a replication user on the MySQL source server.
Procedure
Set the replica server to read-only state:
mysql> SET @@GLOBAL.read_only = ON;Configure the replication source:
mysql> CHANGE REPLICATION SOURCE TO SOURCE_HOST='source_hostname', SOURCE_USER='replication_user', SOURCE_PASSWORD='password', SOURCE_AUTO_POSITION=1, SOURCE_SSL=1, SOURCE_SSL_CA='path_to_ca_on_source', SOURCE_SSL_CAPATH='path_to_directory_with_certificates', SOURCE_SSL_CERT='path_to_source_certificate', SOURCE_SSL_KEY='path_to_source_key';Start the replica thread in the MySQL replica server:
mysql> START REPLICA;Unset the read-only state on both the source and replica servers:
mysql> SET @@GLOBAL.read_only = OFF;Optional: Inspect the status of the replica server for debugging purposes:
mysql> SHOW REPLICA STATUS\G;注意If the replica server fails to start or connect, you can skip a certain number of events following the binary log file position displayed in the output of the
SHOW MASTER STATUScommand. For example, skip the first event from the defined position:mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1;Afterwards, try to start the replica server again.
Optional: Stop the replica thread in the replica server:
mysql> STOP REPLICA;
2.8.5. Verifying replication on a MySQL server
You can verify that MySQL replication works correctly by creating test databases and checking replication status on source and replica servers.
Procedure
Create an example database on the source server:
mysql> CREATE DATABASE test_db_name;-
Verify that the
test_db_namedatabase replicates on the replica server. Display status information about the binary log files of the MySQL server by executing the following command on either of the source or replica servers:
mysql> SHOW MASTER STATUS;The
Executed_Gtid_Setcolumn, which shows a set of GTIDs for transactions executed on the source, must not be empty.注意The same set of GTIDs is displayed in the
Executed_Gtid_Setrow when you use theSHOW REPLICA STATUSon the replica server.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}