This tutorial describes how to set up database replication for MySQL using SSL on Ubuntu 12.04. There are some tutorials out there, but I found out they are a little outdated and don't work as well any more (at least not for Ubuntu specifically). So I decided to write down my experience for other developers who find them selves setting up MySQL database replication to make their lives easier.
First, we start with setting up the master server. Last, we set up the slave server to download database changes from the master server. For the purpose of this tutorial we are going to replicate a database called 'exampledb' from a server at master.webdevelopersdiary.com to a server at slave.webdevelopersdiary.com.
First, we start with setting up the master server. Last, we set up the slave server to download database changes from the master server. For the purpose of this tutorial we are going to replicate a database called 'exampledb' from a server at master.webdevelopersdiary.com to a server at slave.webdevelopersdiary.com.
Set up the master server
Setting up the master consists of the following steps:
- Generate SSL certificates.
- Edit MySQL configuration my.cnf.
- Restart MySQL server process.
- Set up database replication privileges (and force SSL).
- Perform initial database backup to start replication from.
- Finish up.
The SSL certificates have to be placed in the /etc/mysql/ directory if you want them to work out-of-the-box. If you want to place them elsewhere, you first have to update the MySQL Apparmor settings, or SSL will fail. For the purpose of this tutorial, we will assume all the certificates will be in /etc/mysql/. The MySQL Manual explains very well how to generate the SSL certificates. I copied the steps here for your convenience. First, we generate the CA certificate:
$ mkdir ~/mysql-tutorial/ && cd ~/mysql-tutorial/
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 1000 \
-key ca-key.pem -out ca-cert.pem
Then create the server certificate, remove its passphrase and sign it:
$ openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout server-key.pem -out server-req.pem
$ openssl rsa -in server-key.pem -out server-key.pem
$ openssl x509 -req -in server-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Create the client certificate, remove its passphrase and sign it:
$ openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout client-key.pem -out client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -req -in client-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Install the certificates into to /etc/mysql/ directory:
$ sudo cp *.pem /etc/mysql/
Open /etc/mysql/my.cnf and make sure MySQL is listening on all interfaces so that the backup server can reach the database from the outside. Typically, there is a line like:
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
The line starting with “bind-address” should be commented out if present.
Also add the following in the [mysqld] section of the config file:
Also add the following in the [mysqld] section of the config file:
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
binlog_do_db = exampledb
And enable SSL by editing:
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
Close /etc/mysql/my.cnf and restart MySQL to apply changes to the config by executing the command:
$ sudo service mysql restart
Next, we create a database dump of the database we want to replicate (exampledb). During the dump, we need to lock the database to determine the exact position from which we need to start replicating (corresponding to the database dump). So we write down the log ‘position’ column from which to start replicating on the slave.
Login to the mysql server (located at master.webdevelopersdiary.com) as root from command line (or use a web-based admin tool like phpMyAdmin to execute the required commands):
Login to the mysql server (located at master.webdevelopersdiary.com) as root from command line (or use a web-based admin tool like phpMyAdmin to execute the required commands):
$ mysql -h localhost -u root -p
Execute the following SQL commands:
GRANT REPLICATION SLAVE ON *.*
TO 'slave_user'@'slave.webdevelopersdiary.com'
IDENTIFIED BY 'slave_password'
REQUIRE SSL;
FLUSH PRIVILEGES;
USE exampledb;
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;
Write down the output of the last statement, you're going to need it later. An example output looks like:
+------------------+----------+-----------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+-----------------+------------------+
| mysql-bin.000002 | 1337 | exampledb | |
+------------------+----------+-----------------+------------------+
1 row in set (0.00 sec)
Write down the output. Bring the MySQL console to the background (press CTRL+Z) and make the database dump:
$ mysqldump -h localhost -u root -p --opt exampledb > ~/mysql-tutorial/exampledb.sql
$ fg
`fg` returns you to the MySQL shell, execute the following SQL to finish up:
UNLOCK TABLES;
quit;
Copy exampledb.sql, ca-cert.pem, client-cert.pem and client-key.pem from the ~/mysql-tutorial/ directory to the slave server located at slave.webdevelopersdiary.com. Convince yourself there is no firewall running that is blocking SQL connections from the outside. That's it for the master server.
Set up the slave server
The steps for the slave server are:
Place all the .pem files you copied from master server into the directory /etc/mysql/ on the slave server. Start of your favourite editor and edit /etc/mysql/my.cnf and add the following lines:
- Setup the SSL certificates.
- Edit MySQL server configuration my.cnf.
- Restart MySQL server.
- Configure and start slave server.
- Finish up.
Place all the .pem files you copied from master server into the directory /etc/mysql/ on the slave server. Start of your favourite editor and edit /etc/mysql/my.cnf and add the following lines:
server-id=2
replicate-do-db=exampledb
Save and close /etc/mysql/my.cnf and restart the MySQL server. Then start up the MySQL console:
$ sudo service mysql restart
$ mysql -h localhost -u root -p
Execute following SQL to import database and start slave. Make sure you replace the correct values at MASTER_HOST, MASTER_USER, MASTER_PASSWORD, MASTER_LOG_FILE (from earlier written down value) and MASTER_LOG_POS (also from earlier written down value).
STOP SLAVE;
CREATE DATABASE IF NOT EXISTS exampledb;
USE exampledb;
SOURCE /path/to/exampledb.sql;
CHANGE MASTER TO
MASTER_HOST='master.webdevelopersdiary.com',
MASTER_USER='slave_user',
MASTER_PASSWORD='slave_password',
MASTER_CONNECT_RETRY=60,
MASTER_LOG_FILE='mysql-bin.000002',
MASTER_LOG_POS=1337,
MASTER_SSL=1,
MASTER_SSL_CA='/etc/mysql/ca-cert.pem',
MASTER_SSL_CERT='/etc/mysql/client-cert.pem',
MASTER_SSL_KEY='/etc/mysql/client-key.pem';
START SLAVE;
SHOW SLAVE STATUS \G;
That's it, database replication should be up and running!