N63050 Week 10 Operations Homework
Read on: July 9, 2023  Views: 1

19. VPN Services

1. Implementing firewall functions with firewalld and the newer nft (65 min)

2. OpenVPN introduction and environment preparation (48 min)

3. Implementing CA certificates for OpenVPN (45 min)

4. OpenVPN server and client implementation (65 min)

5. OpenVPN advanced management features (49 min)

6. Releasing Alibaba Cloud resources (7 min)

7. Database fundamentals (47 min)

8. Relational database theory (44 min)

20. MySQL Database I

1. MySQL installation and security hardening (58 min)

2. Basic MySQL usage and binary installation (54 min)

3. Compiling MySQL from source and introduction to SQL (44 min)

4. MySQL multi-instance and SQL statement categories (54 min)

5. Database management and table creation in SQL (55 min)

6. DML and DQL statements (45 min)

7. Single-table and multi-table queries in SQL (62 min)

Employment (Full Course) Week 10 Homework

1. Set up OpenVPN on an Alibaba Cloud server (only for students who have the means)

Lab setup diagram

1. Configure the Alibaba Cloud server and environment

2. Connect to the Alibaba Cloud server and set up SSH key authentication among the three hosts

# Connect to the Alibaba Cloud public server
[root@centos8 ~]#ssh 47.92.28.209
The authenticity of host '47.92.28.209 (47.92.28.209)' can't be established.
ECDSA key fingerprint is SHA256:iqkaIyE2yXmNj6RDF4x7785Gmd/uSmXUqi2INxPgfwI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '47.92.28.209' (ECDSA) to the list of known hosts.
root@47.92.28.209's password: 

Welcome to Alibaba Cloud Elastic Compute Service !

Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Aug  8 20:36:26 2022 from 47.96.60.214
[root@openvpn-server-main ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:04:8c:93 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.1/24 brd 172.30.0.255 scope global dynamic noprefixroute eth0
       valid_lft 315357152sec preferred_lft 315357152sec
    inet6 fe80::216:3eff:fe04:8c93/64 scope link
       valid_lft forever preferred_lft forever
[root@openvpn-server-main ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:gWYPRHt0Dilr/dLbjR4D3q1K4FSjGqE7DaL8sQF+1T8 root@openvpn-server-main
The key's randomart image is:
+---[RSA 3072]----+
|     .o o..      |
|     ..+.+       |
|      B+o +      |
|     ++=.+ .     |
| .. oo..So.      |
|o....+ =oooo .   |
|.o +o o .Eoo+o.  |
|  o +.   .o o+.  |
|   o      .oo    |
+----[SHA256]-----+
[root@openvpn-server-main ~]#
[root@openvpn-server-main ~]#
[root@openvpn-server-main ~]# ssh-copy-id 127.0.0.1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:iqkaIyE2yXmNj6RDF4x7785Gmd/uSmXUqi2INxPgfwI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@127.0.0.1's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.

[root@openvpn-server-main ~]# cd .ssh
[root@openvpn-server-main .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[root@openvpn-server-main ~]# rsync -av .ssh 172.30.0.100:/root/
root@172.30.0.100's password:
sending incremental file list
.ssh/
.ssh/authorized_keys
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/known_hosts

sent 4,619 bytes  received 102 bytes  269.77 bytes/sec
total size is 4,285  speedup is 0.91
[root@openvpn-server-main ~]# rsync -av .ssh 172.30.0.200:/root/
root@172.30.0.200's password:
sending incremental file list
.ssh/
.ssh/authorized_keys
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/known_hosts

sent 4,619 bytes  received 102 bytes  858.36 bytes/sec
total size is 4,285  speedup is 0.91
[root@openvpn-server-main ~]# ssh 172.30.0.100

Welcome to Alibaba Cloud Elastic Compute Service !

Activate the web console with: systemctl enable --now cockpit.socket

Last failed login: Mon Aug  8 21:47:22 CST 2022 from 172.30.0.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Aug  8 21:45:38 2022 from 172.30.0.1

3. Install OpenVPN and the certificate management tool

# OpenVPN server side
[root@openvpn-server-main ~]#yum -y install openvpn
# Certificate management tool
[root@openvpn-server-main ~]#yum -y install easy-rsa

4. Prepare the related configuration files

# Generate the server configuration file
[root@openvpn-server-main ~]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/

# Prepare the files for certificate issuance
[root@openvpn-server-main ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server

# Prepare the configuration file holding the variables for certificate issuance
[root@openvpn-server-main ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
[root@openvpn-server-main ~]# vim /etc/openvpn/easy-rsa-server/3/vars
# It is recommended to change the validity period of the certificates issued to the CA and the OpenVPN server; it can be lengthened
# The CA certificate validity defaults to 10 years and can be extended, for example to 36500 days
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 36500
# The server certificate defaults to 825 days and can be lengthened, for example to 3650 days
#set_var EASYRSA_CERT_EXPIRE 825
# Change the line above to the one below
set_var EASYRSA_CERT_EXPIRE 3650

[root@openvpn-server-main ~]# tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa-server
│   ├── 3 -> 3.0.8
│   ├── 3.0 -> 3.0.8
│   └── 3.0.8
│       ├── easyrsa
│       ├── openssl-easyrsa.cnf
│       ├── vars
│       └── x509-types
│           ├── ca
│           ├── client
│           ├── code-signing
│           ├── COMMON
│           ├── email
│           ├── kdc
│           ├── server
│           └── serverClient
├── server
└── server.conf

7 directories, 12 files

4.1 Initialize the PKI

[root@openvpn-server-main 3]# cd /etc/openvpn/easy-rsa-server/3/
[root@openvpn-server-main 3]# ls
easyrsa  openssl-easyrsa.cnf  vars  x509-types

# Initialize the data; this creates the pki directory and related files under the current directory
[root@openvpn-server-main 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki

[root@openvpn-server-main 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki              # a new directory and related files are generated
│   ├── openssl-easyrsa.cnf
│   ├── private
│   ├── reqs
│   └── safessl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 13 files
[root@openvpn-server-main 3]# cd /etc/openvpn/easy-rsa-server/3
[root@openvpn-server-main 3]# tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf

2 directories, 2 files

4.2 Create the CA and self-sign it

# Create the CA and self-sign it
[root@openvpn-server-main 3]# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................+++++
........................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt     # the generated CA certificate

[root@openvpn-server-main 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   └── ca.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 7 files
[root@openvpn-server-main 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:89:6b:65:55:9d:b9:45:d3:f9:4a:fc:6c:b2:d2:22:77:7c:36:c0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Easy-RSA CA
        Validity
            Not Before: Aug  8 14:40:16 2022 GMT
            Not After : Aug  5 14:40:16 2032 GMT
        Subject: CN = Easy-RSA CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a1:b9:92:73:8e:7d:fc:51:45:18:eb:f3:8e:31:
                    14:42:2b:ed:84:ec:a4:90:8c:ee:38:79:5f:27:95:
                    d8:10:ac:56:fa:74:fc:8d:1d:36:4b:01:0d:ab:07:
                    5c:81:7d:78:1f:3d:4f:40:90:ca:95:27:71:18:61:
                    73:6b:38:a9:5f:5d:11:5b:6d:9c:b5:82:76:9a:b0:
                    95:1e:4c:48:5b:97:94:1f:32:c1:fa:12:41:1c:8b:
                    27:9e:19:ae:54:76:62:63:ce:7f:c9:bf:4d:42:76:
                    93:b7:bd:03:3f:56:2c:84:1d:4f:2b:0d:c9:b0:76:
                    bb:92:37:2d:5e:fc:e6:82:2c:cd:b5:b6:09:f8:ff:
                    7f:49:10:14:3f:cf:ec:04:2d:36:9c:2f:d8:1e:76:
                    a2:1e:05:bb:69:08:76:9c:4b:09:f5:ef:97:e2:56:
                    5c:ca:6e:48:09:cb:50:63:5f:77:5b:0d:33:b9:a3:
                    db:d8:93:05:ca:51:a0:34:2c:87:06:3d:63:ee:09:
                    2c:15:4f:f3:08:e1:7d:6e:f4:8f:00:9e:21:85:2b:
                    44:8f:e1:2b:37:e6:6f:8e:66:19:e8:4b:4d:a4:3c:
                    84:56:81:a4:35:f6:31:b6:85:dc:78:bd:f9:8a:91:
                    41:34:9a:3f:3a:ae:68:6f:a1:6c:3c:6f:8a:ec:f7:
                    f2:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DE:DD:41:BE:B6:AD:6B:08:EF:DB:7D:48:9B:A9:22:3A:79:7E:02:81
            X509v3 Authority Key Identifier:
                keyid:DE:DD:41:BE:B6:AD:6B:08:EF:DB:7D:48:9B:A9:22:3A:79:7E:02:81
                DirName:/CN=Easy-RSA CA
                serial:5A:89:6B:65:55:9D:B9:45:D3:F9:4A:FC:6C:B2:D2:22:77:7C:36:C0

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         2c:63:db:ad:e6:fb:0c:ae:eb:42:0c:fb:8d:2e:e3:14:15:54:
         1c:55:be:f4:c9:b4:7b:e4:37:67:74:e9:e6:37:08:45:05:82:
         a2:72:87:82:4c:82:7c:f0:73:45:65:a7:23:05:0d:2e:3d:3d:
         5f:92:03:2d:19:e1:50:e0:35:ef:39:25:d2:8c:c7:27:dd:da:
         5b:31:a1:f7:09:45:a5:c4:be:0f:69:76:f8:5b:93:4c:3e:8e:
         e8:f5:04:0a:45:e4:5b:8e:f9:aa:07:24:1b:7e:a7:59:58:9b:
         85:3c:bd:e9:28:8b:3b:25:a5:b6:6c:e8:5c:ad:57:73:74:e6:
         ff:85:3c:1a:b7:6e:8f:9d:6a:a7:b1:15:a6:61:cf:f5:89:fd:
         dc:40:cd:ba:ec:71:c8:90:c0:51:f3:2d:5c:9f:5d:8e:2e:eb:
         62:b3:2f:81:ab:8c:89:5e:25:ce:b3:c6:6f:3b:e7:3c:dd:4c:
         84:0e:f8:da:ee:e8:82:c9:f1:67:70:a4:79:7a:35:7d:87:1a:
         f4:2d:33:6f:55:14:e0:3e:81:28:01:5b:b4:10:f6:64:b5:05:
         a3:a1:ac:54:1e:52:07:99:9b:80:62:3b:a1:58:ad:be:10:d9:
         92:63:fe:19:61:f2:47:41:42:fa:fd:53:51:02:93:7a:fe:ac:
         b2:2a:33:48
# View the generated self-signed certificate
[root@openvpn-server-main 3]#cat pki/ca.crt

[root@openvpn-server-main 3]# sz pki/ca/crt
-bash: sz: command not found
[root@openvpn-server-main 3]# yum -y install lrzsz    # install the sz tool

[root@openvpn-server-main 3]# sz pki/ca.crt    # copy to Windows

[root@openvpn-server-main 3]# 

5. Create the server certificate request

[root@openvpn-server-main 3]# cd /etc/openvpn/easy-rsa-server/3
# Create the server certificate request file; "server" is the file name prefix
[root@openvpn-server-main 3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
.................................................................................................+++++
........................+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-26484.lfNdNM/tmp.BZuLss'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key

[root@openvpn-server-main 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key        # server private key file
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req         # server request file
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 9 files

# Issue a server-type certificate for the server.req request above
[root@openvpn-server-main 3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-26514.sJWU62/tmp.tKyEVX
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Nov 10 14:55:40 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt

[root@openvpn-server-main 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── ACC5AB97F9C4E738AD99B57FF352BF91.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 14 files

[root@openvpn-server-main 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── ca.crt
│   ├── certs_by_serial
│   │   └── ACC5AB97F9C4E738AD99B57FF352BF91.pem    # server certificate file
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── issued
│   │   └── server.crt          # server certificate file
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   ├── ca.key
│   │   └── server.key
│   ├── renewed
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── reqs
│   │   └── server.req
│   ├── revoked
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── safessl-easyrsa.cnf
│   ├── serial
│   └── serial.old
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

14 directories, 25 files

[root@openvpn-server-main 3]# cat pki/index.txt
V    241110145540Z       ACC5AB97F9C4E738AD99B57FF352BF91    unknown /CN=server

6. Create the Diffie-Hellman key (DH parameters)

[root@openvpn-server-main ~]# cd /etc/openvpn/easy-rsa-server/3
[root@openvpn-server-main 3]# 3]#./easyrsa gen-dh
-bash: 3]#./easyrsa: No such file or directory
[root@openvpn-server-main 3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................................+.................................+........+.........................................................................+...............................................+......++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem

[root@openvpn-server-main 3]# ll pki/dh.pem
-rw------- 1 root root 424 Aug  9 09:31 pki/dh.pem

7. Prepare the client certificate environment

7.1 Configure the client certificate

[root@openvpn-server-main ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
# Switch to the client directory
[root@openvpn-server-main ~]# cd /etc/openvpn//easy-rsa-client/3/
[root@openvpn-server-main 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

1 directory, 10 files

# Generate the pki directory and files needed for certificate requests
[root@openvpn-server-main 3]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki

[root@openvpn-server-main 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── openssl-easyrsa.cnf
│   ├── private
│   ├── reqs
│   └── safessl-easyrsa.cnf
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 12 files

# Generate the client user's certificate request
[root@openvpn-server-main 3]# ./easyrsa gen-req bruce nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
...............+++++
.+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-1338.u4LE79/tmp.Tyx63D'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [bruce]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/bruce.req      # certificate request file
key: /etc/openvpn/easy-rsa-client/3/pki/private/bruce.key   # private key file

[root@openvpn-server-main 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   └── bruce.key     # private key file
│   ├── reqs
│   │   └── bruce.req     # certificate request file
│   └── safessl-easyrsa.cnf
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 14 files
[root@openvpn-server-main 3]# pwd
/etc/openvpn/easy-rsa-client/3

# Back to the server (CA) side
[root@openvpn-server-main 3]# cd /etc/openvpn/easy-rsa-server/3
[root@openvpn-server-main 3]# pwd
/etc/openvpn/easy-rsa-server/3
# Copy the client certificate request into the CA's working directory (cp into the corresponding directory also works)
[root@openvpn-server-main 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/bruce.req bruce

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

The request has been successfully imported with a short name of: bruce
You may now use this name to perform signing operations on this request.

[root@openvpn-server-main 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── ACC5AB97F9C4E738AD99B57FF352BF91.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── bruce.req   # imported request file
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 16 files

# Change the validity period of certificates issued to clients
[root@centos8 3]#vim vars
# It is recommended to shorten the validity of client certificates, for example to 90 days
#set_var EASYRSA_CERT_EXPIRE 825
# Change the line above to the one below
set_var EASYRSA_CERT_EXPIRE 90

# Sign the client certificate
[root@openvpn-server-main 3]# ./easyrsa sign client bruce

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = bruce

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1432.B5ZAzK/tmp.cDgOFn
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'bruce'
Certificate is to be certified until Nov  7 01:45:02 2022 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/bruce.crt    # client certificate generated

[root@openvpn-server-main 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── ca.crt
│   ├── certs_by_serial
│   │   ├── ACC5AB97F9C4E738AD99B57FF352BF91.pem
│   │   └── F953A07AB54009224A331A4A56488058.pem
│   ├── dh.pem
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── issued
│   │   ├── bruce.crt
│   │   └── server.crt
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   ├── ca.key
│   │   └── server.key
│   ├── renewed
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── reqs
│   │   ├── bruce.req
│   │   └── server.req
│   ├── revoked
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── safessl-easyrsa.cnf
│   ├── serial
│   └── serial.old
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

14 directories, 29 files

7.2 Script to issue client certificates automatically

(The script copied out of the PDF loses its formatting.)

Open it in vim and enter :set paste before pasting.

[root@openvpn-server-main ~]# vim openvpn-user-crt.sh

#!/bin/bash
# Issue an OpenVPN client certificate for one user: generate the request in
# the client PKI, import it into the CA (server) PKI, and sign it as a client.
read -p "Enter the user's name in pinyin (e.g. wangxiaochun): " NAME
[ -n "${NAME}" ] || { echo "no name given" >&2; exit 1; }

cd /etc/openvpn/easy-rsa-client/3 || exit 1
# The empty line answers the Common Name prompt with its default (the name)
./easyrsa gen-req "${NAME}" nopass <<EOF

EOF

cd /etc/openvpn/easy-rsa-server/3 || exit 1
./easyrsa import-req "/etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req" "${NAME}"

# "yes" confirms the request details that easyrsa prints
./easyrsa sign client "${NAME}" <<EOF
yes
EOF

8. Copy the CA and server certificate files to the server's corresponding directory

[root@openvpn-server-main ~]# mkdir /etc/openvpn/certs
[root@openvpn-server-main ~]# cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[root@openvpn-server-main ~]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@openvpn-server-main ~]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[root@openvpn-server-main ~]# cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
[root@openvpn-server-main ~]# ll /etc/openvpn/certs/
total 20
-rw------- 1 root root 1204 Aug  9 11:20 ca.crt
-rw------- 1 root root  424 Aug  9 11:22 dh.pem
-rw------- 1 root root 4608 Aug  9 11:20 server.crt
-rw------- 1 root root 1704 Aug  9 11:21 server.key

Copy the client private key and certificate files to the corresponding directory on the server

[root@openvpn-server-main client]# mkdir /etc/openvpn/client/bruce/
[root@openvpn-server-main ~]#find /etc/openvpn/ -name "bruce.key" -o -name "bruce.crt" -o -name ca.crt

[root@openvpn-server-main client]# find /etc/openvpn/ \( -name "bruce.key" -o -name "bruce.crt" -o -name ca.crt \)  -exec cp {} /etc/openvpn/client/bruce \;
[root@openvpn-server-main client]# tree /etc/openvpn/client/bruce
/etc/openvpn/client/bruce
├── bruce.crt
├── bruce.key
└── ca.crt

0 directories, 3 files
[root@openvpn-server-main client]# 

9. Prepare the OpenVPN server configuration file

9.1 Server configuration file explained

[root@openvpn-server-main ~]# vim /etc/openvpn/server.conf
# First clear the original contents (in vim, enter :%d), then write the following
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

# Prepare the log directory
[root@openvpn-server-main ]# getent passwd openvpn
openvpn:x:989:985:OpenVPN:/etc/openvpn:/sbin/nologin
[root@openvpn-server-main ]# mkdir /var/log/openvpn
[root@openvpn-server-main ]# chown openvpn.openvpn /var/log/openvpn
[root@openvpn-server-main ]# ll -d /var/log/openvpn
drwxr-xr-x 2 openvpn openvpn 6 Aug  9 16:53 /var/log/openvpn

9.2 Prepare the iptables rule and kernel parameters

# Enable ip_forward on the server
[root@openvpn-server-main ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@openvpn-server-main ~]# sysctl -p
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_forward = 1

# Add the SNAT rule
[root@openvpn-server-main ~]# echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@openvpn-server-main ~]# chmod +x /etc/rc.d/rc.local
[root@openvpn-server-main ~]# /etc/rc.d/rc.local
[root@openvpn-server-main ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.8.0.0/24          0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   

10. Start the OpenVPN service

[root@centos7 ~]#rpm -ql openvpn|grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service    # this unit file is missing on CentOS 8
/usr/share/doc/openvpn-2.4.9/README.systemd

# CentOS 8 lacks this unit file; copy it from CentOS 7 or create one yourself
[root@openvpn-server-main ~]# rpm -ql openvpn|grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd

[root@centos7 ~]#cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target

# Create the unit file
[root@openvpn-server-main ~]# vim /usr/lib/systemd/system/openvpn@.service

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target

# Start the OpenVPN service; note that the service name and the unit file name differ
[root@openvpn-server-main ~]# systemctl daemon-reload
[root@openvpn-server-main ~]# systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.

# Check the service status
[root@openvpn-server-main ~]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-08-09 17:30:17 CST; 24s ago
 Main PID: 1384 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 22988)
   Memory: 2.5M
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─1384 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Aug 09 17:30:17 openvpn-server-main systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Aug 09 17:30:17 openvpn-server-main systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

[root@openvpn-server-main ~]# ss -ntulp
Netid        State         Recv-Q         Send-Q                 Local Address:Port                 Peer Address:Port
udp          UNCONN        0              0                          127.0.0.1:323                       0.0.0.0:*            users:(("chronyd",pid=728,fd=6))
udp          UNCONN        0              0                              [::1]:323                          [::]:*            users:(("chronyd",pid=728,fd=7))
tcp          LISTEN        0              32                           0.0.0.0:1194                      0.0.0.0:*            users:(("openvpn",pid=1384,fd=8))
tcp          LISTEN        0              128                          0.0.0.0:22                        0.0.0.0:*            users:(("sshd",pid=1027,fd=5))
[root@openvpn-server-main ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:04:8c:93 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.1/24 brd 172.30.0.255 scope global dynamic noprefixroute eth0
       valid_lft 315356714sec preferred_lft 315356714sec
    inet6 fe80::216:3eff:fe04:8c93/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1e70:f96d:5b21:6a0/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

10.1 Generate the client user's configuration file

Edit the configuration file; its content is as follows:

[root@centos8 ~]#cat /etc/openvpn/client/wangxiaochun/client.ovpn
client
dev tun
proto tcp
remote 10.0.0.8 1194 # in production this is the OpenVPN server's public IP
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert wangxiaochun.crt
key wangxiaochun.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3 # this value must not be set arbitrarily, otherwise communication fails
compress lz4-v2 # used with OpenVPN 2.4.x and must match the server side; if omitted, comp-lzo compression is used by default

# Create your own client.ovpn
[root@openvpn-server-main ~]# vim /etc/openvpn/client/bruce/client.ovpn

client
dev tun
proto tcp
remote 47.92.87.184 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert bruce.crt
key bruce.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2

11 Install the OpenVPN client on Windows

Official client download address:

https://openvpn.net/community-downloads/

Windows client configuration preparation

Save the certificates into the OpenVPN client installation directory: C:\Program Files\OpenVPN\config

# Package the certificates on the server, then download them and send them to the Windows client

[root@openvpn-server-main ~]# cd /etc/openvpn/client/bruce/
[root@openvpn-server-main bruce]# tar cf bruce.tar ./
tar: ./bruce.tar: file is the archive; not dumped
[root@openvpn-server-main bruce]# ll
total 40
-rw------- 1 root root  4491 Aug  9 11:39 bruce.crt
-rw------- 1 root root  1704 Aug  9 11:39 bruce.key
-rw-r--r-- 1 root root 20480 Aug  9 21:06 bruce.tar
-rw------- 1 root root  1204 Aug  9 11:39 ca.crt
-rw-r--r-- 1 root root   230 Aug  9 18:06 client.ovpn
[root@openvpn-server-main bruce]# tar tf bruce.tar
./
./bruce.crt
./ca.crt
./bruce.key
./client.ovpn

12 Account certificate management

This is mainly certificate creation and revocation, which correspond to employees joining and leaving the company.

12.1 Automatic certificate expiry

Expiry is judged by the server's clock; once a certificate has expired, a new one must be issued.

[root@openvpn-server-main ~]# grep EASYRSA_CERT_EXPIRE /etc/openvpn/easy-rsa-server/3/vars
set_var EASYRSA_CERT_EXPIRE    90

If a certificate has expired, the following log entries appear on the server side.

# Move the server clock 2 years into the future
[root@centos8 ~]#date -s '2 year'
Thu Aug 4 17:41:04 CST 2022

# The server log shows that the user's certificate has expired
[root@centos8 ~]#tail -n0 /var/log/openvpn/openvpn.log -f
Thu Aug 4 17:42:22 2022 TCP connection established with [AF_INET]10.0.0.1:11324
Thu Aug 4 17:42:23 2022 10.0.0.1:11324 TLS: Initial packet from [AF_INET]10.0.0.1:11324, sid=a2957674 874cf1f7
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 VERIFY ERROR: depth=0, error=certificate has expired: CN=magedu
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 TLS_ERROR: BIO read tls_read_plaintext error
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 TLS Error: TLS object -> incoming plaintext read error
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 TLS Error: TLS handshake failed
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 Fatal TLS error (check_tls_errors_co), restarting
Thu Aug 4 17:42:24 2022 10.0.0.1:11324 SIGUSR1[soft,tls-error] received, client-instance restarting

12.2 Manual certificate revocation

Check the current state of each certificate: V means valid, R means revoked (no longer valid).

[root@openvpn-server-main ~]# cat /etc/openvpn/easy-rsa-server/3/pki/index.txt
V    241110145540Z       ACC5AB97F9C4E738AD99B57FF352BF91    unknown /CN=server
V    221107014502Z       F953A07AB54009224A331A4A56488058    unknown /CN=bruce
V    221107022916Z       3645DBC6FED12AC04ABD4A568B3A0768    unknown /CN=magee
V    221107124656Z       B17B331DC38C53B9ED7C21F301691FB2    unknown /CN=li

Revoke the specified user's certificate

[root@openvpn-server-main 3]#./easyrsa revoke

Check the certificate states again: V means valid, R means revoked (no longer valid).

[root@openvpn-server-main 3]# cat /etc/openvpn/easy-rsa-server/3/pki/index.txt
V    241110145540Z       ACC5AB97F9C4E738AD99B57FF352BF91    unknown /CN=server
R    221107014502Z   220809131517Z   F953A07AB54009224A331A4A56488058    unknown /CN=bruce
V    221107022916Z       3645DBC6FED12AC04ABD4A568B3A0768    unknown /CN=magee
V    221107124656Z       B17B331DC38C53B9ED7C21F301691FB2    unknown /CN=li
# If the client is disconnected at this point, the magedu user can still connect successfully
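The index.txt shown above is the only record Easy-RSA keeps of which certificates are valid, expired or revoked, so it is the file to check when auditing who can still reach the VPN (sections 12.1 and 12.2). The following script is an added example written for this write-up, not part of Easy-RSA or OpenVPN; it parses that format, classifies each entry against a reference time and reports the days left until expiry. The sample index lines are constructed from the ones shown above (same serials and CNs), and the reference times are constructed as well.

```python
"""Report the state of every certificate in an Easy-RSA pki/index.txt.

Added example for this write-up; it is not part of Easy-RSA or OpenVPN.
The index lines below are constructed from the ones shown in the post
(same serials and CNs); the reference times used are constructed too.
"""
from datetime import datetime, timezone

# Constructed sample: index.txt as shown after "bruce" was revoked.
# The real file is tab-separated; the third field is the revocation time
# and is empty for entries that are still valid.
SAMPLE_INDEX = (
    "V\t241110145540Z\t\tACC5AB97F9C4E738AD99B57FF352BF91\tunknown\t/CN=server\n"
    "R\t221107014502Z\t220809131517Z\tF953A07AB54009224A331A4A56488058\tunknown\t/CN=bruce\n"
    "V\t221107022916Z\t\t3645DBC6FED12AC04ABD4A568B3A0768\tunknown\t/CN=magee\n"
    "V\t221107124656Z\t\tB17B331DC38C53B9ED7C21F301691FB2\tunknown\t/CN=li\n"
)


def parse_timestamp(ts):
    """Convert an OpenSSL index time (YYMMDDHHMMSSZ, UTC) into an aware datetime."""
    return datetime.strptime(ts, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per entry: status letter, expiry, revocation time, serial, CN."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            # Fallback for pasted copies where tabs collapsed into spaces: a
            # revoked (R) line carries one more field than a valid (V) line.
            if line.startswith("R"):
                fields = line.split(None, 5)
            else:
                p = line.split(None, 4)
                fields = [p[0], p[1], "", p[2], p[3], p[4]]
        status, expiry, revoked, serial, _filename, subject = fields
        cn = subject.split("/CN=", 1)[1] if "/CN=" in subject else subject
        entries.append({
            "status": status,
            "expires": parse_timestamp(expiry),
            "revoked": parse_timestamp(revoked) if revoked else None,
            "serial": serial,
            "cn": cn,
        })
    return entries


def cert_state(entry, now):
    """Classify an entry at time `now`: revoked beats expired beats valid."""
    if entry["status"] == "R" or entry["revoked"] is not None:
        return "revoked"
    if entry["expires"] <= now:
        return "expired"
    return "valid"


def report(text, now_iso):
    """Map each CN to (state, days until expiry) at the ISO-8601 UTC time given."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        e["cn"]: (cert_state(e, now), (e["expires"] - now).days)
        for e in parse_index(text)
    }


if __name__ == "__main__":
    # Constructed reference time: the evening the revocation above took place.
    for cn, (state, days) in report(SAMPLE_INDEX, "2022-08-09T21:00:00Z").items():
        print(f"{cn:8} {state:8} {days:5d} days to expiry")
```

Two points the output makes visible: with EASYRSA_CERT_EXPIRE set to 90 days, the three client certificates issued in August already sit within three months of expiry, so the report doubles as a renewal reminder; and an R in the index does not by itself block the client, exactly as the comment above notes, because the server only consults the CRL. The revoked state becomes effective once the CRL is regenerated (in Easy-RSA 3 that is `./easyrsa gen-crl`) and the server is restarted with `crl-verify` pointing at it.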

Generate the certificate revocation list

After every revocation, the CRL file must be regenerated and the OpenVPN service restarted.

Copy the file to Windows and change its extension to .crl; double-clicking it then opens it and shows the revocation information.

Publish the revocation list file

# On the first revocation, the configuration file must be edited to reference the CRL file; later revocations do not need this step

[root@openvpn-server-main 3]# vim /etc/openvpn/server.conf

crl-verify /etc/openvpn/easy-rsa-server/3/pki/crl.pem          # add at the end

[root@openvpn-server-main 3]# systemctl restart openvpn@server.service

The client can no longer connect: the revocation worked.

13 Release the server

Binary installation of MySQL 5.7

Tsinghua mirror address: https://mirrors.tuna.tsinghua.edu.cn/mysql/

The site has three main categories, introduced below:

![](https://img2022.cnblogs.com/blog/2703403/202208/2703403-20220814152742013-1894679305.png)

Because we need to install the binary package, we choose "downloads".

Download the precompiled binary package

1. First check whether your system is 32-bit or 64-bit

[root@node3 ~]# uname -i
x86_64

2. Download the matching 64-bit precompiled binary package

[root@node3 ~]# yum install -y wget
[root@node3 ~]# wget https://mirrors.tuna.tsinghua.edu.cn/mysql/downloads/MySQL-5.7/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz --no-check-certificate               # some systems do not need "--no-check-certificate"; it skips certificate verification of the mirror

Initialization

Basic operations

[root@centos7 ~]#tar -xzvf mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz
[root@centos7 ~]#mv mysql-5.7.35-linux-glibc2.12-x86_64 /usr/local/mysql
[root@centos7 ~]#useradd -s /sbin/nologin mysql      # create the mysql user; the service is started as this user
[root@centos7 ~]#mkdir -p /data/mysql                # create the datadir; the database files live here
[root@centos7 ~]#chown -R mysql:mysql /data/mysql/     # change ownership; the mysql user must own this directory or operations will fail
[root@centos7 ~]#vim /etc/my.cnf
[mysqld]
datadir=/data/mysql           # directory holding the database files
socket=/tmp/mysql.sock      # path of the MySQL socket file, used for local communication between the MySQL server and clients
innodb_buffer_pool_size=128M  # buffer pool size
port=3306                     # MySQL port; defaults to 3306 if omitted
basedir=/usr/local/mysql/     # directory where the MySQL program is installed
pid_file = /data/mysql/mysql.pid

# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

2. Create the pid and log files and set their ownership

The following operations correspond to the [mysqld_safe] section of /etc/my.cnf

[root@centos7 ~]#mkdir /var/log/mariadb/
[root@centos7 ~]#touch /var/log/mariadb/mariadb.log
[root@centos7 ~]#mkdir /var/run/mariadb/
[root@centos7 ~]#touch /var/run/mariadb/mariadb.pid
[root@centos7 ~]#chown -R mysql:mysql /var/log/mariadb/
[root@centos7 ~]#chown -R mysql:mysql /var/run/mariadb/

3. Initialize MySQL

[root@centos7 ~]#yum install -y libaio          # install the package that MySQL initialization depends on

[root@centos7 ~]#/usr/local/mysql/bin/mysqld --initialize --user=mysql --basedir=/usr/local/mysql --datadir=/data/mysql
# Initialize MySQL; on success a large number of directories and files are generated under /data/mysql, and the command prints a temporary password used to log in to MySQL
2022-08-14T05:24:06.349511Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2022-08-14T05:24:06.568705Z 0 [Warning] InnoDB: New log files created, LSN=45790
2022-08-14T05:24:06.602675Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2022-08-14T05:24:06.669161Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 514ef9bb-1b91-11ed-b444-000c292ae00e.
2022-08-14T05:24:06.669799Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2022-08-14T05:24:08.191170Z 0 [Warning] A deprecated TLS version TLSv1 is enabled. Please use TLSv1.2 or higher.
2022-08-14T05:24:08.191191Z 0 [Warning] A deprecated TLS version TLSv1.1 is enabled. Please use TLSv1.2 or higher.
2022-08-14T05:24:08.191795Z 0 [Warning] CA certificate ca.pem is self signed.
2022-08-14T05:24:08.285714Z 1 [Note] A temporary password is generated for root@localhost: ZSb6#qWi*s/(
# A temporary password is generated for root@localhost: ZSb6#qWi*s/(    ZSb6#qWi*s/( is the temporary password

Note: what if the initialization was done wrong? Simply delete the database data and initialize again

rm -rf /data/mysql/*

4. Start the MySQL service

vim .bash_profile
PATH=$PATH:$HOME/bin:/usr/local/mysql/bin       # append /usr/local/mysql/bin
# reload the variables
source .bash_profile
# copy the init script
cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
# register the service
chkconfig --add mysqld
# start the MySQL service
systemctl restart mysqld
# if you see: See "systemctl status mysqld.service" and "journalctl -xe" for details, check the content of my.cnf
# check port 3306
[root@node3 ~]# ss -ntpul
...
tcp   LISTEN     0      80                                                 [::]:3306                                                           [::]:*                   users:(("mysqld",pid=1173,fd=28))
...


[root@centos7 ~]#systemctl status mysqld
● mysqld.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysqld; bad; vendor preset: disabled)
   Active: active (running) since Sun 2022-08-14 13:53:35 CST; 2h 5min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 835 ExecStart=/etc/rc.d/init.d/mysqld start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/mysqld.service
           ├─ 865 /bin/sh /usr/local/mysql//bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/centos7.magedu.org.pid
           └─1173 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql/ --datadir=/data/mysql --plugin-dir=/usr/local/mysql//lib/plugin --user=mysql --log-error=/...

5. Set a new password and log in to MySQL

[root@centos7 ~]#mysqladmin -uroot -p'ZSb6#qWi*s/(' password '123456'    # quote the temporary password because of its special characters
[root@node3 ~]# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>         # login succeeded
mysql> create database test;        # create a database
Query OK, 1 row affected (0.00 sec)



# Install the required dependency packages
[root@centos17 ~]#yum -y install gcc gcc-c++ cmake bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel  ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel perl-Data-Dumper ncurses-static ncurses-term 

# Prepare the user and data directory
[root@centos17 ~]#useradd -r -s /sbin/nologin -d /data/mysql mysql

# Prepare the database directory
[root@centos17 ~]#mkdir /data/mysql
[root@centos17 ~]#chown mysql.mysql /data/mysql

# Download and extract the source package; the version bundled with boost is required
[root@centos17 ~]#wget https://cdn.mysql.com/archives/mysql-5.7/mysql-boost-5.7.36.tar.gz
[root@centos17 ~]#tar xf mysql-boost-5.7.36.tar.gz -C /usr/local/src/

# Compile and install MySQL from source; the -DWITH_BOOST option must be added, which is a difference from MySQL 5.6
[root@centos27 ~]#cd /usr/local/src/mysql-5.7.36/
[root@centos27 ~]#cmake . \
-DCMAKE_INSTALL_PREFIX=/apps/mysql \
-DMYSQL_DATADIR=/data/mysql/ \
-DSYSCONFDIR=/etc/ \
-DMYSQL_USER=mysql \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITHOUT_MROONGA_STORAGE_ENGINE=1 \
-DWITH_DEBUG=0 \
-DWITH_READLINE=1 \
-DWITH_SSL=system \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DWITH_BOOST=./boost/boost_1_59_0

Tip: if an error occurs, run rm -f CMakeCache.txt and run cmake again

# Compilation takes a long time; 4G or more of memory is needed, and the more CPU cores the better
[root@centos17 mysql-5.7.36]#make && make install

# Set up the environment variable
[root@centos17 ~]#echo 'PATH=/apps/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos17 ~]#. /etc/profile.d/mysql.sh 

# Generate the database files
[root@centos17 ~]#cd /apps/mysql/bin/

[root@centos17 bin]#./mysqld --initialize-insecure --user=mysql --datadir=/data/mysql

# Prepare the configuration file
[root@centos17 ~]#cat > /etc/my.cnf <<EOF
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
skip-grant-tables        # this line is extra compared with 5.6
EOF

# Prepare the startup script and start the service
[root@centos17 ~]#cp -b /apps/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos17 ~]#chkconfig --add mysqld
[root@centos17 ~]#service mysqld start

# Secure initialization
[root@centos17 ~]#mysql_secure_installation

# Log in
[root@centos27 bin]#mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 Source distribution

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Binary installation of MariaDB 10.4

# Install the related packages
[root@centos8 ~]#yum install libaio numactl-libs ncurses-compat-libs ncurses-c++-libs -y

# User and group
[root@centos8 ~]#groupadd mysql
[root@centos8 ~]#useradd -r -g mysql -s /bin/false mysql

# Prepare the database directory
[root@centos8 ~]#mkdir /data/mysql
[root@centos8 ~]#chown mysql.mysql /data/mysql

# Download MariaDB, extract it and change ownership
[root@centos8 ~]#wget https://mirrors.aliyun.com/mariadb/mariadb-10.9.2/bintar-linux-systemd-x86_64/mariadb-10.9.2-linux-systemd-x86_64.tar.gz
[root@centos8 ~]#tar xf mariadb-10.9.2-linux-systemd-x86_64.tar.gz -C /usr/local/
[root@centos8 ~]#cd /usr/local
[root@centos8 local]#ln -s mariadb-10.9.2-linux-systemd-x86_64/ mysql
[root@centos8 local]#chown -R root.root /usr/local/mysql/

# Set up the environment variable
[root@centos8 local]#echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos8 local]#. /etc/profile.d/mysql.sh 

# Prepare the configuration file
[root@centos8 local]#cat > /etc/my.cnf <<EOF
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
EOF
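The three my.cnf files written in this post (the binary-install file with symbolic-links=0, the source-build file that carries skip-grant-tables, and the MariaDB file just above) differ in exactly the settings that decide who can connect and whether anything is logged. The script below is an added example written for this write-up, not MySQL's, MariaDB's or the post's own code: a small option-file parser plus an audit that flags skip-grant-tables, a missing symbolic-links=0, a missing bind-address, an enabled local-infile and a missing error log. The option files in it are constructed copies of two of the fragments above, plus a constructed hardened variant for comparison.

```python
"""Audit a MySQL/MariaDB option file for the weak settings discussed above.

Added example for this write-up; not part of MySQL, MariaDB or any tool the
post uses. The option files below are constructed copies of the my.cnf
fragments shown in the post, plus a hardened variant for comparison.
"""

# Constructed: the /etc/my.cnf written for the MySQL 5.7 binary install.
CONFIG_BINARY = """
[mysqld]
datadir=/data/mysql           # directory holding the database files
socket=/tmp/mysql.sock
innodb_buffer_pool_size=128M
port=3306
basedir=/usr/local/mysql/
pid_file = /data/mysql/mysql.pid
symbolic-links=0

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

!includedir /etc/my.cnf.d
"""

# Constructed: the my.cnf written after compiling 5.7 from source.
CONFIG_SOURCE = """
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
skip-grant-tables        # extra line compared with 5.6
"""

# Constructed: a hardened variant of the same file.
CONFIG_HARDENED = """
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
symbolic-links=0
bind-address=127.0.0.1
local-infile=0
"""


def _norm(key):
    """MySQL treats '-' and '_' in option names as equivalent; fold them together."""
    return key.strip().lower().replace("-", "_")


def parse_my_cnf(text):
    """Return {section: {option: value}}; bare options (no '=') get the value None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments, including inline ones
        if not line or line.startswith("!"):   # skip blanks and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        sections[current][_norm(key)] = value.strip() if sep else None
    return sections


def audit(text):
    """Return (severity, option, advice) tuples for the weak settings found."""
    cfg = parse_my_cnf(text)
    mysqld = cfg.get("mysqld", {})
    mysqld_safe = cfg.get("mysqld_safe", {})
    findings = []
    if "skip_grant_tables" in mysqld:
        findings.append(("HIGH", "skip_grant_tables",
                         "every client connects without authentication; remove it and set a root password"))
    if mysqld.get("symbolic_links") != "0":
        findings.append(("MEDIUM", "symbolic_links",
                         "set symbolic-links=0 so table files cannot be redirected outside datadir"))
    if "bind_address" not in mysqld:
        findings.append(("MEDIUM", "bind_address",
                         "no bind-address: the server listens on all interfaces, as [::]:3306 in the ss output shows"))
    if str(mysqld.get("local_infile", "")).lower() in ("1", "on", "true"):
        findings.append(("MEDIUM", "local_infile",
                         "LOAD DATA LOCAL lets the server request files from clients; set local-infile=0 unless required"))
    if "log_error" not in mysqld and "log_error" not in mysqld_safe:
        findings.append(("LOW", "log_error",
                         "no error log configured; startup failures and crashes leave no record"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("binary", CONFIG_BINARY), ("source", CONFIG_SOURCE), ("hardened", CONFIG_HARDENED)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for severity, option, advice in audit(cfg):
            print(f"  [{severity}] {option}: {advice}")
```

The HIGH finding is the one to act on before the server is reachable from anywhere: skip-grant-tables is meant for a one-off password reset with the server bound to localhost, and leaving it in /etc/my.cnf means every connection to port 3306 is accepted as any user with no password at all. Remove the line and restart once the root password has been set with mysql_secure_installation, then re-run the audit.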

[root@centos8 local]#cd mysql
[root@centos8 mysql]#pwd
/usr/local/mysql
# Initialize the system tables with an empty root password
[root@centos8 mysql]#scripts/mariadb-install-db --datadir=/data/mysql --user=mysql
Installing MariaDB/MySQL system tables in '/data/mysql' ...
OK

# Prepare the service script and start the service
[root@centos8 mysql]#cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos8 mysql]#chkconfig --add mysql
error reading information on service mysql: No such file or directory
[root@centos8 mysql]#chkconfig --add mysqld
[root@centos8 mysql]#service mysqld start
Starting mysqld (via systemctl):                           [  OK  ]

# Change the empty password generated above to the specified password
[root@centos8 mysql]#mysqladmin -uroot password magedu

# Log in again
[root@centos8 mysql]#mysql -u root -pmagedu
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.9.2-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> Ctrl-C -- exit!
