1.在阿里云服务器搭建 OpenVPN(有条件的同学再做),本次使用的是 VMware Workstation 搭建的环境

环境拓扑图


安装相关软件包

安装openvpn 和证书管理包easy-rsa   (需要提前配置epel-release 源)

[root@centos84 ~]# yum list openvpn
Last metadata expiration check: 0:06:54 ago on Sat 19 Feb 2022 10:24:31 PM CST.
Installed Packages
openvpn.x86_64 2.4.11-1.el8 @epel
[root@centos84 ~]# yum list easy-rsa
Last metadata expiration check: 0:07:09 ago on Sat 19 Feb 2022 10:24:31 PM CST.
Installed Packages
easy-rsa.noarch 3.0.8-1.el8
[root@centos84 ~]# yum install openvpn easy-rsa -y
##查看安装的相关包的文件信息
[root@centos84 ~]# rpm -qi openvpn easy-rsa
[root@centos84 ~]# rpm -ql openvpn
[root@centos84 ~]# rpm -ql easy-rsa

准备相关文件

##生成服务器配置文件
[root@centos84 ~]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
##准备证书签发相关文件
[root@centos84 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
##准备签发证书相关变量的配置文件
[root@centos84 ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
#建议修改给CA和OpenVPN服务器颁发的证书的有效期,可适当加长
#CA的证书有效期默认为10年,可以适当延长,比如:36500天
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 36500

#服务器证书默认为825天,可适当加长,比如:3650天
#set_var EASYRSA_CERT_EXPIRE 825
#将上面行修改为下面
set_var EASYRSA_CERT_EXPIRE 3650


准备证书及相关文件

初始化PKI和CA证书签发环境
##  脚本easyrsa帮助用法
[root@centos84 ~]# cd /etc/openvpn/easy-rsa-server/3/
[root@centos84 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
[root@centos84 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@centos84 3]# ./easyrsa

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base> [cmd-opts]
renew <filename_base> [cmd-opts]
build-serverClient-full <filename_base> [ cmd-opts ]
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
show-ca [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p8 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /etc/openvpn/easy-rsa-server/3.0.8
PKI: /etc/openvpn/easy-rsa-server/3/pki
##初始化数据,在当前目录下生成pki目录及相关文件
[root@centos84 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki


[root@centos84 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient

4 directories, 13 files
创建CA机构(下面使用 nopass 生成不带口令的 CA 私钥,便于实验;生产环境建议不加 nopass,为 ca.key 设置口令并离线保管,因为拿到 ca.key 就能签发任意可被服务端信任的客户端证书)
[root@centos84 3]# tree pki/
pki/
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf

2 directories, 2 files
[root@centos84 3]# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
.....+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: ##直接回车

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt
[root@centos84 3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
##生成CA相关的文件
[root@centos84 3]# cat pki/serial
01
[root@centos84 3]# ll pki/index.txt
-rw-------. 1 root root 0 Feb 19 22:51 pki/index.txt
[root@centos84 3]# ll pki/ca.crt pki/private/ca.key
-rw-------. 1 root root 1204 Feb 19 22:51 pki/ca.crt
-rw-------. 1 root root 1675 Feb 19 22:51 pki/private/ca.key
[root@centos84 3]#
#查看生成的自签名证书
[root@centos84 3]# cat pki/ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@centos84 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6a:2d:d5:e7:a7:37:6e:06:86:90:00:09:98:76:2d:04:8d:9e:89:06
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Easy-RSA CA
Validity
Not Before: Feb 19 14:51:54 2022 GMT
Not After : Jan 26 14:51:54 2122 GMT
Subject: CN = Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b3:6b:31:e0:8f:20:f1:cc:65:be:35:96:c1:ef:
0d:b8:12:d6:39:27:14:e4:ff:b0:71:96:9f:45:e0:
35:59:4a:f1:e7:d2:02:4e:34:71:f1:4f:04:38:c9:
d4:ff:cf:c4:6f:40:e9:8c:ff:ec:62:6c:51:e4:44:
72:e2:38:aa:72:03:ed:36:d7:8f:dc:ef:93:e7:09:
3a:52:fd:da:c4:f1:09:c4:f4:dc:4a:11:d7:05:ea:
f8:36:d1:91:d9:57:4e:ad:f3:37:cb:f9:6e:f1:b4:
d5:8b:dc:4b:6a:91:7f:d8:ea:8d:29:ab:2b:d9:ac:
4c:5a:ce:dc:9b:84:0b:35:9a:e4:fa:fc:04:0d:88:
24:75:fa:29:06:81:a0:17:98:0b:1d:09:7a:ca:dd:
d6:9a:76:82:78:87:23:15:8d:fc:2d:d5:c6:04:ad:
2b:17:c3:39:c6:ea:40:f8:57:a1:b3:0d:dd:70:82:
7f:82:7a:6c:04:2e:a3:7d:71:0f:c3:d8:2f:63:b9:
6e:9b:28:51:24:fc:99:fc:c4:22:f7:78:e3:59:2c:
08:b4:53:15:ef:ea:8e:95:61:5f:8e:26:5b:c5:bb:
32:5a:be:20:ec:67:86:47:87:cf:6b:17:1e:d6:f9:
c9:16:d9:f8:f2:dd:57:b1:a4:c0:d5:ea:96:59:e1:
42:01
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
9C:F8:75:45:BC:43:0B:44:C4:F1:C4:43:66:74:6D:6D:C6:0D:9A:63
X509v3 Authority Key Identifier:
keyid:9C:F8:75:45:BC:43:0B:44:C4:F1:C4:43:66:74:6D:6D:C6:0D:9A:63
DirName:/CN=Easy-RSA CA
serial:6A:2D:D5:E7:A7:37:6E:06:86:90:00:09:98:76:2D:04:8D:9E:89:06

X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
a2:d2:d4:c4:89:d3:ad:b8:bb:ee:dc:8a:ab:71:c9:05:da:3b:
de:44:52:bb:23:c8:b7:8b:c1:ee:0b:53:7a:ca:a9:b5:7b:15:
d2:5d:57:75:ea:43:58:1e:90:dd:b0:99:52:3d:86:02:00:e7:
70:eb:95:89:49:67:c7:0b:1e:1a:3a:02:88:40:b2:e3:01:c9:
37:a0:da:17:74:e7:d7:90:db:e8:5b:07:79:aa:82:c7:86:96:
44:80:fd:0a:99:1b:d0:42:8d:61:ca:62:fc:4c:6f:8a:0b:c8:
7e:56:ed:9d:8c:cc:59:f3:f2:ed:28:19:8c:00:b1:af:a2:2d:
a1:24:da:9b:b3:e7:cc:30:ab:de:20:41:5d:bf:ba:4b:87:78:
8f:de:aa:98:6a:27:5c:ac:d9:9d:44:5b:76:12:81:53:e6:82:
72:7d:07:8c:1d:1c:eb:fe:c6:7f:12:70:76:45:12:07:09:db:
25:47:90:b5:56:84:c4:94:4a:8b:0f:47:ea:c9:25:03:b5:b2:
b9:f1:2b:00:09:0a:a9:dd:b4:c1:1d:e0:50:46:cf:23:ed:79:
6e:81:13:51:7b:99:36:6e:2e:e6:f0:a9:3b:25:91:f6:d7:5f:
c9:57:eb:92:3e:e8:d2:ea:3d:7f:3b:df:b9:d7:68:36:2a:26:
d8:c1:5a:fe
创建服务端证书申请
#创建服务器证书申请文件,其中server是文件前缀
[root@centos84 3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
....................................................+++++
...................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-33171.wPUECJ/tmp.KarQTX'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: ## 直接回车

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key
[root@centos84 3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 9 files
签发服务端证书
##  查看颁发证书命令用法
[root@centos84 3]# ./easyrsa help sign

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

sign-req <type> <filename_base>
Sign a certificate request of the defined type. <type> must be a known
type such as 'client', 'server', 'serverClient', or 'ca' (or a user-added type.)

This request file must exist in the reqs/ dir and have a .req file
extension. See import-req below for importing reqs from other sources.
## 颁发服务端证书
[root@centos84 3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
commonName = server


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes ##输入yes,回车
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-33250.Gqf7zl/tmp.UuLuJe
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 17 15:02:04 2032 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt

## 验证结果
[root@centos84 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── E78ED7E8D03CAEE125630247106A2594.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 14 files
[root@centos84 3]# diff pki/certs_by_serial/E78ED7E8D03CAEE125630247106A2594.pem pki/issued/server.crt
[root@centos84 3]# ll !*
ll pki/certs_by_serial/E78ED7E8D03CAEE125630247106A2594.pem pki/issued/server.crt
-rw-------. 1 root root 4608 Feb 19 23:02 pki/certs_by_serial/E78ED7E8D03CAEE125630247106A2594.pem
-rw-------. 1 root root 4608 Feb 19 23:02 pki/issued/server.crt
## 证书相关文件
[root@centos84 3]# cat pki/serial
E78ED7E8D03CAEE125630247106A2595
[root@centos84 3]# cat pki/index.txt
V 320217150204Z E78ED7E8D03CAEE125630247106A2594 unknown /CN=server
## 生成 Diffie-Hellman 参数文件(gen-dh 生成的是 pki/dh.pem,属于公开参数,不是私钥)
[root@centos84 3]# ./easyrsa gen-dh
## 或
[root@centos84 3]# openssl dhparam -out /etc/openvpn/dh2048.pem 2048
准备客户端证书环境
##  配置客户端证书
[root@centos84 3]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
[root@centos84 3]#
[root@centos84 3]# cp /usr/share/doc/easy-rsa/
ChangeLog COPYING.md README.md README.quickstart.md vars.example
[root@centos84 3]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-client/3/vars
[root@centos84 3]#
[root@centos84 3]# cd /etc/openvpn/easy-rsa-client/3/
[root@centos84 3]# pwd
/etc/openvpn/easy-rsa-client/3
[root@centos84 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient

1 directory, 11 files
## 生成证书申请所需目录pki和文件
[root@centos84 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki


[root@centos84 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient

4 directories, 13 files
创建客户端证书申请
[root@centos84 3]# ./easyrsa gen-req win10 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
...+++++
........................................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-33706.57CwPu/tmp.NJfQde'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [win10]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/win10.req
key: /etc/openvpn/easy-rsa-client/3/pki/private/win10.key
[root@centos84 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ └── win10.key
│ ├── reqs
│ │ └── win10.req
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient

4 directories, 15 files
签发客户端证书
[root@centos84 3]# cd /etc/openvpn/easy-rsa-server/3/
[root@centos84 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@centos84 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/win10.req win10

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021

The request has been successfully imported with a short name of: win10
You may now use this name to perform signing operations on this request.
[root@centos84 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── E78ED7E8D03CAEE125630247106A2594.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── server.req
│ └── win10.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 16 files
[root@centos84 3]# ll pki/reqs/win10.req /etc/openvpn/easy-rsa-client/3/pki/reqs/win10.req
-rw-------. 1 root root 887 Feb 19 23:29 /etc/openvpn/easy-rsa-client/3/pki/reqs/win10.req
-rw-------. 1 root root 887 Feb 19 23:32 pki/reqs/win10.req

#修改给客户端颁发的证书的有效期
[root@centos84 3]#vim vars
#建议修改给客户端颁发证书的有效期,可适当减少,比如:90天
#set_var EASYRSA_CERT_EXPIRE 825
#将上面行修改为下面
set_var EASYRSA_CERT_EXPIRE 90
#签发客户端证书
[root@centos84 3]# ./easyrsa sign client win10

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
commonName = win10


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-33907.8qvJnH/tmp.QpSKXb
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'win10'
Certificate is to be certified until May 20 15:38:04 2022 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/win10.crt

[root@centos84 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ ├── 4EF860F51DE341ED2ACB80CFF459AEEC.pem
│ └── E78ED7E8D03CAEE125630247106A2594.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ ├── server.crt
│ └── win10.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── server.req
│ └── win10.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 18 files
[root@centos84 3]# cat pki/index.txt
V 320217150204Z E78ED7E8D03CAEE125630247106A2594 unknown /CN=server
V 220520153804Z 4EF860F51DE341ED2ACB80CFF459AEEC unknown /CN=win10
[root@centos84 3]# cat pki/issued/
cat: pki/issued/: Is a directory
[root@centos84 3]# ll pki/issued/
total 16
-rw-------. 1 root root 4608 Feb 19 23:02 server.crt
-rw-------. 1 root root 4487 Feb 19 23:38 win10.crt
[root@centos84 3]# ll pki/certs_by_serial/
total 16
-rw-------. 1 root root 4487 Feb 19 23:38 4EF860F51DE341ED2ACB80CFF459AEEC.pem
-rw-------. 1 root root 4608 Feb 19 23:02 E78ED7E8D03CAEE125630247106A2594.pem
[root@centos84 3]# cat pki/issued/win10.crt
将CA和服务器证书相关文件复制到服务器相应的目录
[root@centos84 3]# mkdir /etc/openvpn/certs
[root@centos84 3]# cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs
[root@centos84 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs
[root@centos84 3]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs
[root@centos84 3]# cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs 或 [root@centos84 3]# cp /etc/openvpn/dh2048.pem /etc/openvpn/certs
[root@centos84 3]# ll /etc/openvpn/certs
total 24
-rw-------. 1 root root 1204 Feb 19 23:41 ca.crt
-rw-r--r--. 1 root root 424 Feb 19 23:43 dh2048.pem
-rw-------. 1 root root 424 Feb 19 23:42 dh.pem
-rw-------. 1 root root 4608 Feb 19 23:41 server.crt
-rw-------. 1 root root 1704 Feb 19 23:42 server.key

#生成ta.key 可选操作,生成的ta.key主要用于防御DoS、UDP淹没等恶意行为
[root@centos84 certs]# openvpn --genkey --secret ta.key
[root@centos84 certs]# ls -l
total 28
-rw-------. 1 root root 1204 Feb 19 23:41 ca.crt
-rw-r--r--. 1 root root 424 Feb 19 23:43 dh2048.pem
-rw-------. 1 root root 424 Feb 19 23:42 dh.pem
-rw-------. 1 root root 4608 Feb 19 23:41 server.crt
-rw-------. 1 root root 1704 Feb 19 23:42 server.key
-rw-------. 1 root root 636 Feb 19 23:57 ta.key
将客户端私钥与证书相关文件复制到服务器相关的目录
[root@centos84 3]# mkdir /etc/openvpn/client/win10/
[root@centos84 3]#
[root@centos84 3]# find /etc/openvpn/ -name "win10.key" -o -name "win10.crt" -o -name "ca.crt"
/etc/openvpn/easy-rsa-server/3.0.8/pki/issued/win10.crt
/etc/openvpn/easy-rsa-server/3.0.8/pki/ca.crt
/etc/openvpn/easy-rsa-client/3.0.8/pki/private/win10.key
/etc/openvpn/certs/ca.crt
[root@centos84 3]#
[root@centos84 3]#
[root@centos84 3]# find /etc/openvpn/ \( -name "win10.key" -o -name "win10.crt" -o -name "ca.crt" \) -exec cp {} /etc/openvpn/client/win10 \;
[root@centos84 3]# ls -l /etc/openvpn/client/win10/
total 16
-rw-------. 1 root root 1204 Feb 19 23:47 ca.crt
-rw-------. 1 root root 4487 Feb 19 23:47 win10.crt
-rw-------. 1 root root 1704 Feb 19 23:47 win10.key
[root@centos84 ~]# cp /etc/openvpn/certs/ta.key /etc/openvpn/client/win10/
[root@centos84 ~]# ls -l /etc/openvpn/client/win10/
total 24
-rw-------. 1 root root 1204 Feb 19 23:47 ca.crt
-rw-r--r--. 1 root root 228 Feb 20 00:28 client.ovpn
-rw-------. 1 root root 636 Feb 20 00:29 ta.key
-rw-------. 1 root root 4487 Feb 19 23:47 win10.crt
-rw-------. 1 root root 1704 Feb 19 23:47 win10.key

准备 OpenVPN 服务器配置文件

#服务器端配置文件说明
#server.conf文件中以#或;开头的行都为注释
[root@centos8 ~]#grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d #本机监听IP,默认为本机所有IP
port 1194 #端口
;proto tcp #协议,生产推荐使用TCP
proto udp #默认协议
;dev tap #创建一个以太网隧道,以太网使用tap,一个tap设备允许完整的以太网帧通过Openvpn隧道,
可提供非ip协议的支持,比如IPX协议和AppleTalk协议,tap等同于一个以太网设备,它操作第二层数据包
如以太网数据帧。
dev tun #创建一个路由IP隧道,生产推荐使用tun.互联网使用tun,一个tun设备大多时候,被用于基于IP协议的通讯。tun模拟了网络层设备,操作第三层数据包比如IP数据封包。
;dev-node MyTap #TAP-Win32适配器。非windows不需要配置
ca ca.crt #ca证书文件
cert server.crt #服务器证书文件
key server.key #服务器私钥文件
dh dh2048.pem #dh参数文件
;topology subnet
server 10.8.0.0 255.255.255.0 #客户端连接后分配IP的地址池,服务器默认会占用第一个IP
10.8.0.1将做为客户端的网关
ifconfig-pool-persist ipp.txt #为客户端分配固定IP,不需要配置,建议注释
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 #配置网桥模式,不需要配置,建议注释
;server-bridge
;push "route 192.168.10.0 255.255.255.0" #给客户端生成的到达服务器后面网段的静态路由,下一跳为openvpn服务器的10.8.0.1
;push "route 192.168.20.0 255.255.255.0" #推送路由信息到客户端,以允许客户端能够连接到服务器背后的其它私有子网
;client-config-dir ccd #为指定的客户端添加路由,此路由通常是客户端后面的内网网段而不是服务端的,也不需要设置
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script #运行外部脚本,创建不同组的iptables规则,无需配置
;push "redirect-gateway def1 bypass-dhcp" #启用后,客户端所有流量都将通过VPN服务器,因此生产一般无需配置此项
;push "dhcp-option DNS 208.67.222.222" #推送DNS服务器,不需要配置
;push "dhcp-option DNS 208.67.220.220"
;client-to-client #允许不同的client直接通信,不安全,生产环境一般无需要配置
;duplicate-cn #多个用户共用一个证书,一般用于测试环境,生产环境都是一个用户一个证书,无需开启
keepalive 10 120 #设置服务端检测的间隔和超时时间,默认为每10秒ping一次,如果 120 秒没有回应则认为对方已经down
tls-auth ta.key 0 #防止DoS等行为的安全增强配置,可以使用以下命令来生成:openvpn --genkey --secret ta.key #服务器和每个客户端都需要拥有该密钥的一个拷贝。第二个参数在服务器端应该为'0',在客户端应该为'1'
cipher AES-256-CBC #加密算法
;compress lz4-v2 #启用Openvpn2.4.X新版压缩算法
;push "compress lz4-v2" #推送客户端使用新版压缩算法,和下面的comp-lzo不要同时使用
;comp-lzo #旧客户端兼容的压缩配置,需要客户端配置开启压缩,openvpn2.4.X等新版可以不用开启
;max-clients 100 #最大客户端数
;user nobody #运行openvpn服务的用户和组
;group nobody
persist-key #重启VPN服务时默认会重新读取key文件,开启此配置后保留使用第一次的key文件,生产环境无需开启(但若同时配置了 user/group 降权运行,则需要开启:降权后的进程在 SIGUSR1 重启时无权重新读取私钥文件)
persist-tun #启用此配置后,当重启vpn服务时,一直保持tun或者tap设备是up的,否则会先down然后再up,生产环境无需开启
status openvpn-status.log #openVPN状态记录文件,每分钟会记录一次
;log openvpn.log #第一种日志记录方式,并指定日志路径,log会在openvpn启动的时候清空日志文件,不建议使用
;log-append openvpn.log #第二种日志记录方式,并指定日志路径,重启openvpn后在之前的日志后面追加新的日志,生产环境建议使用
verb 3 #设置日志级别,0-9,级别越高记录的内容越详细,0 表示静默运行,只记录致命错误,4 表示合理的常规用法,5 和 6 可以帮助调试连接错误。9 表示极度冗余,输出非常详细的日志信息
;mute 20 #相同类别的信息只有前20条会输出到日志文件中
explicit-exit-notify 1 #通知客户端,在服务端重启后自动重新连接,仅能用于udp模式,tcp模式不需要配置即可实现断开重新连接,且开启此项后tcp配置后将导致openvpn服务无法启动,所以tcp时必须不能开启此项
配置文件修改如下:
[root@centos84 openvpn]# vim server.conf
[root@centos84 openvpn]# grep '^[a-Z].*' server.conf
[root@centos84 ~]# grep '^[a-Z].*' /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh2048.pem
server 172.16.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.0.0"
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/certs/ta.key 0 # This file is secret
cipher AES-256-GCM
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
## 准备日志相关目录(注意:上面的 server.conf 同时写了 log 和 log-append,二者只需保留一个,按前面的说明生产环境建议只保留 log-append)
[root@centos84 openvpn]# getent passwd openvpn
openvpn:x:975:974:OpenVPN:/etc/openvpn:/sbin/nologin
[root@centos84 openvpn]# mkdir /var/lo
local/ lock/ log/
[root@centos84 openvpn]# mkdir /var/log/openvpn
[root@centos84 openvpn]# chown openvpn.openvpn /var/log/openvpn
[root@centos84 openvpn]# ll -d /var/log/openvpn
drwxr-xr-x. 2 openvpn openvpn 6 Feb 20 00:12 /var/log/openvpn
## 准备 iptables 规则和内核参数
## 在服务器开启ip_forward转发功能
[root@centos84 openvpn]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@centos84 openvpn]# sysctl -p
net.ipv4.ip_forward = 1
[root@centos84 ~]# echo 'iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@centos84 ~]# chmod +x /etc/rc.d/rc.local
[root@centos84 ~]#/etc/rc.d/rc.local
[root@centos84 ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 76 packets, 5295 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 58 packets, 3867 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 72 packets, 5314 bytes)
pkts bytes target prot opt in out source destination
1 60 MASQUERADE all -- * * 172.16.10.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 72 packets, 5314 bytes)
pkts bytes target prot opt in out source destination

启动 OpenVPN 服务

准备服务启动文件
##准备服务启动文件(自行编写的 unit 文件建议放在 /etc/systemd/system/ 下,放在 /usr/lib/systemd/system/ 下的文件可能在软件包升级时被覆盖)
[root@centos84 openvpn]# vim /usr/lib/systemd/system/openvpn@.service
[root@centos84 openvpn]# cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target

[root@centos84 openvpn]# systemctl daemon-reload
##启动服务
[root@centos84 openvpn]# systemctl start openvpn@server
[root@centos84 openvpn]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2022-02-20 00:19:34 CST; 59s ago
Main PID: 34872 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 4639)
Memory: 2.0M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─34872 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Feb 20 00:19:34 centos84 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Feb 20 00:19:34 centos84 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@centos84 ~]# ss -ntlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 32 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=3369,fd=9))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=871,fd=4),("systemd",pid=1,fd=29))
LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=1582,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1023,fd=5))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=1018,fd=10))
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=3014,fd=15))
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=3106,fd=15))
LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=871,fd=6),("systemd",pid=1,fd=31))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1023,fd=7))
LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=1018,fd=9))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=3014,fd=14))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=3106,fd=14))
[root@centos84 openvpn]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.16.10.1 netmask 255.255.255.255 destination 172.16.10.2
inet6 fe80::6f87:e0bf:add3:999f prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 336 (336.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Kernel IP routing table
[root@centos84 openvpn]# route -n
[root@centos84 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.0 0.0.0.0 255.255.0.0 U 104 0 0 ens160
172.16.10.0 172.16.10.2 255.255.255.0 UG 0 0 0 tun0
172.16.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.10.0 0.0.0.0 255.255.255.0 U 105 0 0 ens224
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
准备客户端配置文件
[root@centos84 ~]# grep '^[a-Z].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
##生成客户端用户的配置文件(注意两点:1. 下面 client.ovpn 中的 cert/key 指向 client.crt/client.key,而打包目录中的文件名是 win10.crt/win10.key,需改成一致或重命名文件,否则客户端无法加载证书;2. 客户端 cipher 写的是 AES-256-CBC,服务端是 AES-256-GCM,2.4 及以上版本双方会通过 NCP 协商为 AES-256-GCM,旧版客户端则需要手动改为一致)
[root@centos84 ~]# grep '^[a-Z].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf > /etc/openvpn/client/win10/client.ovpn
[root@centos84 ~]# vim /etc/openvpn/client/win10/client.ovpn
[root@centos84 ~]# cat /etc/openvpn/client/win10/client.ovpn
client
dev tun
proto tcp
remote 172.16.0.10 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
## 从服务器上把client证书文件及配置文件进行打包拷贝到win10 client 配置目录下(压缩包内含客户端私钥 win10.key 和 ta.key,需通过安全渠道传输,发放后建议删除服务器上的副本)
[root@centos84 ~]# zip -r win10.zip /etc/openvpn/client/win10/*

安装配置客户端




2、通过编译、二进制安装MySQL5.7

二进制安装

创建用户(登录 shell 建议使用 /sbin/nologin,CentOS 上通常不存在 /bin/nologin 这个路径)

[root@centos84 ~]# groupadd mysql
[root@centos84 ~]# useradd -r -g mysql -s /bin/nologin mysql
[root@centos84 ~]# id mysql
uid=975(mysql) gid=1001(mysql) groups=1001(mysql)

准备程序文件(下面通过 http 明文从镜像站下载二进制包,解压前应核对官方发布的 MD5/SHA256 校验值或 GPG 签名,避免使用被篡改的安装包)

[root@centos84 ~]# wget http://mirrors.163.com/mysql/Downloads/MySQL-5.7/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz
--2022-02-13 05:47:25-- http://mirrors.163.com/mysql/Downloads/MySQL-5.7/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz
Resolving mirrors.163.com (mirrors.163.com)... 101.71.33.11
Connecting to mirrors.163.com (mirrors.163.com)|101.71.33.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 666328842 (635M) [application/octet-stream]
Saving to: ‘mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz’

mysql-5.7.35-linux-glibc2.12-x86_64.t 100%[=========================================================================>] 635.46M 14.7MB/s in 62s

2022-02-13 05:48:27 (10.3 MB/s) - ‘mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz’ saved [666328842/666328842]

[root@centos84 ~]# tar zxf mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz -C /usr/local/
[root@centos84 ~]# cd /usr/local/
[root@centos84 local]# ln -s mysql-5.7.35-linux-glibc2.12-x86_64 mysql

设置环境变量

[root@centos84 local]# echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos84 local]# source /etc/profile.d/mysql.sh

准备配置文件和数据库目录

[root@centos84 local]# vim /etc/my.cnf
[root@centos84 local]# mkdir -pv /data/mysql
mkdir: created directory '/data'
mkdir: created directory '/data/mysql'
[root@centos84 local]# chown mysql:mysql /data/mysql
[root@centos84 local]# chmod go-rwx /data/mysql
[root@centos84 local]# cat /etc/my.cnf
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
[root@centos84 local]#

初始化数据库和口令

[root@centos84 mysql]# mysqld --initialize --user=mysql --basedir=/usr/local/mysql --datadir=/data/mysql
[root@centos84 mysql]# ll
total 110664
-rw-r-----. 1 mysql mysql 56 Feb 13 06:19 auto.cnf
-rw-------. 1 mysql mysql 1680 Feb 13 06:19 ca-key.pem
-rw-r--r--. 1 mysql mysql 1112 Feb 13 06:19 ca.pem
-rw-r--r--. 1 mysql mysql 1112 Feb 13 06:19 client-cert.pem
-rw-------. 1 mysql mysql 1676 Feb 13 06:19 client-key.pem
-rw-r-----. 1 mysql mysql 436 Feb 13 06:19 ib_buffer_pool
-rw-r-----. 1 mysql mysql 12582912 Feb 13 06:19 ibdata1
-rw-r-----. 1 mysql mysql 50331648 Feb 13 06:19 ib_logfile0
-rw-r-----. 1 mysql mysql 50331648 Feb 13 06:19 ib_logfile1
drwxr-x---. 2 mysql mysql 4096 Feb 13 06:19 mysql
-rw-r-----. 1 mysql mysql 1108 Feb 13 06:19 mysql.log
drwxr-x---. 2 mysql mysql 8192 Feb 13 06:19 performance_schema
-rw-------. 1 mysql mysql 1680 Feb 13 06:19 private_key.pem
-rw-r--r--. 1 mysql mysql 452 Feb 13 06:19 public_key.pem
-rw-r--r--. 1 mysql mysql 1112 Feb 13 06:19 server-cert.pem
-rw-------. 1 mysql mysql 1680 Feb 13 06:19 server-key.pem
drwxr-x---. 2 mysql mysql 8192 Feb 13 06:19 sys
[root@centos84 mysql]# cat mysql.log
2022-02-12T22:19:35.488930Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2022-02-12T22:19:35.679806Z 0 [Warning] InnoDB: New log files created, LSN=45790
2022-02-12T22:19:35.709069Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2022-02-12T22:19:35.774466Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: dc4a6010-8c51-11ec-a563-000c29688702.
2022-02-12T22:19:35.775603Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2022-02-12T22:19:36.631879Z 0 [Warning] A deprecated TLS version TLSv1 is enabled. Please use TLSv1.2 or higher.
2022-02-12T22:19:36.631892Z 0 [Warning] A deprecated TLS version TLSv1.1 is enabled. Please use TLSv1.2 or higher.
2022-02-12T22:19:36.632286Z 0 [Warning] CA certificate ca.pem is self signed.
2022-02-12T22:19:36.775047Z 1 [Note] A temporary password is generated for root@localhost: q)j)AN>,53Np

配置启动脚本

[root@centos84 mysql]# cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos84 mysql]# chkconfig --add mysqld
[root@centos84 mysql]#
[root@centos84 mysql]#
[root@centos84 mysql]# service mysqld stop
Shutting down MySQL.. SUCCESS!
[root@centos84 mysql]# service mysqld start
Starting MySQL. SUCCESS!
[root@centos84 mysql]#

修改口令(下面把口令直接写在命令行参数里,会出现在 ps 输出和 shell 历史中;建议只写 -p 改为交互式输入,并且生产环境不要使用 123456 这类弱口令)

[root@centos84 mysql]# mysqladmin -uroot -p'q)j)AN>,53Np' password mysql123

#或者
[root@centos84 mysql]# mysql -uroot -p'mysql123'
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> alter user 'root'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.01 sec)

mysql> exit
Bye
[root@centos84 mysql]# mysql -uroot -p'123456'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

问题1:启动后第一次登录出现了此错误

[root@centos84 mysql]# mysql -uroot -p
mysql: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
##处理方法:
[root@centos84 yum.repos.d]# yum install libncurses*
Last metadata expiration check: 0:00:29 ago on Sun 13 Feb 2022 06:38:19 AM CST.
Package ncurses-libs-6.1-9.20180224.el8.x86_64 is already installed.
Dependencies resolved.
=========================================================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================================================
Installing:
ncurses-c++-libs x86_64 6.1-9.20180224.el8 base 58 k
ncurses-compat-libs x86_64 6.1-9.20180224.el8 base 328 k

Transaction Summary
=========================================================================================================================================================================
Install 2 Packages

Total download size: 386 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): ncurses-c++-libs-6.1-9.20180224.el8.x86_64.rpm 406 kB/s | 58 kB 00:00
(2/2): ncurses-compat-libs-6.1-9.20180224.el8.x86_64.rpm 62 kB/s | 328 kB 00:05
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 73 kB/s | 386 kB 00:05
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : ncurses-compat-libs-6.1-9.20180224.el8.x86_64 1/2
Installing : ncurses-c++-libs-6.1-9.20180224.el8.x86_64 2/2
Running scriptlet: ncurses-c++-libs-6.1-9.20180224.el8.x86_64 2/2
Verifying : ncurses-c++-libs-6.1-9.20180224.el8.x86_64 1/2
Verifying : ncurses-compat-libs-6.1-9.20180224.el8.x86_64 2/2
Installed products updated.

Installed:
ncurses-c++-libs-6.1-9.20180224.el8.x86_64 ncurses-compat-libs-6.1-9.20180224.el8.x86_64

Complete!

安全初始化:

[root@centos84 bin]# mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No:
Using existing password for root.
Change the password for root ? ((Press y|Y for Yes, any other key for No) :

... skipping.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
- Dropping test database...
Success.

- Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done!
[root@centos84 bin]# mysql -uroot -p'123456'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.01 sec)

mysql>

编译安装

创建账户和数据库目录

[root@centos79 ~]# useradd -r -s /sbin/nologin -d /data/mysql mysql
[root@centos79 ~]# id mysql
uid=998(mysql) gid=996(mysql) groups=996(mysql)
[root@centos79 ~]# mkdir -pv /data/mysql
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/mysql’
[root@centos79 ~]# chown mysql:mysql /data/mysql
[root@centos79 ~]#

准备安装介质,解压源码包到指定的目录

[root@centos79 ~]# ls -l
total 86792
-rw-------. 1 root root 1571 Dec 20 17:54 anaconda-ks.cfg
-rw-r--r--. 1 root root 32411131 Feb 14 23:37 mysql-5.6.51.tar.gz
-r--r--r--. 1 root root 56457489 Dec 20 17:55 tmp
[root@centos79 ~]# tar -zxvf mysql-5.6.51.tar.gz -C /usr/local/src

安装相关依赖包

yum -y install gcc gcc-c++ cmake bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel   ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel perl-Data-Dumper

进入到源码包目录进行编译安装

[root@centos79 ~]# cd /usr/local/src/mysql-5.6.51/
[root@centos79 mysql-5.6.51]# cmake . \
> -DCMAKE_INSTALL_PREFIX=/apps/mysql \
> -DMYSQL_DATADIR=/data/mysql/ \
> -DSYSCONFDIR=/etc/ \
> -DMYSQL_USER=mysql \
> -DWITH_INNOBASE_STORAGE_ENGINE=1 \
> -DWITH_ARCHIVE_STORAGE_ENGINE=1 \
> -DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
> -DWITH_PARTITION_STORAGE_ENGINE=1 \
> -DWITHOUT_MROONGA_STORAGE_ENGINE=1 \
> -DWITH_DEBUG=0 \
> -DWITH_READLINE=1 \
> -DWITH_SSL=system \
> -DWITH_ZLIB=system \
> -DWITH_LIBWRAP=0 \
> -DENABLED_LOCAL_INFILE=1 \
> -DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
> -DDEFAULT_CHARSET=utf8 \
> -DDEFAULT_COLLATION=utf8_general_ci
-- Running cmake version 2.8.12.2
-- Could NOT find Git (missing: GIT_EXECUTABLE)
-- The C compiler identification is GNU 4.8.5
-- The CXX compiler identification is GNU 4.8.5
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
…….
-- Generating done
CMake Warning:
Manually-specified variables were not used by the project:

MYSQL_USER
WITHOUT_MROONGA_STORAGE_ENGINE
WITH_READLINE


-- Build files have been written to: /usr/local/src/mysql-5.6.51

[root@centos79 mysql-5.6.51]# make && make install
Scanning dependencies of target INFO_BIN
[ 0%] Built target INFO_BIN
Scanning dependencies of target INFO_SRC
[ 0%] Built target INFO_SRC
Scanning dependencies of target abi_check
[ 0%] Built target abi_check
[ 0%] Generating common.h
[ 0%] Generating help.c
[ 0%] Generating help.h
[ 0%] Generating vi.h
[ 1%] Generating emacs.h
[ 1%] Generating fcns.c
[ 1%] Generating fcns.h
Scanning dependencies of target edit
……
-- Installing: /apps/mysql/sql-bench/innotest2b
-- Installing: /apps/mysql/sql-bench/run-all-tests
-- Installing: /apps/mysql/sql-bench/server-cfg
-- Installing: /apps/mysql/sql-bench/test-ATIS
-- Installing: /apps/mysql/sql-bench/test-alter-table
-- Installing: /apps/mysql/sql-bench/test-big-tables
-- Installing: /apps/mysql/sql-bench/test-connect
-- Installing: /apps/mysql/sql-bench/test-create
-- Installing: /apps/mysql/sql-bench/test-insert
-- Installing: /apps/mysql/sql-bench/test-select
-- Installing: /apps/mysql/sql-bench/test-transactions
-- Installing: /apps/mysql/sql-bench/test-wisconsin

配置环境变量

[root@centos79 mysql-5.6.51]# echo 'PATH=/apps/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos79 mysql-5.6.51]# source /etc/profile.d/mysql.sh

生成数据文件

[root@centos79 mysql-5.6.51]# cd /apps/mysql/
[root@centos79 mysql]# script
script scriptreplay
[root@centos79 mysql]# scripts/mysql_install_db --datadir=/data/mysql/ --user=mysql
Installing MySQL system tables...2022-02-15 00:14:18 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2022-02-15 00:14:18 0 [Note] Ignoring --secure-file-priv value as server is running with --bootstrap.
2022-02-15 00:14:18 0 [Note] ./bin/mysqld (mysqld 5.6.51) starting as process 18653 ...
2022-02-15 00:14:18 18653 [Note] InnoDB: Using atomics to ref count buffer pool pages
2022-02-15 00:14:18 18653 [Note] InnoDB: The InnoDB memory heap is disabled
2022-02-15 00:14:18 18653 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2022-02-15 00:14:18 18653 [Note] InnoDB: Memory barrier is not used
2022-02-15 00:14:18 18653 [Note] InnoDB: Compressed tables use zlib 1.2.7
…….
New default config file was created as ./my.cnf and
will be used by default by the server when you start it.
You may edit this file to change server settings

WARNING: Default config file /etc/my.cnf exists on the system
This file will be read by default by the MySQL server
If you do not want to use this, either remove it, or use the
--defaults-file argument to mysqld_safe when starting the server

准备配置文件

[root@centos79 mysql]# cp -b /apps/mysql/support-files/my-default.cnf /etc/my.cnf

准备启动脚本和服务

[root@centos79 mysql]# cp /apps/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos79 mysql]# chkconfig --add mysqld
[root@centos79 mysql]# service mysqld start
Starting MySQL.Logging to '/data/mysql/centos79.err'.
SUCCESS!

安全初始化并修改root口令

[root@centos79 mysql]# mysql_secure_installation



NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!


By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!




All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!


Cleaning up...
[root@centos79 mysql]#

登录mysql验证

[root@centos79 mysql]# mysql -uroot -p'123456'
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.6.51 Source distribution

Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> status
--------------
mysql Ver 14.14 Distrib 5.6.51, for Linux (x86_64) using EditLine wrapper

Connection id: 12
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.6.51 Source distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /data/mysql/mysql.sock
Uptime: 2 min 11 sec

Threads: 1 Questions: 40 Slow queries: 0 Opens: 68 Flush tables: 1 Open tables: 61 Queries per second avg: 0.305
--------------

mysql>

3、二进制安装mariadb10.4

下载安装介质并解压到指定的目录

[root@centos84 ~]# wget https://mirrors.aliyun.com/mariadb//mariadb-10.4.24/bintar-linux-systemd-x86_64/mariadb-10.4.24-linux-systemd-x86_64.tar.gz
--2022-02-15 04:19:21-- https://mirrors.aliyun.com/mariadb//mariadb-10.4.24/bintar-linux-systemd-x86_64/mariadb-10.4.24-linux-systemd-x86_64.tar.gz
Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 125.39.216.242, 125.39.216.1, 125.39.216.248, ...
Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|125.39.216.242|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1143754354 (1.1G) [application/octet-stream]
Saving to: ‘mariadb-10.4.24-linux-systemd-x86_64.tar.gz’

mariadb-10.4.24-linux-systemd-x 100%[====================================================>] 1.06G 9.06MB/s in 2m 23s

2022-02-15 04:21:44 (7.61 MB/s) - ‘mariadb-10.4.24-linux-systemd-x86_64.tar.gz’ saved [1143754354/1143754354]
[root@centos84 ~]# tar -zxf mariadb-10.4.24-linux-systemd-x86_64.tar.gz -C /usr/local/
[root@centos84 ~]# cd /usr/local/
[root@centos84 local]# ln -s mariadb-10.4.24-linux-systemd-x86_64 mysql

配置环境变量

[root@centos84 local]# echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos84 local]# source /etc/profile.d/mysql.sh

创建mysql账户和数据库目录

[root@centos84 local]# useradd -r -s /sbin/nologin -d /data/mariadb mysql
[root@centos84 local]# mkdir -pv /data/mariadb
mkdir: created directory '/data'
mkdir: created directory '/data/mariadb'
[root@centos84 local]# chown mysql:mysql /data/mariadb

初始化数据库

[root@centos84 local]# ./mysql/scripts/mysql_install_db --user=mysql --basedir=/usr/local/mysql --datadir=/data/mariadb
Installing MariaDB/MySQL system tables in '/data/mariadb' ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system


Two all-privilege accounts were created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, sudo mysql
The second is mysql@localhost, it has no password either, but
you need to be the system 'mysql' user to connect.
After connecting you can set the password, if you would need to be
able to connect as any of these users with a password and without sudo

See the MariaDB Knowledgebase at http://mariadb.com/kb

You can start the MariaDB daemon with:
cd '/usr/local/mariadb' ; /usr/local/mariadb/bin/mysqld_safe --datadir='/data/mariadb'

You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/local/mariadb/mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.

Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/

工作目录授权

[root@centos84 local]# chown -R mysql:mysql /data/mariadb/ /usr/local/mysql/ /usr/local/mariadb-10.4.24-linux-systemd-x86_64/

准备 my.cnf 配置文件

[root@centos84 local]#cat  > /etc/my.cnf <<EOF
[mysqld]
basedir=/usr/local/mysql
datadir=/data/mariadb
socket=/data/mariadb/mariadb.sock
log-error=/data/mariadb/mariadb.log
pid-file=/data/mariadb/mariadb.pid

[client]
socket=/data/mariadb/mariadb.sock
EOF

配置启动文件,并启动服务,进行登录测试

[root@centos84 local]# cp /usr/local/mysql/support-files/systemd/mariadb.service /usr/lib/systemd/system/
[root@centos84 local]# systemctl daemon-reload
[root@centos84 local]# systemctl start mariadb.service
[root@centos84 mariadb]# systemctl status mariadb.service
● mariadb.service - MariaDB 10.4.24 database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-03-01 02:04:53 CST; 1min 53s ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Process: 3820 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Process: 3760 ExecStartPre=/bin/sh -c [ ! -e /usr/local/mysql/bin/galera_recovery ] && VAR= || VAR=`cd /usr/local/mysql/bin/..; /u>
Process: 3758 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Main PID: 3788 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 31 (limit: 4639)
Memory: 65.8M
CGroup: /system.slice/mariadb.service
└─3788 /usr/local/mysql/bin/mysqld

Mar 01 02:04:52 centos84 systemd[1]: Starting MariaDB 10.4.24 database server...
Mar 01 02:04:52 centos84 mysqld[3788]: 2022-03-01 2:04:52 0 [Note] /usr/local/mysql/bin/mysqld (mysqld 10.4.24-MariaDB-log) starting >
Mar 01 02:04:53 centos84 systemd[1]: Started MariaDB 10.4.24 database server.
lines 1-18/18 (END)

[root@centos84 local]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.4.24-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> exit
Bye

安全初始化

[root@centos84 local]# mysql_secure_installation
print: /usr/local/mariadb/bin/my_print_defaults

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
... skipping.

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@centos84 local]# mysql -uroot -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 19
Server version: 10.4.24-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
3 rows in set (0.005 sec)

问题2:安全初始化错误

[root@centos84 local]# mysql_secure_installation

FATAL ERROR: Could not find /usr/local/mysql/bin/my_print_defaults

If you compiled from source, you need to run 'make install' to
copy the software into the correct location ready for operation.

If you are using a binary release, you must either be at the top
level of the extracted archive, or pass the --basedir option::
pointing to that location.

##处理办法:
[root@centos84 local]# vim /usr/local/mariadb/bin/mysql_secure_installation
24 rootpass=""
25 echo_n=
26 echo_c=
27 basedir=/usr/local/mysql ##补全 basedir 目录路径(脚本默认未设置 basedir,导致找不到 my_print_defaults)
28 defaults_file=
29 defaults_extra_file=
30 no_defaults=

问题3:安全初始化错误

[root@centos84 ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
Enter current password for root (enter for none):
Aborting!
##处理办法:
[root@centos84 local]# vim /usr/local/mariadb/bin/mysql_secure_installation
248 make_config() {
249 echo "# mysql_secure_installation config file" >$config
250 echo "[mysql]" >>$config
251 echo "user=root" >>$config
252 esc_pass=`basic_single_escape "$rootpass"`
253 echo "password='$esc_pass'" >>$config
254 echo "socket=/data/mariadb/mariadb.sock" >>$config ##增加此行,指定 my.cnf 中配置的 socket 路径(脚本默认连接 /tmp/mysql.sock 导致失败)

问题4:安全初始化后,root 的 plugin 虽已显示为 mysql_native_password,但不输入账户和口令仍然可以登录。

[root@centos84 mariadb]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 19
Server version: 10.4.24-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select user,host,password,plugin from mysql.user;
+-------------+-----------+-------------------------------------------+-----------------------+
| User | Host | Password | plugin |
+-------------+-----------+-------------------------------------------+-----------------------+
| mariadb.sys | localhost | | mysql_native_password |
| root | localhost | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | mysql_native_password |
| mysql | localhost | invalid | mysql_native_password |
+-------------+-----------+-------------------------------------------+-----------------------+
3 rows in set (0.004 sec)

##官方的kb解释 https://mariadb.com/kb/en/authentication-plugin-unix-socket/

##原因:初始化时 root@localhost 仍可以系统 root 身份(unix_socket)免密登录(见前面 mysql_install_db 的提示),需再执行一次 ALTER USER 修改口令,使其只接受口令认证后才生效
MariaDB [(none)]> alter user 'root'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye
[root@centos84 mariadb]# mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
[root@centos84 mariadb]# mysql -uroot -p'123456'
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.4.24-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>