
Migrating Apache from 2.2 to 2.4 and writing up the procedure.

It can also serve as an example of SSL/TLS security settings (as of 2015).

Table of contents
Introduction
Environment
Preliminary preparation
Package Upgrade
Apache2.4 setting
Tomcat8 setting
Starting the Server
Confirmation
Summary
Related article
Introduction

In May the Logjam attack was disclosed. DH parameters of 2048 bits or more are recommended as a countermeasure, but Apache 2.2 has the problem that its DH parameters are fixed at 1024 bits.
I had intended to move to 2.4 but had no time, so the server was left as it was; now that I finally have time, I have migrated to 2.4.
The procedure is written up below.
Since Tomcat and Java were upgraded along with Apache, those steps are described as well.
Environment

The environment is as follows.
Both before and after the migration everything is installed with yum; nothing is built from source (that only increases the management cost).
OS    Amazon Linux (64bit)
Before migration
Apache    2.2.29-1.5.amzn1
Tomcat    7.0.62-1.10.amzn1
Java    1.7.0.85-2.6.1.3.61.amzn1
After migration
Apache    2.4.12-1.60.amzn1
Tomcat    8.0.23-1.54.amzn1
Java    1.8.0.51-1.b16.6.amzn1
Preliminary preparation

Backup

Back up the server and any necessary data by whatever means is appropriate.
In our case the migration target runs on AWS EC2, so we created an AMI from the pre-migration server (a copy) and launched an instance from that image.
The work below is carried out on this copied instance.
Service outage

Stop Apache and Tomcat.
$ sudo /etc/rc.d/init.d/httpd stop
$ sudo /etc/rc.d/init.d/tomcat7 stop
Copy the application and configuration files (backup)

Copy the current application and configuration files to a suitable directory.
Apache-related
Configuration files under /etc/httpd/conf
Configuration files under /etc/httpd/conf.d
Tomcat-related
Web applications under /usr/share/tomcat7/webapps
Configuration files under /usr/share/tomcat7/conf
Package Upgrade

Java upgrade

Installing Java 1.8
Removing Java 1.7 first can cause dependency problems, so install 1.8 before removing it.
$ sudo yum install java-1.8.0-openjdk
Uninstalling Java 1.7
Remove the old Java (if required).
$ sudo yum erase java-1.7.0-openjdk
Tomcat upgrade

Installing Tomcat 8
Install Tomcat 8.
$ sudo yum install tomcat8
The following related packages are installed with it.
tomcat8-lib
tomcat8-servlet-3.1-api
tomcat8-jsp-2.3-api
tomcat8-el-3.0-api
Uninstalling Tomcat 7
Uninstall the following packages (with yum erase or similar).
tomcat7
tomcat7-lib
tomcat7-servlet-3.0-api
tomcat7-jsp-2.2-api
tomcat7-el-2.2-api
Apache upgrade

Uninstalling Apache 2.2
Installing 2.4 while 2.2 is still installed fails because of a package conflict, so uninstall 2.2 first.
Uninstall the following packages. Uninstall the module packages as well.
httpd
httpd-tools
Installing Apache 2.4
Install the following package (httpd24-tools is installed along with it).
httpd24
Installing Apache 2.4 modules
Install the following packages (mod_ssl and mod_security).
Note: these are the ones used in our company. Adjust them to suit your environment.
For mod_security, see "Protecting a Web site from vulnerabilities with a WAF (Web Application Firewall)".
mod24_ssl
mod24_security
mod_security_crs
mod_security_crs-extras
Apache2.4 setting

Configure Apache 2.4.
The changes to the configuration files that I noticed while migrating to 2.4 are as follows.
LoadModule directives moved to conf.modules.d/*.conf
They are no longer set in httpd.conf.
mod_autoindex directives such as AddIconByType and AddIcon moved to conf.d/autoindex.conf
When the directory index function is not used these settings are usually commented out. In the 2.2 era that meant commenting them out one by one; in 2.4 it is enough to delete or rename autoindex.conf.
conf.d/userdir.conf added
userdir.conf has been added under the conf.d directory. mod_userdir is something you will usually want to disable; in that case delete or rename the file, just like autoindex.conf.
Configure the settings with these changes in mind.
httpd.conf configuration of

Edit httpd.conf (/etc/httpd/conf/httpd.conf).
The items set are as follows (excerpt).
ServerTokens Prod                    # same as for 2.2
ServerAdmin aaaa@agilegroup.co.jp    # <= set the administrator e-mail address
ServerName www.agilegroup.co.jp:80   # server name
<Directory "/var/www/html">
#Options Indexes FollowSymLinks
Options FollowSymLinks     # <= Indexes removed, so directory listing is disabled

</Directory>
Note: ServerSignature is off by default in 2.4.
DoS attack (slowloris) countermeasure
reqtimeout_module was added in Apache 2.2.15; with it you can take measures against slowloris-type DoS attacks.
Set it as needed.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
The above is the default value:
it is an error if the header/body has not finished arriving within 20 seconds;
while data keeps arriving at 500 bytes/sec or more, the timeout is extended up to the maximum value.
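As an added example (not from the original article), a small Python model of the header-phase timeout described above. The semantics it encodes (20 s initial deadline, 1 s of extension per 500 bytes received, 40 s cap) follow the mod_reqtimeout documentation and are stated as an assumption in the code; the body phase is not modelled and the client inputs are constructed.

```python
"""Model of how RequestReadTimeout header=20-40,MinRate=500 treats clients.

Assumed semantics (taken from the mod_reqtimeout documentation, not measured
against a live server): the header phase starts with a 20 s deadline; every
byte received pushes the deadline back by 1/500 s, so a client sending 500 B/s
keeps pace with the clock; the deadline never exceeds 40 s after the
connection was accepted.  Times are seconds since the connection was accepted."""

INITIAL_TIMEOUT = 20.0   # header=20-...
MAX_TIMEOUT = 40.0       # header=...-40
MIN_RATE = 500           # MinRate=500 bytes per second


def header_phase(chunks, header_len,
                 initial=INITIAL_TIMEOUT, maximum=MAX_TIMEOUT, min_rate=MIN_RATE):
    """Replay header bytes arriving as (time, nbytes) chunks in time order.

    Returns ("complete", t) once header_len bytes have arrived before the
    deadline, or ("timeout", deadline) when the deadline passes first."""
    deadline = initial
    received = 0
    for t, nbytes in chunks:
        if t > deadline:
            # mod_reqtimeout would already have closed the connection
            return ("timeout", deadline)
        received += nbytes
        # each byte earns 1/min_rate seconds more, capped at the maximum
        deadline = min(maximum, deadline + nbytes / min_rate)
        if received >= header_len:
            return ("complete", t)
    # client went quiet without finishing the request header
    return ("timeout", deadline)


def slowloris_client(total_seconds, interval, header_len=4000):
    """Constructed input: one header byte every `interval` seconds and never
    the blank line that ends the header, keeping the request open."""
    chunks = [(t, 1) for t in range(interval, total_seconds + 1, interval)]
    return header_phase(chunks, header_len)


def steady_client(rate, header_len):
    """Constructed input: header_len bytes sent in one-second chunks at `rate` B/s."""
    chunks = []
    sent = 0
    t = 0
    while sent < header_len:
        t += 1
        n = min(rate, header_len - sent)
        chunks.append((t, n))
        sent += n
    return header_phase(chunks, header_len)


if __name__ == "__main__":
    print("slowloris, 1 byte every 5 s:", slowloris_client(120, 5))
    print("fast client, 800 bytes at 1 s:", header_phase([(1, 800)], 800))
    print("500 B/s for 30 s (kept alive by MinRate):", steady_client(500, 15000))
    print("500 B/s for 50 s (hits the 40 s cap):", steady_client(500, 25000))
    print("200 B/s for 10 s (inside the initial 20 s):", steady_client(200, 2000))
```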
Module settings

LoadModule settings are now placed in the /etc/httpd/conf.modules.d/ directory,
split across the following configuration files.
Note: 00-ssl.conf and 10-mod_security.conf are installed with mod_ssl and mod_security respectively.
File name    Overview
00-base.conf    Basic modules
00-dav.conf    WebDAV-related modules
00-lua.conf    mod_lua
00-mpm.conf    MPM-related; prefork, worker and event can be selected.
00-optional.conf    Modules that are generally unlikely to be used
00-proxy.conf    Proxy-related modules
01-cgi.conf    CGI-related modules
00-ssl.conf    mod_ssl related
10-mod_security.conf    mod_security related
For modules that are not needed, comment out the corresponding LoadModule line.
00-base.conf
Edit 00-base.conf.
Note: the following is an example reduced to close to the minimum set of modules. Change it as appropriate for your environment.
LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule data_module modules/mod_data.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
#LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
#LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule suexec_module modules/mod_suexec.so
# This module will cause Apache to fail to load if there is no DNS
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
00-dav.conf
Comment everything out if you do not use WebDAV.
00-lua.conf
Comment it out if you do not use mod_lua.
Note: mod_lua hooks into Apache starting with 2.4.1 (the end of mod_rewrite?).
00-mpm.conf
Enable the MPM you want to use.
Note: the default was prefork.
00-optional.conf
Everything is commented out by default. Enable anything you want to use.
00-proxy.conf
Comment everything out if you do not use a proxy.
In our environment Apache works together with Tomcat, so the following are enabled:
mod_proxy
mod_proxy_ajp
00-ssl.conf
Enable it if you use SSL/TLS.
01-cgi.conf
Comment everything out if you do not use CGI.
10-mod_security.conf
Enable it if you use mod_security.
Settings under conf.d

The following files are installed under conf.d.
Note: mod_security.conf and ssl.conf are installed with mod_security and mod_ssl respectively.
File name    Overview
autoindex.conf    mod_autoindex settings. To disable directory listing, as written above, rename the file so that it is no longer Included, or delete it.
notrace.conf    Contains the TraceEnable off setting.
Leave this in place as a countermeasure against cross-site tracing.
userdir.conf    mod_userdir settings. If you do not use it, delete or rename it as with autoindex.conf.
welcome.conf    Displays Apache's default top page.
Disable this one too by deleting or renaming it.
mod_security.conf    mod_security-related settings
ssl.conf    SSL/TLS-related settings
mod_security.conf
For mod_security, the Apache 2.2 settings can be used unchanged.
Restoring the backed-up configuration file is enough.
If it contains a LoadModule line, comment it out (it is set in conf.modules.d/10-mod_security.conf).
Reference: Protecting a Web site from vulnerabilities with a WAF (Web Application Firewall)
ssl.conf
I think the following settings are appropriate (excerpt).
Basic
SSLProtocol all -SSLv2 -SSLv3    # SSLv2 and SSLv3 prohibited (-SSLv3 added later)
# SSLCipherSuite example (IPA's "security recommended" type), adjusted on the basis of the pre-migration configuration
SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:AES256-SHA
SSLHonorCipherOrder on    # use the server's cipher suite priority

# Certificate-related file settings: copied from the pre-migration configuration
SSLCertificateFile …
SSLCertificateKeyFile …
SSLCACertificateFile …

# HTTP Strict Transport Security (HSTS) setting, if required
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
For the actual SSLCipherSuite, see also "SSL/TLS settings for a Web server (2015/5)".

OCSP Stapling
OCSP Stapling can be configured from Apache 2.3.3 onward, so enable it as well.
Reference: Apache - Enable OCSP Stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Whether OCSP Stapling is enabled can be checked with the following command (change the host name as appropriate).
$ openssl s_client -connect localhost:443 -tls1 -status | head

OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)

If OCSP Stapling is not enabled, the output is as follows.
OCSP response: no response sent

DH Parameters
With Apache 2.4.8 or later, one of the Logjam countermeasures is to configure the DH parameters explicitly with
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
but this setting requires OpenSSL 1.0.2 or later, so it could not be used here.
Note: at the time of writing, the openssl package on Amazon Linux is 1.0.1k-10.87.

Public Key Pinning
I also wanted to try Public Key Pinning, but a second (backup) pin is mandatory, and since the procedures and systems for operating it were not yet in place there was a real risk of getting stuck in operation, so it was dropped from the configuration this time.
Reference: Public Key Pinning

Other Settings
Restore the Web application settings and anything else not covered above from the backup.
Check the settings

After finishing the edits, make sure there are no problems.
$ sudo httpd -t
Syntax OK
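httpd -t only checks syntax. As an added example (not from the original article), a Python check that applies this article's hardening points (ServerTokens Prod, no Indexes, TraceEnable off, SSLv2/SSLv3 disabled, SSLHonorCipherOrder, OCSP stapling, HSTS) to a configuration text; the two sample configurations are constructed, and directives split across Include files or line continuations are not handled.

```python
"""Check an httpd/ssl configuration for the hardening points made in this
article: ServerTokens Prod, ServerSignature off, no Indexes, TraceEnable off,
SSLv2/SSLv3 disabled, SSLHonorCipherOrder on, OCSP stapling on, HSTS header."""

# Constructed sample: a 2.2-era configuration that still carries the settings
# the article removes or turns off.
WEAK_CONF = """
ServerTokens OS
ServerSignature On
TraceEnable on
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all -SSLv2
SSLCipherSuite DHE-RSA-AES128-SHA:AES128-SHA
"""

# Constructed sample assembled from the hardened excerpts in this article.
HARDENED_CONF = """
ServerTokens Prod
TraceEnable off
<Directory "/var/www/html">
    Options FollowSymLinks
</Directory>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
"""


def directives(conf):
    """Yield (name, arguments) for each directive line, skipping comments and
    <Section> tags.  Include files and line continuations are not followed."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        yield name, args.strip()


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
        tokens = [t.lower() for t in args.split()]
        if name == "ServerTokens" and tokens != ["prod"]:
            findings.append("ServerTokens %s: use ServerTokens Prod" % args)
        elif name == "ServerSignature" and tokens != ["off"]:
            findings.append("ServerSignature %s: set it off (the 2.4 default)" % args)
        elif name == "TraceEnable" and tokens != ["off"]:
            findings.append("TraceEnable %s: keep notrace.conf's TraceEnable off" % args)
        elif name == "Options" and ("indexes" in tokens or "+indexes" in tokens):
            findings.append("Options enables Indexes: remove it to disable directory listing")
        elif name == "SSLProtocol":
            for proto in ("SSLv2", "SSLv3"):
                p = proto.lower()
                # enabled when named explicitly, or covered by 'all' and not subtracted
                if p in tokens or "+" + p in tokens or ("all" in tokens and "-" + p not in tokens):
                    findings.append("SSLProtocol leaves %s enabled: add -%s" % (proto, proto))
        elif name == "SSLHonorCipherOrder" and tokens != ["on"]:
            findings.append("SSLHonorCipherOrder %s: set it on" % args)
        elif name == "SSLUseStapling" and tokens != ["on"]:
            findings.append("SSLUseStapling %s: set it on" % args)

    # Checks for directives that are dangerous by their absence
    if "TraceEnable" not in seen:
        findings.append("TraceEnable not set: it defaults to on, keep notrace.conf")
    if "SSLProtocol" in seen or "SSLCipherSuite" in seen:
        if "SSLHonorCipherOrder" not in seen:
            findings.append("SSLHonorCipherOrder on missing: server cipher preference not enforced")
        if "SSLUseStapling" not in seen:
            findings.append("SSLUseStapling on missing: OCSP stapling disabled")
        if not any("Strict-Transport-Security" in h for h in seen.get("Header", [])):
            findings.append("No Strict-Transport-Security header: add HSTS if the site is HTTPS-only")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print("%s: %d finding(s)" % (label, len(result)))
        for finding in result:
            print("  -", finding)
```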
Tomcat8 setting

Edit the configuration files

Edit them as needed.
tomcat8.conf
Edit /usr/share/tomcat8/conf/tomcat8.conf (excerpt).
Note: JAVA_OPTS is tuned for Magnolia CMS.
JAVA_OPTS="-server -Dfile.encoding=UTF-8 -Xmx512m -Xminf0.1 -Xmaxf0.3 -Djava.library.path=/usr/lib"
LANG="ja_JP.UTF-8"

Note: the MaxPermSize option was removed from the options because it is no longer supported in Java 8.
logging.properties

Edit /usr/share/tomcat8/conf/logging.properties (excerpt).
The console handler is unnecessary outside a development environment, so remove it.
# .handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.AsyncFileHandler
The other configuration files should also be set according to the application's requirements.
Deploying the application

Deploy the backed-up application.
Copy the backed-up application to a directory under /usr/share/tomcat8/webapps.
After copying, change the ownership to tomcat:tomcat.
(The following is for the webapps/ROOT application.)
$ sudo chown -R tomcat:tomcat /usr/share/tomcat8/webapps/ROOT
Starting the Server

When the settings are finished, start the servers.
Also configure automatic startup as needed.
Tomcat8

$ Sudo /etc/rc.d/init.d/tomcat8 start
Apache2.4

$ Sudo /etc/rc.d/init.d/httpd start
Confirmation

Once the servers are up, check that everything works.
Check the operation of the application

First, check that the Web site and the Web application run correctly.
SSL/TLS setting confirmation

Check that the SSL/TLS settings have been applied correctly.
The server's SSL/TLS settings can be checked at the following site.
SSL Server Test - QUALYS SSL LABS
That site also confirmed that OCSP stapling is enabled.
Also rerun the check made for the Logjam attack countermeasures.
It can be checked at the following site.
Guide to Deploying Diffie-Hellman for TLS
Before the migration, DHE produced the "Common 1024-bit Prime" warning; after the migration it is 2048 bits and the warning is gone.
Summary

Our company was able to upgrade successfully with the above procedure.
After verifying operation, reassign the Elastic IP and the server migration is complete.
Migrating from 2.2.x to 2.4.x removes the 1024-bit limit on the DH parameters and makes OCSP Stapling configurable, so I think the configuration has become somewhat less problematic in terms of security.
It is also worth considering the migration with the aim of improving security.

Full Backup using MySQL Enterprise Backup

As you might know, I am primarily an Oracle guy. This means that for all my backup needs, I am using Oracle Recovery Manager (RMAN). I recently had the task to implement MySQL Enterprise Backup for a MySQL database (mysql-advanced-5.6.15-linux-glibc2.5-x86_64). My most important resource for this task was the MySQL Enterprise Backup User’s Guide.

Install the software

Before we can configure backups and the like, you’ll need to install the MySQL Enterprise Backup software. Do so by following this guide:

$ tar xvzf meb-3.9.0-linux2.6-x86-64bit.tar.gz 
meb-3.9.0-linux2.6-x86-64bit/
meb-3.9.0-linux2.6-x86-64bit/bin/
meb-3.9.0-linux2.6-x86-64bit/bin/mysqlbackup
meb-3.9.0-linux2.6-x86-64bit/README.txt
meb-3.9.0-linux2.6-x86-64bit/LICENSE.mysql
meb-3.9.0-linux2.6-x86-64bit/manual.html
meb-3.9.0-linux2.6-x86-64bit/mysql-html.css

I then placed the mysqlbackup binary in my MySQL “bin” directory (typically /usr/local/mysql/bin if you installed MySQL as described in the documentation):

$ cp meb-3.9.0-linux2.6-x86-64bit/bin/mysqlbackup /usr/local/mysql/bin/
$ which mysqlbackup 
/usr/local/mysql/bin/mysqlbackup

Now we’ve installed the software, we can go on and prepare our database for backup.

Gather information, create backup user

Use this guide to review your configuration and figure out where you want to place your backup. In this example, I needed the following information:

  • MySQL port (often “3306“)
  • Backup user and password (“backup/mysupersecret” in this example)
  • Location for backup data (“/var/backups/mysql/backups” in this example)

Since I did not yet have a backup user for the database, I had to create one. Log into the database as root and create the backup user (named backup in my case) and grant the necessary privileges:

$ mysql -u root -p
mysql> CREATE USER 'backup'@'localhost' IDENTIFIED BY 'mysupersecret';
mysql> GRANT RELOAD ON *.* TO 'backup'@'localhost';
mysql> GRANT CREATE, INSERT, DROP, UPDATE ON mysql.ibbackup_binlog_marker TO 'backup'@'localhost';
mysql> GRANT CREATE, INSERT, DROP, UPDATE ON mysql.backup_progress TO 'backup'@'localhost';
mysql> GRANT CREATE, INSERT, SELECT, DROP, UPDATE ON mysql.backup_history TO 'backup'@'localhost';
mysql> GRANT REPLICATION CLIENT ON *.* TO 'backup'@'localhost';
mysql> GRANT SUPER ON *.* TO 'backup'@'localhost';
mysql> GRANT CREATE TEMPORARY TABLES ON mysql.* TO 'backup'@'localhost';
mysql> FLUSH PRIVILEGES;

With these steps complete, we can now create a shell script to automate our backups.

Shell script for full backup

Based on your backup concept (you have one, right?), you might want to schedule the following shell script to run multiple times per day, daily or weekly. The most important command in the script is the following:

/usr/local/mysql/bin/mysqlbackup --port=3306 --protocol=tcp --user=$BACKUP_USER --password=$BACKUP_PASS --with-timestamp --backup-dir=$BACKUP_DIR backup-and-apply-log

This command calls the mysqlbackup binary with the following arguments (also see here):

Argument Description
--port Port used to connect to the database instance during backup operations.
--protocol Protocol used to connect to the database.
--user, --password ID and password of privileged MySQL user.
--with-timestamp Creates a subdirectory underneath the backup directory, with a name formed from the timestamp of the backup operation. Useful to maintain a single backup directory containing many backup snapshots.
--backup-dir The directory under which to store the backup data. This is a crucial parameter required for most kinds of backup operations.
backup-and-apply-log This option performs an extra stage after the initial backup, to bring all InnoDB tables up-to-date with any changes that occurred during the backup operation, so that the backup is immediately ready to be restored.

Make sure to educate yourself on the backup operations supported by MySQL Enterprise Backup. The full script looks something like this:

#!/bin/bash

BACKUP_DIR=/var/backups/mysql/backups
BACKUP_PASS=mysupersecret
BACKUP_USER=backup

DATE_DAY=$(date +"%Y-%m-%d")
DATE_HOUR=$(date +"%H")

EMAIL_RECIPIENT=simon@krenger.ch

# Note: a password passed with --password is visible to other local users in the
# process list while the backup runs; mysqlbackup can also read it from a MySQL option file.
/usr/local/mysql/bin/mysqlbackup --port=3306 --protocol=tcp --user="$BACKUP_USER" --password="$BACKUP_PASS" --with-timestamp --backup-dir="$BACKUP_DIR" backup-and-apply-log

# The log is written into the timestamped subdirectory created by --with-timestamp
NO_OF_COMPLETE_OK_MESSAGES=$(cat "$BACKUP_DIR"/${DATE_DAY}_${DATE_HOUR}*/meta/MEB_${DATE_DAY}.${DATE_HOUR}*.log | grep -c "mysqlbackup completed OK")

# Note that the string "mysqlbackup completed OK" must occur 2 times in the log in order for the backup to be OK
if [ "$NO_OF_COMPLETE_OK_MESSAGES" -eq 2 ]; then
        # Backup successful
        echo "Backup succeeded"
        exit 0
else
        echo "MySQL backup failed, see attached logfile" | mail -s "ERROR: MySQL Backup Failed!" "${EMAIL_RECIPIENT}"
        exit 1
fi

You can then schedule it to run daily (crontab -e) at 04:00 in the morning for example:

0 4 * * * /var/backups/mysql/make-mysql-backup.sh

Mysql Secure Installation for non default socket.

SECURING MYSQL SERVER

mysql_secure_installation is a script useful to

  • set root password
  • disallowing root login remotely
  • removing anonymous user accounts after first installation
  • removing test database which can be accessed by any users

The script above works for the default socket location, i.e. /var/lib/mysql/mysql.sock.

If the server is started with a non-default socket location, mysql_secure_installation ignores any socket option you specify and the script fails (for example, mysql_secure_installation --socket=/mysql/socket/mysql.sock).

We should also consider this situation in case if we need to install more than one instance of mysql on a single server.

For the secure installation script to work for a non default socket location, we need to create a softlink /var/lib/mysql/mysql.sock -> <non-default socket>

1) ln -s /mysql/socket/mysqld.sock /var/lib/mysql/mysql.sock

Then run mysql_secure_installation directly

2) mysql_secure_installation

MYSQL mariadb CENTOS 7

wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
rpm -ivh mysql-community-release-el7-5.noarch.rpm
yum update
yum install mysql-server

systemctl start mysqld

[root@clusterserver1 ~]# systemctl start mysqld
[root@clusterserver1 ~]# systemctl enable mysqld
[root@clusterserver1 ~]# systemctl status mysqld

[root@clusterserver1 ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we’ll need the current
password for the root user.  If you’ve just installed MySQL, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
… Success!

Normally, root should only be allowed to connect from ‘localhost’.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
… Success!

By default, MySQL comes with a database named ‘test’ that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
– Dropping test database…
ERROR 1008 (HY000) at line 1: Can’t drop database ‘test’; database doesn’t exist
… Failed!  Not critical, keep moving…
– Removing privileges on test database…
… Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
… Success!

All done!  If you’ve completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

Cleaning up…
[root@clusterserver1 ~]# systemctl restart mysqld

[root@clusterserver1 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.33 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

mysql>

create database testdb;
create user 'testuser'@'localhost' identified by 'password';
-- Name the host explicitly: GRANT ... TO 'testuser' IDENTIFIED BY ... without a host part
-- targets 'testuser'@'%' and, with the default sql_mode, creates a second account reachable from any host.
grant all on testdb.* to 'testuser'@'localhost';

mysql> create database testdb;
Query OK, 1 row affected (0.00 sec)

mysql> create user 'testuser'@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on testdb.* to 'testuser' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

mysql>

mysql -u testuser -p

use testdb;
create table customers (customer_id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, first_name TEXT, last_name TEXT);

[root@clusterserver1 ~]# mysql -u testuser -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.6.33 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

mysql> use testdb;
Database changed
mysql> create table customers (customer_id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, first_name TEXT, last_name TEXT);
Query OK, 0 rows affected (0.01 sec)

mysql>

Reset the MySQL Root Password

If you forget your root MySQL password, it can be reset.

Stop the current MySQL server instance, then restart it with an option to not ask for a password.

systemctl stop mysqld
mysqld_safe --skip-grant-tables &

Reconnect to the MySQL server with the MySQL root account.

mysql -u root

Use the following commands to reset root’s password. Replace password with a strong password.

use mysql;
update user SET PASSWORD=PASSWORD("password") WHERE USER='root';
flush privileges;
exit

Then restart MySQL.

systemctl start mysqld

Tune MySQL

MySQL Tuner is a Perl script that connects to a running instance of MySQL and provides configuration recommendations based on workload. Ideally, the MySQL instance should have been operating for at least 24 hours before running the tuner. The longer the instance has been running, the better advice MySQL Tuner will give.

Download MySQL Tuner to your home directory.

wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl

To run it:

perl ./mysqltuner.pl

You will be asked for the MySQL root user’s name and password. The output will show two areas of interest: General recommendations and Variables to adjust.

MySQL Tuner is an excellent starting point to optimize a MySQL server but it would be prudent to perform additional research for configurations tailored to the application(s) utilizing MySQL on

I recently upgraded my development laptop to CentOS 7 and, while I was at it, built a spare laptop running the same operating system. After manually creating a dozen MySQL databases and users and then importing their data from dump files on one laptop, I wasn't interested in going through exactly the same process again on the second laptop.

As is now the default on CentOS 7, the databases were actually MariaDB (a community-developed fork of MySQL) rather than MySQL, but that’s not relevant here. The following procedure describes how I migrated an entire MariaDB/MySQL RDBMS installation in one go without recreating any databases or users or dumping and re-importing any files. The same procedure would of course work for migrating similar data between CentOS 7 servers.

Before proceeding I should emphasise that this data migration was between two machines with identical freshly installed operating systems. In cases where the operating systems, distributions or version were different things might not go so smoothly. One concern would be that global database configuration parameters on both machines were compatible.

Original Database Server

1: Create a directory to hold the data being migrated:

# mkdir mariadbdata

2: Stop the MariaDB/MySQL server:

# systemctl stop mariadb

3: Copy contents of /var/lib/mysql to the directory just created:

# cp -r /var/lib/mysql/* mariadbdata

4: Restart the MariaDB/MySQL server again:

# systemctl start mariadb

5: Compress the data:

 # tar -czvf mariadbdata.tar.gz mariadbdata

6: Copy the compressed file to new server.


New Database Server

1: Install MariaDB but don’t start it yet.

2: Uncompress data file:

# tar -xzvf mariadbdata.tar.gz

3: Move contents of data directory to /var/lib/mysql:

# mv mariadbdata/* /var/lib/mysql

4: Change ownership of all files in /var/lib/mysql to mysql user:

# chown -R mysql.mysql /var/lib/mysql/*

5: Restore correct SELinux security contexts:

# restorecon -R /var/lib/mysql/

6: Enable and start MariaDB:

# systemctl enable mariadb
# systemctl start mariadb


Typically the MySQL databases are located in /var/lib/mysql.

I want to change it to /var/data/mysql.

Modify the paths as required in the below commands

stop mysql

systemctl stop mysqld.service

create new mysql data directory

mkdir /var/data/mysql

modify /etc/my.cnf and point to new data directory – add the client section to the top

[client]
port=3306
socket=/var/data/mysql/mysql.sock

[mysqld]
datadir=/var/data/mysql
socket=/var/data/mysql/mysql.sock

copy all files from /var/lib/mysql to the new directory /var/data/mysql

cp -r /var/lib/mysql/* /var/data/mysql

permissions for the new directory

chown -R mysql /var/data/mysql;
chgrp -R mysql /var/data/mysql;
chmod -R g+rw /var/data/mysql;

also modify SELINUX settings to allow mysql to use the different path

# add context and make it permanent 
semanage fcontext -a -s system_u -t mysqld_db_t "/var/data/mysql(/.*)?"
restorecon -Rv /var/data/mysql

start mysql

systemctl start mysqld.service

XFS CENTOS 7

XFS without LVM
Create an XFS file system
We have /dev/sdb as a free hard drive:

[root@clusterserver1 ~]# lsblk -f
NAME            FSTYPE      LABEL           UUID                                   MOUNTPOINT
fd0
sda
├─sda1          xfs                         aba69d25-b3de-4d89-ba25-e50a8dcf10eb   /boot
└─sda2          LVM2_member                 EE31dY-Ubnm-LwCA-8J9J-vK9B-XNzz-OZSt75
  ├─centos-swap swap                        2e1fb731-0f59-4d10-9f2f-e302a671de57   [SWAP]
  └─centos-root xfs                         8e1d8c59-5cd0-4716-92dd-de7c1417dc74   /
sdb
sr0             iso9660     CentOS 7 x86_64 2014-07-06-17-32-07-00
[root@clusterserver1 ~]#

Create a single partition spanning the whole drive (GPT label; the file-system type given to mkpart is only a hint recorded in the partition table, mkfs does the real work):

[root@clusterserver1 ~]# parted -s /dev/sdb mklabel gpt
[root@clusterserver1 ~]# parted -s /dev/sdb mkpart primary xfs 0% 100%
[root@clusterserver1 ~]#
[root@clusterserver1 ~]# mkfs.xfs /dev/sdb1
meta-data=/dev/sdb1              isize=256    agcount=4, agsize=1310592 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=5242368, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@clusterserver1 ~]# mount -o inode64,nobarrier /dev/sdb1 /mnt
[root@clusterserver1 ~]# df -TH /mnt/
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/sdb1      xfs    22G   34M   22G   1% /mnt
[root@clusterserver1 ~]#

A word on the mount options: inode64 is the sensible choice on a 64-bit system, but nobarrier disables write barriers, so a crash or power loss can leave the journal inconsistent. It is only safe on storage with a battery-backed write cache, and newer kernels have deprecated the option; leave it out unless you know the storage guarantees write ordering.

[root@clusterserver1 ~]# lsblk -f /dev/sdb
NAME   FSTYPE LABEL UUID                                 MOUNTPOINT
sdb
└─sdb1 xfs          23356c78-b7eb-4dc8-bd29-3d9933ac848b /mnt
[root@clusterserver1 ~]#

[root@clusterserver1 ~]# umount /mnt

[root@clusterserver1 ~]# mkdir -p /other/data
[root@clusterserver1 ~]# vi /etc/fstab
[root@clusterserver1 ~]# grep /dev/sdb1 /etc/fstab
/dev/sdb1       /other/data                     xfs     inode64,nobarrier       0 0
[root@clusterserver1 ~]#

Referring to the device as UUID=23356c78-b7eb-4dc8-bd29-3d9933ac848b (the value lsblk -f printed above) instead of /dev/sdb1 is more robust: /dev/sdX names can change when disks are added or re-ordered, and a wrong device in fstab can stop the boot.

[root@clusterserver1 ~]# mount /other/data
[root@clusterserver1 ~]#  df -hT /other/data
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/sdb1      xfs    20G   33M   20G   1% /other/data

[root@clusterserver1 ~]# parted -s /dev/sdb print free
Model: VMware, VMware Virtual S (scsi)
Disk /dev/sdb: 21.5GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name     Flags
17.4kB  1049kB  1031kB  Free Space
1      1049kB  21.5GB  21.5GB  clusterserver1          primary
21.5GB  21.5GB  1032kB  Free Space

[root@clusterserver1 ~]#

Unmount the file system:

[root@clusterserver1 ~]# umount /other/data
After the virtual disk has been grown on the hypervisor, the new size becomes visible a minute later (here 6 GB; this second transcript starts from a 4 GB disk, not the 22 GB one above), and parted notices that the backup GPT header is no longer at the end of the disk:

[root@clusterserver1 ~]# parted /dev/sdb
GNU Parted 3.1
Using /dev/sdb
Welcome to GNU Parted! Type ‘help’ to view a list of commands.
(parted) print free
Error: The backup GPT table is not at the end of the disk, as it should be.  This might mean that another operating system believes the disk is smaller.  Fix, by moving the
backup to the end (and removing the old backup)?
Fix/Ignore/Cancel? fix
Warning: Not all of the space available to /dev/sdb appears to be used, you can fix the GPT to use all of the space (an extra 4194304 blocks) or continue with the current
setting?
Fix/Ignore? fix
Model: VMware Virtual disk (scsi)
Disk /dev/sdb: 6442MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name     Flags
17.4kB  1049kB  1031kB  Free Space
1      1049kB  4294MB  4293MB  xfs          primary
4294MB  6442MB  2149MB  Free Space
Switch to sectors values :

(parted) unit s
Display all partitions :

(parted) print free
Model: VMware Virtual disk (scsi)
Disk /dev/sdb: 12582912s
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start     End        Size      File system  Name     Flags
34s       2047s      2014s     Free Space
1      2048s     8386559s   8384512s  xfs          primary
8386560s  12582878s  4196319s  Free Space
Remove this partition :

(parted) rm 1
Recreate the partition :

(parted) mkpart primary 2048s 100%
Switch to kB values :

(parted) unit kB
We can see a 6GB new partition :

(parted) print free
Model: VMware Virtual disk (scsi)
Disk /dev/sdb: 6442451kB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start      End        Size       File system  Name     Flags
17.4kB     1049kB     1031kB     Free Space
1      1049kB     6441402kB  6440354kB  xfs          primary
6441402kB  6442434kB  1032kB     Free Space
Quit parted:

(parted) q
Information: You may need to update /etc/fstab.
Check the XFS file system after the partition-table change (the start sector is unchanged, so nothing should need repair; xfs_repair -n would do the same pass read-only):

[root@clusterserver1 ~]# xfs_repair /dev/sdb1
Phase 1 - find and verify superblock...
Phase 2 - using internal log
        - zero log...
        - scan filesystem freespace and inode maps...
        - found root inode chunk
Phase 3 - for each AG...
        - scan and clear agi unlinked lists...
        - process known inodes and perform inode discovery...
        - agno = 0
        - agno = 1
        - agno = 2
        - agno = 3
        - process newly discovered inodes...
Phase 4 - check for duplicate blocks...
        - setting up duplicate extent list...
        - check for inodes claiming duplicate blocks...
        - agno = 0
        - agno = 1
        - agno = 2
        - agno = 3
Phase 5 - rebuild AG headers and trees...
        - reset superblock...
Phase 6 - check inode connectivity...
        - resetting contents of realtime bitmap and summary inodes
        - traversing filesystem ...
        - traversal finished ...
        - moving disconnected inodes to lost+found ...
Phase 7 - verify and correct link counts...
done
Remount this file system :

[root@clusterserver1 ~]# mount /other/data
The file system size didn’t grow :

[root@clusterserver1 ~]# df -hT /other/data
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/sdb1      xfs   4.0G   33M  4.0G   1% /other/data
We now need to extend the XFS file system:

[root@clusterserver1 ~]# xfs_growfs /other/data
meta-data=/dev/sdb1              isize=256    agcount=4, agsize=262016 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=1048064, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal               bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 1048064 to 1572352
It's done:

[root@clusterserver1 ~]# df -hT /other/data
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/sdb1      xfs   6.0G   33M  6.0G   1% /other/data
No data lost:

[root@clusterserver1 ~]# cat /other/data/file
here is a file in an XFS file system
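Before deleting and recreating the partition it is worth confirming, from parted's own output, that the disk really has unused space after the last partition and how much. The shell functions below are an added example, not part of the original transcript: gpt_trailing_free reads the output of parted -s DEV unit s print free (the sector-unit table shown above) and prints the number of free sectors after the last partition; needs_grow turns that into a yes/no, ignoring the small alignment gap GPT always leaves at the end of the disk. The 2048-sector threshold is an assumption (1 MiB at 512-byte sectors).

```shell
#!/bin/sh
# Added example (not from the original post): decide from `parted -s DEV unit s print free`
# output whether the last partition stops short of the end of the disk, i.e. whether the disk
# was grown underneath it and the rm/mkpart/xfs_growfs sequence above is needed.
# Assumes the table was printed with `unit s` (sector units), as in the transcript.

# gpt_trailing_free
#   Reads parted output on stdin and prints the number of free sectors after the last
#   partition (0 when there is none).
gpt_trailing_free() {
    awk '
        # partition rows start with a number: "1  2048s  8386559s  8384512s  xfs  primary"
        $1 ~ /^[0-9]+$/ {
            end = $3; sub(/s$/, "", end); last_part_end = end + 0; trailing = 0; next
        }
        # free rows end with "Free Space": "8386560s  12582878s  4196319s  Free Space"
        NF >= 2 && $(NF-1) == "Free" && $NF == "Space" {
            start = $1; size = $3; sub(/s$/, "", start); sub(/s$/, "", size)
            if (last_part_end > 0 && start + 0 > last_part_end) trailing = size + 0
        }
        END { print trailing + 0 }
    '
}

# needs_grow [THRESHOLD_SECTORS]
#   Exit status 0 when the trailing free space exceeds THRESHOLD (assumed default 2048
#   sectors = 1 MiB at 512-byte sectors, enough to absorb the GPT end-of-disk gap).
needs_grow() {
    threshold=${1:-2048}
    free=$(gpt_trailing_free)
    [ "$free" -gt "$threshold" ]
}

# Example: parted -s /dev/sdb unit s print free | needs_grow && echo "grow /dev/sdb1"
if [ $# -eq 1 ]; then
    parted -s "$1" unit s print free | needs_grow && echo "$1: unused space after the last partition, grow the partition"
fi
```

Run the check before and after the mkpart step: before, it reports the 4196319 free sectors seen in the transcript; afterwards only the GPT alignment slack remains and needs_grow returns non-zero.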

The same data disk with LVM underneath, managed through System Storage Manager (ssm), which creates the physical volume, volume group, logical volume and file system in one step:

yum -y install system-storage-manager
mkdir -p /other/data
fdisk -l

[root@clusterserver1 ~]# ssm create -n data_lv --fstype xfs -p data_vg /dev/sdb /other/data
File descriptor 7 (/dev/urandom) leaked on lvm invocation. Parent PID 10096: /usr/bin/python
Physical volume “/dev/sdb” successfully created
Volume group “data_vg” successfully created
File descriptor 7 (/dev/urandom) leaked on lvm invocation. Parent PID 10096: /usr/bin/python
Logical volume “data_lv” created.
meta-data=/dev/data_vg/data_lv   isize=256    agcount=4, agsize=1310464 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=5241856, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@clusterserver1 ~]# df -hT /other/data
[root@clusterserver1 ~]# vgdisplay -v data_vg
Using volume group(s) on command line.
--- Volume group ---
VG Name               data_vg
System ID
Format                lvm2
Metadata Areas        1
Metadata Sequence No  2
VG Access             read/write
VG Status             resizable
MAX LV                0
Cur LV                1
Open LV               1
Max PV                0
Cur PV                1
Act PV                1
VG Size               20.00 GiB
PE Size               4.00 MiB
Total PE              5119
Alloc PE / Size       5119 / 20.00 GiB
Free  PE / Size       0 / 0
VG UUID               wlEg2R-Bydn-UbFn-AI63-MeA4-dgNy-q30uWb

--- Logical volume ---
LV Path                /dev/data_vg/data_lv
LV Name                data_lv
VG Name                data_vg
LV UUID                BvQo50-0ehc-Ub92-QUNo-Qmn4-4roI-qHpkjX
LV Write Access        read/write
LV Creation host, time clusterserver1.rmohan.com, 2016-09-19 00:38:25 +0800
LV Status              available
# open                 1
LV Size                20.00 GiB
Current LE             5119
Segments               1
Allocation             inherit
Read ahead sectors     auto
– currently set to     8192
Block device           253:2

--- Physical volumes ---
PV Name               /dev/sdb
PV UUID               kYBGc2-EZNF-JtdX-lKj4-WRJR-tKxP-vu8wJP
PV Status             allocatable
Total PE / Free PE    5119 / 0

[root@clusterserver1 ~]# lsblk -f
NAME              FSTYPE      LABEL           UUID                                   MOUNTPOINT
fd0
sda
├─sda1            xfs                         aba69d25-b3de-4d89-ba25-e50a8dcf10eb   /boot
└─sda2            LVM2_member                 EE31dY-Ubnm-LwCA-8J9J-vK9B-XNzz-OZSt75
  ├─centos-swap   swap                        2e1fb731-0f59-4d10-9f2f-e302a671de57   [SWAP]
  └─centos-root   xfs                         8e1d8c59-5cd0-4716-92dd-de7c1417dc74   /
sdb               LVM2_member                 kYBGc2-EZNF-JtdX-lKj4-WRJR-tKxP-vu8wJP
└─data_vg-data_lv xfs                         49460e67-1b86-444d-9dcb-7b7fd014303e
sdc
sr0               iso9660     CentOS 7 x86_64 2014-07-06-17-32-07-00
[root@clusterserver1 ~]# ssm add -p data_vg /dev/sdc
File descriptor 7 (/dev/urandom) leaked on lvm invocation. Parent PID 2200: /usr/bin/python
Physical volume “/dev/sdc” successfully created
Volume group “data_vg” successfully extended
[root@clusterserver1 ~]#
[root@clusterserver1 ~]# ssm list pool
----------------------------------------------------
Pool     Type  Devices      Free      Used     Total
----------------------------------------------------
centos   lvm   1         0.00 KB  19.51 GB  19.51 GB
data_vg  lvm   2        20.00 GB  20.00 GB  39.99 GB
----------------------------------------------------
[root@clusterserver1 ~]# ssm resize -s +2G /dev/data_vg/data_lv
File descriptor 7 (/dev/urandom) leaked on lvm invocation. Parent PID 2256: /usr/bin/python
Phase 1 - find and verify superblock...
Phase 2 - using internal log
        - scan filesystem freespace and inode maps...
        - found root inode chunk
Phase 3 - for each AG...
        - scan (but don't clear) agi unlinked lists...
        - process known inodes and perform inode discovery...
        - agno = 0
        - agno = 1
        - agno = 2
        - agno = 3
        - process newly discovered inodes...
Phase 4 - check for duplicate blocks...
        - setting up duplicate extent list...
        - check for inodes claiming duplicate blocks...
        - agno = 0
        - agno = 1
        - agno = 2
        - agno = 3
No modify flag set, skipping phase 5
Phase 6 - check inode connectivity...
        - traversing filesystem ...
        - traversal finished ...
        - moving disconnected inodes to lost+found ...
Phase 7 - verify link counts...
No modify flag set, skipping filesystem flush and exiting.
Size of logical volume data_vg/data_lv changed from 20.00 GiB (5119 extents) to 22.00 GiB (5631 extents).
Logical volume data_lv successfully resized.
meta-data=/dev/mapper/data_vg-data_lv isize=256    agcount=4, agsize=1310464 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=5241856, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal               bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 5241856 to 5766144
[root@clusterserver1 ~]# ssm resize -s +2093056K /dev/data_vg/data_lv
File descriptor 7 (/dev/urandom) leaked on lvm invocation. Parent PID 2429: /usr/bin/python
Phase 1 - find and verify superblock...
Phase 2 - using internal log
        - scan filesystem freespace and inode maps...
        - found root inode chunk
Phase 3 - for each AG...
        - scan (but don't clear) agi unlinked lists...
        - process known inodes and perform inode discovery...
        - agno = 0
        - agno = 1
        - agno = 2
        - agno = 3
        - agno = 4
        - process newly discovered inodes...
Phase 4 - check for duplicate blocks...
        - setting up duplicate extent list...
        - check for inodes claiming duplicate blocks...
        - agno = 0
        - agno = 1
        - agno = 2
        - agno = 3
        - agno = 4
No modify flag set, skipping phase 5
Phase 6 - check inode connectivity...
        - traversing filesystem ...
        - traversal finished ...
        - moving disconnected inodes to lost+found ...
Phase 7 - verify link counts...
No modify flag set, skipping filesystem flush and exiting.
Size of logical volume data_vg/data_lv changed from 22.00 GiB (5631 extents) to 23.99 GiB (6142 extents).
Logical volume data_lv successfully resized.
meta-data=/dev/mapper/data_vg-data_lv isize=256    agcount=5, agsize=1310464 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=5766144, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal               bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 5766144 to 6289408
[root@clusterserver1 ~]#

ssm resize already grew the file system together with the logical volume (the "data blocks changed" lines above), so a further xfs_growfs only confirms that nothing is left to grow. Note that the output pasted below reports /dev/mapper/centos-root, i.e. the root file system, not /other/data:

[root@clusterserver1 ~]#  xfs_growfs /other/data
meta-data=/dev/mapper/centos-root isize=256    agcount=4, agsize=1147392 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=4589568, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal               bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

[root@clusterserver1 ~]# df -TH
Filesystem                  Type      Size  Used Avail Use% Mounted on
/dev/mapper/centos-root     xfs        19G  1.7G   18G   9% /
devtmpfs                    devtmpfs  2.0G     0  2.0G   0% /dev
tmpfs                       tmpfs     2.0G     0  2.0G   0% /dev/shm
tmpfs                       tmpfs     2.0G  9.0M  2.0G   1% /run
tmpfs                       tmpfs     2.0G     0  2.0G   0% /sys/fs/cgroup
/dev/sda1                   xfs       521M  279M  243M  54% /boot
tmpfs                       tmpfs     390M     0  390M   0% /run/user/0
/dev/mapper/data_vg-data_lv xfs        26G   34M   26G   1% /other/data
[root@clusterserver1 ~]# cd /other/data/
[root@clusterserver1 data]# ls
file
[root@clusterserver1 data]# cat file
we are using LVM
[root@clusterserver1 data]#

Installing MySQL 5.7 on CentOS 7 with yum

1. Download the MySQL yum repository package

shell> wget http://dev.mysql.com/get/mysql57-community-release-el7-7.noarch.rpm

2. Install the repository package

shell> yum localinstall -y mysql57-community-release-el7-7.noarch.rpm

3. Install the database server

shell> yum install -y mysql-community-server

4. Start the MySQL service

shell> systemctl start mysqld.service

5. Log in with the generated root password

MySQL 5.7 packages do not leave root with a blank password: the first start generates a random temporary password for 'root'@'localhost', writes it to the error log (look for "temporary password" in /var/log/mysqld.log) and marks it expired, so the first session can do nothing until it is changed.

shell> mysql -uroot -p

6. Set a new root password

mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'yourpassword';

mysql> quit;

No FLUSH PRIVILEGES or restart is needed after ALTER USER. While the temporary password is expired the server accepts only this statement (or SET PASSWORD); the older UPDATE mysql.user SET authentication_string = PASSWORD('yourpassword') form is refused with ERROR 1820 in that state and is deprecated in 5.7 anyway. The validate_password plugin that the package enables rejects weak passwords either way.

If you have lost the root password, or get

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

edit my.cnf and add skip-grant-tables and skip-networking:

shell> vi /etc/my.cnf

[mysqld]

skip-grant-tables

skip-networking

Restart MySQL and repeat the password change above; with the grant tables skipped, run FLUSH PRIVILEGES first, otherwise ALTER USER is refused. While skip-grant-tables is in effect anyone who can reach the server is root without a password, which is why skip-networking (local socket only) goes with it, and why both lines must be removed from my.cnf and the server restarted as soon as the password has been set.
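Both the data-directory move earlier on this page and the skip-grant-tables recovery above end with hand edits to /etc/my.cnf, and the mistakes they can leave behind are easy to miss: a forgotten skip-grant-tables, a [client] socket that no longer matches the [mysqld] one, a relative datadir, or a server listening on every interface by default. The shell function below is an added example, not from the original notes, that audits the file for those conditions. It assumes the usual INI layout and does not follow !include or !includedir directives; option names are normalised because MySQL accepts underscores and dashes interchangeably.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/my.cnf for the leftovers of the two
# procedures on this page: skip-grant-tables still set (no authentication at all), a [client]
# socket that differs from the moved [mysqld] socket, a relative datadir, and a server that
# listens on all interfaces without needing to.
# Assumes plain INI layout; !include/!includedir lines are skipped, not followed.

# audit_mycnf FILE
#   Prints one FINDING line per problem; exit status is the number of findings (0 = clean).
audit_mycnf() {
    awk '
        /^[[:space:]]*[#;!]/ { next }                        # comments and !include directives
        /^[[:space:]]*\[/ {                                  # section header, e.g. [mysqld]
            s = tolower($0); gsub(/\[|\]|[[:space:]]/, "", s); next
        }
        /^[[:space:]]*$/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            key = line; sub(/[[:space:]]*=.*/, "", key)
            key = tolower(key); gsub(/_/, "-", key)          # MySQL treats a_b and a-b as the same option
            val = ""
            if (index(line, "=")) {
                val = line; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            }
            if (s == "mysqld" && key == "skip-grant-tables") {
                print "FINDING: [mysqld] skip-grant-tables is set: every connection is accepted without a password"; n++
            }
            if (s == "mysqld" && key == "skip-networking") skipnet = 1
            if (s == "mysqld" && key == "socket")         msock = val
            if (s == "client" && key == "socket")         csock = val
            if (s == "mysqld" && key == "datadir")        datadir = val
            if (s == "mysqld" && key == "bind-address")   bind = val
        }
        END {
            if (csock != "" && msock != "" && csock != msock) {
                print "FINDING: [client] socket " csock " differs from [mysqld] socket " msock; n++
            }
            if (datadir != "" && datadir !~ /^\//) {
                print "FINDING: datadir " datadir " is not an absolute path"; n++
            }
            if (bind == "" && !skipnet) {
                print "FINDING: no bind-address and networking enabled: the server listens on all interfaces"; n++
            }
            exit n + 0
        }' "$1"
}

# Example: audit_mycnf /etc/my.cnf || echo "fix the findings above before exposing the server"
if [ $# -eq 1 ]; then
    audit_mycnf "$1"
fi
```

The bind-address finding is advisory: a server that must accept remote clients needs a non-loopback address, but then the firewall and the account host parts (next section) are what keep it from being reachable by everyone.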

Part II: Configuration

1. Add a remote login user (logged in to MySQL)

use mysql;

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'your password' WITH GRANT OPTION;

Note: '%' means any address; you can specify an IP instead. As written, this statement makes the superuser reachable from anywhere with a password as the only barrier, and Internet-facing MySQL servers are brute-forced continuously. For anything beyond a lab, create a separate account for the application, grant it only the privileges it needs on its own database, restrict the host part to the client's address, leave out WITH GRANT OPTION, and keep root on localhost.

2. Check the user table and reload the privileges

select host, user from user;

FLUSH PRIVILEGES;

3. Open the firewall port

On systems using the iptables service, edit /etc/sysconfig/iptables and, before the line -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited, add

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

then restart the firewall:

service iptables restart

On CentOS 7 the firewall is firewalld. Stopping and disabling it is the quick way out:

systemctl stop firewalld.service # stop

systemctl disable firewalld.service # disable

but that removes the host firewall entirely. On a server reachable from anything other than trusted hosts, add a permanent firewalld rule for TCP 3306 (limited to the client's source address) and leave firewalld running.

4. Character set, and table-name case sensitivity

4.1 Set the server character set in the MySQL configuration file

Default location: /etc/my.cnf

vim /etc/my.cnf

[mysqld]

character-set-server = utf8

collation-server = utf8_general_ci

Restart MySQL:

systemctl restart mysqld.service

View the current settings from a client session:

mysql> status

Parameter description:

character_set_client: character set in which the client sends statements to the server.

character_set_connection: character set the server converts incoming statements to before executing them.

character_set_database: default character set of the current default database, used when a table is created without an explicit character set; when there is no default database it falls back to character_set_server, so it normally does not need to be set.

character_set_filesystem: character set used to interpret file names in statements such as LOAD DATA INFILE and SELECT ... INTO OUTFILE; the default of binary means no conversion is done.

character_set_results: character set in which result sets and error messages are returned to the client.

character_set_server: default character set of the server, inherited by databases created without one.

character_set_system: always utf8; used for identifiers and metadata and cannot be set.

4.2 Table-name case sensitivity

lower_case_table_names values:

0: table names are stored as given and comparisons are case sensitive (the default on Linux)

1: table names are stored in lower case and comparisons are case insensitive

Decide this before the data directory is initialised; changing it on a server that already has tables with upper-case letters in their names can make those tables unreachable.

Changing the root password on older servers

On MySQL 5.6 and earlier the password hash lives in the Password column of mysql.user, so the reset from the mysql prompt reads:

mysql -u root -p

use mysql

update user set password=PASSWORD('abcde') where user = 'root';

This form fails on 5.7, where the column no longer exists; use ALTER USER (or the authentication_string form shown earlier) there. mysqld --install, which also turns up in these notes, registers mysqld as a Windows service and has no CentOS equivalent.

Character set of the current session only (the server defaults set in my.cnf are unchanged):

mysql> show variables like 'char%';
mysql> set character_set_client=gbk;
mysql> set character_set_results=gbk;

HAProxy high availability cluster configuration for Redis (notes)

The goal is a highly available Redis for Sensu. The Redis side is a three-node Sentinel + Redis setup, configured as described in an earlier post.

Sentinel promotes a new master automatically when the master goes down, but it is not a proxy: clients still have to find out which node is the master. So a proxy with a stable IP is needed, and HAProxy is used here. To keep HAProxy itself from becoming a single point of failure, a master/backup pair of HAProxy nodes under Keepalived completes the highly available Redis cluster.

tar zxvf haproxy-1.4.21.tar.gz
mv haproxy-1.4.21 /usr/local/haproxy
cd /usr/local/haproxy
make TARGET=linux26
make install

mkdir conf
cd conf
vim haproxy.cfg

global
log 127.0.0.1   local0
log 127.0.0.1   local1 notice
#log loghost    local0 info
maxconn 4096
chroot /usr/local/haproxy
uid 99
gid 99
daemon
#debug
#quiet

defaults
log     global
mode    tcp
option  redispatch
option  dontlognull
retries 2
maxconn 2000
balance roundrobin
contimeout      5000
clitimeout      50000
srvtimeout      50000

listen  proxy 10.166.224.37:6379
#redis
server redis_10.166.224.36 10.166.224.36:6379 check inter 2000 rise 2 fall 5
server redis_10.166.224.35 10.166.224.35:6379 check inter 2000 rise 2 fall 5
server redis_10.166.224.33 10.166.224.33:6379 check inter 2000 rise 2 fall 5

/usr/local/haproxy/haproxy -f /usr/local/haproxy/conf/haproxy.cfg

Two caveats on this configuration. First, "check" here is only a TCP connect test, and balance roundrobin spreads connections over all three nodes; replicas are read-only, so writes that land on one fail with a READONLY error. The proxy has to route to whichever node currently reports role:master. HAProxy 1.5 and later can do that with an option tcp-check sequence that sends INFO replication and expects the string role:master; 1.4 has no tcp-check, so a newer release is the better choice. Second, the chroot plus uid/gid 99 (nobody) in the global section is worth keeping: it is what limits the damage if the proxy process is compromised. Redis itself has no authentication unless requirepass is set, so the listen address 10.166.224.37 should not be reachable from anything but the Sensu hosts.

[root@app2 ~]# redis-cli -h 192.168.1.11
192.168.1.11:6379> INFO
# Server
redis_version:2.8.19
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:c0359e7aa3798aa2
redis_mode:standalone
os:Linux 3.10.0-327.28.3.el7.x86_64 x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.8.3
process_id:14574
run_id:399a903ee13ab0b442d81020b174cafd5d91701a
tcp_port:6379
uptime_in_seconds:2820
uptime_in_days:0
hz:10
lru_clock:14238870
config_file:/etc/redis.conf

# Clients
connected_clients:2
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0

# Memory
used_memory:857984
used_memory_human:837.88K
used_memory_rss:5955584
used_memory_peak:858120
used_memory_peak_human:838.01K
used_memory_lua:35840
mem_fragmentation_ratio:6.94
mem_allocator:jemalloc-3.6.0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1473855549
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok

# Stats
total_connections_received:7
total_commands_processed:51
instantaneous_ops_per_sec:0
total_net_input_bytes:22221
total_net_output_bytes:37208
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:1
keyspace_misses:1
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:821

# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:1.03
used_cpu_user:0.69
used_cpu_sys_children:0.00
used_cpu_user_children:0.00

# Keyspace
db1:keys=5,expires=0,avg_ttl=0
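The INFO output above shows the field a proxy has to key on: role:master. With Sentinel the master moves between nodes, so a health check that only tests the TCP port (as in the haproxy.cfg above) cannot tell master from replica. The shell functions below are an added example, not part of the original notes: they ask each node for INFO replication and return the single host that reports itself as master, refusing to answer when none or more than one does. They assume redis-cli is installed and the nodes do not require AUTH; the host addresses in the usage comment are those from the haproxy.cfg above. The equivalent HAProxy tcp-check stanza (HAProxy 1.5 or later) is given in the leading comment for reference.

```shell
#!/bin/sh
# Added example (not from the original post): find which of the Sentinel-managed Redis nodes
# is the current master, the same role:master test HAProxy should perform instead of
# round-robining over all three servers. Assumes redis-cli is installed and the nodes need no
# AUTH (add -a to redis_info if requirepass is set).
#
# Equivalent HAProxy 1.5+ health check (1.4 has no tcp-check), for the listen/backend section:
#   option tcp-check
#   tcp-check send PING\r\n
#   tcp-check expect string +PONG
#   tcp-check send info\ replication\r\n
#   tcp-check expect string role:master
#   tcp-check send QUIT\r\n
#   tcp-check expect string +OK

# redis_info HOST [PORT]
#   Prints the "replication" section of INFO for one node (replaced with canned output in tests).
redis_info() {
    redis-cli -h "$1" -p "${2:-6379}" INFO replication 2>/dev/null
}

# redis_role HOST [PORT]
#   Prints master, slave or unknown (unreachable node, AUTH required, garbage).
#   INFO lines end in CRLF, so the \r is stripped before the role field is compared.
redis_role() {
    role=$(redis_info "$1" "${2:-6379}" | tr -d '\r' | awk -F: '$1 == "role" { print $2; exit }')
    case "$role" in
        master|slave) echo "$role" ;;
        *)            echo "unknown" ;;
    esac
}

# find_redis_master HOST...
#   Prints the single host reporting role:master; exit 1 if none or more than one does
#   (two masters after a failover is a split brain, not something to route writes to).
find_redis_master() {
    master=""
    count=0
    for h in "$@"; do
        if [ "$(redis_role "$h")" = master ]; then
            master=$h
            count=$((count + 1))
        fi
    done
    if [ "$count" -eq 1 ]; then
        echo "$master"
        return 0
    fi
    echo "error: $count master(s) among: $*" >&2
    return 1
}

# Example: find_redis_master 10.166.224.36 10.166.224.35 10.166.224.33
if [ $# -gt 0 ]; then
    find_redis_master "$@"
fi
```

Run it from the HAProxy host before and after killing the master to see Sentinel move the role; if it ever reports two masters, fix Sentinel's quorum before touching the proxy.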

How to configure Storage Tiers with Windows Server 2012 R2

Storage Spaces: How to configure Storage Tiers with Windows Server 2012 R2 | Ask Premier Field Engineering (PFE) Platforms

Storage Tiers, a new feature in Windows Server 2012 R2, allow SSD and hard-drive storage to be used within the same storage pool. If you have not read Jose Barreto's step-by-step post on the subject, it is a great source of links about Storage Tiers and a fine place to find examples of how to implement them with Storage Spaces using PowerShell cmdlets. In this episode, I'm going to show you how to implement Storage Tiers using mostly the UI.

If you're not familiar with Storage Tiers, the idea is to mix solid-state (SSD) storage with conventional disks (HDD) in one pool, keeping the more frequently accessed data on the SSD media while both types of media serve as block storage for the same virtual disk: the best of both types of storage. That is a high-level summary, and a pretty awesome concept. Previously, in my basement lab, I had two different pools, one for each type of storage.

If implementing tiers with PowerShell, some calculations may be required, and it looks a bit complicated if you are just trying it out. Granted, below are quite a few screenshots and this is a lengthy post, but the process using the UI is fairly easy. I made one diversion into PowerShell to show how to define MediaTypes for storage devices if they are not detected automatically. The technique I use is very similar to Jose's example but is another variation, to show that you are not limited to one technique.

If you've read my recent post about expanding a storage pool, you may have a better understanding of how Storage Spaces uses columns. Configuring Storage Tiers through the UI uses the default number of columns; with some quick PowerShell during the creation process you can change the column defaults for a specific storage pool.

Creating Tiered Storage

1. The first step is attaching the devices you intend to use. You must have at least one SSD and one conventional drive attached. For this example, I chose 4 SSD devices and 9 drives of 1 TB. This is an odd arrangement, chosen with a purpose: to show the layout of a defined virtual disk, and to show that Storage Spaces will use what it can from this arrangement and leave the remaining space for other uses. I have connected the devices and can see them within Server Manager.


PVLAN Isolation

Introduction

In VMM 2012 SP1 you can isolate VM Networks using either traditional VLANs/PVLANs or, if you are using Windows Server 2012 as your host operating system, Network Virtualization. The latter option addresses the scale limitations of a traditional VLAN solution and allows tenants to "bring their own network" or otherwise extend their network into your environment. The diagram at the link below shows each of these options and acts as a reference for the detailed discussion that follows.

http://www.microsoft.com/en-us/download/details.aspx?id=37137

In Part III – Network Isolation, we covered how to configure your Logical Network for “No Isolation” in cases where you do not need to separate workloads and what you should do / how you should design your logical network solution when you want to use traditional VLANS. In this post, we focus our attention on isolation using PVLANs.

PVLAN Isolation

Private VLANs (PVLANs) are often used by service providers (hosters) to work around the scale limitations of VLANs that we discussed in Part III. They allow network administrators to divide a VLAN into a number of separate and isolated sub-networks which can then be allocated to individual customers (tenants). PVLANs share the IP subnet that was allocated to the parent VLAN, as you might expect; the security property is that although hosts on different PVLANs belong to the same IP subnet, the switch drops direct traffic between them, so they need a router to communicate with each other and with resources on any other network.

A PVLAN consists of a primary and a secondary VLAN pair, and each port that is part of the pair is configured in one of three modes. In promiscuous mode, hosts are on the primary VLAN and can communicate directly with resources on the primary VLAN and on all secondary VLANs. In community mode, the secondary VLAN represents a community: direct communication is permitted only with hosts in the same community and with promiscuous hosts on the primary VLAN. Isolated mode is as the name suggests: direct communication is permitted only with promiscuous hosts on the primary VLAN, not even with other hosts on the same isolated PVLAN.


The Networks Sites page of the Create Logical Network wizard includes a subtle but important difference for PVLANs – in addition to the primary VLAN, the “Associated VLANs and IP Subnets” section now contains an additional column Secondary VLAN. You should associate each primary VLAN and secondary PVLAN with a Network site within the logical network (as shown below) – you can define multiple PVLANS in the same Network Site as needed.

 


Note: Only one PVLAN can be in isolated mode per primary VLAN and you should take care to ensure that a different primary VLAN ID is used in each Network Site you create. The ID you use for the PVLAN, however, may be the same in each site – in fact using the same ID for the isolated PVLAN is recommended since it ensures consistency and simplifies management.

As before, VM Networks need to be created to allow virtual machines to connect to and use the Logical Network. Each VM Network you create is directly mapped to exactly one of the PVLANS that have been defined for that Logical Network. As a result, you can only have as many VM Networks as you have defined PVLANS. The create VM Wizard (below) will display only those PVLANS that have not already been allocated to an existing VM Network. The wizard does not offer the option for automatic assignment – even though the text suggests that this is actually possible.

 


To briefly summarize, create a single Logical Network to support PVLAN isolation, configured such that “sites within the logical network are not connected” and “Network sites within the logical network contain Private VLANs”. You should create a Network Site, define primary and secondary VLAN pairs and create VM Networks for each one (as shown below). In our example, we have chosen to designate PVLAN 5 as the isolated PVLAN for consistency across all primary VLANs, your implementation may be different.

 


As discussed earlier, each virtual machine connected to one of these VM Networks is assigned an IP address from the same subnet, but it can communicate directly only with the default IP gateway. Be aware that if all of the virtual machines are on the same physical host, isolation is enforced by the Hyper-V Extensible Switch; otherwise you must make sure that each PVLAN you define in VMM is also configured for isolated mode on the physical switch, or the separation exists only in VMM's view of the network.

To avoid potential IP conflicts with resources that exist on the primary VLAN (and any community VLANS that were created outside of VMM), it is recommended that you reserve a set of IP addresses / create a separate IP Pool for each PVLAN. As discussed, the IP addresses you reserve must be part of the IP subnet that was allocated to the primary VLAN.

Summary

SC VMM 2012 SP1 only supports isolation mode and has no concept of primary (promiscuous) or community PVLANS and you need to be aware of this restriction when designing your solution. That being said, there are a number of scenarios which work quite well in this configuration – the most common example of which is Front End Web Servers. In this specific scenario, all of the web servers in a web farm are placed on a single network subnet but are otherwise completely isolated from each other, PVLANs in this context helping to simplify management and improve overall security.
