Shulou(Shulou.com)06/01 Report--

Whether you are compiling installation, binary installation, or yum,rpm, it is necessary to initialize the installation of mysql.

Here's how to initialize the installation of mysql. Remember to prepare the my.cnf file before installation. How to configure my.cnf, you can see my another article, there are many people in order to take care of beginners, directly skip the configuration description of my.cnf, I think it is unreasonable, the database can not be used, is the need to understand the benefits and meaning of their own definition, I sincerely suggest that you read that article to find what you want.

However, it should be noted that due to the difference between the release and version numbers, some parameters may be different or unavailable, which will lead to initialization failure. You need to check mysql.err in the initialization data directory to see which parameter is wrong, then mask it and reinitialize it again.

-pre-steps (if you have done, you can ignore it)

# create the data directory mkdir-p / data/mysql/data# to establish the mysql user group, and change the permissions groupadd mysqluseradd-g mysql-s / sbin/nologin mysqlchown-R mysql.mysql / data/mysql/datamkdir / data/mysql/tmpchown-R mysql.mysql / data/mysql/tmp/# to copy the service startup files. For yum and rpm installation, my.cnf can be edited without cp-ar / usr/local/mysql/support-files/mysql.server / etc/init.d/mysql# You can refer to my other article to see how to set it up, or you can use the template file cp-ar / usr/local/mysql/support-files/my-default.cnf / usr/local/mysql/my.cnfvim / usr/local/mysql/my.cnf

-Note: make sure there is no interference from other mysql distributions before operation, especially for yum installation and rpm installation

# check rpm-qa in the installed rpm package without mysql and mariadb | grep-E 'mysql | mariadb'mariadb-libs-5.5.44-2.el7.centos.x86_64# delete the found rpm installation package rpm-e-- nodeps mariadb-libs-5.5.44-2.el7.centos.x86_64rpm-e-- nodeps mysql.x86_64

Additional note:-- nodeps does not check dependencies, don't be afraid, even if you rely on your own installation package, you must have it. Just make a soft connection.

Ln-s / usr/local/mysql/lib/libmysqlclient.so.20 / usr/lib64/libmysqlclient.so.18

To pay extra attention to one thing, if there are ~ / .my.cnf and ~ / .mylogin.cnf, the cnf configuration file is used first by default, and ~ / .my.cnf takes precedence, even if you put it in the program directory and specify the configuration file with the-- defaults-file option, it will take precedence here instead of what you specify. However, in general, this will not happen, and the system will not put files here by default, so this strange situation is basically only due to human reasons.

-No matter what version is on this dividing line, you have to do it!

-5.6 and previous version initialization steps (including 5.6)

Make sure the mysql process is stopped

Service mysql stop

Ensure that the initialized data directory has no data, the data directory defined by my.cnf

Rm-rf / data/mysql/data/*

Execute initialization script, add parameters, and remember to edit my.cnf first

/ usr/local/mysql/scripts/mysql_install_db-defaults-file=/usr/local/mysql/my.cnf-basedir=/usr/local/mysql/-datadir=/data/mysql/data-user=mysql > / dev/null 2 > & 1

Start mysql

Service mysql start

Initialize password

/ usr/local/mysql/bin/mysqladmin-u root password 'new password'

# initialization completed. Try to log in

/ usr/local/mysql/bin/mysql-uroot-p 'new password'

-- I'm the dividing line--

Initialize in a new way after 5.7

Make sure the mysql process is stopped

Service mysql stop

Ensure that the initialized data directory has no data, the data directory defined by my.cnf

Rm-rf / data/mysql/data/*

Execute the initialization command, specify the defaults-file and must be placed first, remember to edit the my.cnf first

Mysqld-defaults-file=/usr/local/mysql/my.cnf-initialize

The initialization of 5.7 adopts a new mode, which is more cumbersome but more secure.

The program automatically generates a password without which you cannot log in unless you break it in safe mode.

Or change the parameter-initialize to-initialize-insecure. After initialization, you can log in without a password. You can test it slowly without going into details here.

The method to view the initialized password (the password information is at the end of the line)

The password is recorded in the mysql.err of the data directory. Suppose my data directory definition is / data/mysql/data, so the password should be recorded in / data/mysql/data/mysql.err. I intercepted it directly and read it.

Sed-n'/ password/p' / data/mysql/data/mysql.err.A temporary password is generated for root@localhost: GVedtgXDZ1-

Change the owner permissions of the data directory. This initialization method does not change the owner problem, but if you do not change it, it will not start.

Chown-R mysql:mysql / data/mysql/data/

Start mysql

Service mysql start

The password needs to be initialized. Although there is already a password when initializing the database, you can log in directly, but the initialization has not been really completed, otherwise you will report an error and constantly prompt you to change your password.

Mysql-uroot-pendant GVedtgXDZ1

Since the user table of the system has changed after 5.7. it is not possible to use password directly, so it must be changed in the following way, otherwise it cannot be changed.

Mysql > alter user 'root'@'localhost' identified by' 123 leaders political MySQL > set password for 'root'@'localhost'=password (' 123') mysql > update mysql.user set authentication_string=password ('123') where user='root' and Host =' localhost';mysql > flush privileges

At this time, the initialization is complete. Try to log in with the new password you set.

Mysql-uroot-pendant 123'

-extended reading: mysql 5.7adds two fields password_last_changed and password_lifetime to improve the security policy. You can set the parameter default_password_lifetime to extend the usage period.

ALTER USER 'root'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAYS;ALTER USER' root'@'localhost' PASSWORD EXPIRE NEVER;ALTER USER 'root'@'localhost' PASSWORD EXPIRE DEFAULT

-- I'm a split line, too--

-Safety reinforcement.

Secure reinforcement of mysql database (best after initialization)

5.6Ge 5.7 Universal reinforcement method

1. Delete any unrelated administrator users and administrator users with empty passwords, and open them only if necessary.

Mysql > delete from mysql.user where user= "root" and hosts = "localhost"; # in the old environment of 5.6, there may be users with empty passwords, which is obviously not allowed, while 5.7 users do not have such users and can not do mysql > delete from mysql.user where user= "root" and password= "; mysql > flush privileges

two。 Delete the test library (5.7no), because this library is allowed to read and write by default, and there is a vulnerability.

Mysql > drop database test

3. Delete the table information that holds the database, because there is no database information yet, so it is not good if it is injected.

Mysql > delete from mysql.db

4.SSL encryption settings, the purpose is to encrypt the data to prevent interception after cracking, 5.6to add ssl to specify the file location configuration, 5.7automatically open, and then execute the command on it.

# execute the command and create a key file in the data directory. The following command encapsulates the whole creation process, so you don't have to do so many complicated things. # but this command file is newly added in 5.7. there is no such command file in 5.6, but it can be used on 5.6. It's convenient. / usr/local/mysql/bin/mysql_ssl_rsa_setup-- datadir=/data/mysql/data/# and see if mysql > SHOW VARIABLES LIKE 'have_ssl' is turned on. | | have_ssl | YES | # enter mysql and authorize ssl private user mysql > grant all privileges on *. * to 'sslroot'@'%' identified by' 123123 'require ssl;# logs in to mysql-usslroot-pendant 123123'-h227.0.0." with ssl dedicated user to view the current status. SSL has enabled mysql >\ sCurrent user: sslroot@127.0.0.1SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256

However, you need to be cautious to enable SSL, because the data is encrypted. There is no doubt that the server needs to consume resources to verify the ciphertext. Officially, the performance may drop by 25%, which is still relatively high.

For the environment with high concurrency, the performance is obviously degraded. Unless the security requirement is very high, it is not recommended to turn it on. Generally speaking, the security problem can be solved as long as the authorization to restrict access to the IP is on the intranet.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.