Database Server
This documentation can be used as a reference to create your Primary Database Server and optional Replica Database Server on Red Hat Enterprise or CentOS 7 virtual machines.
The hostnames that will be referenced throughout this document will be db01.med.university.edu and db02.med.university.edu. These hostnames should be replaced by your actual DNS hostnames.

Primary Database Server

1. SSH into the server and sudo to root:

    sudo -s

2. Add the following line to the /etc/hosts file:

    127.0.0.1 db01.med.university.edu

3. Edit the hostname of the virtual machine in the /etc/hostname file:

    db01.med.university.edu

4. Install screen, update RHEL, and reboot:

    yum install screen
    screen
    yum update
    reboot

5. SSH back into the server, and install the Inline with Upstream Stable (IUS Community) package.

    sudo -s
    screen
    yum -y install https://repo.ius.io/ius-release-el7.rpm \
        https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

6. Install MariaDB Client, Server, and NTP:

    yum install mariadb104 mariadb104-server ntp
7. Create a new file within the /etc/my.cnf.d/ directory called elentra.cnf, and place the below configuration settings within the file. Do not forget to enter a unique 7-8 digit number (i.e. 1012801) in the server-id variable.

    [mysqld]
    # Innodb
    innodb_buffer_pool_size = 6G # main memory buffer of Innodb, very important
    innodb_log_file_size = 256M # transactional journal size
    innodb_flush_method = O_DIRECT # avoid double buffering with the OS
    innodb_flush_log_at_trx_commit = 2 # writes to OS, fsynced once per second
    innodb_buffer_pool_load_at_startup = on
    innodb_buffer_pool_dump_at_shutdown = on
    innodb_ft_min_token_size = 3

    # Basic Settings
    thread_cache_size = 8
    table_open_cache = 4000
    table_definition_cache = 1800
    query_cache_size = 64M
    query_cache_type = 1
    max_allowed_packet = 8388608
    sql_mode = "NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

    # MariaDB performance tuning options for more connections. (OPTIONAL)
    #max_connections = 512

    # Replication (OPTIONAL)
    #server_id = 1012801 # the ip address of the server is a good idea.
    #log_bin = /var/lib/mysql/mysql-bin
    #expire_logs_days = 14
    #sync_binlog = 4 # 1: with every transaction 4 or 5: every 4th or 5th transaction.

    # Slow Query Logging / Tuning
    slow_query_log = on
    slow_query_log_file = /var/log/mysqld-slow-queries.log
    log_slow_verbosity = 'innodb,query_plan'
    long_query_time = 7
    performance_schema = on

8. The default open_files_limit for MariaDB is too low for the Elentra Platform due to the size of our databases. In order to increase this limit, create a new /usr/lib/systemd/system/mariadb.service.d directory and place the below configuration settings within a new file called limit_nofile.conf:

    mkdir -p /usr/lib/systemd/system/mariadb.service.d
    vim /usr/lib/systemd/system/mariadb.service.d/limit_nofile.conf

   Configuration settings within limit_nofile.conf:

    [Service]
    LimitNOFILE=4096

9. Start MariaDB, and set it to start on system startup:

    systemctl daemon-reload
    systemctl enable mariadb
    systemctl start mariadb
10. Run the mysql_secure_installation script included with MariaDB to further lock down your database server.

    /usr/bin/mysql_secure_installation

   Here is an example of a mysql_secure_installation hardening:

    [root@db01]# /usr/bin/mysql_secure_installation
    /usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
    SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user. If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] Y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
    ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them. This is intended only for testing, and to make the installation
    go a bit smoother. You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] Y
    ... Success!

    Normally, root should only be allowed to connect from 'localhost'. This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] Y
    ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access. This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] Y
    - Dropping test database...
    ... Success!
    - Removing privileges on test database...
    ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] Y
    ... Success!

    Cleaning up...

    All done! If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!

11. Connect to MariaDB as the root user:

    mysql -uroot -p
12. Create the required elentra_auth, elentra_me, and elentra_me_clerkship databases as well as an elentra user that can connect to these databases. DO NOT FORGET that you need to enter a password on the CREATE USER line.

    CREATE DATABASE `elentra_auth` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_admissions` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_cpd` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_me` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_me_clerkship` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_cbe` CHARACTER SET utf8 COLLATE utf8_general_ci;

    -- DO NOT FORGET to change the password in the following line.
    CREATE USER 'elentra'@'localhost' IDENTIFIED BY 'your-password-needs-to-go-here';

    GRANT ALL ON elentra_auth.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_admissions.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_cpd.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_me.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_me_clerkship.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_cbe.* TO 'elentra'@'localhost';

    FLUSH PRIVILEGES;

13. If you plan to set up the Replica Database Server, then you should create a repl database user that can connect from the db02 server. Do not forget that you need to enter a password on the GRANT REPLICATION SLAVE line.

    GRANT REPLICATION SLAVE ON *.* TO 'repl'@'db02.med.university.edu' IDENTIFIED BY 'your-password-needs-to-go-here';

14. Make note of the master log file (i.e. mysql-bin.000002) as you will need it when configuring the replica.

    SHOW MASTER STATUS \G
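
An added check for steps 10 to 13 (example code, not part of the original guide): the function below reads User/Host rows from mysql.user and flags anonymous accounts, root entries reachable from the network, a repl account allowed from anywhere other than the replica, and wildcard hosts. The sample rows are constructed, and REPLICA_HOST is an assumption that reuses this guide's placeholder hostname.

```shell
#!/bin/sh
# Added example: audit MariaDB accounts after mysql_secure_installation.
# Real input (run on db01):
#   mysql -uroot -p -N -B -e "SELECT User, Host FROM mysql.user" | audit_accounts
REPLICA_HOST="db02.med.university.edu"   # assumption: the guide's placeholder name

# Reads tab-separated "User<TAB>Host" rows on stdin; returns non-zero on any FAIL.
audit_accounts() {
    awk -F '\t' -v replica="$REPLICA_HOST" '
        function is_local(h) { return h == "localhost" || h == "127.0.0.1" || h == "::1" }
        $1 == ""                      { print "FAIL anonymous user at host " $2; bad++; next }
        $1 == "root" && !is_local($2) { print "FAIL root can log in from " $2; bad++; next }
        $1 == "repl" && $2 != replica { print "FAIL repl allowed from " $2; bad++; next }
        index($2, "%") > 0            { print "FAIL wildcard host for " $1 "@" $2; bad++ }
        END { exit (bad > 0) }
    '
}

# Constructed sample: accounts as they might look before step 10.
sample_fresh() {
    printf '%s\t%s\n' root localhost root db01.med.university.edu \
        '' localhost '' db01.med.university.edu
}

# Constructed sample: accounts after steps 10-13 were followed.
sample_hardened() {
    printf '%s\t%s\n' root localhost root 127.0.0.1 root ::1 \
        elentra localhost repl db02.med.university.edu
}

echo "== before hardening (constructed) =="
sample_fresh | audit_accounts || echo "-> fix the findings above"
echo "== after hardening (constructed) =="
sample_hardened | audit_accounts && echo "-> no findings"
```
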

Replica Database Server

1. SSH into the server and sudo to root:

    sudo -s

2. Add the following line to the /etc/hosts file:

    127.0.0.1 db02.med.university.edu

3. Edit the hostname of the virtual machine in the /etc/hostname file:

    db02.med.university.edu

4. Install screen, update RHEL, and reboot:

    yum install screen
    screen
    yum update
    reboot

5. SSH back into the server, and install the Inline with Upstream Stable (IUS Community) package.

    sudo -s
    screen
    yum -y install https://repo.ius.io/ius-release-el7.rpm \
        https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

6. Install MariaDB Client and Server:

    yum install mariadb104 mariadb104-server ntp
7. Create a new file within the /etc/my.cnf.d/ directory called elentra.cnf, and place the below configuration settings within the file. Do not forget to enter a unique 7-8 digit number (i.e. 1012802) in the server-id variable.

    [mysqld]
    # Innodb
    innodb_buffer_pool_size = 6G # main memory buffer of Innodb, very important
    innodb_log_file_size = 256M # transactional journal size
    innodb_flush_method = O_DIRECT # avoid double buffering with the OS
    innodb_flush_log_at_trx_commit = 2 # writes to OS, fsynced once per second
    innodb_buffer_pool_load_at_startup = on
    innodb_buffer_pool_dump_at_shutdown = on
    innodb_ft_min_token_size = 3

    # Basic Settings
    thread_cache_size = 8
    table_open_cache = 4000
    table_definition_cache = 1800
    query_cache_size = 64M
    query_cache_type = 1
    max_allowed_packet = 8388608
    sql_mode = "NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

    # MariaDB performance tuning options for more connections. (OPTIONAL)
    #max_connections = 512

    # Replication (OPTIONAL)
    #server_id = 1012802 # the ip address of the server is a good idea.
    #log_bin = /var/lib/mysql/mysql-bin
    #expire_logs_days = 14
    #sync_binlog = 4 # 1: with every transaction 4 or 5: every 4th or 5th transaction.

    # Slow Query Logging / Tuning
    slow_query_log = on
    slow_query_log_file = /var/log/mysqld-slow-queries.log
    log_slow_verbosity = 'innodb,query_plan'
    long_query_time = 7
    performance_schema = on

8. The default open_files_limit for MariaDB is too low for the Elentra Platform due to the size of our databases. In order to increase this limit, create a new /usr/lib/systemd/system/mariadb.service.d directory and place the below configuration settings within a new file called limit_nofile.conf:

    mkdir -p /usr/lib/systemd/system/mariadb.service.d
    vim /usr/lib/systemd/system/mariadb.service.d/limit_nofile.conf

   Configuration settings within limit_nofile.conf:

    [Service]
    LimitNOFILE=4096

9. Start MariaDB, and set it to start on system startup:

    systemctl daemon-reload
    systemctl enable mariadb
    systemctl start mariadb
10. Run the mysql_secure_installation script included with MariaDB to further lock down your database server.

    /usr/bin/mysql_secure_installation

   Here is an example of a mysql_secure_installation hardening:

    [root@db02]# /usr/bin/mysql_secure_installation
    /usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
    SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user. If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] Y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
    ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them. This is intended only for testing, and to make the installation
    go a bit smoother. You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] Y
    ... Success!

    Normally, root should only be allowed to connect from 'localhost'. This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] Y
    ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access. This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] Y
    - Dropping test database...
    ... Success!
    - Removing privileges on test database...
    ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] Y
    ... Success!

    Cleaning up...

    All done! If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!

11. Connect to MariaDB as the root user:

    mysql -uroot -p
12. Tell the replica server to replicate from your db01 master, then start the slave. Do not forget that you need to enter the password on the CHANGE MASTER line.

    CHANGE MASTER TO
        MASTER_HOST='db01.med.university.edu',
        MASTER_USER='repl',
        MASTER_PASSWORD='your-password-needs-to-go-here',
        MASTER_LOG_FILE='mysql-bin.000002';
    START SLAVE;
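
An added pre-flight check for step 7 on both servers (example code, not part of the original guide): the replication block in elentra.cnf ships commented out, so before running CHANGE MASTER it is worth confirming that the primary has log_bin enabled and that each server has its own numeric server_id. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: pre-flight check of elentra.cnf on both servers before CHANGE MASTER.
# cnf_get prints the effective value of OPTION in the [mysqld] section of FILE.
# Commented-out lines are ignored; "-" and "_" in option names are equivalent.
cnf_get() {  # usage: cnf_get FILE OPTION
    awk -v want="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_sec || /^[ \t]*[#;]/ { next }
        {
            line = $0; sub(/[ \t]+#.*/, "", line)   # drop trailing comment
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

check_replication() {  # usage: check_replication PRIMARY_CNF REPLICA_CNF
    p_id=$(cnf_get "$1" server_id); r_id=$(cnf_get "$2" server_id); rc=0
    case "$p_id" in ''|*[!0-9]*) echo "FAIL primary: server_id not set"; rc=1 ;; esac
    case "$r_id" in ''|*[!0-9]*) echo "FAIL replica: server_id not set"; rc=1 ;; esac
    [ -n "$(cnf_get "$1" log_bin)" ] || { echo "FAIL primary: log_bin not set"; rc=1; }
    if [ -n "$p_id" ] && [ "$p_id" = "$r_id" ]; then echo "FAIL server_id not unique"; rc=1; fi
    return $rc
}

# Constructed samples: the guide's replication block as shipped (commented out),
# the same block enabled, and a replica file.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '[mysqld]' '# Replication (OPTIONAL)' \
    '#server_id = 1012801 # the ip address of the server is a good idea.' \
    '#log_bin = /var/lib/mysql/mysql-bin' > "$demo_dir/primary_as_shipped.cnf"
printf '%s\n' '[mysqld]' 'server_id = 1012801 # unique per server' \
    'log_bin = /var/lib/mysql/mysql-bin' > "$demo_dir/primary.cnf"
printf '%s\n' '[mysqld]' 'server-id = 1012802' > "$demo_dir/replica.cnf"

check_replication "$demo_dir/primary_as_shipped.cnf" "$demo_dir/replica.cnf" || true
check_replication "$demo_dir/primary.cnf" "$demo_dir/replica.cnf" && echo "OK"
```
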