# Database Server

## Database Server <a href="#database-server" id="database-server"></a>

This documentation can be used as a reference to create your **Primary Database Server** and optional **Replica Database Server** on **Red Hat Enterprise** or **CentOS 7** virtual machines.

The hostnames referenced throughout this document are `db01.med.university.edu` and `db02.med.university.edu`. Replace them with your actual DNS hostnames.

### Primary Database Server <a href="#primary-database-server" id="primary-database-server"></a>

1. SSH into the server and `sudo` to root:

   ```bash
   ssh service@db01.med.university.edu
   sudo -s
   ```
2. Add the following line to the `/etc/hosts` file:

   ```
   127.0.0.1   db01.med.university.edu
   ```
3. Edit the hostname of the virtual machine in the `/etc/hostname` file:

   ```
   db01.med.university.edu
   ```
4. Install `screen`, update RHEL, and reboot:

   ```bash
   yum install screen
   screen
   yum update
   reboot
   ```
5. SSH back into the server, and install the Inline with Upstream Stable (IUS Community) and EPEL release packages.

   ```bash
   ssh service@db01.med.university.edu
   sudo -s
   screen

   yum -y install https://repo.ius.io/ius-release-el7.rpm \
   https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
   ```
6. Install MariaDB Client, Server, and NTP:

   ```bash
   yum install mariadb104 mariadb104-server ntp
   ```
7. Create a new file called `elentra.cnf` within the `/etc/my.cnf.d/` directory, and place the configuration settings below in it. **Do not forget** to enter a unique 7-8 digit number (e.g. 1012801) in the `server_id` variable. The replication settings are commented out in this listing; uncomment them if you plan to set up the Replica Database Server.

   ```
   [mysqld]
   # Innodb
   innodb_buffer_pool_size = 6G                # main memory buffer of InnoDB, very important
   innodb_log_file_size = 256M                 # transactional journal size
   innodb_flush_method = O_DIRECT              # avoid double buffering with the OS
   innodb_flush_log_at_trx_commit = 2          # writes to OS, fsynced once per second
   innodb_buffer_pool_load_at_startup = on
   innodb_buffer_pool_dump_at_shutdown = on
   innodb_ft_min_token_size = 3

   # Basic Settings
   thread_cache_size = 8
   table_open_cache = 4000
   table_definition_cache = 1800
   query_cache_size = 64M
   query_cache_type = 1
   max_allowed_packet = 8388608
   sql_mode = "NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

   # MariaDB performance tuning options for more connections. (OPTIONAL)
   #max_connections = 512

   # Replication (OPTIONAL)
   #server_id = 1012801 # the ip address of the server is a good idea.
   #log_bin = /var/lib/mysql/mysql-bin
   #expire_logs_days = 14
   #sync_binlog = 4                             # 1: sync with every transaction; 4 or 5: every 4th or 5th transaction.

   # Slow Query Logging / Tuning
   slow_query_log = on
   slow_query_log_file = /var/log/mysqld-slow-queries.log
   log_slow_verbosity = 'innodb,query_plan'
   long_query_time = 7
   performance_schema = on
   ```
8. The default `open_files_limit` for MariaDB is too low for the Elentra Platform due to the size of our databases. In order to increase this limit, create a new `/usr/lib/systemd/system/mariadb.service.d` directory and place the below configuration settings within a new file called `limit_nofile.conf`:

   ```bash
   mkdir -p /usr/lib/systemd/system/mariadb.service.d
   vim /usr/lib/systemd/system/mariadb.service.d/limit_nofile.conf
   ```

   Configuration settings within `limit_nofile.conf`:

   ```
   [Service]
   LimitNOFILE=4096
   ```
9. Start MariaDB, and set to start on system startup:

   ```bash
   systemctl daemon-reload
   systemctl enable mariadb
   systemctl start mariadb
   ```
10. Run the `mysql_secure_installation` script included with MariaDB to further lock down your database server.

    ```bash
    /usr/bin/mysql_secure_installation
    ```

    Here is an example `mysql_secure_installation` hardening session:

    ```
    [root@db01]# /usr/bin/mysql_secure_installation
    /usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user.  If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none): 
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] Y
    New password: 
    Re-enter new password: 
    Password updated successfully!
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] Y
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] Y
     ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] Y
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] Y
     ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!
    ```
11. Connect to MariaDB as the root user:

    ```bash
    mysql -uroot -p
    ```
12. Create the required `elentra_auth`, `elentra_me`, and `elentra_me_clerkship` databases as well as an `elentra` user that can connect to these databases. **DO NOT FORGET** that you need to enter a password on the CREATE USER line.

    ```sql
    CREATE DATABASE `elentra_auth` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_admissions` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_cpd` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_me` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_me_clerkship` CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE DATABASE `elentra_cbe` CHARACTER SET utf8 COLLATE utf8_general_ci;

    -- DO NOT FORGET to change the password in the following line.
    CREATE USER 'elentra'@'localhost' IDENTIFIED BY 'your-password-needs-to-go-here';

    GRANT ALL ON elentra_auth.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_admissions.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_cpd.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_me.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_me_clerkship.* TO 'elentra'@'localhost';
    GRANT ALL ON elentra_cbe.* TO 'elentra'@'localhost';

    FLUSH PRIVILEGES;
    ```
13. If you plan to set up the Replica Database Server, then you should create a `repl` database user that can connect from the `db02` server. **Do not forget** that you need to enter a password on the GRANT REPLICATION SLAVE line.

    ```sql
    GRANT REPLICATION SLAVE ON *.* TO 'repl'@'db02.med.university.edu' IDENTIFIED BY 'your-password-needs-to-go-here';
    ```
14. Make note of the master log file (e.g. `mysql-bin.000002`) as you will need it when configuring the replica.

    ```sql
    SHOW MASTER STATUS \G
    ```
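
One way to confirm that steps 10, 12 and 13 left only the intended accounts, as an added example that is not part of the Elentra documentation. The function name `audit_accounts`, the finding labels and the sample rows are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: audit MariaDB accounts against steps 10, 12 and 13.
# Input is "User<TAB>Host" rows, as produced on a live server by:
#   mysql -uroot -p -N -B -e "SELECT User, Host FROM mysql.user"

# audit_accounts REPLICA_HOST: rows on stdin, one finding per line on stdout.
audit_accounts() {
    awk -F '\t' -v replica="$1" '
        $1 == "" {                       # anonymous account (step 10)
            print "ANON_USER host=" $2; next }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "REMOTE_ROOT host=" $2; next }
        $1 == "elentra" && $2 != "localhost" {   # step 12 grants localhost only
            print "ELENTRA_NOT_LOCAL host=" $2; next }
        $1 == "repl" && $2 != replica {          # step 13 pins repl to db02
            print "REPL_WRONG_HOST host=" $2; next }
        index($2, "%") {                 # any other account with a wildcard host
            print "WILDCARD_HOST user=" $1 " host=" $2 }
    '
}

# Constructed sample rows (not captured from a real server).
sample_before() {   # an unhardened server, before mysql_secure_installation
    printf 'root\tlocalhost\nroot\tdb01.med.university.edu\n\tlocalhost\n\tdb01.med.university.edu\n'
}
sample_after() {    # after steps 10-13 on the primary
    printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t::1\nelentra\tlocalhost\nrepl\tdb02.med.university.edu\n'
}

echo "== before hardening =="; sample_before | audit_accounts db02.med.university.edu
echo "== after hardening ==";  sample_after  | audit_accounts db02.med.university.edu
```

An empty result for the live query output means the account list matches what the procedure intends.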

### Replica Database Server <a href="#slave-database-server" id="slave-database-server"></a>

1. SSH into the server and `sudo` to root:

   ```bash
   ssh service@db02.med.university.edu
   sudo -s
   ```
2. Add the following line to the `/etc/hosts` file:

   ```
   127.0.0.1   db02.med.university.edu
   ```
3. Edit the hostname of the virtual machine in the `/etc/hostname` file:

   ```
   db02.med.university.edu
   ```
4. Install `screen`, update RHEL, and reboot:

   ```bash
   yum install screen
   screen
   yum update
   reboot
   ```
5. SSH back into the server, and install the Inline with Upstream Stable (IUS Community) and EPEL release packages.

   ```bash
   ssh service@db02.med.university.edu
   sudo -s
   screen

   yum -y install https://repo.ius.io/ius-release-el7.rpm \
   https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
   ```
6. Install MariaDB Client, Server, and NTP:

   ```bash
   yum install mariadb104 mariadb104-server ntp
   ```
7. Create a new file called `elentra.cnf` within the `/etc/my.cnf.d/` directory, and place the configuration settings below in it. **Do not forget** to enter a unique 7-8 digit number (e.g. 1012802) in the `server_id` variable. The replication settings are commented out in this listing; uncomment them when you configure replication.

   ```
   [mysqld]

   # Innodb
   innodb_buffer_pool_size = 6G                # main memory buffer of InnoDB, very important
   innodb_log_file_size = 256M                 # transactional journal size
   innodb_flush_method = O_DIRECT              # avoid double buffering with the OS
   innodb_flush_log_at_trx_commit = 2          # writes to OS, fsynced once per second
   innodb_buffer_pool_load_at_startup = on
   innodb_buffer_pool_dump_at_shutdown = on
   innodb_ft_min_token_size = 3

   # Basic Settings
   thread_cache_size = 8
   table_open_cache = 4000
   table_definition_cache = 1800
   query_cache_size = 64M
   query_cache_type = 1
   max_allowed_packet = 8388608
   sql_mode = "NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

   # MariaDB performance tuning options for more connections. (OPTIONAL)
   #max_connections = 512

   # Replication (OPTIONAL)
   #server_id = 1012802 # the ip address of the server is a good idea.
   #log_bin = /var/lib/mysql/mysql-bin
   #expire_logs_days = 14
   #sync_binlog = 4                             # 1: sync with every transaction; 4 or 5: every 4th or 5th transaction.

   # Slow Query Logging / Tuning
   slow_query_log = on
   slow_query_log_file = /var/log/mysqld-slow-queries.log
   log_slow_verbosity = 'innodb,query_plan'
   long_query_time = 7
   performance_schema = on
   ```
8. The default `open_files_limit` for MariaDB is too low for the Elentra Platform due to the size of our databases. In order to increase this limit, create a new `/usr/lib/systemd/system/mariadb.service.d` directory and place the below configuration settings within a new file called `limit_nofile.conf`:

   ```bash
   mkdir -p /usr/lib/systemd/system/mariadb.service.d
   vim /usr/lib/systemd/system/mariadb.service.d/limit_nofile.conf
   ```

   Configuration settings within `limit_nofile.conf`:

   ```
   [Service]
   LimitNOFILE=4096
   ```
9. Start MariaDB, and set to start on system startup:

   ```bash
   systemctl daemon-reload
   systemctl enable mariadb
   systemctl start mariadb
   ```
10. Run the `mysql_secure_installation` script included with MariaDB to further lock down your database server.

    ```bash
    /usr/bin/mysql_secure_installation
    ```

    Here is an example `mysql_secure_installation` hardening session:

    ```
    [root@db02]# /usr/bin/mysql_secure_installation
    /usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
         SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user.  If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none): 
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] Y
    New password: 
    Re-enter new password: 
    Password updated successfully!
    Reloading privilege tables..
    ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] Y
    ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] Y
    ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] Y
    - Dropping test database...
    ... Success!
    - Removing privileges on test database...
    ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] Y
    ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!
    ```
11. Connect to MariaDB as the root user:

    ```bash
    mysql -uroot -p
    ```
12. Tell the replica server to replicate from your `db01` master, then start the slave. **Do not forget** that you need to enter the password on the `CHANGE MASTER` line.

    ```sql
    CHANGE MASTER TO MASTER_HOST='db01.med.university.edu', MASTER_USER='repl', MASTER_PASSWORD='your-password-needs-to-go-here', MASTER_LOG_FILE='mysql-bin.000002';
    START SLAVE;
    ```
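
The `elentra.cnf` listing in step 7 has its replication lines commented out, so a pre-flight check of both files before `CHANGE MASTER` catches a primary without a binary log or two servers sharing one `server_id`. This is an added example, not part of the Elentra documentation; `effective_opt`, `check_replication`, `write_cnf` and the sample fragments are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: pre-flight check of the two elentra.cnf files before step 12.

# effective_opt FILE KEY: print KEY's uncommented value from the [mysqld] section.
# "-" and "_" are interchangeable in option names, so server-id == server_id.
effective_opt() {
    awk -v want="$2" '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_mysqld || /^[ \t]*[#;]/ { next }
        {
            line = $0
            sub(/[ \t]*#.*/, "", line)               # strip trailing comment
            eq = index(line, "="); if (!eq) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_replication PRIMARY_CNF REPLICA_CNF: print findings; return 1 if any.
check_replication() {
    p_id=$(effective_opt "$1" server_id)
    r_id=$(effective_opt "$2" server_id)
    p_bin=$(effective_opt "$1" log_bin)
    rc=0
    [ -n "$p_id" ]  || { echo "primary: server_id unset or commented out"; rc=1; }
    [ -n "$r_id" ]  || { echo "replica: server_id unset or commented out"; rc=1; }
    [ -n "$p_bin" ] || { echo "primary: log_bin unset or commented out"; rc=1; }
    if [ -n "$p_id" ] && [ "$p_id" = "$r_id" ]; then
        echo "server_id $p_id is set on both servers"; rc=1
    fi
    return "$rc"
}

# Constructed sample fragments (not real host files).
write_cnf() {   # write_cnf FILE PREFIX SERVER_ID ; PREFIX "#" = commented out
    printf '[mysqld]\nquery_cache_type = 1\n%sserver_id = %s # unique per host\n%slog_bin = /var/lib/mysql/mysql-bin\n' \
        "$2" "$3" "$2" > "$1"
}
tmp=$(mktemp -d)
write_cnf "$tmp/db01.cnf" "#" 1012801      # as listed in step 7: commented out
write_cnf "$tmp/db02.cnf" ""  1012802
check_replication "$tmp/db01.cnf" "$tmp/db02.cnf" || true
```

On real hosts, copy each server's `/etc/my.cnf.d/elentra.cnf` to one machine and pass the two paths to `check_replication`.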
