一、在阿里云服务器搭建openv-p-n
tips:目前仅在CentOS8上做一些简单配置
[root@centOS8 yum.repos.d]# yum -y install openvpn
Extra Packages for Enterprise Linux Modular 8 - x86 18 kB/s | 979 kB 00:55
Extra Packages for Enterprise Linux 8 - x86_64 135 kB/s | 11 MB 01:24
Last metadata expiration check: 0:00:02 ago on Wed 02 Feb 2022 08:41:21 PM CST.
Dependencies resolved.
====================================================================================
Package Architecture Version Repository Size
====================================================================================
Installing:
openvpn x86_64 2.4.11-1.el8 epel 543 k
Installing dependencies:
pkcs11-helper x86_64 1.22-7.el8 epel 64 k
Transaction Summary
====================================================================================
Install 2 Packages
Total download size: 608 k
Installed size: 1.4 M
Downloading Packages:
[MIRROR] openvpn-2.4.11-1.el8.x86_64.rpm: Curl error (7): Couldn't connect to server for http://epel.mirror.angkasa.id/pub/epel/8/Everything/x86_64/Packages/o/openvpn-2.4.11-1.el8.x86_64.rpm [Failed to connect to epel.mirror.angkasa.id port 80: Connection refused]
[MIRROR] pkcs11-helper-1.22-7.el8.x86_64.rpm: Curl error (7): Couldn't connect to server for http://epel.mirror.angkasa.id/pub/epel/8/Everything/x86_64/Packages/p/pkcs11-helper-1.22-7.el8.x86_64.rpm [Failed to connect to epel.mirror.angkasa.id port 80: Connection refused]
(1/2): pkcs11-helper-1.22-7.el8.x86_64.rpm 2.2 kB/s | 64 kB 00:29
(2/2): openvpn-2.4.11-1.el8.x86_64.rpm 13 kB/s | 543 kB 00:42

Total 14 kB/s | 608 kB 00:44
warning: /var/cache/dnf/epel-6519ee669354a484/packages/openvpn-2.4.11-1.el8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64 1.6 MB/s | 1.6 kB 00:00
Importing GPG key 0x2F86D6A1:
Userid : "Fedora EPEL (8) epel@fedoraproject.org"
Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : pkcs11-helper-1.22-7.el8.x86_64 1/2
Running scriptlet: openvpn-2.4.11-1.el8.x86_64 2/2
Installing : openvpn-2.4.11-1.el8.x86_64 2/2
Running scriptlet: openvpn-2.4.11-1.el8.x86_64 2/2
Verifying : openvpn-2.4.11-1.el8.x86_64 1/2
Verifying : pkcs11-helper-1.22-7.el8.x86_64 2/2
Installed products updated.
Installed:
openvpn-2.4.11-1.el8.x86_64 pkcs11-helper-1.22-7.el8.x86_64
Complete!

[root@centOS8 yum.repos.d]# yum -y install easy-rsa
Last metadata expiration check: 0:09:21 ago on Wed 02 Feb 2022 08:41:21 PM CST.
Dependencies resolved.
====================================================================================
Package Architecture Version Repository Size
====================================================================================
Installing:
easy-rsa noarch 3.0.8-1.el8 epel 47 k
Transaction Summary
====================================================================================
Install 1 Package
Total download size: 47 k
Installed size: 120 k
Downloading Packages:
[MIRROR] easy-rsa-3.0.8-1.el8.noarch.rpm: Curl error (7): Couldn't connect to server for http://epel.mirror.angkasa.id/pub/epel/8/Everything/x86_64/Packages/e/easy-rsa-3.0.8-1.el8.noarch.rpm [Failed to connect to epel.mirror.angkasa.id port 80: Connection refused]
easy-rsa-3.0.8-1.el8.noarch.rpm 1.8 kB/s | 47 kB 00:26

Total 1.6 kB/s | 47 kB 00:29
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : easy-rsa-3.0.8-1.el8.noarch 1/1
Verifying : easy-rsa-3.0.8-1.el8.noarch 1/1
Installed products updated.
Installed:
easy-rsa-3.0.8-1.el8.noarch
Complete!

[root@centOS8 yum.repos.d]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/

[root@centOS8 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server

[root@centOS8 ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars

[root@centOS8 ~]# vim /etc/openvpn/easy-rsa-server/3/vars
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 3650

[root@centOS8 ~]# tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa-server
│ ├── 3 -> 3.0.8
│ ├── 3.0 -> 3.0.8
│ └── 3.0.8
│ ├── easyrsa
│ ├── openssl-easyrsa.cnf
│ ├── vars
│ └── x509-types
│ ├── ca
│ ├── client
│ ├── code-signing
│ ├── COMMON
│ ├── email
│ ├── kdc
│ ├── server
│ └── serverClient
├── server
└── server.conf
7 directories, 12 files

[root@centOS8 ~]# cd /etc/openvpn/easy-rsa-server/3/
[root@centOS8 3]# pwd
/etc/openvpn/easy-rsa-server/3

[root@centOS8 3]# tree
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files

[root@centOS8 3]# tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 2 files

[root@centOS8 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
......................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt
[root@centOS8 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 7 files

[root@centOS8 3]# cat pki/ca.crt
-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIUBa2vY/F1QnZ4Ij35yxwIE8PoDKQwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjIwMjAzMDIxNjAyWhgPMjEy
MjAxMTAwMjE2MDJaMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxEpvs17dlqazlF4pHJIMh46FqUUspVEFmO2g
MXyq3CcRmNkAiMvk0Bw1zuKF2ZVRVHZ20Wp1mszaK0vtTR+FvEh1Ntwh/2sS7X1Y
+GPPeBS7ssPhdLngZE8tmlemft+OIOv+66rqYA77MSRWFX7U/Ig/ftstsSbNNxdS
GGeMyfWn4NyJbnvTh3LV4KuQZTNMDRy8vdwNyUoOLOZc5LqaK0OXppYcu4VzS2XC
dFYIR59f6yHis2FIeUZUk6UhwMy7ZFRA/H3iMOROzexT1rswdzw9TEX23PaoV3a4
sg/qdlIe02btDhWMfW/3j16Lvd2y3OtS7H8iCwjl0YkdWKB6OwIDAQABo4GQMIGN
MB0GA1UdDgQWBBSPCcPKvhpKVJd7fIQ4/wI2wnDT1zBRBgNVHSMESjBIgBSPCcPK
vhpKVJd7fIQ4/wI2wnDT16EapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFAWt
r2PxdUJ2eCI9+cscCBPD6AykMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0G
CSqGSIb3DQEBCwUAA4IBAQAkosstKA7eFYxX3pd2qpZg2v7QSVHRcs6VHrcX7Zsl
L3R6lLfhTcfSDfwWRfw8X6pD9cKwpfN+z5I0YrHcCnnadMumcaKUe/h9ORGWqbKN
SC5D0na+agP/xLbvJK4P+wymS5Ibq438ILfEVrcma+zn885XVb5X8E3TzF6Y4/pP
h+76FEyQmhiUc61mB07uNzh/aMuWpSFrm6aeWf2wx3s+5/yXHwSy8lutzhOFr/jZ
EC8yt8yrCWvZemwdwC+tDQhxpG/Sis49GC/a2KGPQtG+Q3nEJTARh8z+CLgir41F
uoSRGKIc2saXuy39HmQAztZYzP0CQKapSuJ90I6darba
-----END CERTIFICATE-----
[root@centOS8 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:ad:af:63:f1:75:42:76:78:22:3d:f9:cb:1c:08:13:c3:e8:0c:a4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Easy-RSA CA
Validity
Not Before: Feb 3 02:16:02 2022 GMT
Not After : Jan 10 02:16:02 2122 GMT
Subject: CN = Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c4:4a:6f:b3:5e:dd:96:a6:b3:94:5e:29:1c:92:
0c:87:8e:85:a9:45:2c:a5:51:05:98:ed:a0:31:7c:
aa:dc:27:11:98:d9:00:88:cb:e4:d0:1c:35:ce:e2:
85:d9:95:51:54:76:76:d1:6a:75:9a:cc:da:2b:4b:
ed:4d:1f:85:bc:48:75:36:dc:21:ff:6b:12:ed:7d:
58:f8:63:cf:78:14:bb:b2:c3:e1:74:b9:e0:64:4f:
2d:9a:57:a6:7e:df:8e:20:eb:fe:eb:aa:ea:60:0e:
fb:31:24:56:15:7e:d4:fc:88:3f:7e:db:2d:b1:26:
cd:37:17:52:18:67:8c:c9:f5:a7:e0:dc:89:6e:7b:
d3:87:72:d5:e0:ab:90:65:33:4c:0d:1c:bc:bd:dc:
0d:c9:4a:0e:2c:e6:5c:e4:ba:9a:2b:43:97:a6:96:
1c:bb:85:73:4b:65:c2:74:56:08:47:9f:5f:eb:21:
e2:b3:61:48:79:46:54:93:a5:21:c0:cc:bb:64:54:
40:fc:7d:e2:30:e4:4e:cd:ec:53:d6:bb:30:77:3c:
3d:4c:45:f6:dc:f6:a8:57:76:b8:b2:0f:ea:76:52:
1e:d3:66:ed:0e:15:8c:7d:6f:f7:8f:5e:8b:bd:dd:
b2:dc:eb:52:ec:7f:22:0b:08:e5:d1:89:1d:58:a0:
7a:3b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
8F:09:C3:CA:BE:1A:4A:54:97:7B:7C:84:38:FF:02:36:C2:70:D3:D7
X509v3 Authority Key Identifier:
keyid:8F:09:C3:CA:BE:1A:4A:54:97:7B:7C:84:38:FF:02:36:C2:70:D3:D7
DirName:/CN=Easy-RSA CA
serial:05:AD:AF:63:F1:75:42:76:78:22:3D:F9:CB:1C:08:13:C3:E8:0C:A4
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
24:a2:cb:2d:28:0e:de:15:8c:57:de:97:76:aa:96:60:da:fe:
d0:49:51:d1:72:ce:95:1e:b7:17:ed:9b:25:2f:74:7a:94:b7:
e1:4d:c7:d2:0d:fc:16:45:fc:3c:5f:aa:43:f5:c2:b0:a5:f3:
7e:cf:92:34:62:b1:dc:0a:79:da:74:cb:a6:71:a2:94:7b:f8:
7d:39:11:96:a9:b2:8d:48:2e:43:d2:76:be:6a:03:ff:c4:b6:
ef:24:ae:0f:fb:0c:a6:4b:92:1b:ab:8d:fc:20:b7:c4:56:b7:
26:6b:ec:e7:f3:ce:57:55:be:57:f0:4d:d3:cc:5e:98:e3:fa:
4f:87:ee:fa:14:4c:90:9a:18:94:73:ad:66:07:4e:ee:37:38:
7f:68:cb:96:a5:21:6b:9b:a6:9e:59:fd:b0:c7:7b:3e:e7:fc:
97:1f:04:b2:f2:5b:ad:ce:13:85:af:f8:d9:10:2f:32:b7:cc:
ab:09:6b:d9:7a:6c:1d:c0:2f:ad:0d:08:71:a4:6f:d2:8a:ce:
3d:18:2f:da:d8:a1:8f:42:d1:be:43:79:c4:25:30:11:87:cc:
fe:08:b8:22:af:8d:45:ba:84:91:18:a2:1c:da:c6:97:bb:2d:
fd:1e:64:00:ce:d6:58:cc:fd:02:40:a6:a9:4a:e2:7d:d0:8e:
9d:6a:b6:da

[root@centOS8 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
.........................................+++++
...........+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-44531.WuA2Bs/tmp.6bHFTK'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key
[root@centOS8 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 9 files

[root@centOS8 3]# ./easyrsa help sign

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

sign-req <type> <filename_base>
Sign a certificate request of the defined type. <type> must be a known
type such as 'client', 'server', 'serverClient', or 'ca' (or a user-added type.)

  This request file must exist in the reqs/ dir and have a .req file
  extension. See import-req below for importing reqs from other sources.

[root@centOS8 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-44724.wZYEl6/tmp.PrG1qp
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 1 02:47:41 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt

[root@centOS8 3]# cat pki/issued/server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1c:48:f8:52:33:45:05:be:38:9c:96:52:aa:f3:fd:88
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Feb 3 02:47:41 2022 GMT
Not After : Feb 1 02:47:41 2032 GMT
Subject: CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d1:9d:06:22:03:e5:28:ab:1d:49:8b:ff:26:d6:
0e:37:9a:b9:7f:52:37:d5:94:51:f7:00:46:ab:a6:
b9:69:9b:d9:07:8c:fd:a2:e8:33:7f:df:78:24:1e:
e1:ff:28:f9:05:20:de:60:98:9a:32:4a:cc:98:ce:
c8:b6:86:28:f1:83:24:db:6b:e0:71:f2:21:45:21:
09:b4:07:28:a1:f4:aa:63:4e:48:f4:84:36:30:01:
6e:6b:04:b1:5a:12:01:c9:65:08:ee:d0:ca:a9:1d:
fe:44:2b:4b:86:04:29:14:67:61:d1:8f:43:56:c9:
f7:dd:91:e9:d1:88:65:97:81:5c:c0:93:88:1d:40:
a0:c1:98:16:bb:d4:f0:66:e6:d7:60:57:11:85:54:
6a:47:62:36:4c:f6:2c:9f:d5:c9:89:9c:a5:be:2d:
0b:17:59:d6:1b:19:8c:ee:69:74:a9:c0:d1:1f:65:
8b:07:30:ec:79:e7:b6:10:d9:20:2a:68:c3:a4:30:
8a:a2:31:13:e8:fd:9b:59:8d:aa:cb:b4:ce:d1:d5:
89:c7:db:13:2c:2c:6d:b0:ce:4c:1a:06:7b:84:82:
57:5b:3e:90:5d:2f:5d:a0:06:3a:76:44:cc:8d:ba:
ed:24:89:b3:24:eb:78:ac:bb:09:fc:46:16:cb:63:
0a:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
64:E3:41:19:2D:B7:6D:D8:DB:8C:2E:89:A2:18:4A:6D:14:B2:89:68
X509v3 Authority Key Identifier:
keyid:8F:09:C3:CA:BE:1A:4A:54:97:7B:7C:84:38:FF:02:36:C2:70:D3:D7
DirName:/CN=Easy-RSA CA
serial:05:AD:AF:63:F1:75:42:76:78:22:3D:F9:CB:1C:08:13:C3:E8:0C:A4

        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
        X509v3 Key Usage: 
            Digital Signature, Key Encipherment
        X509v3 Subject Alternative Name: 
            DNS:server
Signature Algorithm: sha256WithRSAEncryption
     60:d5:35:a0:b3:0c:05:32:ec:44:eb:e6:25:9b:78:0d:f9:ee:
     28:f1:87:78:1b:b1:2a:20:53:2c:64:5d:f5:98:5a:d2:b8:de:
     84:37:11:00:81:32:9c:e5:a1:ba:85:99:c0:48:26:3b:4e:99:
     5f:c2:e6:11:ed:97:29:1e:aa:99:ea:a9:57:9d:1c:e3:27:86:
     78:f1:cc:53:e1:9e:2e:ec:76:d8:e2:d0:88:4d:0b:ca:17:44:
     10:f3:29:12:d0:48:d8:42:73:67:49:ef:99:bd:26:7b:f2:0b:
     dd:cf:ab:aa:f5:d7:8f:d9:7e:cb:3c:3a:18:f6:e7:3a:ce:c8:
     eb:12:16:40:83:80:9f:a4:f1:84:3a:0a:dc:e0:9c:12:08:8d:
     20:d0:aa:4d:d9:4a:7d:59:ed:97:fa:43:c5:91:55:92:05:75:
     3b:10:6a:9e:ee:d8:e2:df:bd:16:54:54:06:45:7c:12:c7:87:
     27:47:9b:49:0b:23:de:fb:32:62:59:7b:90:3b:27:d2:46:9c:
     d6:53:13:5c:19:98:b5:0d:4e:42:10:31:19:14:96:a9:17:6e:
     e3:a8:2c:a9:c5:b8:91:e2:6b:94:46:6d:28:09:74:88:18:55:
     91:ee:40:d5:fb:44:a0:90:9e:a8:10:ba:ef:57:af:63:00:f0:
     f4:cc:d6:27

-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQHEj4UjNFBb44nJZSqvP9iDANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yMjAyMDMwMjQ3NDFaFw0zMjAyMDEw
MjQ3NDFaMBExDzANBgNVBAMMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANGdBiID5SirHUmL/ybWDjeauX9SN9WUUfcARqumuWmb2QeM/aLo
M3/feCQe4f8o+QUg3mCYmjJKzJjOyLaGKPGDJNtr4HHyIUUhCbQHKKH0qmNOSPSE
NjABbmsEsVoSAcllCO7Qyqkd/kQrS4YEKRRnYdGPQ1bJ992R6dGIZZeBXMCTiB1A
oMGYFrvU8Gbm12BXEYVUakdiNkz2LJ/VyYmcpb4tCxdZ1hsZjO5pdKnA0R9liwcw
7HnnthDZICpow6QwiqIxE+j9m1mNqsu0ztHVicfbEywsbbDOTBoGe4SCV1s+kF0v
XaAGOnZEzI267SSJsyTreKy7CfxGFstjCsUCAwEAAaOBtTCBsjAJBgNVHRMEAjAA
MB0GA1UdDgQWBBRk40EZLbdt2NuMLomiGEptFLKJaDBRBgNVHSMESjBIgBSPCcPK
vhpKVJd7fIQ4/wI2wnDT16EapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFAWt
r2PxdUJ2eCI9+cscCBPD6AykMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQE
AwIFoDARBgNVHREECjAIggZzZXJ2ZXIwDQYJKoZIhvcNAQELBQADggEBAGDVNaCz
DAUy7ETr5iWbeA357ijxh3gbsSogUyxkXfWYWtK43oQ3EQCBMpzlobqFmcBIJjtO
mV/C5hHtlykeqpnqqVedHOMnhnjxzFPhni7sdtji0IhNC8oXRBDzKRLQSNhCc2dJ
75m9JnvyC93Pq6r114/Zfss8Ohj25zrOyOsSFkCDgJ+k8YQ6CtzgnBIIjSDQqk3Z
Sn1Z7Zf6Q8WRVZIFdTsQap7u2OLfvRZUVAZFfBLHhydHm0kLI977MmJZe5A7J9JG
nNZTE1wZmLUNTkIQMRkUlqkXbuOoLKnFuJHia5RGbSgJdIgYVZHuQNX7RKCQnqgQ
uu9Xr2MA8PTM1ic=
-----END CERTIFICATE-----
[root@centOS8 3]# cat pki/serial
1C48F852334505BE389C9652AAF3FD89
[root@centOS8 3]# cat pki/serial.old
1c48f852334505be389c9652aaf3fd88

[root@centOS8 3]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn//easy-rsa-client/3/vars
[root@centOS8 3]# cd /etc/openvpn//easy-rsa-client/3/
[root@centOS8 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
[root@centOS8 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
1 directory, 11 files

[root@centOS8 3]# ./easyrsa gen-req fok nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
..............+++++
...............................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-45692.n8gGwH/tmp.SNLLhh'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Common Name (eg: your user, host, or server name) [fok]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/fok.req
key: /etc/openvpn/easy-rsa-client/3/pki/private/fok.key

[root@centOS8 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ └── fok.key
│ ├── reqs
│ │ └── fok.req
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 15 files

[root@centOS8 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/fok.req fok
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
The request has been successfully imported with a short name of: fok
You may now use this name to perform signing operations on this request.
[root@centOS8 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── 1C48F852334505BE389C9652AAF3FD88.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── fok.req
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 15 files

[root@centOS8 3]# vim /etc/openvpn/easy-rsa-server/3/vars
set_var EASYRSA_CERT_EXPIRE 90
[root@centOS8 3]# ./easyrsa sign client fok
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 90 days:
subject=
commonName = fok
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-53178.WzOW5D/tmp.j5kUAg
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'fok'
Certificate is to be certified until May 4 13:46:57 2022 GMT (90 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/fok.crt
[root@centOS8 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ ├── 07A3086C1AF57EBECE2E72B808E03B14.pem
│ └── 1C48F852334505BE389C9652AAF3FD88.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ ├── fok.crt
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── fok.req
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 17 files

[root@centOS8 3]# cat pki/issued/fok.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:a3:08:6c:1a:f5:7e:be:ce:2e:72:b8:08:e0:3b:14
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Feb 3 13:46:57 2022 GMT
Not After : May 4 13:46:57 2022 GMT
Subject: CN=fok
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c0:44:6b:6c:b6:a7:9b:d8:a3:09:28:a1:46:5e:
4c:e1:dd:64:b8:00:fc:ef:61:71:61:4b:8e:8f:4e:
a8:3b:e3:76:9b:05:d9:d7:16:47:48:98:4b:8a:73:
72:e0:ed:a0:cc:62:e8:8a:e6:ac:a2:c2:01:41:2c:
5d:3d:2a:da:48:45:0d:91:74:2c:2c:65:b4:20:c9:
11:be:9e:88:dc:f9:e9:dc:57:8d:2b:55:30:80:5b:
43:97:10:2d:ee:ba:22:52:b8:69:e1:a8:e2:bd:b0:
f4:86:86:93:b3:45:8e:ba:1e:e1:b1:70:e9:e0:08:
d3:f4:37:a8:95:90:8a:1c:2a:1a:f8:51:7b:1e:95:
8c:fe:35:50:44:b1:6f:47:29:da:b2:b4:31:81:56:
ff:e1:f5:17:7b:68:d8:c5:5d:3f:c6:c4:91:d1:e4:
79:2c:a1:ad:d2:0c:a9:36:1d:42:f4:09:c4:4d:8b:
56:7b:25:f1:33:d5:bc:db:57:e3:11:11:f4:09:96:
47:5e:31:89:31:c4:77:24:13:2f:61:87:66:1c:92:
2f:c7:9a:9e:4d:5c:db:d5:54:3c:01:d2:b3:ed:49:
fe:3a:91:df:80:73:6b:fc:77:e4:72:f6:4f:d9:ef:
de:c9:c9:c4:8b:7b:09:c8:85:65:71:c8:e0:6a:6f:
10:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
1F:36:9F:C0:0E:A7:91:00:DB:36:B3:DA:20:0B:72:73:68:E9:BE:6B
X509v3 Authority Key Identifier:
keyid:8F:09:C3:CA:BE:1A:4A:54:97:7B:7C:84:38:FF:02:36:C2:70:D3:D7
DirName:/CN=Easy-RSA CA
serial:05:AD:AF:63:F1:75:42:76:78:22:3D:F9:CB:1C:08:13:C3:E8:0C:A4
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
27:f8:0a:83:89:91:65:cf:df:75:8e:f1:25:64:b2:16:30:06:
14:a1:71:fd:84:fc:2e:e8:2c:e6:05:59:0d:73:f8:6c:2a:0c:
5f:03:d4:c5:c3:f2:28:40:99:ed:96:9e:86:0a:1c:33:2f:8e:
25:5e:52:01:e5:dc:63:5f:57:2c:18:89:e2:9b:0d:60:41:ac:
95:b5:1e:5b:5c:7a:4c:05:33:a3:60:19:ca:7a:07:9a:b7:89:
70:1a:45:1e:96:5c:64:40:d2:e3:51:31:d0:c9:6d:fb:0c:46:
38:2e:b5:2f:a8:a0:91:2a:1a:c6:b2:39:38:1c:7d:26:21:2b:
5d:7f:20:4f:ec:20:a0:dd:8d:2f:fb:3f:89:23:81:b5:c5:be:
76:3e:58:5d:bf:ca:ab:1d:59:41:ef:b9:80:6f:bc:87:53:18:
f8:ea:60:dc:83:5a:e9:dd:b0:58:ed:3e:7d:bf:26:c1:ad:75:
57:60:49:6d:4a:0e:b6:a0:18:57:11:c3:7c:c1:d1:19:18:a0:
40:d9:d6:83:fc:92:27:a4:00:d7:e0:d4:33:30:03:a6:06:e6:
7e:ab:08:d7:14:6a:e0:9f:a3:8f:fc:c5:08:22:fc:e6:1f:77:
a7:f7:21:98:d5:30:b0:47:66:16:eb:9a:03:5d:ee:70:3c:64:
cc:6c:94:88
-----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIQB6MIbBr1fr7OLnK4COA7FDANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yMjAyMDMxMzQ2NTdaFw0yMjA1MDQx
MzQ2NTdaMA4xDDAKBgNVBAMMA2ZvazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMBEa2y2p5vYowkooUZeTOHdZLgA/O9hcWFLjo9OqDvjdpsF2dcWR0iY
S4pzcuDtoMxi6IrmrKLCAUEsXT0q2khFDZF0LCxltCDJEb6eiNz56dxXjStVMIBb
Q5cQLe66IlK4aeGo4r2w9IaGk7NFjroe4bFw6eAI0/Q3qJWQihwqGvhRex6VjP41
UESxb0cp2rK0MYFW/+H1F3to2MVdP8bEkdHkeSyhrdIMqTYdQvQJxE2LVnsl8TPV
vNtX4xER9AmWR14xiTHEdyQTL2GHZhySL8eank1c29VUPAHSs+1J/jqR34Bza/x3
5HL2T9nv3snJxIt7CciFZXHI4GpvELsCAwEAAaOBojCBnzAJBgNVHRMEAjAAMB0G
A1UdDgQWBBQfNp/ADqeRANs2s9ogC3JzaOm+azBRBgNVHSMESjBIgBSPCcPKvhpK
VJd7fIQ4/wI2wnDT16EapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFAWtr2Px
dUJ2eCI9+cscCBPD6AykMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIH
gDANBgkqhkiG9w0BAQsFAAOCAQEAJ/gKg4mRZc/fdY7xJWSyFjAGFKFx/YT8Lugs
5gVZDXP4bCoMXwPUxcPyKECZ7ZaehgocMy+OJV5SAeXcY19XLBiJ4psNYEGslbUe
W1x6TAUzo2AZynoHmreJcBpFHpZcZEDS41Ex0Mlt+wxGOC61L6igkSoaxrI5OBx9
JiErXX8gT+wgoN2NL/s/iSOBtcW+dj5YXb/Kqx1ZQe+5gG+8h1MY+Opg3INa6d2w
WO0+fb8mwa11V2BJbUoOtqAYVxHDfMHRGRigQNnWg/ySJ6QA1+DUMzADpgbmfqsI
1xRq4J+jj/zFCCL85h93p/chmNUwsEdmFuuaA13ucDxkzGyUiA==
-----END CERTIFICATE-----

[root@centos8 ~]#mkdir /etc/openvpn/certs
[root@centos8 ~]#cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt
/etc/openvpn/certs/
[root@centos8 ~]#cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt
/etc/openvpn/certs/
[root@centos8 ~]#cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key
/etc/openvpn/certs/
[root@centos8 ~]#cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem
/etc/openvpn/certs/

[root@centOS8 ~]# mkdir /etc/openvpn/client/fok/
[root@centOS8 ~]# find /etc/openvpn/ -name "fok.key" -o -name "fok.crt" -o -name ca.crt
/etc/openvpn/easy-rsa-server/3.0.8/pki/issued/fok.crt
/etc/openvpn/easy-rsa-server/3.0.8/pki/ca.crt
/etc/openvpn/easy-rsa-client/3.0.8/pki/private/fok.key
/etc/openvpn/certs/ca.crt
[root@centOS8 ~]# find /etc/openvpn/ ( -name "fok.key" -o -name "fok.crt" -o -name ca.crt ) -exec cp {} /etc/openvpn/client/fok ;

[root@centOS8 ~]# grep '^[a-Z].*' /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

[root@centOS8 ~]# getent passwd openvpn
openvpn:x:975:974:OpenVPN:/etc/openvpn:/sbin/nologin
[root@centOS8 ~]# mkdir /var/log/openvpn
'[root@centOS8 ~]# chown openvpn.openvpn /var/log/openvpn
[root@centOS8 ~]# ll -d /var/log/openvpn
drwxr-xr-x. 2 openvpn openvpn 6 Feb 3 22:58 /var/log/openvpn

[root@centOS8 ~]#
[root@centOS8 ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@centOS8 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@centOS8 ~]# echo 'iptables -t nat -A POSTROUTING -s 10.8.0.00/24 -j MASQUERADE' >> /etc/rc.d/rc.local

[root@centOS8 ~]# rpm -ql openvpn|grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd
[root@centOS8 ~]# rpm -ql openvpn|grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd

[root@centOS8 sample-config-files]# grep '^[[:alpha:]].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf > /etc/openvpn/client/fok/client.ovpn
[root@centOS8 ~]# vim /etc/openvpn/client/fok/client.ovpn
client
dev tun
proto udp
remote 10.0.0.8 1194
resolv-retry infinite
nobind

persist-key

persist-tun

ca ca.crt
cert client.crt
key client.key
remote-cert-tls server

tls-auth ta.key 1

cipher AES-256-CBC
verb 3
compress lz4-v2

QQ截图20220204111525.png

[root@centOS8 ~]# cd /etc/openvpn/client/fok/
[root@centOS8 fok]# pwd
/etc/openvpn/client/fok
[root@centOS8 fok]# ll
total 20
-rw-------. 1 root root 1204 Feb 3 22:36 ca.crt
-rw-r--r--. 1 root root 228 Feb 4 10:59 client.ovpn
-rw-------. 1 root root 4485 Feb 3 22:36 fok.crt
-rw-------. 1 root root 1708 Feb 3 22:36 fok.key
[root@centOS8 fok]# tar cf fok.tar ./
tar: ./fok.tar: file is the archive; not dumped
[root@centOS8 fok]# ll
total 40
-rw-------. 1 root root 1204 Feb 3 22:36 ca.crt
-rw-r--r--. 1 root root 228 Feb 4 10:59 client.ovpn
-rw-------. 1 root root 4485 Feb 3 22:36 fok.crt
-rw-------. 1 root root 1708 Feb 3 22:36 fok.key
-rw-r--r--. 1 root root 20480 Feb 4 11:48 fok.tar
[root@centOS8 fok]# tar tf fok.tar
./
./fok.crt
./ca.crt
./fok.key
./client.ovpn

QQ截图20220204123753.png

二、通过编译、二进制安装MySQL5.7
①、二进制安装MySQL5.7
[root@centOS8 ~]# yum -y install libaio numactl-libs
Upgraded:
numactl-libs-2.0.12-13.el8.x86_64 Complete!
[root@centOS8 ~]# groupadd mysql
[root@centOS8 ~]# useradd -r -g mysql -s /bin/false mysql
[root@centOS8 ~]# wget http://mirrors.163.com/mysql/Downloads/MySQL-5.7/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz
[root@centOS8 ~]# tar xf mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz -C /usr/local
[root@centOS8 ~]# cd /usr/local/
[root@centOS8 local]# ln -s mysql-5.7.35-linux-glibc2.12-x86_64/ mysql
[root@centOS8 local]# chown -R root.root /usr/local/mysql/
[root@centOS8 ~]# cd /usr/local
[root@centOS8 local]# ln -s mysql-5.7.35-linux-glibc2.12-x86_64/ mysql
[root@centOS8 local]# chown -R root.root /usr/local/mysql
[root@centOS8 ~]# echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh. /etc/profile.d/mysql.sh
[root@centOS8 etc]# vim /etc/my.cnf
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
[root@centOS8 ~]# mysqld --initialize-insecure --user=mysql --datadir=/data/mysql
[root@centOS8 ~]# cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centOS8 ~]# chkconfig --add mysqld
[root@centOS8 ~]# service mysqld start
Starting MySQL.. SUCCESS!
②源码编译安装MySQL5.7
[root@centOS8 ~]#yum -y install gcc gcc-c++ cmake bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel perl-Data-Dumper
[root@centOS8 ~]# useradd -r -s /sbin/nologin -d /data/mysql mysql
[root@centOS8 ~]# mkdir /data/mysql
[root@centOS8 ~]# chown mysql.mysql /data/mysql
[root@centOS8 data]# ll
total 54924
drwxr-xr-x. 2 mysql mysql 6 Feb 6 17:08 mysql
-rw-r--r--. 1 root root 56238341 Feb 6 17:36 mysql-5.7.36.tar.gz
[root@centOS8 ~]# tar xvf /data/mysql-5.7.36.tar.gz -C /usr/local/src
[root@centOS8 ~]#cd mysql-5.6.51/
cmake .
.
.
.
CMake Warning:
Manually-specified variables were not used by the project:
MYSQL_USER
WITHOUT_MROONGA_STORAGE_ENGINE
WITH_READLINE
-- Build files have been written to: /usr/local/src/mysql-5.7.36
[root@centOS8 ~]#./bin/mysqld --initialize-insecure --user=mysql --basedir=/usr/local/mysql --datadir=/data0/mysql/data
[root@centOS8 ~]#./bin/mysql_ssl_rsa_setup
[root@centOS8 ~]#chown -R root .
[root@centOS8 ~]#chown -R mysql data
[root@centOS8 ~]#cp support-files/my-default.cnf /etc/my.cnf
[root@centOS8 ~]#vim /etc/my.cnf
[client]
port=3306
socket=/usr/local/mysql/mysql.sock
[mysqld]
character-set-server=utf8
collation-server=utf8_general_ci
skip-external-locking
skip-name-resolve
user=mysql
port=3306
basedir=/usr/local/mysql
datadir=/usr/local/mysql/data
tmpdir=/usr/local/mysql/temp

server_id = .....

socket=/usr/local/mysql/mysql.sock
log-error=/usr/local/mysql/logs/mysql_error.log
pid-file=/usr/local/mysql/mysql.pid
open_files_limit=10240
back_log=600
max_connections=500
max_connect_errors=6000
wait_timeout=605800

open_tables=600

table_cache = 650

opened_tables = 630

max_allowed_packet=32M
sort_buffer_size=4M
join_buffer_size=4M
thread_cache_size=300
query_cache_type=1
query_cache_size=256M
query_cache_limit=2M
query_cache_min_res_unit=16k
tmp_table_size=256M
max_heap_table_size=256M
key_buffer_size=256M
read_buffer_size=1M
read_rnd_buffer_size=16M
bulk_insert_buffer_size=64M
lower_case_table_names=1
default-storage-engine=INNODB
innodb_buffer_pool_size=2G
innodb_log_buffer_size=32M
innodb_log_file_size=128M
innodb_flush_method=O_DIRECT
#####################
thread_concurrency=32
long_query_time=2
slow-query-log=on
slow-query-log-file=/usr/local/mysql/logs/mysql-slow.log
[mysqldump]
quick
max_allowed_packet=32M
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
[root@centOS8 ~]#cp support-files/mysql.server /etc/init.d/mysqld
[root@centOS8 ~]#chkconfig --add mysqld
[root@centOS8 ~]#chkconfig mysqld on
[root@centOS8 ~]#service mysqld start
[root@centOS8 ~]#service mysqld stop
[root@centOS8 ~]#service mysqld restart
[root@centOS8 ~]#/usr/local/mysql/bin/mysql -e "grant all privileges on . to root@'10.0.0.8' identified by "root" with grant option;"
[root@centOS8 ~]#/usr/local/mysql/bin/mysql -e "grant all privileges on . to root@'%' identified by "root" with grant option;"
[root@centOS8 ~]#/usr/local/mysql/bin/mysql -e "grant all privileges on . to root@'localhost' identified by "root" with grant option;"
[root@centOS8 ~]#vim /etc/profile
export PATH=/usr/local/mysql/bin:$PATH
[root@centOS8 ~]source /etc/profile
三、二进制安装mariadb10.4
[root@centOS8 ~]# wget https://tw1.mirror.blendbyte.net/mariadb//mariadb-10.4.22/bintar-linux-x86_64/mariadb-10.4.22-linux-x86_64.tar.gz
[root@centOS8 ~]# tar -xvf mariadb-10.4.22-linux-x86_64
[root@centOS8 mariadb-10.4.22-linux-x86_64]# cat INSTALL-BINARY
[root@centOS8 ~]# mv mariadb-10.4.22-linux-x86_64 /usr/local
[root@centOS8 ~]# cd /usr/local ; ln -sv mariadb-10.4.22-linux-x86_64 mysql
'mysql' -> 'mariadb-10.4.22-linux-x86_64'
[root@centOS8 ~]# mkdir /etc/mysql/
[root@centOS8 mariadb-10.4.22-linux-x86_64]# cp support-files/my.cnf /etc/mysql/my.cnf
[root@centOS8 mariadb-10.4.22-linux-x86_64]# vim /etc/mysql/my.cnf

[client]
port = 3306
socket = /tmp/mysql.sock
default-character-set=utf8
[mysqld]
port = 3306
socket = /tmp/mysql.sock
datadir = /app/data
innodb_file_per_table = on
skip_name_resolve = on
skip-external-locking
key_buffer_size = 384M
max_allowed_packet=256M

basedir=/var/lib/mysql

table_open_cache = 512
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 32M
pid_file=/var/lib/mysql/mysql.pid
log_error = /var/log/mysql/error.log
thread_concurrency = 8
innodb_buffer_pool_size = 256M
innodb_flush_method = O_DIRECT
innodb_file_per_table = 1
innodb_flush_log_at_trx_commit = 0
innodb_log_file_size = 32M
innodb_log_buffer_size = 8M
innodb_lock_wait_timeout = 50
[root@centOS8 mariadb-10.4.22-linux-x86_64]# ./scripts/mysql_install_db --datadir=/app/data --user=mysql
[root@centOS8 ~]# mkdir /var/log/mariadb/
[root@centOS8 ~]# touch /var/log/mariadb/mariadb.log
[root@centOS8 ~]# setfacl -R -m u:mysql:rwx /var/log/mariadb/mariadb.log
[root@centOS8 mariadb-10.4.22-linux-x86_64]# cp support-files/mysql.server /etc/init.d/mysql
[root@centOS8 mariadb-10.4.22-linux-x86_64]# chkconfig --add mysql
[root@centOS8 mariadb-10.4.22-linux-x86_64]# chkconfig on
[root@centOS8 ~]# vim /etc/profile.d/mysql.sh
export PATH=/usr/local/mysql/bin:$PATH
[root@centOS8 ~]# source /etc/profile.d/mysql.sh
[root@centOS8 ~]# mysql -u xxxxx