Kong API Gateway部署手册----安装
2016-10-25Linux撒加10275°c
Changelog 2017年6月13日:
1、更新Kong为0.10.3
2、更新pcre为8.40
3、增加PGSQL的部署
4、OpenResty编译配置变更
5、升级OpenResty为1.11.2-2 (Kong 0.9.9支持的OpenResty版本为1.11.2-1)
6、增加serf的手动安装过程
Kong官方提供的源码安装方式还是略微显得简单了些,主要还是在突出Kong的安装,至于其他部分也就是寥寥带过。
源码安装Kong,需要准备的软件包有:
1、OpenResty 1.11.2-2
2、luarocks 2.4.2
3、pcre 8.40
4、openssl 1.0.2j+chacha20 patch
非必要模块或条件
1、Kong如果要部署在物理服务器上,CPU可以考虑使用E5-26xx v3或者v4的系列,因为这些CPU支持AES-NI指令集,可以用硬件加速TLS中的AES加解密(细节可以去谷歌)
2、nginx-module-vts:第三方模块,用于输出更加详细的Nginx使用状态
操作系统版本 CentOS 6.5定制版,内核版本2.6.32-431.29.2
源码目录:/root/source/kong
软件目录规划:
安装目录:/opt/websuite/kong
日志目录:/opt/logs/kong
PID目录:/opt/run/kong
配置文件目录:/opt/config/kong
机器分配
Kong:172.16.5.3
PostgreSQL:172.16.5.160
安装过程
172.16.5.160上的操作
下载OneSQL for PostgreSQL
# Stage the PostgreSQL bundle in the working directory used for all sources.
mkdir -p /root/source/kong
cd /root/source/kong
# The archive is fetched as-is; nothing on this page checks a checksum or
# signature, so compare it against a digest published by the vendor before
# unpacking it as root.
wget https://www.onexsoft.cn/software/onepgsql-9.4.11-rhel5-linux64.tar.gz
安装PostgreSQL
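# Unpack the bundle under /opt/websuite and give it a version-neutral name.
# The target directory is created first because tar -C fails if it is missing.
mkdir -p /opt/websuite
tar zxf onepgsql-9.4.11-rhel5-linux64.tar.gz -C /opt/websuite/
mv /opt/websuite/pgsql9411 /opt/websuite/pgsql
# Create the PostgreSQL group and user (fixed gid/uid 26, no home directory
# created by useradd).
groupadd -g 26 -o -r postgres
useradd -M -g postgres -o -r -d /database/pgsql -s /bin/bash -N -u 26 postgres
# Create the data and log directories. The log directory is named "log" to
# match PGLOG and the `pg_ctl -l` path used later on this page; creating
# "logs" instead would leave /database/pgsql/log missing and pg_ctl unable
# to open its log file.
mkdir -p /database/pgsql/{data,log}
chown -R postgres /database/pgsql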
#添加环境变量
vi /etc/profile.d/pgsql.sh
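# Contents of /etc/profile.d/pgsql.sh: PostgreSQL locations for login shells.
export PATH="$PATH:/opt/websuite/pgsql/bin"
export PG_HOME=/opt/websuite/pgsql
# Append without leaving an empty entry when LD_LIBRARY_PATH is unset or
# empty: an empty element makes the dynamic loader search the current
# directory, which lets a library dropped there be loaded instead.
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${PG_HOME}/lib"
export PGDATA=/database/pgsql/data
export PGLOG=/database/pgsql/log/pgsql.log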
# Switch to the postgres account and initialise the database cluster.
# NOTE(review): plain `su` does not start a login shell, so
# /etc/profile.d/pgsql.sh may not have been read and initdb may not be on
# PATH; `su - postgres` would force a login shell — confirm on the target host.
su postgres
# -W prompts for the superuser (-U postgres) password instead of leaving it unset.
initdb -E utf8 -D /database/pgsql/data -W -U postgres
注:以下操作均在postgres环境下操作
#增加PGSQL访问权限,修改/database/pgsql/data/pg_hba.conf
host kong kong 172.16.4.0/23 trust
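新增的内容意思是允许172.16.4.0/23网段(172.16.4.0–172.16.5.255)的机器使用用户kong访问数据库kong。注意:认证方式trust表示不校验密码,该网段内任何机器都可以直接以kong身份连接,后面为kong设置的密码不会起作用;生产环境建议把trust改为md5,并把来源地址收窄为Kong所在的172.16.5.3/32。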
# Bind PostgreSQL to the database host's own address by replacing the
# commented-out listen_addresses line.
sed -i "/#listen_addresses/c listen_addresses='172.16.5.160'" /database/pgsql/data/postgresql.conf
# Start PostgreSQL, logging to the file given with -l.
pg_ctl start -D /database/pgsql/data -l /database/pgsql/log/pgsql.log
# Create the login role kong; -P prompts for its password and -E stores it
# encrypted. The password is only checked when the matching pg_hba.conf
# entry uses a password-based method for this role.
createuser -l -E kong -P
# Create the database kong (UTF-8), owned by the role kong.
createdb -E utf8 -O kong kong
172.16.5.3上的操作
安装依赖软件包
# Refresh package metadata, then install the compiler toolchain and the
# gperftools packages needed by the --with-google_perftools_module build
# option used for OpenResty below.
yum check-update
yum install devtoolset-3-gcc devtoolset-3-gcc-c++ devtoolset-3-libstdc++-devel gperftools-devel gperftools-libs
下载源码包
# Fetch all sources into one working directory.
mkdir -p /root/source/kong
cd /root/source/kong
# None of these downloads is verified here. Check each tarball against the
# checksum or signature its publisher provides before building it as root.
wget https://openresty.org/download/openresty-1.11.2.2.tar.gz
# Plain FTP gives no transport integrity, so verification matters most here.
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
wget https://luarocks.github.io/luarocks/releases/luarocks-2.4.2.tar.gz
# Cloned at whatever the default branch currently holds (no commit pinned);
# the OpenSSL patch applied later comes from this checkout.
git clone https://github.com/cloudflare/sslconfig.git
wget https://github.com/Mashape/kong/archive/0.10.3.tar.gz -O kong-0.10.3.tar.gz
安装OpenSSL
# Build a private OpenSSL under the Kong prefix, patched for ChaCha20-Poly1305.
tar zxf openssl-1.0.2j.tar.gz
cd openssl-1.0.2j
# The patch file name (ossl102j) suggests it targets this exact release.
# NOTE(review): the OpenSSL 1.0.2 series is end-of-life upstream; check for
# a supported release before using this build in production.
patch -p1 < /root/source/kong/sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch
# no-ssl2/no-ssl3/no-ssl3-method drop the legacy protocols; no-zlib/no-comp
# drop compression support; "shared" builds shared libraries.
./config threads shared no-zlib no-comp no-ssl2 no-ssl3 no-ssl3-method --prefix=/opt/websuite/kong/openssl
make depend
make && make install
安装OpenResty
# Create the unprivileged group and user that the OpenResty build is
# configured to run as (--user/--group below): no home directory, no login shell.
groupadd websuite
useradd -g websuite -M -s /sbin/nologin websuite
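# Build and install OpenResty. Start from the source directory: the previous
# step leaves the shell inside openssl-1.0.2j, where these tarballs are not.
cd /root/source/kong
tar zxf openresty-1.11.2.2.tar.gz
tar zxf pcre-8.40.tar.gz
cd openresty-1.11.2.2
# Notes on the configure line below:
#  - --with-cc-opt/--with-ld-opt point the build at the OpenSSL installed
#    under /opt/websuite/kong/openssl; -march=native ties the binary to the
#    CPU of the build host.
#  - NOTE(review): -L alone does not add a runtime library search path;
#    confirm with ldd that the installed nginx resolves libssl/libcrypto
#    from /opt/websuite/kong/openssl/lib and not from a system copy.
#  - NOTE(review): --pid-path names a directory here, while the Kong nginx
#    template later uses /opt/run/kong/nginx.pid — confirm the intended value.
#  - NOTE(review): no step on this page fetches nginx-module-vts into
#    /root/source/tengine/module/; the source must already be there, or
#    drop --add-dynamic-module.
./configure --prefix=/opt/websuite/kong -j24 \
--without-http_xss_module \
--without-http_form_input_module \
--without-http_encrypted_session_module \
--without-http_srcache_module \
--without-http_memc_module \
--without-http_redis2_module \
--without-http_redis_module \
--without-http_lua_upstream_module \
--without-http_rds_json_module \
--with-http_iconv_module \
--without-lua_resty_mysql \
--without-lua_resty_upload \
--without-lua_rds_parser \
--without-lua51 \
--with-luajit \
--without-luajit-lua52 \
--sbin-path=/opt/websuite/kong/sbin/nginx \
--conf-path=/opt/config/kong/nginx.conf \
--error-log-path=/opt/logs/kong/error.log \
--http-log-path=/opt/logs/kong/access.log \
--pid-path=/opt/run/kong \
--user=websuite \
--group=websuite \
--without-select_module \
--without-poll_module \
--with-threads \
--with-file-aio \
--with-http_realip_module \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--without-http_memcached_module \
--without-http_ssi_module \
--http-client-body-temp-path=/opt/websuite/kong/temp/client \
--http-proxy-temp-path=/opt/websuite/kong/temp/proxy \
--without-http_fastcgi_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-google_perftools_module \
--modules-path=/opt/websuite/kong/modules \
--with-http_v2_module \
--without-http_upstream_least_conn_module \
--without-http_upstream_ip_hash_module \
--with-cc-opt='-w -pipe -march=native -mtune=native -m128bit-long-double -m64 -fno-builtin-malloc -I/opt/websuite/kong/openssl/include' \
--with-ld-opt='-L/opt/websuite/kong/openssl/lib' \
--with-pcre=../pcre-8.40 \
--with-pcre-opt=-fPIC \
--with-pcre-jit \
--add-dynamic-module=/root/source/tengine/module/nginx-module-vts
gmake -j8 && make install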
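# Create the pid, log and temp directories OpenResty was configured to use
# and hand them to the worker account.
mkdir -p /opt/{run,logs}/kong
mkdir -p /opt/websuite/kong/temp/{client,proxy}
# owner:group is written with a colon; the dotted form is a deprecated spelling.
chown -R websuite:websuite /opt/{run,logs}/kong
chown -R websuite:websuite /opt/websuite/kong/temp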
安装luarocks
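# Build LuaRocks against the LuaJIT installed with OpenResty. Return to the
# source directory first; the previous step ends inside openresty-1.11.2.2.
cd /root/source/kong
tar zxf luarocks-2.4.2.tar.gz
cd luarocks-2.4.2
./configure --prefix=/opt/websuite/kong \
--rocks-tree=/opt/websuite/kong/luajit \
--sysconfdir=/opt/config/kong/luarocks \
--lua-suffix=jit \
--with-lua=/opt/websuite/kong/luajit \
--with-lua-include=/opt/websuite/kong/luajit/include/luajit-2.1
make build
make install
# Put the Kong, nginx and LuaJIT binaries on PATH for future login shells,
# then load the new PATH into the current shell. These are two separate
# commands: on a single line, `source ...` would be passed to echo and
# written into the profile script as text.
echo 'export PATH="${PATH}:/opt/websuite/kong/bin:/opt/websuite/kong/sbin:/opt/websuite/kong/luajit/bin"' > /etc/profile.d/kong.sh
source /etc/profile.d/kong.sh
# Install the luarocks rock using the freshly built luarocks.
luarocks install luarocks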
安装Kong
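# Install Kong from source. Return to the source directory first; the
# previous step ends inside luarocks-2.4.2, where the Kong tarball is not.
cd /root/source/kong
tar zxf kong-0.10.3.tar.gz
cd kong-0.10.3
# Point the Makefile's OPENSSL_DIR at the OpenSSL built for this install.
sed -i '/OPENSSL_DIR ?=/c OPENSSL_DIR ?= /opt/websuite/kong/openssl' Makefile
make install
# Copy the contents of Kong's bin/ directory next to the other binaries on PATH.
cp -r bin/* /opt/websuite/kong/bin/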
安装Serf
# Install the serf binary next to the other Kong binaries.
# NOTE(review): no step on this page downloads serf_0.7.0_linux_amd64.zip;
# fetch it from the vendor's release page, verify it against the published
# checksum, and run these commands from the directory that holds it.
unzip serf_0.7.0_linux_amd64.zip
mv serf /opt/websuite/kong/bin/
调整Kong的配置
---/opt/websuite/kong/luajit/share/lua/5.1/kong/conf_loader.lua
将
local DEFAULT_PATHS = {
"/etc/kong/kong.conf",
"/etc/kong.conf"
}
local PREFIX_PATHS = {
serf_pid = {"pids", "serf.pid"},
serf_log = {"logs", "serf.log"},
serf_event = {"serf", "serf_event.sh"},
serf_node_id = {"serf", "serf.id"}
;
nginx_pid = {"pids", "nginx.pid"},
nginx_err_logs = {"logs", "error.log"},
nginx_acc_logs = {"logs", "access.log"},
nginx_admin_acc_logs = {"logs", "admin_access.log"},
nginx_conf = {"nginx.conf"},
nginx_kong_conf = {"nginx-kong.conf"}
;
修改为(红色字体为修改部分)
local DEFAULT_PATHS = {
"/opt/config/kong/kong.conf"
}
local PREFIX_PATHS = {
serf_pid = {"/opt/run/kong", "serf.pid"},
serf_log = {"/opt/logs/kong", "serf.log"},
serf_event = {"serf", "serf_event.sh"},
serf_node_id = {"serf", "serf.id"}
;
nginx_pid = {"/opt/run/kong", "nginx.pid"},
nginx_err_logs = {"/opt/logs/kong", "error.log"},
nginx_acc_logs = {"/opt/logs/kong", "access.log"},
nginx_admin_acc_logs = {"/opt/logs/kong", "admin_access.log"},
nginx_conf = {"nginx.conf"},
nginx_kong_conf = {"nginx-kong.conf"}
;
---/opt/websuite/kong/luajit/share/lua/5.1/kong/templates/kong_defaults.lua
将
return [[
prefix = /usr/local/kong/
log_level = notice
proxy_access_log = logs/access.log
proxy_error_log = logs/error.log
admin_access_log = logs/admin_access.log
admin_error_log = logs/error.log
custom_plugins = NONE
anonymous_reports = on
proxy_listen = 0.0.0.0:8000
proxy_listen_ssl = 0.0.0.0:8443
admin_listen = 0.0.0.0:8001
admin_listen_ssl = 0.0.0.0:8444
nginx_worker_processes = auto
nginx_optimizations = on
nginx_daemon = on
mem_cache_size = 128m
ssl = on
ssl_cert = NONE
ssl_cert_key = NONE
client_ssl = off
client_ssl_cert = NONE
client_ssl_cert_key = NONE
ssl_cipher_suite = modern
ssl_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
admin_ssl = on
admin_ssl_cert = NONE
admin_ssl_cert_key = NONE
upstream_keepalive = 60
server_tokens = on
latency_tokens = on
error_default_type = text/plain
client_max_body_size = 0
client_body_buffer_size = 8k
database = postgres
pg_host = 127.0.0.1
pg_port = 5432
pg_database = kong
pg_user = kong
pg_password = NONE
pg_ssl = off
pg_ssl_verify = off
cassandra_contact_points = 127.0.0.1
cassandra_port = 9042
cassandra_keyspace = kong
cassandra_timeout = 5000
cassandra_ssl = off
cassandra_ssl_verify = off
cassandra_username = kong
cassandra_password = NONE
cassandra_consistency = ONE
cassandra_lb_policy = RoundRobin
cassandra_local_datacenter = NONE
cassandra_repl_strategy = SimpleStrategy
cassandra_repl_factor = 1
cassandra_data_centers = dc1:2,dc2:3
cassandra_schema_consensus_timeout = 10000
cluster_listen = 0.0.0.0:7946
cluster_listen_rpc = 127.0.0.1:7373
cluster_advertise = NONE
cluster_encrypt_key = NONE
cluster_keyring_file = NONE
cluster_profile = wan
cluster_ttl_on_failure = 3600
dns_resolver = NONE
dns_hostsfile = /etc/hosts
lua_code_cache = on
lua_socket_pool_size = 30
lua_ssl_trusted_certificate = NONE
lua_ssl_verify_depth = 1
lua_package_path = ?/init.lua;./kong/?.lua
lua_package_cpath = NONE
serf_path = serf
]]
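修改为(红色字体部分可根据自己的实际情况修改)。安全提示:admin_listen和admin_listen_ssl绑定在0.0.0.0上,而Kong的管理API本身不做认证,应改为127.0.0.1或用防火墙限制来源;pg_password请换成自己的强密码,并注意pg_ssl = off时Kong与PostgreSQL之间的连接不加密;cluster_encrypt_key = NONE表示集群gossip流量不加密。这些与站点相关的值也可以写到/opt/config/kong/kong.conf里,避免把密码留在模板文件中。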
return [[
prefix = /opt/config/kong/
log_level = notice
proxy_access_log = /opt/logs/kong/access.log
proxy_error_log = /opt/logs/kong/error.log
admin_access_log = /opt/logs/kong/admin_access.log
admin_error_log = /opt/logs/kong/error.log
custom_plugins = NONE
anonymous_reports = on
proxy_listen = 0.0.0.0:80
proxy_listen_ssl = 0.0.0.0:443
admin_listen = 0.0.0.0:8001
admin_listen_ssl = 0.0.0.0:8444
nginx_worker_processes = auto
nginx_optimizations = on
nginx_daemon = on
mem_cache_size = 128m
ssl = on
ssl_cert = NONE
ssl_cert_key = NONE
client_ssl = off
client_ssl_cert = NONE
client_ssl_cert_key = NONE
ssl_cipher_suite = modern
ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
admin_ssl = on
admin_ssl_cert = NONE
admin_ssl_cert_key = NONE
upstream_keepalive = 60
server_tokens = on
latency_tokens = on
database = postgres
pg_host = 172.16.5.160
pg_port = 5432
pg_database = kong
pg_user = kong
pg_password = ttpai
pg_ssl = off
pg_ssl_verify = off
cassandra_contact_points = 127.0.0.1 (如果不使用cassandra,请保留这一行cassandra的配置,否则在目前的版本之间升级会报错)
cluster_listen = 0.0.0.0:7946
cluster_listen_rpc = 127.0.0.1:7373
cluster_advertise = NONE
cluster_encrypt_key = NONE
cluster_keyring_file = NONE
cluster_profile = wan
cluster_ttl_on_failure = 3600
dns_resolver = 119.29.29.29
dns_hostsfile = /etc/hosts
lua_code_cache = on
lua_socket_pool_size = 30
lua_ssl_trusted_certificate = NONE
lua_ssl_verify_depth = 1
lua_package_path = ?/init.lua;./kong/?.lua
lua_package_cpath = NONE
serf_path = /opt/websuite/kong/bin/serf
]]
---/opt/websuite/kong/luajit/share/lua/5.1/kong/templates/nginx.lua
将
return [[
worker_processes ${{NGINX_WORKER_PROCESSES}};
daemon ${{NGINX_DAEMON}};
pid pids/nginx.pid;
error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};
> if nginx_optimizations then
worker_rlimit_nofile ${{WORKER_RLIMIT}};
> end
events {
> if nginx_optimizations then
worker_connections ${{WORKER_CONNECTIONS}};
multi_accept on;
> end
}
http {
include 'nginx-kong.conf';
}
]]
修改为(红色字体为修改部分)
return [[
worker_processes ${{NGINX_WORKER_PROCESSES}};
daemon ${{NGINX_DAEMON}};
pid /opt/run/kong/nginx.pid;
error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};
> if nginx_optimizations then
worker_rlimit_nofile ${{WORKER_RLIMIT}};
> end
events {
> if nginx_optimizations then
worker_connections ${{WORKER_CONNECTIONS}};
multi_accept on;
> end
}
http {
include 'nginx-kong.conf';
}
]]
修改Kong个别脚本适配自定义安装的OpenResty
---/opt/websuite/kong/luajit/share/lua/5.1/lapis/cmd/nginx.lua
将
nginx_search_paths = {
"/opt/openresty/nginx/sbin/",
"/usr/local/openresty/nginx/sbin/",
"/usr/local/opt/openresty/bin/",
"/usr/sbin/",
""
},
修改为
nginx_search_paths = {
"/opt/websuite/kong/sbin/",
},
---/opt/websuite/kong/luajit/share/lua/5.1/kong/cmd/utils/serf_signals.lua
将
local serf_search_paths = {
"serf",
"/usr/local/bin/serf"
}
修改为
local serf_search_paths = {
"/opt/websuite/kong/bin/serf"
}
启动Kong
kong start or kong start -vv(如果执行kong start报错,可以使用kong start -vv来进行调试)