I previously tested installing PostgreSQL and Kong on macOS, but in practice most deployments run on Linux servers. Below is a summary of deploying PostgreSQL and Kong on CentOS 7, along with the problems encountered along the way and how they were solved.
Check the CentOS version:
$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
Versions deployed:
kong: v0.13.1
postgresql: v10.4 (note: the PostgreSQL version must match the Kong version)
Installing dependencies
Install the gcc build environment
$ sudo yum install -y gcc gcc-c++
Install pcre
pcre (Perl Compatible Regular Expressions) is a Perl library providing Perl-compatible regular expressions; nginx's http module uses pcre to parse regular expressions.
$ sudo yum install -y pcre pcre-devel
Install zlib
The zlib library provides several compression and decompression methods.
$ sudo yum install -y zlib zlib-devel
Install openssl
openssl is a powerful Secure Sockets Layer cryptographic library that includes the major cryptographic algorithms, common key and certificate management functions, and the SSL protocol.
$ sudo yum install -y openssl openssl-devel
Deploying PostgreSQL
PostgreSQL is a fully community-driven open source project maintained by more than 1000 contributors worldwide. It ships as a single, full-featured edition, and reliability is its highest priority. Kong uses PostgreSQL as its database by default.
The Kong version installed here is 0.13, which requires PostgreSQL v10+; otherwise starting Kong fails with the following error:
$ /usr/local/bin/kong start
2018/06/08 12:07:55 [warn] postgres database 'kong' is missing migration: (response-transformer) 2016-05-04-160000_resp_trans_schema_changes
Error: /usr/local/share/lua/5.1/kong/cmd/start.lua:34: [postgres error] the current database schema does not match this version of Kong. Please run `kong migrations up` to update/initialize the database schema.
Be aware that Kong migrations should only run from a single node, and that nodes running migrations concurrently will conflict with each other and might corrupt your database schema!
Install PostgreSQL 10
$ sudo yum install -y https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-latest-x86_64/pgdg-centos10-10-2.noarch.rpm
$ sudo yum install -y postgresql10-server postgresql10-contrib
Initialize the database
$ sudo /usr/pgsql-10/bin/postgresql-10-setup initdb
Initializing database ... OK
Enable start on boot under CentOS 7
$ sudo systemctl enable postgresql-10.service
Start the PostgreSQL service
# start the service
$ sudo systemctl start postgresql-10.service
# check that PostgreSQL is running
$ sudo systemctl status postgresql-10.service
● postgresql-10.service - PostgreSQL 10 database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql-10.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-06-08 12:22:17 CST; 16s ago
     Docs: https://www.postgresql.org/docs/10/static/
  Process: 12951 ExecStartPre=/usr/pgsql-10/bin/postgresql-10-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
 Main PID: 12957 (postmaster)
   CGroup: /system.slice/postgresql-10.service
           ├─12957 /usr/pgsql-10/bin/postmaster -D /var/lib/pgsql/10/data/
           ├─12959 postgres: logger process
           ├─12961 postgres: checkpointer process
           ├─12962 postgres: writer process
           ├─12963 postgres: wal writer process
           ├─12964 postgres: autovacuum launcher process
           ├─12965 postgres: stats collector process
           └─12966 postgres: bgworker: logical replication launcher

Jun 08 12:22:17 172-18-38-219 systemd[1]: Starting PostgreSQL 10 database server...
Jun 08 12:22:17 172-18-38-219 postmaster[12957]: 2018-06-08 12:22:17.798 CST [12957] LOG: listeni...432
Jun 08 12:22:17 172-18-38-219 postmaster[12957]: 2018-06-08 12:22:17.798 CST [12957] LOG: could n...ess
Jun 08 12:22:17 172-18-38-219 postmaster[12957]: 2018-06-08 12:22:17.798 CST [12957] HINT: Is ano...ry.
Jun 08 12:22:17 172-18-38-219 postmaster[12957]: 2018-06-08 12:22:17.801 CST [12957] LOG: listeni...32"
Jun 08 12:22:17 172-18-38-219 postmaster[12957]: 2018-06-08 12:22:17.808 CST [12957] LOG: listeni...32"
Jun 08 12:22:17 172-18-38-219 postmaster[12957]: 2018-06-08 12:22:17.825 CST [12957] LOG: redirec...ess
Jun 08 12:22:17 172-18-38-219 postmaster[12957]: 2018-06-08 12:22:17.825 CST [12957] HINT: Future...g".
Jun 08 12:22:17 172-18-38-219 systemd[1]: Started PostgreSQL 10 database server.
Hint: Some lines were ellipsized, use -l to show in full.
PostgreSQL configuration
After initialization, PostgreSQL automatically creates two users and one database:
Linux system user postgres: the system user that manages the database;
PostgreSQL user postgres: the database superuser;
database postgres: the default database of user postgres.
Since the password is generated by default, it needs to be changed on the system.
Change the initial password
$ passwd postgres
Changing password for user postgres.
New password:
BAD PASSWORD: The password contains the user name in some form
Retype new password:
passwd: all authentication tokens updated successfully.
Create the user
For security, and to satisfy Kong's initialization requirements, create a PostgreSQL user kong together with a matching Linux user kong, and a new database kong.
# create the Linux user kong
$ sudo adduser kong
# log in to psql with the administrator account to create the user and database
# switch to the postgres user; after switching, the prompt becomes `-bash-4.3$`
$ su postgres
# enter the psql console; the prompt becomes 'postgres=#'
bash-4.3$ psql
could not change directory to "/root": Permission denied
psql (10.4)
Type "help" for help.
# change the password of the administrator user postgres (already changed above, so this can be skipped)
postgres=# \password postgres
# create the new database user (must match the system user created earlier)
postgres=# create user kong with password 'kong';
CREATE ROLE
# create a database for the new user
postgres=# create database kong owner kong;
CREATE DATABASE
# grant the privileges on the new database to kong
postgres=# grant all privileges on database kong to kong;
GRANT
# leave the console
postgres=# \q
bash-4.3$
Note: when running commands in the psql console, always remember to end them with a semicolon.
Also, the PostgreSQL user must have the same name as the system user:
$ cat /etc/passwd
...
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
kong:x:1002:1002::/home/kong:/bin/bash
Problem 1:
Logging in to the PostgreSQL database from the command line under the root account reports an authentication problem:
$ psql -U kong -d kong -h 127.0.0.1 -p 5432
psql: FATAL: Ident authentication failed for user "kong"
The reason is that PostgreSQL has no client access policy configured.
The authentication configuration file is
/var/lib/pgsql/10/data/pg_hba.conf
The four common authentication methods are:
trust: anyone who connects to the server is trusted. Only a PostgreSQL user name is needed, and there need not be an operating-system user of the same name;
password and md5: for remote access, the PostgreSQL user name and password are required. For local connections, besides the PostgreSQL user name and password, the client also needs operating-system access (verified through the same-named operating-system user). The difference between password and md5 is whether the password sent over the network is hashed with md5;
ident: for remote access, the client's operating-system user name is obtained from an ident server and used as the database user name for login; for local connections, peer is actually used;
peer: the name of the currently logged-in user is obtained from the client operating-system kernel and used as the PostgreSQL user name.
The PostgreSQL user must have an operating-system user of the same name, and you must be logged in to Linux as that same-named user in order to log in to PostgreSQL. To log in to PostgreSQL as a different user (for example root), change the local authentication method to trust or password.
$ vim /var/lib/pgsql/10/data/pg_hba.conf
# add the following two entries
# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all 0.0.0.0/0 trust
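With the two entries above, `trust` means the server asks for no password at all, and `0.0.0.0/0` matches every IPv4 client, so any host that can reach port 5432 can log in as any role, the superuser postgres included. The script below is an added example, not part of the original post: `weak_hba_rules` lists every host rule in a pg_hba.conf that uses `trust` or cleartext `password` for a non-loopback address, and the two sample files it writes are constructed here, one reproducing the post's rules and one tightened to the kong role only with md5 (the 10.0.0.0/8 application subnet in it is an assumed placeholder). The same check can be pointed at the live /var/lib/pgsql/10/data/pg_hba.conf before the service is restarted.

```shell
#!/bin/sh
# Added example: audit pg_hba.conf host rules for password-less (trust) or
# cleartext-password (password) logins from non-loopback addresses.
# pg_hba.conf rule format: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
# ("local" rules have no ADDRESS column and are skipped; note that a trust
# rule on 127.0.0.1/32 still lets every local account in as any role, but
# this check is about network exposure).

# Print every host/hostssl/hostnossl rule whose METHOD is trust or password
# and whose ADDRESS is not the IPv4/IPv6 loopback.
weak_hba_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        $1 ~ /^host(ssl|nossl)?$/ {
            addr = $4; method = $5
            loopback = (addr == "127.0.0.1/32" || addr == "::1/128")
            if ((method == "trust" || method == "password") && !loopback)
                print $0
        }' "$1"
}

# Number of weak rules in FILE (0 means the file passed the check).
count_weak_hba_rules() {
    weak_hba_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample: the two rules from the post, plus the stock local rule.
write_post_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
# IPv4 local connections:
host    all       all   127.0.0.1/32  trust
host    all       all   0.0.0.0/0     trust
EOF
}

# Constructed hardened sample: only the kong role, only the kong database,
# password required, reachable from loopback and from one application subnet.
# 10.0.0.0/8 is an assumed placeholder; substitute the real client network.
# PostgreSQL 10 also accepts scram-sha-256 as the METHOD if password_encryption
# was set to scram-sha-256 before the role's password was created.
write_hardened_hba() {
    cat > "$1" <<'EOF'
# TYPE    DATABASE  USER  ADDRESS       METHOD
local     all       all                 peer
host      kong      kong  127.0.0.1/32  md5
hostssl   kong      kong  10.0.0.0/8    md5
EOF
}

# Stand-alone run: audit both samples, then the live file if it is readable.
main() {
    tmp_post=$(mktemp); tmp_hard=$(mktemp)
    write_post_hba "$tmp_post"; write_hardened_hba "$tmp_hard"
    echo "weak rules in the post's config:"; weak_hba_rules "$tmp_post"
    echo "weak rules in the hardened config: $(count_weak_hba_rules "$tmp_hard")"
    rm -f "$tmp_post" "$tmp_hard"
    live=/var/lib/pgsql/10/data/pg_hba.conf
    [ -r "$live" ] && { echo "weak rules in $live:"; weak_hba_rules "$live"; }
    return 0
}
main "$@"
```

Rules are matched top to bottom and the first match wins, so a broad `trust` line placed above a stricter one silences the stricter one; the audit therefore reports every weak rule regardless of position, and a clean result means `psql -U kong -h 127.0.0.1` will prompt for the password set with `create user kong with password`.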
Problem 2:
Connecting from another host is refused, because PostgreSQL by default only accepts local connections; remote access has to be enabled.
Edit the configuration file /var/lib/pgsql/10/data/postgresql.conf and set listen_addresses to '*'
$ vim /var/lib/pgsql/10/data/postgresql.conf
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*'          # what IP address(es) to listen on;
After modifying both configuration files, restart the PostgreSQL service:
$ sudo systemctl restart postgresql-10.service
$ psql -U kong -d kong -h 127.0.0.1 -p 5432
psql (10.4)
Type "help" for help.
kong=> \l
                                  List of databases
   Name    |  Owner   | Encoding  | Collate | Ctype |   Access privileges
-----------+----------+-----------+---------+-------+-----------------------
 kong      | kong     | SQL_ASCII | C       | C     | =Tc/kong             +
           |          |           |         |       | kong=CTc/kong
 postgres  | postgres | SQL_ASCII | C       | C     |
 template0 | postgres | SQL_ASCII | C       | C     | =c/postgres          +
           |          |           |         |       | postgres=CTc/postgres
 template1 | postgres | SQL_ASCII | C       | C     | =c/postgres          +
           |          |           |         |       | postgres=CTc/postgres
(4 rows)
kong=>
For related PostgreSQL commands, see: common postgres commands
Deploying Kong
Installing Kong by following the method on the official site did not succeed; in the end it was installed successfully from the downloaded rpm package.
Install Kong
$ sudo yum install kong-community-edition-0.13.1.el7.noarch.rpm
...
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kong-community-edition-0.13.1-1.noarch    1/1
  Verifying  : kong-community-edition-0.13.1-1.noarch    1/1

Installed:
  kong-community-edition.noarch 0:0.13.1-1

Complete!
Edit Kong's configuration file
The default configuration file is located at /etc/kong/kong.conf.default
$ sudo cp /etc/kong/kong.conf.default /etc/kong/kong.conf
Fill the PostgreSQL details configured above into Kong's configuration file:
$ sudo vi /etc/kong/kong.conf
#------------------------------------------------------------------------------
# DATASTORE
#------------------------------------------------------------------------------
# Kong will store all of its data (such as APIs, consumers and plugins) in
# either Cassandra or PostgreSQL.
#
# All Kong nodes belonging to the same cluster must connect themselves to the
# same database.

database = postgres             # Determines which of PostgreSQL or Cassandra
                                # this node will use as its datastore.
                                # Accepted values are `postgres` and
                                # `cassandra`.

pg_host = 127.0.0.1             # The PostgreSQL host to connect to.
pg_port = 5432                  # The port to connect to.
pg_user = kong                  # The username to authenticate if required.
pg_password = kong              # The password to authenticate if required.
pg_database = kong              # The database name to connect to.
ssl = off                       # can be turned off if you do not want to expose SSL access on 8443
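kong.conf is a flat file of `key = value` lines with `#` comments, as the datastore block above shows. The script below is an added example, not from the post and not Kong's own code: `kong_conf_get` pulls a value out of that format (inline comment stripped, last definition wins), `kong_conf_admin_is_local` uses it to confirm that `admin_listen` binds only loopback addresses, and `kong_conf_not_world_readable` checks the mode of the file, since it holds `pg_password` in clear text. The Admin API on port 8001, which the post queries with curl after `kong start`, has no authentication of its own in Kong Community Edition, so its bind address is the control that matters. `admin_listen` is a real kong.conf key; treating an absent key as the Kong 0.13 default of `127.0.0.1:8001` is an assumption made here, and the sample file is constructed from the post's datastore values.

```shell
#!/bin/sh
# Added example: read values out of kong.conf (key = value, '#' comments)
# and check two exposure points before running `kong start`:
#  1. admin_listen binds only loopback addresses;
#  2. the file that holds pg_password in clear text is not world-readable.

# Print the value of KEY from FILE. Inline comments are stripped and the last
# definition wins; prints nothing if the key is not set. A '#' inside a value
# is not supported by this parser.
kong_conf_get() {
    sed 's/#.*$//' "$1" | awk -v key="$2" -F'=' '
        $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            v = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            val = v
        }
        END { printf "%s", val }'
}

# Return 0 when every admin_listen entry is bound to a loopback address.
# Entries are "ADDRESS:PORT [flags]" separated by commas; "off" disables the
# Admin API and is accepted. An absent key is treated as the Kong 0.13
# default 127.0.0.1:8001 (assumption; check kong.conf.default on your host).
kong_conf_admin_is_local() {
    listen=$(kong_conf_get "$1" admin_listen)
    [ -n "$listen" ] || listen="127.0.0.1:8001"
    printf '%s\n' "$listen" | tr ',' '\n' | awk '
        $1 == "off" { next }
        $1 !~ /^(127\.|localhost:|\[::1\]:)/ { bad++ }
        END { exit (bad > 0) }'
}

# Return 0 when FILE is not readable by "other" (column 8 of ls -ld is the
# other-read bit; it should be "-" for a file containing pg_password).
kong_conf_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Constructed sample reproducing the post's datastore block, plus an
# admin_listen line carrying the assumed 0.13 default value.
write_sample_kong_conf() {
    cat > "$1" <<'EOF'
database = postgres             # Determines which of PostgreSQL or Cassandra
                                # this node will use as its datastore.
pg_host = 127.0.0.1             # The PostgreSQL host to connect to.
pg_port = 5432                  # The port to connect to.
pg_user = kong                  # The username to authenticate if required.
pg_password = kong              # The password to authenticate if required.
pg_database = kong              # The database name to connect to.
admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl
EOF
    chmod 600 "$1"
}

# Stand-alone run against the constructed sample.
main() {
    f=$(mktemp); write_sample_kong_conf "$f"
    echo "pg_host=$(kong_conf_get "$f" pg_host) pg_database=$(kong_conf_get "$f" pg_database)"
    if kong_conf_admin_is_local "$f"; then echo "admin_listen: loopback only"
    else echo "admin_listen: bound to a non-loopback address"; fi
    if kong_conf_not_world_readable "$f"; then echo "file mode: ok"
    else echo "file mode: world-readable"; fi
    rm -f "$f"
    return 0
}
main "$@"
```

Run the two check functions against /etc/kong/kong.conf on the server; `kong_conf_admin_is_local` fails as soon as a later `admin_listen = 0.0.0.0:8001` line is added, because the last definition is the one that takes effect.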
Initialize the database tables
$ kong migrations up -c /etc/kong/kong.conf
migrating core for database kong
core migrated up to: 2015-01-12-175310_skeleton
core migrated up to: 2015-01-12-175310_init_schema
core migrated up to: 2015-11-23-817313_nodes
core migrated up to: 2016-02-29-142793_ttls
core migrated up to: 2016-09-05-212515_retries
core migrated up to: 2016-09-16-141423_upstreams
core migrated up to: 2016-12-14-172100_move_ssl_certs_to_core
core migrated up to: 2016-11-11-151900_new_apis_router_1
core migrated up to: 2016-11-11-151900_new_apis_router_2
core migrated up to: 2016-11-11-151900_new_apis_router_3
core migrated up to: 2016-01-25-103600_unique_custom_id
core migrated up to: 2017-01-24-132600_upstream_timeouts
core migrated up to: 2017-01-24-132600_upstream_timeouts_2
core migrated up to: 2017-03-27-132300_anonymous
core migrated up to: 2017-04-18-153000_unique_plugins_id
core migrated up to: 2017-04-18-153000_unique_plugins_id_2
core migrated up to: 2017-05-19-180200_cluster_events
core migrated up to: 2017-05-19-173100_remove_nodes_table
core migrated up to: 2017-06-16-283123_ttl_indexes
core migrated up to: 2017-07-28-225000_balancer_orderlist_remove
core migrated up to: 2017-10-02-173400_apis_created_at_ms_precision
core migrated up to: 2017-11-07-192000_upstream_healthchecks
core migrated up to: 2017-10-27-134100_consistent_hashing_1
core migrated up to: 2017-11-07-192100_upstream_healthchecks_2
core migrated up to: 2017-10-27-134100_consistent_hashing_2
core migrated up to: 2017-09-14-121200_routes_and_services
core migrated up to: 2017-10-25-180700_plugins_routes_and_services
migrating response-transformer for database kong
response-transformer migrated up to: 2016-05-04-160000_resp_trans_schema_changes
migrating ip-restriction for database kong
ip-restriction migrated up to: 2016-05-24-remove-cache
migrating statsd for database kong
statsd migrated up to: 2017-06-09-160000_statsd_schema_changes
migrating jwt for database kong
jwt migrated up to: 2015-06-09-jwt-auth
jwt migrated up to: 2016-03-07-jwt-alg
jwt migrated up to: 2017-05-22-jwt_secret_not_unique
jwt migrated up to: 2017-07-31-120200_jwt-auth_preflight_default
jwt migrated up to: 2017-10-25-211200_jwt_cookie_names_default
migrating cors for database kong
cors migrated up to: 2017-03-14_multiple_orgins
migrating basic-auth for database kong
basic-auth migrated up to: 2015-08-03-132400_init_basicauth
basic-auth migrated up to: 2017-01-25-180400_unique_username
migrating key-auth for database kong
key-auth migrated up to: 2015-07-31-172400_init_keyauth
key-auth migrated up to: 2017-07-31-120200_key-auth_preflight_default
migrating ldap-auth for database kong
ldap-auth migrated up to: 2017-10-23-150900_header_type_default
migrating hmac-auth for database kong
hmac-auth migrated up to: 2015-09-16-132400_init_hmacauth
hmac-auth migrated up to: 2017-06-21-132400_init_hmacauth
migrating datadog for database kong
datadog migrated up to: 2017-06-09-160000_datadog_schema_changes
migrating tcp-log for database kong
tcp-log migrated up to: 2017-12-13-120000_tcp-log_tls
migrating acl for database kong
acl migrated up to: 2015-08-25-841841_init_acl
migrating response-ratelimiting for database kong
response-ratelimiting migrated up to: 2015-08-03-132400_init_response_ratelimiting
response-ratelimiting migrated up to: 2016-08-04-321512_response-rate-limiting_policies
response-ratelimiting migrated up to: 2017-12-19-120000_add_route_and_service_id_to_response_ratelimiting
migrating request-transformer for database kong
request-transformer migrated up to: 2016-05-04-160000_req_trans_schema_changes
migrating rate-limiting for database kong
rate-limiting migrated up to: 2015-08-03-132400_init_ratelimiting
rate-limiting migrated up to: 2016-07-25-471385_ratelimiting_policies
rate-limiting migrated up to: 2017-11-30-120000_add_route_and_service_id
migrating oauth2 for database kong
oauth2 migrated up to: 2015-08-03-132400_init_oauth2
oauth2 migrated up to: 2016-07-15-oauth2_code_credential_id
oauth2 migrated up to: 2016-12-22-283949_serialize_redirect_uri
oauth2 migrated up to: 2016-09-19-oauth2_api_id
oauth2 migrated up to: 2016-12-15-set_global_credentials
oauth2 migrated up to: 2017-04-24-oauth2_client_secret_not_unique
oauth2 migrated up to: 2017-10-19-set_auth_header_name_default
oauth2 migrated up to: 2017-10-11-oauth2_new_refresh_token_ttl_config_value
oauth2 migrated up to: 2018-01-09-oauth2_pg_add_service_id
62 migrations ran
Start the Kong service
$ kong start
Kong started
The service has started normally:
$ curl 127.0.0.1:8001
{"plugins":{"enabled_in_cluster":[],"available_on_server":{"response-transformer":true,"correlation-id":true,"statsd":true,"jwt":true,"cors":true,"basic-auth":true,"key-auth":true,"ldap-auth":true,"http-log":true,"oauth2":true,"hmac-auth":true,"acl":true,"datadog":true,"tcp-log":true,"ip-restriction":true,"request-transformer":true,"file-log":true,"bot-detection":true,"loggly":true,"request-size-limiting":true,"syslog":true,"udp-log":true,"response-ratelimiting":true,"aws-lambda":true,"runscope":true,"rate-limiting":true,"request-termination":true}},"tagline":"Welcome to kong","configuration":{"error_default_type":"text\/plain","client_ssl":false,"lua_ssl_verify_depth":1 ....