Installation
System requirements
If the Linux system does not ship with the OpenSSL development libraries, install them manually.
Debian/Ubuntu
apt-get install -y libssl-dev
CentOS
yum install -y openssl-devel
Luwak has modest memory requirements. The resource statistics of a Docker environment look like this:
sudo docker compose stats
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ccd4e2e5c086 luwak_v3 0.00% 20.23MiB / 1.866GiB 1.06% 9.56MB / 5.23MB 1.47MB / 737kB 9
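The figures above come from a cross-border e-commerce project in a development environment. Memory use generally stays under 100M; treat this as a rough reference only.
Install from binaries
Create the service account
Create the luwak group and user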
/usr/sbin/groupadd -r luwak
/usr/sbin/useradd -g luwak -d /var/lib/luwak -s /sbin/nologin -r luwak
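Create the directories
Directory layout
/etc/luwak: configuration directory
/var/lib/luwak: working directory
/var/log/luwak: log directory
/usr/local/bin/luwak: executable
Create the configuration, working and log directories, and make sure the luwak user has write permission on the log directory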
mkdir -p /etc/luwak/conf.d /var/lib/luwak/lib /var/log/luwak
chown -R luwak:luwak /var/log/luwak/
Download the files
Download Luwak and make it executable
curl -o /usr/local/bin/luwak-linux https://download.api.tech/luwak/luwak-linux
curl -o /usr/local/bin/luwak-dev-linux https://download.api.tech/luwak/luwak-dev-linux
chmod +x /usr/local/bin/luwak-*
Download the plugin
curl -o /var/lib/luwak/lib/asm.so https://download.api.tech/luwak/lib/asm.so
Download the predefined APIs used in the development environment
curl -o /var/lib/luwak/lib/luwak_dev.db https://download.api.tech/luwak/lib/luwak_dev.db
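A check for the layout built in the steps above, as an added example that is not part of the Luwak documentation. The function names `audit_layout` and `demo_tree` are hypothetical, the sample tree is constructed, and the group/world-writable test on the binaries is an added hardening check that the page itself does not state.

```sh
#!/bin/sh
# Added example: audit the on-disk layout created by the install steps.
# audit_layout ROOT SERVICE_UID prints one finding per line and returns the
# number of findings. Real use: audit_layout / "$(id -u luwak)"

audit_layout() {
    root=${1%/}; svc_uid=$2; findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Directories created with mkdir -p in the steps above.
    for d in etc/luwak/conf.d var/lib/luwak/lib var/log/luwak; do
        [ -d "$root/$d" ] || flag "missing directory /$d"
    done

    # The service account must own the log directory to be able to write to it.
    log=$root/var/log/luwak
    if [ -d "$log" ]; then
        owner=$(ls -ldn "$log" | awk '{print $3}')
        [ "$owner" = "$svc_uid" ] || flag "/var/log/luwak owned by uid $owner, expected $svc_uid"
    fi

    # Binaries must be executable, and nobody but the owner should be able to replace them.
    for b in luwak-linux luwak-dev-linux; do
        f=$root/usr/local/bin/$b
        if [ ! -x "$f" ]; then
            flag "/usr/local/bin/$b missing or not executable"
        elif [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            flag "/usr/local/bin/$b is group- or world-writable"
        fi
    done
    return "$findings"
}

demo_tree() {   # constructed sample tree that mirrors the paths on this page
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/luwak/conf.d" "$t/var/lib/luwak/lib" "$t/var/log/luwak" "$t/usr/local/bin"
    for b in luwak-linux luwak-dev-linux; do
        : > "$t/usr/local/bin/$b"; chmod 755 "$t/usr/local/bin/$b"
    done
    echo "$t"
}

t=$(demo_tree)
audit_layout "$t" "$(id -u)" && echo "layout OK"
rm -rf "$t"
```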
Run under systemd
Create the systemd service file
/etc/systemd/system/luwak.service
[Unit]
Description=Luwak
After=syslog.target
After=network.target
[Service]
Type=simple
User=luwak
RestartSec=2s
Restart=always
WorkingDirectory=/var/lib/luwak/
# Production
# ExecStart=/usr/local/bin/luwak-linux -c /etc/luwak/luwak.yaml
# Development
ExecStart=/usr/local/bin/luwak-dev-linux -c /etc/luwak/luwak.yaml
[Install]
WantedBy=multi-user.target
Reload the systemd daemon configuration
systemctl daemon-reload
Enable start at boot
systemctl enable luwak
Start the service
systemctl start luwak
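Install with a package manager
Install with Docker
There are currently no plans to provide an official image, so you need to download the files manually
Directory layout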
/opt/docker/luwak
├── Dockerfile
├── compose.yaml
├── config
│ ├── conf.d
│ ├── license.txt
│ └── luwak.toml
├── lib
│ ├── asm.so
│ ├── luwak_dev.db
│ ├── luwak_sys.db
│ ├── node_lib
│ ├── node_modules
│ └── package.json
├── log
├── luwak-dev-linux
└── luwak-linux
The Dockerfile is as follows
/opt/docker/luwak/Dockerfile
FROM debian:stable-slim
RUN apt-get update && \
    apt-get install -y libssl-dev && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
Build the image, which installs libssl-dev on top of debian:stable-slim
cd /opt/docker/luwak
docker build -t luwak-service .
Configure compose.yaml
/opt/docker/luwak/compose.yaml
services:
  luwak_dev:
    image: luwak-service
    container_name: luwak_dev
    hostname: luwak_dev
    environment:
      # Optional setting
      # The database stores time data in the UTC time zone
      # Luwak parses and displays time data in the local time zone
      TZ: "Asia/Shanghai"
    ports:
      - "21000:21000"
      - "23000:23000"
    volumes:
      - ./config:/etc/luwak
      - ./log:/var/log/luwak
      - ./lib:/var/lib/luwak
      # Use luwak-dev-linux for development, luwak-linux for production
      - ./luwak-dev-linux:/usr/local/bin/luwak
    working_dir: /var/lib/luwak
    restart: always
    command: /usr/local/bin/luwak -c /etc/luwak/luwak.toml
Start and stop the containers
cd /opt/docker/luwak
docker compose up -d
docker compose down -v
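Additional notes
If network restrictions on the internal network prevent downloading official Docker images, export the image locally first, upload it, and then import it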
# docker save -o <path for generated tar file> <image name>
docker save -o luwak-service.tar luwak-service
# docker load -i <path to image tar file>
docker load -i luwak-service.tar
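Using a load balancer
When the API service is exposed externally in production, it must use HTTPS. Deploy HAProxy or Nginx in front of it and bind the TLS (SSL) certificate there.
HAProxy example
For reference only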
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
frontend http_front
    bind :443 ssl crt /etc/haproxy/certs/
    compression algo gzip
    compression type text/css text/html text/javascript text/plain application/javascript application/xml application/json
    default_backend not_found
    acl host_luwak_api hdr_beg(host) -i luwak-api.
    acl host_luwak_con hdr_beg(host) -i luwak-con.
    use_backend server_luwak_api if host_luwak_api
    use_backend server_luwak_con if host_luwak_con
backend server_luwak_api
    balance roundrobin
    server luwak_api 127.0.0.1:21000 check
backend server_luwak_con
    balance roundrobin
    server luwak_console 127.0.0.1:23000 check
backend not_found
    errorfile 403 /etc/haproxy/errors/403.http
Nginx example
For reference only
server {
    listen 80;
    listen [::]:80;
    server_name luwak-api.api.tech;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name luwak-api.api.tech;
    ssl_certificate certs/api.tech.crt;
    ssl_certificate_key certs/api.tech.key;
    index index.html;
    location / {
        proxy_pass http://localhost:21000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name luwak-con.api.tech;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name luwak-con.api.tech;
    ssl_certificate certs/api.tech.crt;
    ssl_certificate_key certs/api.tech.key;
    index index.html;
    location / {
        proxy_pass http://localhost:23000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
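Both reference configurations forward to ports 21000 and 23000 on the loopback address, while the compose.yaml earlier on this page publishes them as "21000:21000" and "23000:23000", which Docker binds on all interfaces, so the plain-HTTP ports stay reachable alongside the TLS front end. The following added example (not part of the Luwak documentation) lists such ports in a compose file. The names `exposed_ports` and `check_sample` are hypothetical, and both sample inputs are constructed.

```sh
#!/bin/sh
# Added example: print host ports that a compose file publishes on all
# interfaces. Handles the short "host:container" and "ip:host:container"
# forms only; the long mapping syntax and IPv6 literals are out of scope.

exposed_ports() {   # $1 = path to a compose file
    awk -v sq="'" '
        /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
        in_ports && (/^[ \t]*#/ || /^[ \t]*$/) { next }   # comment or blank
        in_ports && /^[ \t]*-/ {
            entry = $0
            sub(/^[ \t]*-[ \t]*/, "", entry)
            sub(/[ \t]*#.*$/, "", entry)             # trailing comment
            gsub("\"|" sq, "", entry)                # surrounding quotes
            sub(/\/(tcp|udp)$/, "", entry)
            n = split(entry, part, ":")
            if (n == 2) print part[1]                # no IP: all interfaces
            else if (n == 3 && part[1] != "127.0.0.1") print part[2]
            next
        }
        { in_ports = 0 }                             # any other key ends the list
    ' "$1"
}

check_sample() {    # run exposed_ports on compose text passed as $1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    exposed_ports "$tmp"
    rm -f "$tmp"
}

# Constructed samples: the ports block from this page, and a loopback-bound variant.
PAGE_PORTS='services:
  luwak_dev:
    ports:
      - "21000:21000"
      - "23000:23000"
    volumes:
      - ./config:/etc/luwak'
LOOPBACK_PORTS='services:
  luwak_dev:
    ports:
      - "127.0.0.1:21000:21000"
      - "127.0.0.1:23000:23000"'

echo "page compose.yaml exposes: $(check_sample "$PAGE_PORTS" | tr '\n' ' ')"
echo "loopback variant exposes: $(check_sample "$LOOPBACK_PORTS" | tr '\n' ' ')"
```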