Setting up CD via gitlab

At some point I started thinking about automating the deployment of my project. gitlab.com kindly provides all the tools for this, and I naturally decided to use it, working it out along the way and writing a small deploy script. In this article I share that experience with the community.

TL;DR

  1. Set up the VPS: disable root and password login, install dockerd, configure ufw
  2. Generate certificates for the server and the client: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Enable control of dockerd over a tcp socket: remove the -H fd:// option from the docker unit.
  3. Set the paths to the certificates in docker.json
  4. Register variables in the gitlab CI/CD settings holding the contents of the certificates. Write the .gitlab-ci.yml for the deployment.

I will show all examples on a Debian distribution.

Initial VPS setup

So you have bought an instance, say on DO. The first thing to do is to protect your server from the hostile outside world. I won't prove or demonstrate anything, I'll just show the /var/log/messages of my server:

[screenshot: excerpt from the server's /var/log/messages]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Enable the default policy: block all incoming connections, allow all outgoing ones:

ufw default deny incoming
ufw default allow outgoing

Important: don't forget to allow ssh connections:

ufw allow OpenSSH

The general syntax is: allow connections on a port with ufw allow 12345, where 12345 is the port number or a service name. Deny them with ufw deny 12345.

Enable the firewall:

ufw enable

Log out of the session and log back in over ssh.

Add a user, set a password for them, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, according to the plan, you should disable password login. To do this, copy your ssh key to the server:

ssh-copy-id scoty@<server-ip>

Replace the server IP with your own. Now try logging in as the user created earlier; you should no longer need to enter a password. Next, change the following in the sshd configuration:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Reload the sshd daemon:

sudo systemctl reload sshd

Now, if you or anyone else tries to log in with a password, including as root, it will fail (to refuse root logins outright, also set PermitRootLogin no in the same file).

After that we install dockerd. I won't describe the process here, since it keeps changing; follow the official link and go through the docker installation steps for your machine: https://docs.docker.com/install/linux/docker-ce/debian/

Generating certificates

To manage the docker daemon remotely, an encrypted TLS connection is required. For this you need certificates and a key, which you have to generate and transfer to your remote machine. Follow the steps given in the instructions on the official docker site: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. All generated *.pem files for the server, namely ca.pem, server.pem and key.pem, should be placed in the /etc/docker directory on the server.
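As an added example (not the article's code and not Docker's own tooling), here is a non-interactive version of the CA, server and client key generation that the linked Docker page walks through, producing the file layout the article uses: server/{ca,server,key}.pem for /etc/docker on the host and client/{ca,cert,key}.pem for the deploying client. It assumes openssl 1.1.1 or newer; the output directory, the host IP and the names docker-ca and gitlab-deployer are parameters and labels chosen for this example. The two points worth noticing are the subjectAltName, which must carry the IP the client actually connects to, and the extendedKeyUsage on each leaf certificate, which keeps a stolen client certificate from being presented as a server and vice versa.

```sh
#!/usr/bin/env sh
# Added example, not the article's or Docker's own code: generate a CA, a server certificate and
# a client certificate for dockerd TLS. Assumes openssl >= 1.1.1. Output directory and host IP
# are parameters; "docker-ca" and "gitlab-deployer" are just example subject names.
set -e

# make_docker_certs OUT_DIR HOST_IP [DAYS]
make_docker_certs() {
  out=$1; host_ip=$2; days=${3:-365}
  mkdir -p "$out/server" "$out/client"
  # Minimal req config so the commands do not depend on the system openssl.cnf;
  # the v3_ca section marks the root as a CA that may only sign certificates.
  cat > "$out/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

  # 1. CA key and self-signed CA certificate
  openssl genrsa -out "$out/ca-key.pem" 4096 2>/dev/null
  openssl req -new -x509 -days "$days" -sha256 -config "$out/req.cnf" -extensions v3_ca \
    -key "$out/ca-key.pem" -subj "/CN=docker-ca" -out "$out/server/ca.pem"

  # 2. Server key and certificate: the SAN must contain the IP the client connects to,
  #    and extendedKeyUsage restricts this certificate to the server role.
  openssl genrsa -out "$out/server/key.pem" 4096 2>/dev/null
  openssl req -new -sha256 -config "$out/req.cnf" -key "$out/server/key.pem" \
    -subj "/CN=$host_ip" -out "$out/server.csr"
  printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$host_ip" \
    > "$out/server-ext.cnf"
  openssl x509 -req -days "$days" -sha256 -in "$out/server.csr" \
    -CA "$out/server/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
    -extfile "$out/server-ext.cnf" -out "$out/server/server.pem" 2>/dev/null

  # 3. Client key and certificate, restricted to the client role.
  openssl genrsa -out "$out/client/key.pem" 4096 2>/dev/null
  openssl req -new -sha256 -config "$out/req.cnf" -key "$out/client/key.pem" \
    -subj "/CN=gitlab-deployer" -out "$out/client.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$out/client-ext.cnf"
  openssl x509 -req -days "$days" -sha256 -in "$out/client.csr" \
    -CA "$out/server/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
    -extfile "$out/client-ext.cnf" -out "$out/client/cert.pem" 2>/dev/null
  cp "$out/server/ca.pem" "$out/client/ca.pem"

  # Private keys readable by their owner only; drop the intermediate files.
  chmod 400 "$out/ca-key.pem" "$out/server/key.pem" "$out/client/key.pem"
  rm -f "$out/server.csr" "$out/client.csr" "$out/server-ext.cnf" "$out/client-ext.cnf" \
    "$out/req.cnf" "$out/server/ca.srl"
}

# check_cert CA_PEM CERT_PEM PURPOSE: succeeds only if CERT chains to CA and is valid for
# PURPOSE (sslserver or sslclient), i.e. its extendedKeyUsage matches the intended role.
check_cert() {
  openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage (writes into ./docker-tls; the IP is the deploy host from this article):
#   make_docker_certs ./docker-tls 185.241.52.28
#   check_cert ./docker-tls/server/ca.pem ./docker-tls/server/server.pem sslserver && echo "server cert ok"
```

Copy the server/ directory to /etc/docker on the host (renaming server.pem and key.pem as the daemon config expects) and keep client/ for the deploying side; ca-key.pem stays offline, it is only needed to issue further certificates. check_cert doubles as a pre-flight test: a client certificate that verifies for sslserver would mean the extendedKeyUsage was not applied.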

Docker configuration

In the docker daemon's startup unit, remove the -H fd:// option; this option tells the docker daemon which socket it accepts control connections on, and dockerd refuses to start when hosts are given both on the command line and in the configuration file. On systemd the cleaner way to change ExecStart is a drop-in override (systemctl edit docker), since a package upgrade overwrites the unit shipped in /lib/systemd/system, but the edit itself is the same:

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, create the daemon configuration file if it does not exist and set the options. Note that dockerd reads /etc/docker/daemon.json by default; a file named docker.json is only used if you point dockerd at it with the --config-file flag:

/etc/docker/docker.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Allow connections on port 2376:

sudo ufw allow 2376

Restart dockerd with the new settings:

sudo systemctl daemon-reload && sudo systemctl restart docker

Check it:

sudo systemctl status docker

If everything is green, docker is considered successfully configured on the server.

Setting up continuous delivery on gitlab

For the gitlab worker to be able to execute commands on the remote docker host, you need to decide how and where to store the certificates and key for the encrypted connection to dockerd. I solved this by simply writing them into variables in the gitlab settings:

[screenshot: CI/CD variables in the gitlab project settings]

Just print the contents of the certificates and key with cat (cat ca.pem, and so on) and copy-paste them into the corresponding variables. Mark the variables as protected so that they are only exposed to pipelines running on protected branches and tags.

Let's write the deploy script for gitlab. The docker-in-docker (dind) image will be used. Note that docker:dind images from 19.03 onward enable TLS by default and only serve the plain port 2375 when the DOCKER_TLS_CERTDIR variable is set to an empty string; the job below assumes the older behaviour.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works under dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here

Contents of the deploy script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Fail immediately if any command errors
set -e
# Print each line as it is executed
set -v

# Compose file describing the application
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the gitlab worker
DOCKER_CERT_PATH=/root/.docker

# check that everything we need is present in the container
docker info
docker-compose version

# create the path (right now we are working in the client, the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# extract the contents of the variables, removing the stray CR characters added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# just in case, make them read-only for the owner
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"

# from here on we work with the remote docker daemon. The deployment itself
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# check that the connection succeeds
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  ps

# log in to the docker registry; you can specify your own "local" registry here
# (password passed on stdin so that it does not show up in the process list)
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  pull app
# bring the application up
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  up -d app

The main problem was "extracting" the contents of the certificates in their normal form from the gitlab CI/CD variables. I could not understand why the connection to the remote host was not working. I looked at the sudo journalctl -u docker log on the host, and there was a handshake error. I decided to look at what was actually stored in the variables; you can see it with cat -A $DOCKER_CERT_PATH/key.pem. The error was fixed by adding removal of the control character with tr -d '\r'.
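The handshake error above is the symptom of a malformed PEM file, and it is far cheaper to catch that on the worker before docker ever talks to the host. The following added example (not part of the article's deploy script) writes a CI variable to disk the way deploy.sh does, strips only the carriage returns, and checks the result; the SAMPLE_CA_PEM value is constructed to mimic what the gitlab web form stores (CRLF line endings) and is filler, not a real certificate. The helper names write_pem, pem_ok and count_cr are this example's own.

```sh
#!/usr/bin/env sh
# Added example, not the article's script: write a PEM taken from a CI/CD variable to disk
# safely and check it before docker tries to use it. The sample value below is constructed.
set -e

# count_cr FILE: number of carriage-return characters in FILE, printed on stdout
count_cr() {
  tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# write_pem VALUE DEST: strip \r only (NOT the letter r: `tr -d r` would corrupt the
# base64 body and the BEGIN/END lines), create the file owner-readable, keep a trailing
# newline so the END line is terminated
write_pem() {
  ( umask 077; printf '%s\n' "$1" | tr -d '\r' > "$2" )
  chmod 400 "$2"
}

# pem_ok FILE: succeeds when FILE starts with a BEGIN line, ends with an END line and
# contains no carriage returns; a failing check here reads much better in the job log
# than the TLS handshake error dockerd would otherwise write to its journal
pem_ok() {
  head -n 1 "$1" | grep -q '^-----BEGIN ' &&
  tail -n 1 "$1" | grep -q '^-----END ' &&
  [ "$(count_cr "$1")" -eq 0 ]
}

# Constructed sample: a PEM-shaped value with CRLF endings, as pasted into a CI variable.
# The body is filler text, not real certificate data.
SAMPLE_CA_PEM=$(printf -- '-----BEGIN CERTIFICATE-----\r\nMIIBc29tZSBmaWxsZXIgdGV4dA==\r\n-----END CERTIFICATE-----\r\n')

# Usage, mirroring the deploy script (assumes $CA_PEM is set by the CI job):
#   write_pem "$CA_PEM" /root/.docker/ca.pem
#   pem_ok /root/.docker/ca.pem || { echo "ca.pem is malformed" >&2; exit 1; }
```

Running pem_ok on each of the three files right after writing them turns the silent handshake failure into an explicit job failure with a clear message, and the umask inside write_pem avoids the brief window in which the key would be world-readable before chmod runs.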

Beyond that, you can add post-release actions to the script as you see fit. A working version can be found in my repository: https://gitlab.com/isqad/gitlab-ci-cd

Source: www.habr.com
