Kuv ib zaug xav txog automating kev xa tawm ntawm kuv qhov project. gitlab.com ua siab zoo muab tag nrho cov cuab yeej rau qhov no, thiab tau kawg kuv txiav txim siab coj kom zoo dua ntawm nws, xam nws tawm thiab sau ntawv me me xa mus. Hauv tsab xov xwm no kuv qhia kuv qhov kev paub dhau los rau cov zej zog.
TL; DR
- Teem VPS: lov tes taw hauv paus, nkag mus nrog tus password, nruab dockerd, teeb tsa ufw
- Tsim daim ntawv pov thawj rau server thiab cov neeg siv khoom Pab kom dockerd tswj ntawm tcp socket: tshem tawm -H fd: // kev xaiv los ntawm docker config.
- Sau npe mus rau daim ntawv pov thawj hauv docker.json
- Sau npe nyob rau hauv gitlab variables nyob rau hauv CI / CD teeb tsa nrog cov ntsiab lus ntawm daim ntawv pov thawj. Sau ib tsab ntawv .gitlab-ci.yml rau kev xa tawm.
Kuv yuav qhia tag nrho cov piv txwv ntawm Debian kev faib tawm.
Thawj VPS teeb tsa
Yog li koj yuav ib qho piv txwv ntawm , thawj qhov koj yuav tsum tau ua yog tiv thaiv koj lub server los ntawm kev ua phem rau sab nraud. Kuv yuav tsis ua pov thawj lossis lees paub dab tsi, Kuv tsuas yog qhia lub cav /var/log/messages ntawm kuv lub server virtual:
Cov Vijtsam
Ua ntej, nruab ufw firewall:
apt-get update && apt-get install ufwCia peb tso cai rau lub neej ntawd txoj cai: thaiv txhua qhov kev sib txuas nkag, tso cai rau txhua qhov kev sib txuas:
ufw default deny incoming
ufw default allow outgoingTseem ceeb: tsis txhob hnov ββββqab tso cai rau kev sib txuas ntawm ssh:
ufw allow OpenSSHCov syntax dav dav yog raws li hauv qab no: Tso cai rau kev sib txuas los ntawm chaw nres nkoj: ufw tso cai 12345, qhov twg 12345 yog tus lej chaw nres nkoj lossis lub npe ntawm qhov kev pabcuam. Tsis lees paub: ufw tsis lees paub 12345
Qhib lub firewall:
ufw enablePeb tawm ntawm qhov kev sib kho thiab nkag mus dua ntawm ssh.
Ntxiv ib tus neeg siv, muab nws tus password, thiab ntxiv nws mus rau pawg sudo.
apt-get install sudo
adduser scoty
usermod -aG sudo scotyTom ntej no, raws li txoj kev npaj, koj yuav tsum lov tes taw tus password nkag. Txhawm rau ua qhov no, luam koj tus yuam sij ssh mus rau lub server:
ssh-copy-id [email protected]Lub server ip yuav tsum yog koj li. Tam sim no sim nkag mus siv tus neeg siv koj tau tsim ua ntej; koj tsis tas yuav nkag mus rau tus password. Tom ntej no, hauv kev teeb tsa kev teeb tsa, hloov cov hauv qab no:
sudo nano /etc/ssh/sshd_configdisable password nkag mus:
PasswordAuthentication noRestart sshd daemon:
sudo systemctl reload sshdTam sim no yog tias koj lossis lwm tus neeg sim nkag mus ua tus neeg siv hauv paus, nws yuav tsis ua haujlwm.
Tom ntej no, nruab dockerd, Kuv yuav tsis piav qhia txog cov txheej txheem ntawm no, txij li txhua yam tuaj yeem hloov pauv, ua raws li qhov txuas mus rau lub vev xaib raug cai thiab mus dhau cov kauj ruam ntawm kev txhim kho docker ntawm koj lub tshuab virtual:
Tsim daim ntawv pov thawj
Txhawm rau tswj tus docker daemon nyob deb, yuav tsum muaj kev sib txuas TLS encrypted. Ua li no, koj yuav tsum muaj daim ntawv pov thawj thiab tus yuam sij, uas yuav tsum tau tsim thiab xa mus rau koj lub tshuab tej thaj chaw deb. Ua raws li cov kauj ruam tau muab hauv cov lus qhia ntawm lub vev xaib official docker: Tag nrho cov tsim tawm *.pem cov ntaub ntawv rau lub server, xws li ca.pem, server.pem, key.pem, yuav tsum muab tso rau hauv /etc/docker directory ntawm lub server.
Kev teeb tsa dockerd
Hauv docker daemon tso tsab ntawv, peb tshem tawm -H df: // kev xaiv, qhov kev xaiv no txiav txim siab seb tus tswv tsev twg lub docker daemon tuaj yeem tswj tau.
# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerdTom ntej no, koj yuav tsum tsim cov ntaub ntawv teeb tsa, yog tias nws tseem tsis tau muaj, thiab qhia cov kev xaiv:
/etc/docker/docker.json
{
"hosts": [
"unix:///var/run/docker.sock",
"tcp://0.0.0.0:2376"
],
"labels": [
"is-our-remote-engine=true"
],
"tls": true,
"tlscacert": "/etc/docker/ca.pem",
"tlscert": "/etc/docker/server.pem",
"tlskey": "/etc/docker/key.pem",
"tlsverify": true
}Cia peb tso cai rau kev sib txuas ntawm chaw nres nkoj 2376:
sudo ufw allow 2376Cia peb rov pib dockerd nrog cov chaw tshiab:
sudo systemctl daemon-reload && sudo systemctl restart dockerCia peb kuaj:
sudo systemctl status dockerYog tias txhua yam yog "ntsuab", ces peb xav tias peb tau ua tiav kev teeb tsa docker ntawm lub server.
Teeb tsa kev xa khoom tas mus li ntawm gitlab
Txhawm rau kom tus neeg ua haujlwm Gitalaba tuaj yeem ua tiav cov lus txib ntawm Docker tus tswv tsev nyob deb, nws yuav tsum txiav txim siab yuav ua li cas thiab qhov twg yuav khaws daim ntawv pov thawj thiab tus yuam sij rau kev sib txuas encrypted nrog Dockerd. Kuv tau daws qhov teeb meem no los ntawm kev ntxiv cov hauv qab no rau cov hloov pauv hauv gitlbab nqis:
Spoiler lub npe
Tsuas yog tso tawm cov ntsiab lus ntawm daim ntawv pov thawj thiab qhov tseem ceeb ntawm miv: cat ca.pem. Luam thiab muab tso rau hauv cov nqi sib txawv.
Wb sau tsab ntawv rau kev xa tawm ntawm GitLab. Daim duab docker-in-docker (dind) yuav raug siv.
.gitlab-ci.yml
image:
name: docker/compose:1.23.2
# ΠΏΠ΅ΡΠ΅ΠΏΠΈΡΠ΅ΠΌ entrypoint , ΡΡΠΎΠ±Ρ ΡΠ°Π±ΠΎΡΠ°Π»ΠΎ Π² dind
entrypoint: ["/bin/sh", "-c"]
variables:
DOCKER_HOST: tcp://docker:2375/
DOCKER_DRIVER: overlay2
services:
- docker:dind
stages:
- deploy
deploy:
stage: deploy
script:
- bin/deploy.sh # ΡΠΊΡΠΈΠΏΡ Π΄Π΅ΠΏΠ»ΠΎΡ ΡΡΡ
Cov ntsiab lus ntawm cov ntawv xa mus nrog cov lus pom:
bin/deploy.sh
#!/usr/bin/env sh
# ΠΠ°Π΄Π°Π΅ΠΌ ΡΡΠ°Π·Ρ, Π΅ΡΠ»ΠΈ Π²ΠΎΠ·Π½ΠΈΠΊΠ»ΠΈ ΠΊΠ°ΠΊΠΈΠ΅-ΡΠΎ ΠΎΡΠΈΠ±ΠΊΠΈ
set -e
# ΠΡΠ²ΠΎΠ΄ΠΈΠΌ, ΡΠΎ , ΡΡΠΎ Π΄Π΅Π»Π°Π΅ΠΌ
set -v
#
DOCKER_COMPOSE_FILE=docker-compose.yml
# ΠΡΠ΄Π° Π΄Π΅ΠΏΠ»ΠΎΠΈΠΌ
DEPLOY_HOST=185.241.52.28
# ΠΡΡΡ Π΄Π»Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠΎΠ² ΠΊΠ»ΠΈΠ΅Π½ΡΠ°, ΡΠΎ Π΅ΡΡΡ Π² Π½Π°ΡΠ΅ΠΌ ΡΠ»ΡΡΠ°Π΅ - gitlab-Π²ΠΎΡΠΊΠ΅ΡΠ°
DOCKER_CERT_PATH=/root/.docker
# ΠΏΡΠΎΠ²Π΅ΡΠΈΠΌ, ΡΡΠΎ Π² ΠΊΠΎΠ½ΡΠ΅ΠΉΠ½Π΅ΡΠ΅ Π²ΡΠ΅ ΠΈΠΌΠ΅Π΅ΡΡΡ
docker info
docker-compose version
# ΡΠΎΠ·Π΄Π°Π΅ΠΌ ΠΏΡΡΡ (ΡΠ΅ΠΉΡΠ°Ρ ΡΠ°Π±ΠΎΡΠ°Π΅ΠΌ Π² ΠΊΠ»ΠΈΠ΅Π½ΡΠ΅ - Π²ΠΎΡΠΊΠ΅ΡΠ΅ gitlab'Π°)
mkdir $DOCKER_CERT_PATH
# ΠΈΠ·ΡΠΌΠ°Π΅ΠΌ ΡΠΎΠ΄Π΅ΡΠΆΠΈΠΌΠΎΠ΅ ΠΏΠ΅ΡΠ΅ΠΌΠ΅Π½Π½ΡΡ
, ΠΏΡΠΈ ΡΡΠΎΠΌ ΡΠ΄Π°Π»ΡΠ΅ΠΌ Π»ΠΈΡΠ½ΠΈΠ΅ ΡΠΈΠΌΠ²ΠΎΠ»Ρ Π΄ΠΎΠ±Π°Π²Π»Π΅Π½Π½ΡΠ΅ ΠΏΡΠΈ ΡΠΎΡ
ΡΠ°Π½Π΅Π½ΠΈΠΈ ΠΏΠ΅ΡΠ΅ΠΌΠ΅Π½Π½ΡΡ
.
echo "$CA_PEM" | tr -d 'r' > $DOCKER_CERT_PATH/ca.pem
echo "$CERT_PEM" | tr -d 'r' > $DOCKER_CERT_PATH/cert.pem
echo "$KEY_PEM" | tr -d 'r' > $DOCKER_CERT_PATH/key.pem
# Π½Π° Π²ΡΡΠΊΠΈΠΉ ΡΠ»ΡΡΠ°ΠΉ Π΄Π°Π΅ΠΌ ΡΠΎΠ»ΡΠΊΠΎ ΡΠΈΡΠ°ΡΡ
chmod 400 $DOCKER_CERT_PATH/ca.pem
chmod 400 $DOCKER_CERT_PATH/cert.pem
chmod 400 $DOCKER_CERT_PATH/key.pem
# Π΄Π°Π»Π΅Π΅ Π½Π°ΡΠΈΠ½Π°Π΅ΠΌ ΡΠΆΠ΅ ΡΠ°Π±ΠΎΡΠ°ΡΡ Ρ ΡΠ΄Π°Π»Π΅Π½Π½ΡΠΌ docker-Π΄Π΅ΠΌΠΎΠ½ΠΎΠΌ. Π‘ΠΎΠ±ΡΡΠ²Π΅Π½Π½ΠΎ, ΡΠ°ΠΌ Π΄Π΅ΠΏΠ»ΠΎΠΉ
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376
# ΠΏΡΠΎΠ²Π΅ΡΠΈΠΌ, ΡΡΠΎ ΠΊΠΎΠ½Π½Π΅ΠΊΡΠΈΡΡΡ Π²ΡΠ΅ ΡΡΠΏΠ΅ΡΠ½ΠΎ
docker-compose
-f $DOCKER_COMPOSE_FILE
ps
# Π»ΠΎΠ³ΠΈΠ½ΠΈΠΌΡΡ Π² docker-ΡΠ΅Π³ΠΈΡΡΡΠΈ, ΡΡΡ ΠΌΠΎΠΆΠ΅ΡΠ΅ ΡΠΊΠ°Π·Π°ΡΡ ΡΠ²ΠΎΠΉ "ΠΌΠ΅ΡΡΠ½ΡΠΉ" ΡΠ΅Π³ΠΈΡΡΡΠΈ
docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
docker-compose
-f $DOCKER_COMPOSE_FILE
pull app
# ΠΏΠΎΠ΄Π½ΠΈΠΌΠ°Π΅ΠΌ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠ΅
docker-compose
-f $DOCKER_COMPOSE_FILE
up -d app
Qhov teeb meem tseem ceeb yog "rub" cov ntsiab lus ntawm daim ntawv pov thawj hauv daim ntawv ib txwm los ntawm gitlab CI / CD hloov pauv. Kuv tsis tuaj yeem paub tias yog vim li cas qhov kev sib txuas mus rau lub chaw taws teeb tswj tsis ua haujlwm. Ntawm tus tswv tsev kuv ntsia lub log sudo journalctl -u docker, muaj qhov yuam kev thaum tuav tes. Kuv txiav txim siab saib qhov uas feem ntau khaws cia hauv qhov sib txawv; ua qhov no, koj tuaj yeem zoo li no: miv -A $DOCKER_CERT_PATH/key.pem. Kuv kov yeej qhov yuam kev los ntawm kev ntxiv qhov kev tshem tawm ntawm lub carriage cim tr -d 'r'.
Tom ntej no, koj tuaj yeem ntxiv cov haujlwm tom qab tso tawm rau tsab ntawv ntawm koj qhov kev txiav txim siab. Koj tuaj yeem saib cov haujlwm ua haujlwm hauv kuv qhov chaw cia khoom
Tau qhov twg los: www.hab.com