Setting up CD via GitLab

For a while I had been meaning to automate the deployment of my project. gitlab.com kindly provides all the tooling for this, and naturally I decided to use it, work it out, and write a short deployment script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root login and password login, install dockerd, configure ufw.
  2. Create certificates for the server and the client: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Enable control of dockerd over a tcp socket: remove the -H fd:// option from the docker configuration.
  3. Register the paths to the certificates in docker.json.
  4. Register the contents of the certificates as variables in the GitLab CI/CD settings. Write a .gitlab-ci.yml deployment script.

I will show all examples on a Debian distribution.

Initial VPS setup

So, you have bought an instance on DO. The first thing to do is to protect your server from the hostile outside world. I will not prove or claim anything; I will simply show the /var/log/messages log of my virtual server:

[screenshot: /var/log/messages from the virtual server]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Let's set the default policy: deny all incoming connections, allow all outgoing ones:

ufw default deny incoming
ufw default allow outgoing

Important: do not forget to allow connections over ssh:

ufw allow OpenSSH

The general syntax is as follows. Allow connections on a port: ufw allow 12345, where 12345 is a port number or a service name. Deny: ufw deny 12345.

Enable the firewall:

ufw enable

Log out of the session and log in again over ssh.

Add a user, give them a password, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, as planned, you need to disable password login. To do this, copy your ssh key to the server:

ssh-copy-id scoty@<your-server-ip>

The server IP must be your own. Now try logging in with the user you created earlier; you should no longer need to enter a password. Next, change the following in the sshd configuration:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Reload the sshd daemon:

sudo systemctl reload sshd

Now if you or anyone else tries to log in as the root user, it will not work.

Next, install dockerd. I will not describe the process here, since everything may change; follow the link to the official site and go through the docker installation procedure for your distribution: https://docs.docker.com/install/linux/docker-ce/debian/
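As an added example that is not part of the original post, here is a small POSIX shell helper that applies the sshd change above idempotently (plus the TL;DR's "disable root" as PermitRootLogin no). It handles the case where Debian ships the directive commented out, which a naive sed on the active line would miss, and validates the file with sshd -t before reloading. The function names set_sshd_option, sshd_option and harden_sshd are my own.

```shell
#!/usr/bin/env sh
# Added example, not part of the original post. Sets sshd_config directives
# idempotently: Debian ships "#PasswordAuthentication yes" commented out, so a
# naive sed on the active line changes nothing. Function names are my own.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite every active or commented KEY line
# (sshd honours the FIRST occurrence, so none may be left behind), else append.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file" > "$tmp"
        cat "$tmp" > "$file"   # keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_option FILE KEY: the value sshd would use, i.e. the first active line.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The post's step (no password login) plus the TL;DR's "disable root".
# Note: recent Debian has "Include /etc/ssh/sshd_config.d/*.conf" at the top
# of the file; a drop-in there would take precedence over these lines.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
}

# Only touch the real system when explicitly asked; validate before reloading.
if [ "${1:-}" = "--apply" ]; then
    harden_sshd /etc/ssh/sshd_config
    sshd -t && systemctl reload sshd
fi
```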

Creating certificates

To manage the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which must be generated and transferred to your remote machine. Follow the steps given in the instructions on the official docker site: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. All the *.pem files generated for the server, i.e. ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.

Setting up dockerd

In the docker daemon startup script we remove the -H fd:// option; this option determines from which host the docker daemon can be controlled.

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, create the configuration file, if it does not already exist, and describe the following options in it:

/etc/docker/docker.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Let's allow connections on port 2376:

sudo ufw allow 2376

Restart dockerd with the new configuration:

sudo systemctl daemon-reload && sudo systemctl restart docker

Let's check:

sudo systemctl status docker

If everything is "green", we consider docker correctly configured on the server.

Setting up continuous delivery in GitLab

For the GitLab worker to be able to execute commands on the remote Docker host, we need to decide how and where to store the certificate and key for the encrypted connection to dockerd. I solved this by adding the following to the variables in the GitLab settings:

[screenshot: GitLab CI/CD variables CA_PEM, CERT_PEM and KEY_PEM]

Just print the contents of the certificate and key with cat: cat ca.pem. Copy and paste the output into the variable's value.

Let's write the deployment script for GitLab. The docker-in-docker (dind) image will be used.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here

Contents of the deploy script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Fail immediately if any command errors
set -e
# Print each line as it is read
set -v

# Compose file to deploy
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the GitLab worker's
DOCKER_CERT_PATH=/root/.docker

# check that everything we need is present in the container
docker info
docker-compose version

# create the path (we are working in the client here, the GitLab worker)
mkdir -p $DOCKER_CERT_PATH
# extract the contents of the variables, stripping the stray carriage
# returns that were added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/ca.pem
echo "$CERT_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/cert.pem
echo "$KEY_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/key.pem
# just in case, make them read-only
chmod 400 $DOCKER_CERT_PATH/ca.pem
chmod 400 $DOCKER_CERT_PATH/cert.pem
chmod 400 $DOCKER_CERT_PATH/key.pem

# from here on we work with the remote docker daemon. The deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# check that we connect successfully
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  ps

# log in to the docker registry; you can point this at your own "local" registry
# (the password is passed on stdin so it never appears on the command line)
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  pull app
# bring the application up
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  up -d app

The main problem was "pulling" the contents of the certificates out of the GitLab CI/CD variables in a usable form. I could not work out why the connection to the remote host was not working. On the host I looked at the log with sudo journalctl -u docker; there was an error during the handshake. I decided to look at what is actually stored in the variables; to do that you can run something like cat -A $DOCKER_CERT_PATH/key.pem. I fixed the error by adding removal of the carriage-return character, tr -d '\r'.

Next, you can add whatever needs to happen after deployment to the script, as you see fit. You can see a working version in my repository: https://gitlab.com/isqad/gitlab-ci-cd
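As an added example that is not the post's own code, here is the certificate step of the deploy script above rewritten to check its own result, covering the CRLF problem just described: the pasted variable arrives with carriage returns, so the file is normalised and then verified before docker ever connects. The variable names CA_PEM, CERT_PEM, KEY_PEM and DOCKER_CERT_PATH are the post's; the functions count_cr, install_pem and prepare_docker_certs are my own.

```shell
#!/usr/bin/env sh
# Added example, not the post's own code. Materialises ca.pem, cert.pem and
# key.pem from the CI/CD variables the way bin/deploy.sh does, but checks the
# result: GitLab hands over the pasted value with CRLF line endings, which
# dockerd rejects at the TLS handshake. Function names are my own.
set -eu

# count_cr FILE: number of carriage returns; anything but 0 means still CRLF.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# install_pem LABEL CONTENT DEST: write CONTENT as an owner-read-only PEM file
# with CRs stripped; fail (return 1) if the result is not a PEM block at all,
# so a mispasted variable stops the job before docker ever connects.
install_pem() {
    label=$1; content=$2; dest=$3
    rm -f "$dest"                      # an earlier chmod 400 copy is unwritable
    printf '%s\n' "$content" | tr -d '\r' > "$dest"
    chmod 400 "$dest"
    if ! grep -q -- '-----BEGIN ' "$dest" || ! grep -q -- '-----END ' "$dest"; then
        echo "$label: not a PEM block, check the CI/CD variable" >&2
        return 1
    fi
}

# prepare_docker_certs: the deploy script's certificate step. DOCKER_CERT_PATH
# is where the docker CLI looks for the three files once DOCKER_TLS_VERIFY=1.
prepare_docker_certs() {
    dir=${DOCKER_CERT_PATH:-/root/.docker}
    mkdir -p "$dir"
    install_pem ca   "$CA_PEM"   "$dir/ca.pem"
    install_pem cert "$CERT_PEM" "$dir/cert.pem"
    install_pem key  "$KEY_PEM"  "$dir/key.pem"
    # When openssl is on the runner image, also catch a truncated paste and a
    # client cert that does not chain to the CA dockerd was configured with.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$dir/ca.pem"
        openssl pkey -noout -in "$dir/key.pem"
        openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem"
    fi
}
```

Run cat -A on the resulting files, as in the post, to confirm no ^M remains; count_cr gives the same answer as a number.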

Source: www.habr.com
