Introduction

Recently Kubernetes has been gaining popularity very quickly, and the number of projects adopting it keeps growing. I want to touch on an orchestrator like Nomad: it is ideal for projects that already use other HashiCorp solutions, such as Vault and Consul, and whose infrastructure is not complex in itself. This material covers installing Nomad, joining two nodes into a cluster, and integrating Nomad with Gitlab.

Test bench

A few words about the test bench: three virtual servers (2 CPU, 4 RAM, 50 Gb SSD), joined to a common local network, are used. Their names:
- nomad-livelinux-01
- nomad-livelinux-02
- consul-livelinux-01

Installing Nomad and Consul, creating a Nomad cluster

Let's start with the basic installation. The setup is simple, but I describe it for the sake of the article's completeness: it was essentially written from drafts and notes so that they could be found quickly when needed.

At this stage it is important to understand the future structure, so before moving on to practice I will describe the theoretical part.

We have two Nomad nodes that we want to join into one cluster; in the future we will also need the cluster to scale automatically, and for that we need Consul. With this tool, clustering and adding new nodes becomes a trivial task: a newly created Nomad node connects to the Consul agent and then to the existing Nomad cluster. So first we install the Consul server, set up basic HTTP authentication for its web panel (by default it has no authentication and is reachable on the external address) and the Consul agents themselves on the Nomad servers, and only then move on to Nomad.

Installing HashiCorp tools is very simple: essentially you move the binary into the bin directory, set up the tool's configuration file and create a service file.

Download the Consul binary and unpack it into the user's home directory:
root@consul-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# mv consul /usr/local/bin/
We now have a ready consul binary for further configuration.

To work with Consul, a unique key must be created with the keygen command:
root@consul-livelinux-01:~# consul keygen
Move on to the Consul configuration: create the directory /etc/consul.d/ with the following structure:
/etc/consul.d/
├── bootstrap
│   └── config.json
The bootstrap directory contains the configuration file config.json, in which the Consul settings are defined. Its contents:
{
  "bootstrap": true,
  "server": true,
  "datacenter": "dc1",
  "data_dir": "/var/consul",
  "encrypt": "your-key",
  "log_level": "INFO",
  "enable_syslog": true,
  "start_join": ["172.30.0.15"]
}
Let's look at the main directives and their meaning one by one:
- bootstrap: true. Allows new nodes to be added automatically when they connect. Note that we do not specify the exact number of expected nodes here.
- server: true. Enables server mode. For now Consul on this virtual machine will be the only server and master, and the Nomad VMs will be clients.
- datacenter: dc1. The name of the datacenter in which the cluster is created; it must be identical on clients and servers.
- encrypt: your-key. The gossip key, which must also be unique and must match on all clients and servers; it is generated with the consul keygen command.
- start_join. A list of IP addresses that the agent joins on startup. For now we leave only our own address.
At this point consul can be run from the command line:
root@consul-livelinux-01:~# /usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui
This is a fine way to debug right now, but for obvious reasons it cannot be used permanently. Let's create a service file to manage Consul via systemd:
root@consul-livelinux-01:~# nano /etc/systemd/system/consul.service
Contents of consul.service:
[Unit]
Description=Consul Startup process
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c '/usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui'
TimeoutStartSec=0
[Install]
WantedBy=default.target
Start Consul via systemctl:
root@consul-livelinux-01:~# systemctl start consul
Let's check: the service must be running, and the consul members command should show our server:
root@consul-livelinux:/etc/consul.d# consul members
consul-livelinux 172.30.0.15:8301 alive server 1.5.0 2 dc1 <all>
Next stage: install Nginx and set up the proxy and HTTP authentication. Install nginx from the package manager and create a configuration file consul.conf in the /etc/nginx/sites-enabled directory with the following contents:
upstream consul-auth {
    server localhost:8500;
}

server {
    server_name consul.domain.name;
    location / {
        proxy_pass http://consul-auth;
        proxy_set_header Host $host;
        auth_basic_user_file /etc/nginx/.htpasswd;
        auth_basic "Password-protected Area";
    }
}
Don't forget to create the .htpasswd file and generate a username and password for it. This step is needed so that the web panel is not available to everyone who knows the domain name. However, when setting up Gitlab you will have to drop it, otherwise the application cannot be deployed to Nomad. In my project both Gitlab and Nomad live only on the private network, so there is no such problem here. Basic authentication only protects the panel that nginx fronts: Consul's own HTTP API on port 8500 still answers without authentication to anything that can reach it, so it should stay bound to localhost (as above, where client_addr keeps its default of 127.0.0.1), and the nginx virtual host should be served over TLS, since basic-auth credentials travel in the clear.

On the remaining two servers, install the Consul agent following these instructions. Repeat the steps with the binary:
root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# mv consul /usr/local/bin/
As on the previous server, create a directory for the configuration files, /etc/consul.d, with the following structure:
/etc/consul.d/
└── client
    └── config.json
Contents of config.json (bind_addr is the local address of the VM, start_join is the remote address of the Consul server; JSON does not allow comments, so these notes stay out of the file):
{
  "datacenter": "dc1",
  "data_dir": "/opt/consul",
  "log_level": "DEBUG",
  "node_name": "nomad-livelinux-01",
  "server": false,
  "encrypt": "your-private-key",
  "domain": "livelinux",
  "addresses": {
    "dns": "127.0.0.1",
    "https": "0.0.0.0",
    "grpc": "127.0.0.1",
    "http": "127.0.0.1"
  },
  "bind_addr": "172.30.0.5",
  "start_join": ["172.30.0.15"],
  "ports": {
    "dns": 53
  }
}
Save the changes and move on to the service file and its contents:
/etc/systemd/system/consul.service:
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target
[Service]
User=root
Group=root
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/client
ExecReload=/usr/local/bin/consul reload
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
Start consul on the server. After startup, the configured node should appear in the consul members output as a client, which means it has successfully joined the cluster. Repeat the same on the second server, and after that we can begin installing and configuring Nomad.

A more detailed description of installing Nomad is in the official documentation. There are two traditional installation methods: downloading the binary and compiling from source. I choose the first.

Note: the project is developing very quickly and new updates come out often; a new version will probably be released by the time this article is finished. So before reading, I recommend checking the current version of Nomad and downloading it.
root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/nomad/0.9.1/nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# unzip nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# mv nomad /usr/local/bin/
root@nomad-livelinux-01:~# nomad -autocomplete-install
root@nomad-livelinux-01:~# complete -C /usr/local/bin/nomad nomad
root@nomad-livelinux-01:~# mkdir /etc/nomad.d
After unpacking we get a 65 MB Nomad binary, which must be moved to /usr/local/bin.
Let's create the data directory for Nomad and edit its service file (most likely it does not exist yet):
root@nomad-livelinux-01:~# mkdir --parents /opt/nomad
root@nomad-livelinux-01:~# nano /etc/systemd/system/nomad.service
Paste the following lines into it:
[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target
[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity
[Install]
WantedBy=multi-user.target
But we are in no hurry to start nomad: its configuration files are not created yet:
root@nomad-livelinux-01:~# mkdir --parents /etc/nomad.d
root@nomad-livelinux-01:~# chmod 700 /etc/nomad.d
root@nomad-livelinux-01:~# nano /etc/nomad.d/nomad.hcl
root@nomad-livelinux-01:~# nano /etc/nomad.d/server.hcl
The final directory structure will look like this:
/etc/nomad.d/
├── nomad.hcl
└── server.hcl
The nomad.hcl file must contain the following configuration:
datacenter = "dc1"
data_dir = "/opt/nomad"
Contents of server.hcl:
server {
  enabled          = true
  bootstrap_expect = 1
}

consul {
  address             = "127.0.0.1:8500"
  server_service_name = "nomad"
  client_service_name = "nomad-client"
  auto_advertise      = true
  server_auto_join    = true
  client_auto_join    = true
}

bind_addr = "127.0.0.1"

advertise {
  http = "172.30.0.5"
}

client {
  enabled = true
}
Don't forget to change the configuration file on the second server: the value of the http directive must be changed there.
The last thing at this stage is to configure Nginx for proxying and set up HTTP authentication. Contents of nomad.conf:
upstream nomad-auth {
    server 172.30.0.5:4646;
}

server {
    server_name nomad.domain.name;
    location / {
        proxy_pass http://nomad-auth;
        proxy_set_header Host $host;
        auth_basic_user_file /etc/nginx/.htpasswd;
        auth_basic "Password-protected Area";
    }
}
Now the web panel is reachable over the external network. Connect and go to the servers page:
Image 1. List of servers in the Nomad cluster
Both servers are shown correctly in the panel, and the same is visible in the output of the nomad node status command:
Image 2. Output of the nomad node status command
What about Consul? Let's take a look. Go to the nodes page of the Consul control panel:
Image 3. List of nodes in the Consul cluster
Now we have Nomad ready and working together with Consul. In the final stage we move on to the fun part: setting up delivery of Docker containers from Gitlab to Nomad, and also look at some of its other distinctive features.

Creating a Gitlab runner

To deploy Docker images to Nomad I use a separate runner with the Nomad binary inside (here, by the way, we can note another feature of HashiCorp applications: each of them is a single binary). Upload it to the runner directory. Let's create a simple Dockerfile with the following contents:
FROM alpine:3.9
RUN apk add --update --no-cache libc6-compat gettext
COPY nomad /usr/local/bin/nomad
In the same project, create .gitlab-ci.yml:
variables:
  DOCKER_IMAGE: nomad/nomad-deploy
  DOCKER_REGISTRY: registry.domain.name

stages:
  - build

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}
As a result, an image of the Nomad runner is available in the Gitlab registry, and we can now go straight to the project repository, create a pipeline and configure the nomad job for Nomad.

Project setup

Let's start with the job file for Nomad. My project in this article will be very primitive: it consists of a single task. The contents of .gitlab-ci will be as follows:
variables:
  NOMAD_ADDR: http://nomad.address.service:4646
  DOCKER_REGISTRY: registry.domain.name
  DOCKER_IMAGE: example/project

stages:
  - build
  - deploy

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad-runner/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${CI_COMMIT_SHORT_SHA}
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}

deploy:
  stage: deploy
  image: registry.example.com/nomad/nomad-runner:latest
  script:
    - envsubst '${CI_COMMIT_SHORT_SHA}' < project.nomad > job.nomad
    - cat job.nomad
    - nomad validate job.nomad
    - nomad plan job.nomad || if [ $? -eq 255 ]; then exit 255; else echo "success"; fi
    - nomad run job.nomad
  environment:
    name: production
  allow_failure: false
  when: manual
Here the deployment is triggered manually, but it can be configured to run on changes to the project directory. The pipeline consists of two stages: building the image and deploying it to nomad. In the first stage we build the Docker image and push it to the registry; in the second we launch our job in Nomad. The job file itself (project.nomad in the pipeline above):
job "monitoring-status" {
  datacenters = ["dc1"]

  migrate {
    max_parallel     = 3
    health_check     = "checks"
    min_healthy_time = "15s"
    healthy_deadline = "5m"
  }

  group "zhadan.ltd" {
    count = 1

    update {
      max_parallel      = 1
      min_healthy_time  = "30s"
      healthy_deadline  = "5m"
      progress_deadline = "10m"
      auto_revert       = true
    }

    task "service-monitoring" {
      driver = "docker"

      config {
        image      = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"
        force_pull = true

        auth {
          username = "gitlab_user"
          password = "gitlab_password"
        }

        port_map {
          http = 8000
        }
      }

      resources {
        network {
          port "http" {}
        }
      }
    }
  }
}
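The deploy stage above chains `nomad plan` and `nomad run` in one line and submits without version verification. The following is an added example (not part of the original article or pipeline) of the same step written out as functions: it keeps the exit-code contract of `nomad plan` (0 = no changes, 1 = changes, 255 = error) and, when there are changes, submits with the job modify index that plan printed, so a second pipeline that modified the job in the meantime is rejected by the server instead of silently overwritten. It assumes `nomad` is on PATH and NOMAD_ADDR is set, as in the .gitlab-ci.yml above.

```shell
#!/bin/sh
# Added example, not from the original article. Replaces the one-line
# "nomad plan ... || ..." step in the deploy stage with an explicit decision
# and a version-verified submission. Assumes `nomad` is on PATH and
# NOMAD_ADDR is exported, exactly as the pipeline above does.

# Map the exit status of `nomad plan` to what the pipeline should do.
plan_action() {
    case "$1" in
        0)   echo "noop" ;;   # nothing would change: skip the run
        1)   echo "run"  ;;   # allocations would change: submit the job
        *)   echo "fail" ;;   # 255 (plan error) or anything unexpected
    esac
}

# Extract the job modify index from plan output; Nomad prints a hint such as
#   nomad job run -check-index 23 job.nomad
# after a plan that would change something.
check_index_from_plan() {
    sed -n 's/.*-check-index \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Plan, decide, and submit with version verification. The last line printed
# is the action taken (noop/run/fail); the return code is non-zero on failure.
deploy_job() {
    job_file=$1
    rc=0
    plan_out=$(nomad plan "$job_file" 2>&1) || rc=$?
    printf '%s\n' "$plan_out"
    action=$(plan_action "$rc")
    case "$action" in
        noop) echo "noop"; return 0 ;;
        fail) echo "fail"; return 1 ;;
    esac
    idx=$(printf '%s\n' "$plan_out" | check_index_from_plan)
    if [ -z "$idx" ]; then
        echo "fail"; return 1     # changes reported but no index: refuse to guess
    fi
    # -check-index makes the server reject the submission if the job was
    # modified since this plan ran, which is what guards against racing deploys.
    if nomad job run -check-index "$idx" "$job_file"; then
        echo "run"; return 0
    fi
    echo "fail"; return 1
}
```

In the pipeline the three `nomad validate`/`plan`/`run` lines become `deploy_job job.nomad`, and a stale plan fails the job instead of clobbering a newer deployment.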
Note that I have a private registry, and to pull the Docker image successfully you have to log in to it. The best solution in this case is to put the login and password into Vault and integrate it with Nomad; Nomad supports Vault natively. But before that, let's install the policies Nomad needs into Vault itself; they can be downloaded:
# Download the policy and token role
$ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
$ curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L
# Write the policy to Vault
$ vault policy write nomad-server nomad-server-policy.hcl
# Create the token role with Vault
$ vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json
Now that the required policies are created, let's add the Vault integration to the task block of the job.nomad file:
vault {
  enabled = true
  address = "https://vault.domain.name:8200"
  token   = "token"
}
I use token authorization and write the token directly here; there is also an option to pass the token as a variable when starting the nomad agent. A token written into the job file ends up in the repository together with the job specification, so the variable at agent startup is the safer of the two:
$ VAULT_TOKEN=<token> nomad agent -config /path/to/config
Now keys from Vault can be used. The principle is simple: in the Nomad job we create a file that will store the values of the variables, for example:
template {
  data = <<EOH
{{ with secret "secrets/pipeline-keys" }}
REGISTRY_LOGIN="{{ .Data.REGISTRY_LOGIN }}"
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
{{ end }}
EOH
  destination = "secrets/service-name.env"
  env         = true
}
With this simple approach you can set up delivery of containers to the Nomad cluster and use it going forward. I must say I have a certain sympathy for Nomad: it suits small projects better, where Kubernetes would add complexity without realizing its full potential. Moreover, Nomad is ideal for beginners: it is easy to install and configure. However, when testing it on some projects I ran into problems with the early versions: many basic features are simply missing or do not work correctly. But I believe Nomad will continue to develop and in the future will gain the functionality everyone needs.

Author: Ilya Andreev; edited by Alexey Zhadan and the Live Linux team
Source: habr.com