At some point I decided to automate my work. gitlab.com provides all the tools for this, so of course I decided to take advantage of it, figure it out and write a small deployment script. In this article I share my experience with the community.
TL;DR
- Set up the VPS: disable root and password logins, install dockerd, configure ufw
- Generate server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
- Enable control of dockerd over a tcp socket: remove the -H fd:// option from the docker config
- Write the paths to the certificates into docker.json
- Put the contents of the certificates into variables in the gitlab CI/CD settings. Write the .gitlab-ci.yml script for the deployment.
I will show all the examples on a Debian distribution.
Initial VPS setup
So, you have bought an instance, for example at
MALANGI
First of all, install the ufw firewall:
apt-get update && apt-get install ufw
Let's set the default policy: deny all incoming connections, allow all outgoing ones:
ufw default deny incoming
ufw default allow outgoing
Important: don't forget to allow connections over ssh:
ufw allow OpenSSH
The whole syntax looks like this. Allow connections to a port: ufw allow 12345, where 12345 is the port number or the service name. Deny: ufw deny 12345
Enable the firewall:
ufw enable
We log out of the session and log in again over ssh.
Add a user, give them a password, and add them to the sudo group.
apt-get install sudo
adduser scoty
usermod -aG sudo scoty
Next, according to the plan, password login has to be disabled. To do this, copy your ssh key to the server (the placeholder stands for your server's IP):
ssh-copy-id scoty@<your-server-ip>
The server IP must be your own. Now try logging in as the user you created earlier; you should no longer be asked for a password. Then, in the daemon settings, change this:
sudo nano /etc/ssh/sshd_config
disable password login:
PasswordAuthentication no
Restart the sshd daemon:
sudo systemctl reload sshd
Now if you or anyone else tries to log in as root, it won't work.
Next, install dockerd. I won't describe that process here, since it may change; follow the link to the official site and go through the docker installation steps for your particular system:
Generating certificates
To manage the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which have to be generated and transferred to your remote machine. Follow the instructions on the official docker site:
Configuring dockerd
In the docker daemon launch script we remove the -H fd:// option; this option determines where the docker daemon can be controlled from.
# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Next, create the configuration file, if it does not exist yet, and specify the settings:
/etc/docker/docker.json
{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}
Let's allow connections on port 2376:
sudo ufw allow 2376
Let's restart dockerd with the new settings:
sudo systemctl daemon-reload && sudo systemctl restart docker
Let's check:
sudo systemctl status docker
If everything is "green", we consider docker on the server to be configured correctly.
Setting up continuous deployment on gitlab
For the GitLab worker to be able to run commands against the remote Docker instance, you have to decide how to store the certificates and the key used to connect to dockerd. I solved this by simply adding the following to the gitlab variables:
Just print the contents of the certificates and the key with cat, e.g. cat ca.pem, then copy and paste them into the variables.
Let's write the script for the deployment through GitLab. The docker-in-docker (dind) image will be used.
.gitlab-ci.yml
image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]
variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
services:
  - docker:dind
stages:
  - deploy
deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script lives here
The contents of the deployment script, with comments:
bin/deploy.sh
#!/usr/bin/env sh
# Abort immediately if any command fails
set -e
# Print the shell input lines as they are read
set -v

DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, in our case on the gitlab worker;
# exported because the docker CLI reads DOCKER_CERT_PATH from the environment
export DOCKER_CERT_PATH=/root/.docker
# check that everything needed is present in the container
docker info
docker-compose version
# create the directory (we are still inside the client, i.e. the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# take the contents of the variables, removing the extra carriage-return
# characters that were added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# just in case, make the files read-only for the owner
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"
# from here on we talk to the remote docker daemon: the deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376
# check that the connection succeeds
docker-compose -f "$DOCKER_COMPOSE_FILE" ps
# log in to the docker registry; you can point this at your own "local" registry
# (the password is passed on stdin so it does not show up in the process list)
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin
docker-compose -f "$DOCKER_COMPOSE_FILE" pull app
# bring the application up
docker-compose -f "$DOCKER_COMPOSE_FILE" up -d app
The main difficulty was getting the contents of the certificates out of the gitlab CI/CD variables in their normal form. I couldn't understand why the connection to the remote host wasn't working. On the host I looked at the log with sudo journalctl -u docker; there was a handshake error. I decided to look at what is actually stored in the variables; you can do that like this: cat -A $DOCKER_CERT_PATH/key.pem. I fixed the error by adding removal of the carriage return character: tr -d '\r'.
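A small shell helper, added here as an example and not part of the original article, that does what the deploy script above does by hand: it writes a PEM received through a CI/CD variable with the carriage returns stripped, locks the file down before the secret lands in it, and fails if the result still contains CR bytes or has no BEGIN/END markers. The function names and the sample certificate body are constructed for the example; the sample is not a real certificate.

```sh
#!/usr/bin/env sh
# Added example, not from the original article: write a PEM that arrived via a
# GitLab CI/CD variable, stripping the carriage returns the variable editor may
# have added, and refuse to go on if the result still does not look like a PEM.

# count_cr FILE -> number of carriage-return bytes in FILE
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# pem_is_clean FILE -> 0 if FILE has no CR bytes and carries BEGIN/END markers
pem_is_clean() {
    [ "$(count_cr "$1")" -eq 0 ] || return 1
    grep -q '^-----BEGIN ' "$1" || return 1
    grep -q '^-----END ' "$1" || return 1
}

# write_pem CONTENT FILE -> writes FILE with mode 400; returns 1 on a bad PEM
write_pem() {
    content="$1"
    dest="$2"
    mkdir -p "$(dirname "$dest")"
    rm -f "$dest"
    : > "$dest"            # create the file empty and lock it down first,
    chmod 600 "$dest"      # so the key never exists with a wide mode
    printf '%s\n' "$content" | tr -d '\r' > "$dest"
    chmod 400 "$dest"
    pem_is_clean "$dest"
}

# Constructed sample: a fake certificate with CRLF line endings, the shape in
# which the pasted value came back out of the CI/CD variable in the article.
SAMPLE_CRLF=$(printf -- '-----BEGIN CERTIFICATE-----\r\nQUJDREVGR0hJSktMTU5PUA==\r\n-----END CERTIFICATE-----\r\n')

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CRLF" > "$tmp/raw.pem"
    echo "CR bytes before cleaning: $(count_cr "$tmp/raw.pem")"
    if write_pem "$SAMPLE_CRLF" "$tmp/ca.pem"; then
        echo "ca.pem: $(count_cr "$tmp/ca.pem") CR bytes, mode $(ls -l "$tmp/ca.pem" | cut -c1-10)"
    else
        echo "ca.pem rejected: not a clean PEM" >&2
    fi
    rm -rf "$tmp"
}

demo
```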
After that you can add whatever post-deployment tasks you need. You can see a working configuration in my repository
Source: www.habr.com