Setting up CD via gitlab

One day I decided to automate my work. gitlab.com provides all the tools for this, and of course I decided to take advantage of them, figure them out and write a small deployment script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root login and password login, install dockerd, configure ufw
  2. Create server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Enable control of dockerd over a tcp socket: remove the -H fd:// option from the docker config.
  3. Write the paths to the certificates in docker.json
  4. Register the contents of the certificates as variables in the gitlab CI/CD settings. Write the .gitlab-ci.yml script for the deployment.

I will show all the examples on a Debian distribution.

Initial VPS setup

So you bought an instance, say on DO; the first thing you need to do is protect your server from the hostile outside world. I won't prove or argue anything, I'll just show the /var/log/messages log from my real server:

[Spoiler: screenshot of /var/log/messages]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Let's set the default policy: deny all incoming connections, allow all outgoing ones:

ufw default deny incoming
ufw default allow outgoing

Important: don't forget to allow connections over ssh:

ufw allow OpenSSH

All rules look like this. Allow connections to a port: ufw allow 12345, where 12345 is the port number or the service name. Deny: ufw deny 12345

Enable the firewall:

ufw enable

Log out of the session and log in again over ssh.

Add a user, give them a password, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, according to the plan, you need to disable password login. To do this, copy your ssh key to the server:

ssh-copy-id scoty@SERVER_IP

SERVER_IP is a placeholder: the server IP must be your own. Now try to log in with the user you just created; you should no longer have to enter a password. Then change the following in the sshd settings:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Reload the sshd daemon:

sudo systemctl reload sshd

Now if you or anyone else tries to log in as root, it won't work.

Next, install dockerd. I won't describe the process here, since everything may change; follow the link to the official site and go through the steps for installing docker on your particular machine: https://docs.docker.com/install/linux/docker-ce/debian/

Creating the certificates

To manage the docker daemon remotely, a secure TLS connection is required. For that you need a certificate and a key, which must be generated and transferred to your remote machine. Follow the instructions on the official docker site: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl All the generated *.pem files for the server, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.

Configuring dockerd

In the docker daemon launch script, remove the -H fd:// option; this option determines where the docker daemon can be controlled from.

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Then you need to create the configuration file, if it doesn't exist yet, and specify the settings in it:

/etc/docker/docker.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Let's allow connections on port 2376:

sudo ufw allow 2376

Let's restart dockerd with the new settings:

sudo systemctl daemon-reload && sudo systemctl restart docker

Let's check:

sudo systemctl status docker

If everything is "green", we consider docker on the server to be configured correctly.

Setting up continuous deployment on gitlab

For the GitLab worker to be able to run commands on the remote Docker instance, you have to decide how to store the certificates and the key for connecting to dockerd. I solved this simply by adding the following to the gitlab variables:

[Spoiler: screenshot of the GitLab CI/CD variables; the deploy script below reads them as CA_PEM, CERT_PEM, KEY_PEM, DOCKER_USER and DOCKER_PASSWORD]

Just print the contents of the certificate and the key with cat: cat ca.pem. Copy and paste them into the variables.

Let's write the deployment script for GitLab. The docker-in-docker (dind) image will be used.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script is here

The contents of the deployment script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Fail immediately if any command errors
set -e
# Print each line of the script as it is read
set -v

# Compose file to deploy
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the gitlab worker's
export DOCKER_CERT_PATH=/root/.docker

# Check that everything needed is present in the container
docker info
docker-compose version

# Create the path (we are now working in the client, the gitlab worker)
mkdir -p $DOCKER_CERT_PATH
# Extract the contents of the variables, stripping the extra characters
# (carriage returns) that were added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/ca.pem
echo "$CERT_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/cert.pem
echo "$KEY_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/key.pem
# Just in case, make them owner-read-only
chmod 400 $DOCKER_CERT_PATH/ca.pem
chmod 400 $DOCKER_CERT_PATH/cert.pem
chmod 400 $DOCKER_CERT_PATH/key.pem

# From here on we work with the remote docker daemon. The deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# Check that the connection succeeds
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  ps

# Log in to the docker registry; you can specify your own "local" registry here
docker login -u $DOCKER_USER -p $DOCKER_PASSWORD

docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  pull app
# Bring up the application
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  up -d app

The main problem was "pulling" the contents of the certificates out of the gitlab CI/CD variables in their normal form. I could not understand why the connection to the remote host was not working. On the host I looked at the log with sudo journalctl -u docker; there was a handshake error. I decided to check what exactly is stored in the variables; you can look at it like this: cat -A $DOCKER_CERT_PATH/key.pem. I fixed the error by adding removal of the carriage return character with tr -d '\r'.
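The carriage-return problem described above, as an added example that is not part of the original article or the author's repository: a POSIX sh helper that strips the stray \r from a PEM variable, refuses to write a file that has no PEM markers, and checks the finished certificate directory before the docker client uses it. The function names are my own and the sample PEM body is constructed dummy data, not a real certificate.

```shell
#!/usr/bin/env sh
# Added example, not from the original article or the author's repository.
# Sanitises PEM material taken from GitLab CI/CD variables before the docker
# client reads it, covering the "\r" problem the article describes. POSIX sh only.

CR=$(printf '\r')

# Succeeds if stdin contains a carriage return: the ^M that "cat -A" shows.
has_cr() {
    grep -q "$CR"
}

# Write the contents of one variable ($1) to a PEM file ($2):
#  - strip every carriage return (the article's tr -d '\r')
#  - refuse anything without PEM BEGIN/END markers, so an empty or
#    misnamed variable fails the job here instead of at the TLS handshake
#  - create the file owner-read-only, as the article's chmod 400 does
write_pem() {
    clean=$(printf '%s\n' "$1" | tr -d '\r')
    case $clean in
        *"-----BEGIN "*"-----END "*) ;;
        *) echo "refusing to write $2: no PEM markers in variable" >&2; return 1 ;;
    esac
    umask 077
    printf '%s\n' "$clean" > "$2" && chmod 400 "$2"
}

# Check a finished certificate directory: the three files the docker client
# expects must exist, be non-empty and contain no stray carriage returns.
check_cert_dir() {
    for f in ca.pem cert.pem key.pem; do
        [ -s "$1/$f" ] || { echo "$1/$f missing or empty" >&2; return 1; }
        has_cr < "$1/$f" && { echo "$1/$f still contains \\r" >&2; return 1; }
    done
    return 0
}

# Constructed sample: what a variable pasted with CRLF line endings looks like.
# The base64 body is dummy data, not a real certificate.
SAMPLE_PEM=$(printf -- '-----BEGIN CERTIFICATE-----\r\nQUJDREVGR0g=\r\n-----END CERTIFICATE-----')

demo() {
    dir=$(mktemp -d)
    write_pem "$SAMPLE_PEM" "$dir/ca.pem"
    write_pem "$SAMPLE_PEM" "$dir/cert.pem"
    write_pem "$SAMPLE_PEM" "$dir/key.pem"
    check_cert_dir "$dir" && echo "cert dir $dir is clean"
}
demo
```

In the real job you would call write_pem once per variable in place of the three echo | tr lines and then run check_cert_dir before exporting DOCKER_HOST.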

After that you can add the deployment triggers you need. You can see the working example in my repository: https://gitlab.com/isqad/gitlab-ci-cd

Source: www.habr.com
