Setting up CD via GitLab

Have you ever thought about automating the deployment of your project? gitlab.com kindly provides all the tools for this, and naturally I decided to make good use of them: to figure it out and to write a small deploy script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root login, disable password login, install dockerd, configure ufw
  2. Create certificates for the server and the client: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl Enable control of the daemon via a tcp socket: remove the -H fd:// option from the startup options.
  3. Register the paths to the certificates in docker.json
  4. Register the certificate contents in the GitLab CI/CD variables. Write a .gitlab-ci.yml script for the deployment.

I will show all the examples on the Debian distribution.

Initial VPS setup

So, you have bought an instance at DO; the first thing you should do is protect your server from the hostile outside world. I won't prove or substantiate anything, I will just show the /var/log/messages log of my virtual server:

[screenshot: /var/log/messages of the server]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Let's set the default policy: block all incoming connections, allow all outgoing connections:

ufw default deny incoming
ufw default allow outgoing

Important: don't forget to allow connections via ssh:

ufw allow OpenSSH

The general syntax is as follows. To allow a connection on a port: ufw allow 12345, where 12345 is the port number or the service name. To deny: ufw deny 12345.

Turn on the firewall:

ufw enable

We log out of the session and log back in via ssh.

Add a user, give them a password, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, according to the plan, you need to disable password login. To do this, copy your ssh key to the server:

ssh-copy-id [email protected]

The server ip should be yours. Now try to log in using the user you created earlier; you should no longer need a password. Next, in the sshd settings, change the following:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Reload the sshd daemon:

sudo systemctl reload sshd

Now if you or anyone else tries to log in as the root user, it won't work.
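Before reloading sshd it is worth checking that the edit actually took effect. sshd uses the first uncommented value it finds for a keyword, so a "PasswordAuthentication no" appended at the end of the file is silently ignored when an earlier "PasswordAuthentication yes" is still present. The following audit script is an added example, not code from the original article; the function names and the sample config it builds are its own.

```sh
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config
# for password authentication before reloading sshd. sshd uses the FIRST
# uncommented value it finds for a keyword, so a "PasswordAuthentication no"
# appended at the end of the file is silently ignored when an earlier
# "PasswordAuthentication yes" is still present.

# Print the effective value of a keyword (first uncommented match wins,
# case-insensitive). Prints "yes" when the keyword is absent, which is
# sshd's own default for PasswordAuthentication.
sshd_effective() {
    keyword=$1
    file=$2
    value=$(grep -i "^[[:space:]]*${keyword}[[:space:]]" "$file" \
        | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${value:-yes}"
}

# Return 0 when password logins are effectively disabled, 1 otherwise.
password_auth_disabled() {
    [ "$(sshd_effective PasswordAuthentication "$1")" = "no" ]
}

# Demonstration on a constructed config (not a real server's file): the
# appended "no" does not win over the earlier "yes".
demo=$(mktemp)
printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$demo"
if password_auth_disabled "$demo"; then
    echo "password auth: disabled"
else
    echo "password auth: still enabled (first value wins)"
fi
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config before `systemctl reload sshd`; a non-zero exit from password_auth_disabled means the change would not be effective. Match blocks are not modelled here, so a config that re-enables passwords inside a Match block still needs a manual look.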

Next, install dockerd. I won't describe the process here, since everything may have changed by now; follow the link to the official site and go through the steps of installing docker on your virtual machine: https://docs.docker.com/install/linux/docker-ce/debian/

Creating certificates

To control the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which must be generated and delivered to your remote machine. Follow the steps given in the instructions on docker's official site: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl All the *.pem files generated for the server, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.

Configuring dockerd

In the docker daemon startup options, remove the -H fd:// option; this option determines who can control the docker daemon.

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, you need to create a config file, if it does not already exist, and specify the options:

/etc/docker/docker.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Let's allow connections on port 2376:

sudo ufw allow 2376

Let's restart dockerd with the new settings:

sudo systemctl daemon-reload && sudo systemctl restart docker

Let's check:

sudo systemctl status docker

If everything is "green", then we consider the daemon on the server to be configured correctly.
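The security of this whole setup rests on the three TLS keys in the config: a tcp:// listener with neither "tls" nor "tlsverify" hands root-equivalent control of the host to anyone who can reach the port, and "tls" without "tlsverify" encrypts the connection but accepts any client. The following audit is an added example, not part of the article or of Docker itself; it checks a config file with plain grep (no jq needed) and builds its own weak and hardened sample configs to demonstrate the difference.

```sh
#!/bin/sh
# Added example, not from the original article: a small audit of the docker
# daemon config before restarting the daemon. A tcp:// listener without
# "tls"/"tlsverify" hands root-equivalent control of the host to anyone who
# can reach the port, so the check fails on exactly that combination.

# Return 0 when the config lists a tcp:// host.
has_tcp_host() {
    grep -q '"tcp://' "$1"
}

# Return 0 when boolean key $1 is set to true in config file $2.
json_bool_true() {
    grep -q "\"$1\"[[:space:]]*:[[:space:]]*true" "$2"
}

# Print a verdict and return 0 only when remote access is mutually
# authenticated (or there is no TCP listener at all).
audit_docker_config() {
    file=$1
    if ! has_tcp_host "$file"; then
        echo "ok: no TCP listener in $file"
        return 0
    fi
    if ! json_bool_true tls "$file"; then
        echo "UNSAFE: tcp:// listener without tls in $file"
        return 1
    fi
    if ! json_bool_true tlsverify "$file"; then
        echo "UNSAFE: tls without tlsverify in $file (any client is accepted)"
        return 1
    fi
    echo "ok: TCP listener with mutual TLS in $file"
    return 0
}

# Demonstration on two constructed configs (not the article's files):
# the first exposes the daemon in the clear, the second matches the
# hardened layout shown in the article.
weak=$(mktemp); hardened=$(mktemp)
printf '{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }\n' > "$weak"
printf '{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],\n  "tls": true, "tlscacert": "/etc/docker/ca.pem",\n  "tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/key.pem",\n  "tlsverify": true }\n' > "$hardened"
audit_docker_config "$weak" || true
audit_docker_config "$hardened"
rm -f "$weak" "$hardened"
```

Run audit_docker_config on the config file before the `systemctl restart docker` step; combined with the ufw rule that only opens 2376, it gives a quick sanity check that the daemon is not reachable without a client certificate signed by your CA.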

Configuring continuous deployment on GitLab

For the GitLab worker to be able to execute commands on a remote Docker host, we need to decide how and where to store the certificate and key for the encrypted connection with dockerd. I solved this problem simply by adding the following to the variables in the GitLab settings:

[screenshot: CI/CD variables in the GitLab settings]

Just print the contents of the certificates and keys with cat: cat ca.pem. Copy and paste them into the variable values.

Let's write a script for deployment via GitLab. The docker-in-docker (dind) image will be used.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script is here

The contents of the deploy script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Exit immediately if any command fails
set -e
# Print each command as it is executed
set -v

# Compose file to deploy
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case those of the gitlab worker
DOCKER_CERT_PATH=/root/.docker

# Check that everything is present in the container
docker info
docker-compose version

# Create the path (right now we are working in the client, the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# Extract the contents of the variables, removing the stray carriage returns added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# Just in case, make them read-only
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"

# From here on we work with the remote docker daemon. The deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# Check that the connection succeeds
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  ps

# Log in to the docker registry; you can specify your own "local" registry here.
# The password is read from stdin rather than passed as an argument, so it does
# not appear in the process list or in the job log
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  pull app
# Bring the application up
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  up -d app

The main problem was "pulling" the certificate contents out of the GitLab CI/CD variables in a usable form. I couldn't figure out why the connection to the remote host wasn't working. On the host I looked at the log with sudo journalctl -u docker; there was an error during the handshake. I decided to look at what is actually stored in the variables; to do this, you can do something like this: cat -A $DOCKER_CERT_PATH/key.pem. I overcame the error by adding the removal of the carriage return, tr -d '\r'.
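The handshake failure described above is hard to diagnose because the daemon only reports a TLS error, not a mangled certificate. The following helper is an added example, not part of the article's deploy script: it writes a PEM taken from a CI variable to disk, strips the carriage returns that `cat -A` shows as ^M, and fails the job early when the cleaned text is not a PEM block. The variable and function names, and the sample certificate text it builds, are the example's own.

```sh
#!/bin/sh
# Added example, not part of the article's deploy script: take a PEM block
# from a CI variable, strip carriage returns (the ^M that `cat -A` shows),
# write it with owner-only permissions and refuse to continue when the
# result is not a PEM block. Variable and function names are the example's own.

# Count carriage-return characters in $1 (what `cat -A` prints as ^M).
count_cr() {
    printf '%s' "$1" | tr -cd '\r' | wc -c | tr -d ' '
}

# Write PEM text $2 to path $1 with CRs removed and mode 0400.
# Returns 1 when the cleaned text lacks BEGIN/END lines, so a mangled
# variable fails the job here instead of as an opaque TLS handshake error.
write_pem() {
    path=$1
    data=$2
    rm -f "$path"
    ( umask 077; printf '%s\n' "$data" | tr -d '\r' > "$path" )
    chmod 400 "$path"
    if ! grep -q '^-----BEGIN ' "$path" || ! grep -q '^-----END ' "$path"; then
        echo "error: $path does not contain a PEM block" >&2
        return 1
    fi
    return 0
}

# Demonstration with a constructed (not real) certificate pasted with CRLF
# line endings, as a browser form may save it.
CA_PEM_SAMPLE=$(printf '%b' '-----BEGIN CERTIFICATE-----\r\nMIIBxjCCAW\r\n-----END CERTIFICATE-----\r\n')
out=$(mktemp)
echo "carriage returns in variable: $(count_cr "$CA_PEM_SAMPLE")"
write_pem "$out" "$CA_PEM_SAMPLE"
echo "carriage returns on disk: $(count_cr "$(cat "$out")")"
rm -f "$out"
```

In the deploy script the three `echo ... | tr -d '\r' > ...` lines can be replaced by `write_pem "$DOCKER_CERT_PATH/ca.pem" "$CA_PEM"` and so on; because the script runs with `set -e`, a variable that was pasted incompletely stops the job before any command reaches the remote daemon.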

Next, you can add test jobs to the pipeline at your discretion. You can see the working pipeline in my repository https://gitlab.com/isqad/gitlab-ci-cd

source: www.habr.com
