CD setup via GitLab

I once thought about automating the deployment of my project. gitlab.com kindly provides all the tools for this, and of course I decided to use it, figuring things out along the way and writing a small deployment script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root and password login, install dockerd, configure ufw.
  2. Generate server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Enable control of dockerd over a tcp socket: remove the -H fd:// option from the docker config.
  3. Set the paths to the certificates in docker.json.
  4. Store the contents of the certificates in GitLab variables in the CI/CD settings. Write a .gitlab-ci.yml script for the deployment.

I will show all examples on the Debian distribution.

Initial VPS setup

So you have bought, say, a droplet on DO; the first thing to do is protect your server from the hostile outside world. I won't prove or argue anything, I'll just show the /var/log/message log of my virtual server:

[Screenshot: /var/log/message of the virtual server]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Set the default policy: deny all incoming connections, allow all outgoing connections:

ufw default deny incoming
ufw default allow outgoing

Important: don't forget to allow connections over ssh:

ufw allow OpenSSH

The general syntax is: allow connections on a port: ufw allow 12345, where 12345 is the port number or the service name. Deny: ufw deny 12345.

Turn on the firewall:

ufw enable

Log out of the session and log in again over ssh.

Add a user, give them a password, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, depending on your setup, you should disable password login. To do this, copy your ssh key to the server:

ssh-copy-id scoty@<server-ip>

The server ip must be your own. Now try logging in as the user you just created; you should no longer be asked for a password. Next, change the following in the sshd configuration:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Restart the sshd daemon:

sudo systemctl reload sshd

Now if you or anyone else tries to log in as root, it will fail.

Next, install dockerd. I won't describe how here, since everything may change; follow the link to the official website and go through the steps for installing docker on your particular machine: https://docs.docker.com/install/linux/docker-ce/debian/

Certificate generation

To control the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which you have to generate and transfer to your remote machine. Follow the steps given in the instructions on the official docker website: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. All generated *.pem files for the server, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.

docker setup

In the docker daemon startup unit, remove the -H fd:// option; this option tells the docker daemon which socket it can be controlled through, and it conflicts with the "hosts" setting in the config file below.

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, create the config file if it does not already exist and set the options (note that dockerd reads /etc/docker/daemon.json by default; a file with another name is only used if it is passed to dockerd with --config-file):

/etc/docker/docker.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Allow connections on port 2376:

sudo ufw allow 2376

Restart dockerd with the new settings:

sudo systemctl daemon-reload && sudo systemctl restart docker

Let's check:

sudo systemctl status docker

If everything is green, we can assume that docker has been configured successfully on the server.

Setting up continuous deployment on GitLab

For the GitLab worker to be able to run commands on the remote docker host, you have to decide how and where to store the certificates and the key for the encrypted connection to dockerd. I solved this by simply writing them into variables in the GitLab settings:

[Screenshot: CI/CD variables in the GitLab project settings]

Just print the contents of the certificates and the key with cat, e.g. cat ca.pem, then copy and paste them into the corresponding variables.

Now let's write the deployment script for GitLab. The docker-in-docker (dind) image will be used.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so that the image works inside dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here

The contents of the deployment script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Fail immediately if any command errors
set -e
# Print each line as it is read, so the job log shows what we do
set -v

# compose file to deploy
DOCKER_COMPOSE_FILE=docker-compose.yml
# where we deploy to
DEPLOY_HOST=185.241.52.28
# path for the client certificates, i.e. in our case on the gitlab worker;
# exported so the docker client picks it up regardless of $HOME
export DOCKER_CERT_PATH=/root/.docker

# check that everything is available in the container
docker info
docker-compose version

# create the path (we are now working in the client, the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# extract the contents of the variables, removing the carriage returns
# that were added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# just in case, make them read-only
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"

# from here on we work with the remote docker daemon: the deployment itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# check that the connection succeeds
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  ps

# log in to the docker registry (you can point this at your own registry);
# the password is passed on stdin so it does not appear in the process list
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  pull app
# bring up the application
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  up -d app

The main problem was "extracting" the certificate contents in their proper form from the GitLab CI/CD variables. I couldn't understand why the connection to the remote host wasn't working. I looked at the sudo journalctl -u docker log on the host: there was a handshake error. I decided to check what is actually stored in the variables; for this you can run cat -A $DOCKER_CERT_PATH/key.pem. The error was fixed by adding removal of the carriage return character: tr -d '\r'.
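The following is an added example, not code from the original article or its repository: helper functions for bin/deploy.sh that normalise PEM material taken from CI/CD variables (stripping the carriage returns that caused the handshake error) and verify the resulting files before the docker client is pointed at the remote daemon. The function names and the sample PEM data are constructed for illustration.

```shell
# Constructed sample: a variable pasted into GitLab with CRLF line endings.
# The base64 body is fake, not a real certificate.
SAMPLE_CRLF=$(printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBfakeCertBodyLine1' 'MIIBfakeCertBodyLine2' '-----END CERTIFICATE-----')

# Strip carriage returns and accept the result only if it is exactly one PEM
# block with BEGIN/END markers. Prints the cleaned PEM; returns 1 if unusable.
normalize_pem() {
    cleaned=$(printf '%s' "$1" | tr -d '\r')
    begins=$(printf '%s\n' "$cleaned" | grep -c '^-----BEGIN ' || true)
    ends=$(printf '%s\n' "$cleaned" | grep -c '^-----END ' || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 1
    printf '%s\n' "$cleaned"
}

# Write ca.pem, cert.pem and key.pem into directory $1 from the variable
# values $2 $3 $4, owner-read-only, refusing to continue if any is invalid.
install_client_certs() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    normalize_pem "$2" > "$dir/ca.pem"   || { echo "CA_PEM is not valid PEM" >&2; return 1; }
    normalize_pem "$3" > "$dir/cert.pem" || { echo "CERT_PEM is not valid PEM" >&2; return 1; }
    normalize_pem "$4" > "$dir/key.pem"  || { echo "KEY_PEM is not valid PEM" >&2; return 1; }
    chmod 400 "$dir/ca.pem" "$dir/cert.pem" "$dir/key.pem"
}

# Pre-flight check before exporting DOCKER_TLS_VERIFY/DOCKER_HOST: all three
# files exist, have mode 0400 and contain no stray carriage return.
check_cert_dir() {
    for f in ca.pem cert.pem key.pem; do
        [ -f "$1/$f" ] || return 1
        find "$1/$f" -perm 0400 | grep -q . || return 1
        ! grep -q "$(printf '\r')" "$1/$f" || return 1
    done
    return 0
}

# In the deploy job (CI/CD variables assumed to be CA_PEM, CERT_PEM, KEY_PEM):
# install_client_certs "$DOCKER_CERT_PATH" "$CA_PEM" "$CERT_PEM" "$KEY_PEM" \
#   && check_cert_dir "$DOCKER_CERT_PATH"
```

With this in place a malformed or CRLF-polluted variable fails the job with a clear message instead of an opaque TLS handshake error on the daemon side.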

Beyond this, you can add post-deployment tasks to the script as you see fit. You can see the working version in my repository: https://gitlab.com/isqad/gitlab-ci-cd

Source: www.habr.com
