I had been thinking about automating the deployment of my project. gitlab.com kindly provides all the tools for this, so naturally I decided to use it, figure it out, and write a small deploy script. In this article I share my experience with the community.
TL;DR
- Set up the VPS: disable root and password login, install dockerd, configure ufw
- Generate server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
- Enable control of dockerd over a TCP socket: remove the -H fd:// option from the docker config
- Set the paths to the certificates in docker.json
- Put the contents of the certificates into gitlab variables in the CI/CD settings
- Write the .gitlab-ci.yml deploy script
I will show all the examples on the Debian distribution.
Initial VPS setup
Say you have bought an instance, for example at
(screenshot)
First, install the ufw firewall:
apt-get update && apt-get install ufw
Set the default policy: deny all incoming connections, allow all outgoing ones:
ufw default deny incoming
ufw default allow outgoing
Important: do not forget to allow connections over ssh:
ufw allow OpenSSH
The general syntax is: to allow connections on a port, ufw allow 12345, where 12345 is the port number or a service name; to deny them, ufw deny 12345.
Enable the firewall:
ufw enable
Log out of the session and log back in over ssh.
Add a user, give them a password, and add them to the sudo group.
apt-get install sudo
adduser scoty
usermod -aG sudo scoty
Next, depending on your setup, you should disable password login. To do this, copy your ssh key to the server:
ssh-copy-id scoty@<server-ip>
The server IP must be your own. Now try logging in as the user you just created; you should no longer be asked for a password. Next, change the following in the sshd configuration:
sudo nano /etc/ssh/sshd_config
disable password login:
PasswordAuthentication no
Restart the sshd daemon:
sudo systemctl reload sshd
Now if you or anyone else tries to log in as root, it will fail.
Next, install dockerd. I will not describe the process here, since it may change; follow the link to the official website and go through the steps for installing docker on your particular machine:
Certificate generation
To control the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which you generate and copy to your remote machine. Follow the steps in the instructions on the official docker website:
Docker setup
In the docker daemon startup script, remove the -H fd:// option; this option tells the docker daemon which socket it can be controlled through.
# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Next, create the configuration file if it does not exist yet and set the options:
/etc/docker/docker.json
{
"hosts": [
"unix:///var/run/docker.sock",
"tcp://0.0.0.0:2376"
],
"labels": [
"is-our-remote-engine=true"
],
"tls": true,
"tlscacert": "/etc/docker/ca.pem",
"tlscert": "/etc/docker/server.pem",
"tlskey": "/etc/docker/key.pem",
"tlsverify": true
}
Allow connections on port 2376:
sudo ufw allow 2376
Restart dockerd with the new settings:
sudo systemctl daemon-reload && sudo systemctl restart docker
Let's check:
sudo systemctl status docker
If everything is green, we consider docker successfully configured on the server.
Setting up continuous deployment on gitlab
For the gitlab worker to run commands on the remote docker host, you have to decide how and where to store the certificate and key for the encrypted connection to dockerd. I solved this by simply putting them into variables in the gitlab settings:
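A sanity check for the daemon configuration above, added here as an example and not part of the original article: it rejects a config that exposes a tcp:// listener unless tls and tlsverify are both true and all three PEM paths are set, which is what stops anyone who can reach port 2376 from controlling the daemon. It is a line-oriented grep over the file rather than a JSON parser, so it assumes each key sits on a line in the usual "key": value form; the sample configs are constructed (the hardened one mirrors the docker.json above).

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a Docker daemon config before
# restarting dockerd. Rule: a tcp:// listener is acceptable only when "tls" and
# "tlsverify" are both true and all three PEM paths are set. 0 = safe, 1 = rejected.
check_docker_daemon_config() {
  cfg=$1
  [ -r "$cfg" ] || { echo "$cfg: cannot read" >&2; return 1; }
  # A daemon that only listens on the unix socket needs no TLS settings.
  grep -q '"tcp://' "$cfg" || return 0
  rc=0
  for key in tls tlsverify; do
    # "tls" alone only encrypts; "tlsverify" also demands a client certificate.
    if ! grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*true" "$cfg"; then
      echo "$cfg: \"$key\" must be true when a tcp:// host is configured" >&2
      rc=1
    fi
  done
  for key in tlscacert tlscert tlskey; do
    if ! grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"]+\"" "$cfg"; then
      echo "$cfg: \"$key\" is not set" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample configs: the article's hardened file plus two weak variants.
write_sample_configs() {
  cat > "$1/hardened.json" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tls": true,
  "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem", "tlsverify": true }
EOF
  # Plain TCP with no TLS: anyone who can reach the port controls the host.
  cat > "$1/plaintext.json" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
EOF
  # Encrypted but unauthenticated: "tlsverify" is missing.
  cat > "$1/no-verify.json" <<'EOF'
{ "hosts": ["tcp://0.0.0.0:2376"], "tls": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/key.pem" }
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_sample_configs "$SAMPLE_DIR"
for name in hardened plaintext no-verify; do
  check_docker_daemon_config "$SAMPLE_DIR/$name.json" 2>/dev/null && echo "$name.json: OK" || echo "$name.json: REJECTED"
done
```

Run it against /etc/docker/docker.json before the systemctl restart above; a rejected file prints the missing key on stderr.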
Just print the contents of the certificates and the key with cat: cat ca.pem. Copy and paste them into the corresponding variables.
Let's write the deployment script for gitlab. The docker-in-docker (dind) image will be used.
.gitlab-ci.yml
image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]
variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
services:
  - docker:dind
stages:
  - deploy
deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here
The deployment script itself, with comments:
bin/deploy.sh
#!/usr/bin/env sh
# Exit immediately if any error occurs
set -e
# Print what we are doing
set -v
#
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the gitlab worker
DOCKER_CERT_PATH=/root/.docker
# Check that everything is available in the container
docker info
docker-compose version
# Create the path (we are currently running in the client, the gitlab worker)
mkdir -p $DOCKER_CERT_PATH
# Extract the contents of the variables, removing the extra characters added when the variables were saved.
echo "$CA_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/ca.pem
echo "$CERT_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/cert.pem
echo "$KEY_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/key.pem
# Just in case, make them read-only
chmod 400 $DOCKER_CERT_PATH/ca.pem
chmod 400 $DOCKER_CERT_PATH/cert.pem
chmod 400 $DOCKER_CERT_PATH/key.pem
# From here on we work with the remote docker daemon. This is the deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376
# Check that the connection succeeds
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  ps
# Log in to the docker registry; you can specify your own "local" registry here
docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  pull app
# Bring up the application
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  up -d app
The main difficulty was "extracting" the certificate contents in their normal form from the gitlab CI/CD variables. I could not understand why the connection to the remote host was not working. I looked at the sudo journalctl -u docker log on the host, and there was a handshake error. I decided to look at what was actually stored in the variables; for this you can use cat -A $DOCKER_CERT_PATH/key.pem. The error was fixed by adding removal of the carriage return character: tr -d '\r'.
You can further add post-deployment tasks to the script as you see fit. You can see the working version in my repository
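The same extraction step, rewritten as a checked helper (an added example, not the article's bin/deploy.sh): it strips the carriage returns exactly as the fix above does and makes the file read-only, then verifies that no CR bytes remain and that the BEGIN/END markers balance, so a mangled variable fails the job with a clear message instead of a handshake error in journalctl. The helper names and the sample PEM body are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's bin/deploy.sh: write a PEM file from a CI
# variable the way the deploy script does, but validate the result so a broken
# variable fails the job here instead of as a TLS handshake error on the daemon.
# Usage: write_pem_from_var VARNAME /path/to/file.pem  (0 = ok, 1 = rejected)
write_pem_from_var() {
  name=$1; out=$2
  eval "value=\$$name"   # read the variable named in $1 (e.g. CA_PEM)
  [ -n "$value" ] || { echo "$name is empty or unset" >&2; return 1; }
  # Same fix as the article: strip CRs that GitLab may have stored with the value.
  printf '%s\n' "$value" | tr -d '\r' > "$out"
  chmod 400 "$out"
  pem_looks_sane "$out"
}

# Rejects a file with stray CR bytes or missing/unbalanced BEGIN/END markers.
pem_looks_sane() {
  f=$1
  if grep -q "$(printf '\r')" "$f"; then
    echo "$f: carriage returns present" >&2; return 1
  fi
  begin=$(grep -c '^-----BEGIN ' "$f" || true)
  end=$(grep -c '^-----END ' "$f" || true)
  if [ "$begin" -eq 0 ] || [ "$begin" -ne "$end" ]; then
    echo "$f: BEGIN/END markers missing or unbalanced ($begin/$end)" >&2; return 1
  fi
  return 0
}

# Constructed sample: a fake certificate body with CRLF line endings, which is
# how the value can arrive after being pasted into a GitLab variable.
SAMPLE_CRLF=$(printf -- '-----BEGIN CERTIFICATE-----\r\nCONSTRUCTED-SAMPLE-NOT-A-REAL-CERT\r\n-----END CERTIFICATE-----\r')

DEMO_DIR=$(mktemp -d)
CA_PEM=$SAMPLE_CRLF
if write_pem_from_var CA_PEM "$DEMO_DIR/ca.pem"; then
  echo "ca.pem written: $(wc -l < "$DEMO_DIR/ca.pem") lines, CRs removed"
fi
# The article's debugging step: cat -A shows CRs as ^M, and none should remain.
cat -A "$DEMO_DIR/ca.pem" 2>/dev/null || cat -v "$DEMO_DIR/ca.pem"
```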
Source: www.habr.com