Setting up CD via gitlab

At some point I thought about deploying my project automatically. gitlab.com kindly provides all the tools for this, so of course I decided to use them, figured things out and wrote a small deploy script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root and password logins, install dockerd, configure ufw
  2. Create server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Allow dockerd to be controlled over a tcp socket: remove the -H fd:// option from the docker configuration.
  3. Set the certificate paths in docker.json
  4. Write the certificate contents into variables in the gitlab CI/CD settings. Write a .gitlab-ci.yml script that performs the deploy.

I will show all the examples on a Debian distribution.

Initial VPS setup

So you have bought a VPS, for example at DO; the first thing to do is to protect your server from the hostile outside world. I won't prove or argue anything, I'll just show the /var/log/messages log from my freshly created server:

[screenshot: /var/log/messages on the freshly created server]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Set the default policy: deny all incoming connections, allow all outgoing ones:

ufw default deny incoming
ufw default allow outgoing

Important: don't forget to allow ssh connections:

ufw allow OpenSSH

The general syntax is: to allow connections to a port, ufw allow 12345, where 12345 is a port number or a service name; to deny them, ufw deny 12345.

Enable the firewall:

ufw enable

Log out of the session and log in again over ssh.

Add a user, set a password for them, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, as planned, disable password login. To do this, copy your ssh key to the server:

ssh-copy-id [email protected]

The server IP should be your own. Now try logging in as the newly created user; you should no longer need to enter a password. Next, edit the sshd configuration and change the following:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Reload the sshd daemon so it picks up the change:

sudo systemctl reload sshd

Now if you or anyone else tries to log in as root with a password, the attempt will fail.
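One check I would add at this point (example code of my own, not from the article or the repository it links): sshd uses the first value it reads for a keyword, so a PasswordAuthentication yes that appears earlier in the file, or in a drop-in pulled in by an Include at the top of sshd_config on newer Debian releases, silently overrides the line you just added. The function below reproduces that rule on a constructed config so it runs offline; the drop-in file name is made up.

```shell
#!/usr/bin/env sh
# Added example, not from the article: sshd keeps the FIRST value it reads for
# a keyword, so a drop-in that is included before the main body, or an earlier
# line, wins over the "PasswordAuthentication no" added at the end.
# On a live host, `sudo sshd -T | grep -i passwordauthentication` is the
# authoritative check; this helper only models the rule on text.

# Constructed sample, in the order sshd would read it: a (made-up) drop-in
# first, then the edited main config. The drop-in re-enables passwords.
SSHD_WITH_DROPIN='# /etc/ssh/sshd_config.d/50-example.conf (included first)
PasswordAuthentication yes

# /etc/ssh/sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes'

# The same main config with the drop-in (first three lines) removed.
SSHD_FIXED=$(printf '%s\n' "$SSHD_WITH_DROPIN" | sed '1,3d')

# Print the effective global value of keyword $2 in config text $1:
# first match wins, comments and blank lines are skipped, keywords are
# case-insensitive, and everything after the first Match block is per-user.
effective_sshd_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }
    '
}

# Succeed only when password authentication is off for everyone.
password_auth_disabled() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = "no" ]
}

# Demo: the drop-in wins; the fixed config behaves as intended.
printf 'with drop-in: %s\n' "$(effective_sshd_option "$SSHD_WITH_DROPIN" PasswordAuthentication)"
printf 'fixed:        %s\n' "$(effective_sshd_option "$SSHD_FIXED" PasswordAuthentication)"
```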

Next we install dockerd. I won't describe the process here, since everything may have changed by the time you read this; follow the link to the official page and go through the steps for installing docker on your virtual machine: https://docs.docker.com/install/linux/docker-ce/debian/

Certificate generation

To control a remote docker daemon, an encrypted TLS connection is required. For this you need a certificate and a key, which you have to generate and copy to the remote machine. Follow the steps in the guide on the official docker site: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. All the *.pem files created for the server, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.

Docker setup

In the docker daemon startup unit, remove the -H fd:// option; this option specifies the host on which the docker daemon can be controlled, and we will set it in the configuration file instead.

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, create the settings file if it doesn't exist yet and set the options:

/etc/docker/docker.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Allow connections to port 2376:

sudo ufw allow 2376

Restart with the new settings applied:

sudo systemctl daemon-reload && sudo systemctl restart docker

Let's check:

sudo systemctl status docker

If everything is green, we consider docker on the server successfully set up.

Setting up continuous delivery in gitlab

For the gitlab worker to be able to execute commands on the remote host, you need to decide how and where to store the certificates and key used to establish the encrypted connection. I solved this by simply writing them into variables in the gitlab settings:

[screenshot: variable names in the gitlab CI/CD settings]

Just print the contents of the certificates and key with cat, e.g. cat ca.pem, then copy and paste the values into the variables.

Let's write the deploy script for gitlab. The docker-in-docker (dind) image will be used.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so the image works under dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here

The gist of the deploy script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Fail immediately if any command errors out
set -e
# Echo each line as it is read, so the job log shows what we are doing
set -v

# Compose file describing the application
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case those of the gitlab worker
# (exported so that docker and docker-compose pick it up)
export DOCKER_CERT_PATH=/root/.docker

# Check that everything we need is present in the container
docker info
docker-compose version

# Create the directory (we are still working in the client, the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# Extract the variable contents, dropping the carriage returns that were added
# when the variables were saved in the gitlab settings (note: '\r', not 'r')
echo "$CA_PEM"   | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM"  | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# Just in case, make them readable by the owner only
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"

# From here on we talk to the remote docker daemon. The deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# Check that the connection is established successfully
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  ps

# Log in to the docker registry; you can point this at your own "local" registry.
# The password is passed on stdin so it does not show up in the process list.
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  pull app
# Bring up the application
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  up -d app

The main problem was "extracting" the certificate contents in their normal form from the gitlab CI/CD variables. I couldn't understand why the connection to the remote host wasn't working. I looked at the sudo journalctl -u docker log on the remote host: there was a handshake error. I decided to look at what is actually stored in the variables; you can see it with cat -A $DOCKER_CERT_PATH/key.pem. I got around the error by adding removal of the carriage return character, tr -d '\r'.
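To make the symptom above reproducible, here is an added example of my own (not from the article or its repository): it builds a constructed PEM-shaped string with CRLF line endings, counts the carriage returns that cat -A would reveal, contrasts tr -d '\r' with the letter-deleting tr -d 'r', and writes the result the way the deploy script does. The body of the sample is fake base64, not a real certificate.

```shell
#!/usr/bin/env sh
# Added example, not from the article: reproduce the carriage-return problem,
# detect it, and show why the fix must be tr -d '\r' (the carriage return)
# and not tr -d 'r' (the letter r, which corrupts the PEM).

# Constructed sample standing in for $CA_PEM: PEM markers around a fake body,
# with CRLF line endings as they arrive from the CI variable.
crlf_pem() {
    printf -- '-----BEGIN CERTIFICATE-----\r\nMIIBfakebodywithletterrrr\r\n-----END CERTIFICATE-----\r\n'
}

# Number of carriage-return bytes in $1; 0 means clean Unix line endings.
count_cr() {
    printf '%s' "$1" | tr -cd '\r' | wc -c | tr -d ' '
}

# Correct normalisation: delete only carriage returns.
strip_cr() {
    printf '%s' "$1" | tr -d '\r'
}

# The broken variant: deletes every lowercase letter r, so the body no longer
# decodes, while the carriage returns are still there.
strip_letter_r() {
    printf '%s' "$1" | tr -d 'r'
}

# Cheap sanity check before pointing docker at the file: no CRs, and the
# BEGIN/END markers survived the round trip through the CI variable.
pem_is_clean() {
    [ "$(count_cr "$1")" -eq 0 ] || return 1
    printf '%s\n' "$1" | head -n 1 | grep -q '^-----BEGIN ' || return 1
    printf '%s\n' "$1" | tail -n 1 | grep -q '^-----END '
}

# Write $2 to path $1 the way the deploy script does: directory created,
# CRs stripped, file readable only by its owner.
write_pem() {
    mkdir -p "$(dirname "$1")"
    (umask 077 && strip_cr "$2" > "$1")
    chmod 400 "$1"
}

# Demo
raw=$(crlf_pem)
printf 'CRs in the variable: %s\n' "$(count_cr "$raw")"
pem_is_clean "$(strip_cr "$raw")" && echo 'after stripping CRs: clean'
```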

In addition, you can add post-release tasks to the script at your discretion. You can see the working version in my repository: https://gitlab.com/isqad/gitlab-ci-cd

Source: www.habr.com
