Setting up CD with GitLab

At some point I thought about automating my own work. gitlab.com provides all the tools for this, and I eventually decided to use it: figure it out and write a small deployment script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root and password logins, install dockerd, configure ufw
  2. Generate certificates for the server and the client: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Enable management of dockerd over a tcp socket: remove the -H fd:// option from the docker configuration.
  3. Set the paths to the certificates in docker.json
  4. Store the certificate contents in variables in the GitLab CI/CD settings. Write a .gitlab-ci.yml script for the deployment.

I'll show all the examples for the Debian distribution.

Initial VPS setup

So, you have bought an instance, say at DO, and the first thing to do is protect your server from the hostile outside world. I won't prove or argue anything; I'll just show the /var/log/messages log of my real server:

[Screenshot not available: excerpt of /var/log/messages from the server]

First of all, install the ufw firewall:

apt-get update && apt-get install ufw

Set the default policy: deny all incoming connections, allow all outgoing ones:

ufw default deny incoming
ufw default allow outgoing

Important: don't forget to allow connections via ssh:

ufw allow OpenSSH

The general syntax is: to allow connections on a port, ufw allow 12345, where 12345 is a port number or a service name; to deny them, ufw deny 12345.

Enable the firewall:

ufw enable

Log out of the session and log back in via ssh.

Add a user, give them a password, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

After that, as planned, you should disable password login. To do this, copy your ssh key to the server:

ssh-copy-id scoty@<server-ip>

Substitute your own server's IP. Now try logging in as the user created earlier: you should no longer be asked for a password. Next, change the following in the sshd configuration:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Restart the sshd daemon:

sudo systemctl reload sshd

Now if you or anyone else tries to log in as root with a password, it will fail. (PasswordAuthentication no only blocks password-based logins; to refuse root even with a valid key, also set PermitRootLogin no.)
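The sshd changes above are easy to get wrong by hand (a commented-out default left in place, a directive appended below a Match block). The following script is an added example, not code from the article: it rewrites directives idempotently in a given sshd_config, reads back the value that will take effect, and bundles the article's setting with PermitRootLogin no. The helper names set_sshd_option, get_sshd_option and harden_sshd are my own; run sshd -t on the result before reloading.

```sh
#!/bin/sh
# Added example, not from the article: set sshd directives idempotently in a
# config file and read back the value that will take effect, so the change
# can be checked (and validated with sshd -t) before sshd is reloaded.
# Assumed helper names: set_sshd_option, get_sshd_option, harden_sshd.
set -eu

# set_sshd_option FILE KEY VALUE
# Removes every existing definition of KEY, including commented-out defaults
# like "#PasswordAuthentication yes", and writes the new line at the TOP of
# the file: sshd takes the first match, and a line appended at the end could
# land inside a trailing "Match" block and apply only to that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -v -i "^[[:space:]]*#*[[:space:]]*$key[[:space:]]" "$file" >> "$tmp" || true
    cat "$tmp" > "$file"        # keeps the original file's owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: prints the value of the first active definition,
# which is the one sshd uses.
get_sshd_option() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd FILE: what the article does (no passwords) plus the directive
# that actually refuses root logins, key or not.
harden_sshd() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# On a real host, only after the key copied with ssh-copy-id is known to work:
#   harden_sshd /etc/ssh/sshd_config && sshd -t && systemctl reload sshd
```

Because the new line goes to the top of the file, re-running harden_sshd leaves the file unchanged, which makes it safe to put in a provisioning script.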

After that we install dockerd. I won't describe the process here, since everything may have changed by now; follow the link to the official site and go through the steps to install docker on your machine: https://docs.docker.com/install/linux/docker-ce/debian/

Generating the certificates

To manage the docker daemon remotely, an encrypted TLS connection is needed. For this you need a certificate and a key, which you have to generate and copy to your remote machine. Follow the steps in the instructions on the official docker website: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. All the generated *.pem files for the server, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.
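As an added example (my own wrapper, not the article's or Docker's code), here is the OpenSSL flow from the docs page linked above made non-interactive and laid out in the file names the article uses: OUT/server/{ca.pem,server.pem,key.pem} is what goes to /etc/docker on the host, OUT/client/{ca.pem,cert.pem,key.pem} is what the deploy script later needs. The function names gen_docker_tls and verify_docker_tls, the CA name docker-ca and the client CN gitlab-runner are assumptions; HOST_IP is the address the daemon will be dialled at and must appear in the server certificate's SAN, otherwise the client's tlsverify fails.

```sh
#!/bin/sh
# Added example, not the article's or Docker's own code: the OpenSSL flow from
# the Docker docs, wrapped so it runs without prompts.
#   gen_docker_tls OUT HOST_IP [BITS]
#   OUT/server/{ca.pem,server.pem,key.pem} -> copy to /etc/docker on the host
#   OUT/client/{ca.pem,cert.pem,key.pem}   -> the client side (the CI worker)
# Keys are written unencrypted (the daemon cannot prompt for a passphrase),
# so OUT must be a private directory; umask 077 makes every file 0600.
set -eu

gen_docker_tls() {
    out=$1; host_ip=$2; bits=${3:-4096}
    umask 077
    mkdir -p "$out/server" "$out/client"
    work=$(mktemp -d)

    # 1. Private CA: each side only trusts certificates it has signed.
    openssl genrsa -out "$work/ca-key.pem" "$bits" 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -subj "/CN=docker-ca" \
        -key "$work/ca-key.pem" -out "$out/server/ca.pem"

    # 2. Server certificate. The SAN must contain the IP the client dials,
    #    otherwise tlsverify on the client side rejects the daemon.
    openssl genrsa -out "$out/server/key.pem" "$bits" 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$host_ip" \
        -key "$out/server/key.pem" -out "$work/server.csr"
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$host_ip" > "$work/server-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$work/server.csr" \
        -CA "$out/server/ca.pem" -CAkey "$work/ca-key.pem" -CAcreateserial \
        -out "$out/server/server.pem" -extfile "$work/server-ext.cnf" 2>/dev/null

    # 3. Client certificate, restricted to clientAuth so a leaked client
    #    certificate cannot be turned around to impersonate the daemon.
    openssl genrsa -out "$out/client/key.pem" "$bits" 2>/dev/null
    openssl req -new -subj "/CN=gitlab-runner" \
        -key "$out/client/key.pem" -out "$work/client.csr"
    printf 'extendedKeyUsage = clientAuth\n' > "$work/client-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$work/client.csr" \
        -CA "$out/server/ca.pem" -CAkey "$work/ca-key.pem" -CAcreateserial \
        -out "$out/client/cert.pem" -extfile "$work/client-ext.cnf" 2>/dev/null

    cp "$out/server/ca.pem" "$out/client/ca.pem"
    # Neither side needs the CA key at runtime: keep it out of server/ and
    # client/ and move it somewhere offline once the certificates are issued.
    mv "$work/ca-key.pem" "$out/ca-key.pem"
    rm -f "$out/server/ca.srl"
    rm -rf "$work"
}

# verify_docker_tls OUT: the chain and purpose checks the TLS handshake makes.
verify_docker_tls() {
    out=$1
    openssl verify -CAfile "$out/server/ca.pem" -purpose sslserver "$out/server/server.pem" >/dev/null &&
    openssl verify -CAfile "$out/server/ca.pem" -purpose sslclient "$out/client/cert.pem" >/dev/null
}
```

Renewal is the part people forget: the certificates are valid for 365 days, so put the expiry date in a calendar, or the deployment will start failing with a handshake error a year later.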

docker configuration

In the docker daemon's startup script, remove the -H fd:// option: this option determines where the daemon listens for management connections, and dockerd refuses to start when hosts are given both on the command line and in the configuration file. (Edits to the unit file itself are overwritten on package upgrade; a drop-in created with systemctl edit docker survives.)

# In /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, create the configuration file if it does not exist yet, and set the options:

/etc/docker/docker.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Allow connections on port 2376:

sudo ufw allow 2376

Restart dockerd with the new configuration:

sudo systemctl daemon-reload && sudo systemctl restart docker

Let's check:

sudo systemctl status docker

If everything is green, we consider docker successfully configured on the server.
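With ufw allow 2376 the port is reachable from anywhere, so "tlsverify": true is the only thing between the Internet and root on the host: "tls": true alone encrypts the connection but still accepts any client. The script below is an added example, not from the article: it lints the configuration file before the restart, refusing a tcp listener without tls and tlsverify, the plaintext port 2375, missing PEM files, or a private key readable by group or others. check_docker_config FILE [ROOT] is an assumed name; ROOT is an optional prefix for the certificate paths so the check can run on a staging copy. Note that Docker reads /etc/docker/daemon.json by default; a file named docker.json is only picked up if dockerd is started with --config-file.

```sh
#!/bin/sh
# Added example, not from the article: lint the daemon configuration before
# restarting docker. Assumed: check_docker_config FILE [ROOT]; ROOT is an
# optional prefix for the certificate paths (staging copy). grep/sed only,
# so it needs no jq on the host.
set -eu

check_docker_config() {
    cfg=$1; root=${2:-}; rc=0
    if grep -q '"tcp://' "$cfg"; then
        # a tcp listener is acceptable only with both tls and tlsverify
        grep -Eq '"tls"[[:space:]]*:[[:space:]]*true' "$cfg" \
            || { echo "FAIL: tcp host without \"tls\": true"; rc=1; }
        grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$cfg" \
            || { echo "FAIL: tcp host without \"tlsverify\": true (any client accepted)"; rc=1; }
        # 2375 is the conventional plaintext port, 2376 the TLS one
        ! grep -q ':2375"' "$cfg" \
            || { echo "FAIL: plaintext port 2375 listed in hosts"; rc=1; }
    fi
    for k in tlscacert tlscert tlskey; do
        # pull the quoted path out of a line like   "tlskey": "/etc/docker/key.pem",
        p=$(sed -n "s/.*\"$k\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$cfg")
        if [ -z "$p" ]; then echo "FAIL: $k not set"; rc=1; continue; fi
        if [ ! -f "$root$p" ]; then echo "FAIL: $k file $p missing"; rc=1; continue; fi
        # the private key must not be readable by group or others
        if [ "$k" = tlskey ] && [ "$(ls -l "$root$p" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $p is readable by group/others"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $cfg"
    return "$rc"
}

# On the host, before the restart shown above:
#   check_docker_config /etc/docker/docker.json && sudo systemctl restart docker
```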

Setting up continuous delivery in GitLab

For the gitlab worker to be able to execute commands on the remote docker host, you have to decide how to store the certificates and the key for the encrypted connection to dockerd. I solved this by simply writing them into variables in the gitlab settings:

[Screenshot not available: CI/CD variables in the GitLab project settings]

Just print the contents of the certificate and key with cat: cat ca.pem. Copy and paste them into the variables.

Let's write the deployment script for gitlab. The docker-in-docker (dind) image will be used.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here

The contents of the deployment script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Fail immediately if any command errors
set -e
# Print each line as it is read (set -v prints the source line, so the
# secrets in variables are not expanded into the job log)
set -v

# Compose file describing the application
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the gitlab worker's
# (docker reads this variable to find ca.pem, cert.pem and key.pem)
DOCKER_CERT_PATH=/root/.docker
export DOCKER_CERT_PATH

# check that everything we need is present in the container
docker info
docker-compose version

# create the path (at this point we are still in the client, the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# extract the variable contents, dropping the carriage returns that were
# added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# just in case, make them read-only
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"

# from here on we talk to the remote docker daemon. The deployment itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# check that the connection works
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  ps

# log in to the docker registry; you can point this at your own "local" registry
# (--password-stdin keeps the password out of the process list and the job log)
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  pull app
# bring up the application
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  up -d app

The biggest problem was getting the certificate contents out of the gitlab CI/CD variables in a usable form. I could not understand why the connection to the remote host wasn't working. I looked at the sudo journalctl -u docker log on the host: there was a TLS handshake error. I decided to look at what was actually stored in the variables; for that you can run cat -A $DOCKER_CERT_PATH/key.pem. Adding removal of the carriage-return character, tr -d '\r', fixed the error.
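The variable-to-file step is where the handshake error above came from, so here it is done defensively as an added example (my own code, not the article's): write_pem_from_var DEST VALUE strips the carriage returns that a paste from a Windows clipboard carries (the ^M that cat -A shows), refuses anything that is not a single PEM block, and creates the file with a private mode from the first instant rather than chmod-ing it afterwards. The function names and the constructed test certificate are assumptions.

```sh
#!/bin/sh
# Added example, not from the article: the variable-to-file step of deploy.sh
# done defensively. Assumed: write_pem_from_var DEST VALUE, pem_looks_valid FILE.
set -eu

# pem_looks_valid FILE: exactly one BEGIN and one END line, and no stray CRs
pem_looks_valid() {
    f=$1
    [ "$(grep -c '^-----BEGIN ' "$f")" = 1 ] &&
    [ "$(grep -c '^-----END ' "$f")" = 1 ] &&
    ! grep -q "$(printf '\r')" "$f"
}

# write_pem_from_var DEST VALUE: VALUE is the raw content of a CI variable
write_pem_from_var() {
    dest=$1; value=$2
    umask 077                       # files are created 0600 from the start
    tmp=$(mktemp "$(dirname "$dest")/.pem.XXXXXX")
    # tr -d '\r' drops the CR at the end of every pasted line; printf rather
    # than echo so a value beginning with "-" is not taken as an option
    printf '%s\n' "$value" | tr -d '\r' > "$tmp"
    if ! pem_looks_valid "$tmp"; then
        rm -f "$tmp"
        echo "refusing to write $dest: not a single PEM block" >&2
        return 1
    fi
    chmod 400 "$tmp" && mv "$tmp" "$dest"
}

# In deploy.sh, with the variables from the GitLab CI/CD settings:
#   mkdir -p "$DOCKER_CERT_PATH"
#   write_pem_from_var "$DOCKER_CERT_PATH/ca.pem"   "$CA_PEM"
#   write_pem_from_var "$DOCKER_CERT_PATH/cert.pem" "$CERT_PEM"
#   write_pem_from_var "$DOCKER_CERT_PATH/key.pem"  "$KEY_PEM"
```

Failing early with a clear message beats the alternative: a malformed key.pem is otherwise only reported as a generic handshake error on the daemon side, which is exactly the symptom that took the author a journalctl session to track down.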

Beyond that, you can add further jobs to the script as you see fit. A working version can be found in my repository: https://gitlab.com/isqad/gitlab-ci-cd

Source: www.habr.com
