Setting up CD with GitLab

I had been thinking about automating the deployment of my project. gitlab.com kindly provides all the tools for this, so of course I decided to take the opportunity, think it through and write a small deployment script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root login, disable password login, install dockerd, configure ufw.
  2. Generate the server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Allow dockerd to be managed over a TCP socket: remove the -H fd:// option from the docker service configuration.
  3. Register the certificate paths in daemon.json.
  4. Store the certificate contents in the GitLab CI/CD settings variables. Write the .gitlab-ci.yml script for the deployment.

I will show all examples on a Debian distribution.

Initial VPS setup

So you have bought an instance, say on DO. The first thing you need to do is protect your server from the hostile outside world. I won't prove or argue anything, I will just show the /var/log/messages log of my virtual server:

[screenshot: /var/log/messages from the author's VPS]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Let's set the default policy: deny all incoming connections, allow all outgoing connections:

ufw default deny incoming
ufw default allow outgoing

Important: don't forget to allow ssh connections:

ufw allow OpenSSH

The general syntax looks like this. Allow connections on a port: ufw allow 12345, where 12345 is a port number or a service name. Deny: ufw deny 12345

Enable the firewall:

ufw enable

Log out of the session and log in again over ssh.

Add a user, give them a password, and add them to the sudo group.

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, according to plan, you need to disable password login. To do this, copy your ssh key to the server:

ssh-copy-id scoty@<your-server-ip>

The server IP must be your own. Now try to log in as the user you created earlier; you should no longer need to enter a password. Next, change the following in the sshd configuration:

sudo nano /etc/ssh/sshd_config

disable password login:

PasswordAuthentication no

Reload the sshd daemon:

sudo systemctl reload sshd

Now if you or anyone else tries to log in as the root user, it won't work.

Next, install dockerd. I won't describe the procedure here, because everything may change; follow the link to the official website and go through the steps for installing docker on your virtual machine: https://docs.docker.com/install/linux/docker-ce/debian/

Generating certificates

To manage the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which must be generated and transferred to your remote machine. Follow the steps given in the instructions on the official docker website: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl All generated server *.pem files, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.
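The certificate steps the linked guide walks through, as an added example that is not the article's or Docker's own code: a non-interactive shell version that creates the CA, the server certificate (with the server's name and IP as SANs, since the deploy script later dials the host by IP) and the client certificate, plus a check to run before copying anything to the VPS. It assumes openssl is installed and, unlike the guide, leaves the CA key unencrypted; the output directory, host name and IP are parameters you supply.

```shell
#!/bin/sh
# Added example; assumes openssl is on PATH. The CA key is written unencrypted
# (the Docker guide protects it with a passphrase), so keep <out-dir> off the VPS.
# Usage: gen_docker_tls <out-dir> <server-dns-name> <server-ip>
gen_docker_tls() (
  set -e
  umask 077                      # private keys come out owner-readable only
  mkdir -p "$1" && cd "$1"
  host=$2; ip=$3

  # 1. Private CA: ca.pem is the single trust anchor for both dockerd and the client.
  openssl genrsa -out ca-key.pem 4096 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -subj '/CN=docker-ca' \
    -key ca-key.pem -out ca.pem

  # 2. Server cert. The SANs must cover every name or IP the client dials
  #    (the deploy script uses tcp://<ip>:2376), otherwise tlsverify rejects it.
  openssl genrsa -out server-key.pem 4096 2>/dev/null
  openssl req -new -sha256 -subj "/CN=$host" -key server-key.pem -out server.csr
  printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
    "$host" "$ip" > server-ext.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile server-ext.cnf 2>/dev/null

  # 3. Client cert, limited to clientAuth: a leaked client key cannot be
  #    presented as a server certificate to other clients of this CA.
  openssl genrsa -out key.pem 4096 2>/dev/null
  openssl req -new -subj '/CN=gitlab-runner' -key key.pem -out client.csr
  printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out cert.pem -extfile client-ext.cnf 2>/dev/null

  rm -f server.csr client.csr server-ext.cnf client-ext.cnf ca.srl
  chmod 0444 ca.pem server-cert.pem cert.pem   # public parts may be world-readable
)

# Check before copying to /etc/docker: both leaves chain to ca.pem and carry the
# intended extended key usage. Returns non-zero on the first failed check.
verify_docker_tls() {
  dir=$1
  openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
  openssl x509 -in "$dir/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}
```

ca.pem, server-cert.pem and server-key.pem go to /etc/docker on the VPS (the article names the last two server.pem and key.pem there); ca.pem, cert.pem and key.pem are what the CI variables hold.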

Configuring dockerd

In the docker daemon's service file we remove the -H fd:// option; this option determines which socket the docker daemon can be managed through (note that a package upgrade may overwrite a unit file edited in place):

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, create the daemon configuration file, if it does not exist yet, and specify the options (dockerd reads /etc/docker/daemon.json by default):

/etc/docker/daemon.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Allow connections on port 2376:

sudo ufw allow 2376

Restart dockerd with the new settings:

sudo systemctl daemon-reload && sudo systemctl restart docker

Check it:

sudo systemctl status docker

If everything is "green", we can assume that docker on the server has been configured successfully.

Setting up continuous deployment in GitLab

For the GitLab worker to be able to execute commands on the remote Docker host, it has to know how and where to obtain the certificates and the key for the encrypted connection to dockerd. I solved this problem simply by adding the following variables in the gitlab settings:

[screenshot: CI/CD variables CA_PEM, CERT_PEM and KEY_PEM]

Just print the contents of the certificates and the key with cat, e.g. cat ca.pem, then copy and paste them into the variable values.

Let's write the pipeline script for GitLab. The docker-in-docker (dind) image will be used.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so the image works under dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here

The contents of the deploy script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Fail immediately if any command errors
set -e
# Print each line as it is read
set -v

# Compose file describing the application
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case on the gitlab worker.
# Exported so that the docker CLI and docker-compose pick it up.
export DOCKER_CERT_PATH=/root/.docker

# Check that everything is present in the container
docker info
docker-compose version

# Create the path (we are working inside the client now, the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# Extract the variable contents, removing the stray carriage returns added when
# the variables were saved ('\r', not 'r': deleting the letter r would corrupt the base64)
echo "$CA_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# Just in case, make them read-only
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"

# From here on we talk to the remote docker daemon. The deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# Check that the connection succeeds
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  ps

# Log in to the docker registry; you can point this at your own "local" registry.
# The password is passed on stdin so it does not show up in the process list.
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  pull app
# Bring up the application
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  up -d app

The main problem was "pulling" the certificate contents out of the gitlab CI/CD variables in a usable form. I could not understand why the connection to the remote host was not working. On the host I looked at the log with sudo journalctl -u docker; there was an error during the handshake. I decided to check what is actually stored in the variables; to do this you can look like this: cat -A $DOCKER_CERT_PATH/key.pem. I fixed the error by adding carriage-return removal, tr -d '\r'.
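The certificate-writing step of the deploy script and the carriage-return problem described above, as an added example that is not the article's own code: a stricter version that strips the \r, keeps the key owner-only from the moment it is written, and fails the job with a clear message when a variable does not contain a PEM block at all, instead of letting the TLS handshake fail later. It assumes POSIX sh only; the function names are mine.

```shell
#!/bin/sh
# Added example, not the article's deploy script: a stricter version of the step
# that writes the CI variables to $DOCKER_CERT_PATH. Assumes POSIX sh only.

# Count carriage returns in a file (the ^M that `cat -A` shows).
count_cr() { tr -cd '\r' < "$1" | wc -c | tr -d ' '; }

# write_pem <variable contents> <destination>
# Strips \r (pasted from a Windows clipboard, or added when the variable was
# saved) and returns 1 when the result carries no PEM markers, so the job
# fails here with a clear message instead of at the TLS handshake.
write_pem() {
  content=$1; dest=$2
  umask 077                      # never world-readable, not even briefly
  rm -f "$dest"                  # a previous 0400 copy would block the redirect
  # '\r' is the carriage return; the unescaped 'r' would delete every
  # letter r from the base64 body and corrupt the certificate.
  printf '%s\n' "$content" | tr -d '\r' > "$dest"
  chmod 400 "$dest"
  if ! grep -q -- '-----BEGIN ' "$dest" || ! grep -q -- '-----END ' "$dest"; then
    echo "write_pem: $dest does not look like a PEM block; check the CI variable" >&2
    return 1
  fi
}

# install_docker_certs <dir>: the three files docker expects in DOCKER_CERT_PATH,
# taken from the CA_PEM, CERT_PEM and KEY_PEM variables as in the article.
install_docker_certs() {
  dir=$1
  mkdir -p "$dir" &&
  write_pem "$CA_PEM"   "$dir/ca.pem"   &&
  write_pem "$CERT_PEM" "$dir/cert.pem" &&
  write_pem "$KEY_PEM"  "$dir/key.pem"
}
```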

Next, you can add post-deploy tasks to the script at your discretion. A working version can be seen in my repository: https://gitlab.com/isqad/gitlab-ci-cd

source: www.habr.com
