I had been thinking about automating the deployment of my project. gitlab.com kindly provides all the tools for this, and of course I decided to take the opportunity, think it through and write a small deploy script. In this article I share my experience with the community.
TL;DR
- Set up the VPS: disable root and password login, install dockerd, configure ufw
- Create server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
- Allow dockerd to be managed over a tcp socket: remove the -H fd:// option from the docker config
- Register the certificate paths in docker.json
- Register the certificate contents in the gitlab CI/CD settings variables. Write a .gitlab-ci.yml script for deployment.
I will show all examples on a Debian distribution.
Initial VPS setup
So, you have bought an instance.
First, install the ufw firewall:
apt-get update && apt-get install ufw
Let's set the default policy: deny all incoming connections, allow all outgoing:
ufw default deny incoming
ufw default allow outgoing
Important: don't forget to allow ssh connections:
ufw allow OpenSSH
The general syntax is as follows. Allow connections on a port: ufw allow 12345, where 12345 is a port number or a service name. Deny: ufw deny 12345
Enable the firewall:
ufw enable
We log out of the session and log in again via ssh.
Add a user, give them a password, and add them to the sudo group.
apt-get install sudo
adduser scoty
usermod -aG sudo scoty
Next, as planned, we need to disable password login. To do this, upload your ssh key to the server:
ssh-copy-id scoty@<server-ip>
The server IP must be your own. Now try logging in as the user you created earlier; you should no longer need to enter a password. Next, change the following in the sshd configuration:
sudo nano /etc/ssh/sshd_config
disable password login:
PasswordAuthentication no
Restart the sshd daemon:
sudo systemctl reload sshd
Now if you or anyone else tries to log in as root with a password, it will not work.
Next, install dockerd. I won't describe the process here, because everything may change; follow the link to the official website and go through the docker installation steps on your virtual machine:
Generating certificates
To manage the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which must be generated and transferred to your remote machine. Follow the steps given in the instructions on the official docker website:
Configuring dockerd
In the docker daemon launch script we remove the -H fd:// option; this option determines which socket the docker daemon can be controlled through. (Edits made directly to the unit under /lib/systemd/system are overwritten by package upgrades; a drop-in file in /etc/systemd/system/docker.service.d/ survives them.)
# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Next, you need to create the settings file if it does not already exist and specify the options. Note that dockerd reads /etc/docker/daemon.json by default; if you use another file name, it has to be passed to dockerd with --config-file.
/etc/docker/docker.json
{
"hosts": [
"unix:///var/run/docker.sock",
"tcp://0.0.0.0:2376"
],
"labels": [
"is-our-remote-engine=true"
],
"tls": true,
"tlscacert": "/etc/docker/ca.pem",
"tlscert": "/etc/docker/server.pem",
"tlskey": "/etc/docker/key.pem",
"tlsverify": true
}
Let's allow connections on port 2376:
sudo ufw allow 2376
Let's restart dockerd with the new settings:
sudo systemctl daemon-reload && sudo systemctl restart docker
Let's check:
sudo systemctl status docker
If everything is "green", we can assume that docker has been configured successfully on the server.
Setting up continuous deployment in gitlab
For the GitLab worker to be able to execute commands on the remote Docker daemon, we need to decide how and where to store the certificates and the key for the encrypted connection to dockerd. I solved this by simply adding them to the variables in the gitlab settings:
Just print the contents of the certificates and the key with cat: cat ca.pem. Copy and paste them into the variable values.
Let's write the deployment script for GitLab. The docker-in-docker (dind) image will be used.
.gitlab-ci.yml
image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]
variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
services:
  - docker:dind
stages:
  - deploy
deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script is here
The contents of the deploy script, with comments:
bin/deploy.sh
#!/usr/bin/env sh
# Fail immediately if any command errors
set -e
# Print what we are doing
set -v
#
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the gitlab worker
# (exported because the docker CLI reads DOCKER_CERT_PATH from the environment)
export DOCKER_CERT_PATH=/root/.docker
# check that everything is present in the container
docker info
docker-compose version
# create the path (we are working in the client now, the gitlab worker)
mkdir -p "$DOCKER_CERT_PATH"
# extract the variable contents, removing the extra characters that were added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/ca.pem"
echo "$CERT_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/cert.pem"
echo "$KEY_PEM" | tr -d '\r' > "$DOCKER_CERT_PATH/key.pem"
# just in case, make them read-only
chmod 400 "$DOCKER_CERT_PATH/ca.pem"
chmod 400 "$DOCKER_CERT_PATH/cert.pem"
chmod 400 "$DOCKER_CERT_PATH/key.pem"
# from here on we work with the remote docker daemon. This is the deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376
# check that the connection succeeds
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  ps
# log in to the docker registry; you can specify your own "local" registry here
docker login -u "$DOCKER_USER" -p "$DOCKER_PASSWORD"
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  pull app
# bring up the application
docker-compose \
  -f "$DOCKER_COMPOSE_FILE" \
  up -d app
The main problem was getting the certificate contents out of the gitlab CI/CD variables in their normal form. I could not understand why the connection to the remote host did not work. On the host I looked at the log with sudo journalctl -u docker; there was an error during the handshake. I decided to check what was actually stored in the variables; to do this you can look like this: cat -A $DOCKER_CERT_PATH/key.pem. I fixed the error by adding removal of the carriage return character: tr -d '\r'.
Next, you can add post-deploy tasks to the script at your discretion. You can see the working version in my repository
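To catch this kind of variable mangling in the job log instead of as an opaque handshake error on the server, here is an added example (not part of the original post, written for this article) of a helper that writes a PEM value from a CI variable the way bin/deploy.sh does, but strips carriage returns and checks the PEM framing first. The function names write_pem and pem_has_cr are made up for this example, and it assumes the same POSIX sh environment as the deploy script.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: store a PEM value taken from a
# CI/CD variable the way bin/deploy.sh does, but normalise and check it first.
set -eu

# write_pem VALUE DEST: strip carriage returns, verify PEM framing, write the
# file owner-read-only. Returns 1 (and writes nothing) on malformed input.
write_pem() {
    value=$1
    dest=$2
    # The '\r' must be escaped: tr -d 'r' would delete every letter r from the
    # base64 body and silently corrupt the key or certificate.
    cleaned=$(printf '%s\n' "$value" | tr -d '\r')
    case $cleaned in
        "-----BEGIN "*) ;;
        *) echo "write_pem: $dest has no PEM header; check the variable" >&2; return 1 ;;
    esac
    case $cleaned in
        *"-----END "*"-----") ;;
        *) echo "write_pem: $dest has no PEM footer; variable truncated?" >&2; return 1 ;;
    esac
    # Create the file under a restrictive umask so it is never briefly readable
    # by others, then lock it to mode 400 as the deploy script does.
    (umask 077; printf '%s\n' "$cleaned" > "$dest")
    chmod 400 "$dest"
}

# pem_has_cr FILE: succeed if the file still contains a carriage return, which
# is what 'cat -A' shows as ^M and what made the dockerd handshake fail.
pem_has_cr() {
    grep -q "$(printf '\r')" "$1"
}
```

In bin/deploy.sh the three echo | tr lines would become write_pem "$CA_PEM" "$DOCKER_CERT_PATH/ca.pem" and so on, so a pasted variable that lost its footer fails the job before any connection to the remote daemon is attempted.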
umthombo: www.habr.com