I had the idea of automating the deployment of my project. gitlab.com has all the tools for this, so I decided to use it, figure it out, and write a small deployment script. In this article I share my experience and the code.
TL;DR
- Set up the VPS: disable root login and password login, install dockerd, configure ufw.
- Generate certificates for the server and the client: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
- Make dockerd manageable over a TCP socket: remove the -H fd:// option from the Docker service configuration and write the certificate paths into docker.json.
- Put the contents of the certificates into the GitLab variables in the CI/CD settings, and write a .gitlab-ci.yml script for the deployment.
All examples are given for the Debian distribution.
Initial VPS setup
So, you have bought an instance.
[screenshot]
First, install the ufw firewall:
apt-get update && apt-get install ufw
Set the default policy: deny all incoming connections, allow all outgoing connections:
ufw default deny incoming
ufw default allow outgoing
Important: do not forget to allow the SSH connection:
ufw allow OpenSSH
The general syntax is as follows. Allow connections on a port: ufw allow 12345, where 12345 is the port number or the name of the service. Deny them: ufw deny 12345.
Turn the firewall on:
ufw enable
Log out of the session and log in again via SSH.
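Because `ufw default deny incoming` followed by `ufw enable` cuts off the current SSH session unless the allow rule is in place, the helper below, added for this page and not part of the original article, applies the policy above and enables the firewall only after confirming that an SSH allow rule is actually present in the output of `ufw show added`. `ssh_rule_present` takes that output as text, so the check itself can be exercised on a machine without ufw.

```shell
#!/bin/sh
# Added example (not from the original article): apply the default-deny
# policy, but refuse to enable ufw when no SSH allow rule survived.
set -eu

# $1 = text in the format of `ufw show added` (one "ufw allow ..." per line).
# Returns 0 if some line allows OpenSSH, port 22 or 22/tcp, 1 otherwise.
ssh_rule_present() {
  printf '%s\n' "$1" | grep -Eq '^ufw allow (OpenSSH|22(/tcp)?)( |$)'
}

# Apply the article's policy, then enable the firewall only if the SSH
# rule is present; otherwise leave it disabled and report the problem.
configure_firewall() {
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow OpenSSH
  if ! ssh_rule_present "$(ufw show added)"; then
    echo "no SSH allow rule found; not enabling ufw" >&2
    return 1
  fi
  ufw --force enable   # --force skips the interactive confirmation prompt
}
```

If SSH listens on a non-default port, the allow rule and the pattern in `ssh_rule_present` both have to name that port instead of OpenSSH.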
Add a user, set a password for them, and add them to the sudo group.
apt-get install sudo
adduser scoty
usermod -aG sudo scoty
Next, according to plan, we need to disable password login. To do that, copy your SSH key to the server (SERVER_IP is a placeholder for your server's address):
ssh-copy-id scoty@SERVER_IP
Now try to log in as the user created earlier; you should no longer need to enter a password. Then change the following in the sshd configuration:
sudo nano /etc/ssh/sshd_config
Disable password login:
PasswordAuthentication no
Reload the sshd daemon:
sudo systemctl reload sshd
Now if you or anyone else tries to log in as the root user, it will not work.
Next, install dockerd. I will not describe the process here, since it may change again; just follow the official Docker documentation and go through the steps for installing Docker on your virtual machine.
Generating certificates
To control the Docker daemon remotely, an encrypted TLS connection is required. For that you need a certificate and a key, which must be generated and transferred to your virtual machine. Follow the steps in the instructions on the official Docker site (the docs.docker.com link above):
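Since the article only links to the Docker documentation for this step, here is a worked script, added for this page and not part of the original article or of Docker's own tooling, that produces the three server files the daemon configuration below expects (ca.pem, server.pem and key.pem, placed under server/) and the three client files that the deploy script later writes out of the CI variables (ca.pem, cert.pem and key.pem, placed under client/). The host name and IP it takes are placeholders for your own server. The server certificate carries them as subjectAltName entries because the Docker client verifies the daemon's certificate against the address in DOCKER_HOST, and the client certificate is limited to clientAuth, as in the Docker docs.

```shell
#!/bin/sh
# Added example, not from the original article: generate a CA, a server
# certificate for dockerd and a client certificate for the GitLab job
# with openssl. The host name and IP arguments are placeholders.
set -eu

# Build the subjectAltName extension line for the server certificate.
# $1 = DNS name, remaining arguments = IP addresses.
san_ext() {
  dns="$1"; shift
  san="subjectAltName = DNS:${dns}"
  for ip in "$@"; do
    san="${san},IP:${ip}"
  done
  printf '%s\n' "$san"
}

# Generate everything into $1/server and $1/client.
# $2 = server DNS name, $3 = server IP (the one used in DOCKER_HOST).
gen_certs() {
  out="$1"; host="$2"; ip="$3"
  mkdir -p "$out/server" "$out/client"
  (
    cd "$out"
    # 1. CA: the single root of trust that both sides verify against.
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem \
      -subj "/CN=docker-ca" -out ca.pem
    # 2. Server certificate, bound to host/IP via SAN, limited to serverAuth.
    openssl genrsa -out server/key.pem 4096 2>/dev/null
    openssl req -new -sha256 -key server/key.pem -subj "/CN=${host}" -out server.csr
    { san_ext "$host" "$ip" 127.0.0.1; echo "extendedKeyUsage = serverAuth"; } > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile server-ext.cnf -out server/server.pem
    # 3. Client certificate for the deploy job, limited to clientAuth.
    openssl genrsa -out client/key.pem 4096 2>/dev/null
    openssl req -new -sha256 -key client/key.pem -subj "/CN=gitlab-deploy" -out client.csr
    echo "extendedKeyUsage = clientAuth" > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile client-ext.cnf -out client/cert.pem
    # Both sides need the CA certificate; nobody needs the CA key after signing.
    cp ca.pem server/ca.pem
    cp ca.pem client/ca.pem
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf ca.srl
    # Private keys: owner-read only. Certificates are public.
    chmod 0400 ca-key.pem server/key.pem client/key.pem
    chmod 0444 ca.pem server/ca.pem server/server.pem client/ca.pem client/cert.pem
  )
}
```

Copy the server/ files to /etc/docker on the host, and paste the client/ files into the CA_PEM, CERT_PEM and KEY_PEM variables described below; keep ca-key.pem offline, since whoever holds it can mint further client certificates. Note that dockerd reads its options from /etc/docker/daemon.json by default; if you keep the docker.json name from the article, point the daemon at it with --config-file. Once the daemon is restarted, check the chain from the client side with `docker --tlsverify --tlscacert=client/ca.pem --tlscert=client/cert.pem --tlskey=client/key.pem -H tcp://SERVER_IP:2376 version`. Because the daemon listens on 0.0.0.0:2376 and the firewall rule later opens that port, the client certificate check (tlsverify) is what stands between the network and root-equivalent control of the host, so it must stay enabled.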
Configuring dockerd
In the Docker daemon's startup script we remove the -H fd:// option; this option determines on which sockets the Docker daemon can be controlled.
# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Next, we need to create a settings file, if it does not exist yet, and specify the options in it:
/etc/docker/docker.json
{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}
Then allow connections on port 2376:
sudo ufw allow 2376
Then restart dockerd with the new settings:
sudo systemctl daemon-reload && sudo systemctl restart docker
Check:
sudo systemctl status docker
If everything is "green", we consider Docker successfully configured on the server.
Setting up the variables in GitLab
For the GitLab worker to be able to run commands on the remote Docker host, we have to decide how and where to store the certificates and the key for the encrypted connection to dockerd. I solved this simply by adding them to the variables in the GitLab settings:
Just get the contents of the certificates and the key with cat (cat ca.pem) and copy and paste them into the corresponding values.
Then write the deployment script for GitLab. The docker-in-docker (dind) image will be used.
.gitlab-ci.yml
image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]
variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
services:
  - docker:dind
stages:
  - deploy
deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here
The contents of the deployment script, with comments:
bin/deploy.sh
#!/usr/bin/env sh
# Fail immediately if any command returns an error
set -e
# Print each line as it is executed
set -v

DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the GitLab worker;
# exported so that the docker CLI picks it up
export DOCKER_CERT_PATH=/root/.docker
# Check that everything needed is present in the container
docker info
docker-compose version
# Create the path (we are currently working in the client, the GitLab worker)
mkdir -p $DOCKER_CERT_PATH
# Extract the contents of the variables, removing the extra characters
# that were added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/ca.pem
echo "$CERT_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/cert.pem
echo "$KEY_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/key.pem
# Just in case, make them read-only
chmod 400 $DOCKER_CERT_PATH/ca.pem
chmod 400 $DOCKER_CERT_PATH/cert.pem
chmod 400 $DOCKER_CERT_PATH/key.pem
# From here on we work with the remote Docker daemon. The deployment itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376
# Check that the connection succeeds
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  ps
# Log in to the Docker registry; you can specify your own "local" registry here.
# The password is passed on stdin so it never appears in the process list
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  pull app
# Bring up the application
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  up -d app
The main problem was getting the contents of the certificates out of the GitLab CI/CD variables in a usable form. I could not understand why the connection to the remote host was not working. On the host I looked at the log with sudo journalctl -u docker, and it showed a handshake error. I decided to look at what was actually stored in the variables; you can do that with: cat -A $DOCKER_CERT_PATH/key.pem. I fixed the error by adding the removal of the extra character with tr -d '\r'.
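To show the diagnosis and the fix above in one place, here is a small helper, added for this page and not part of the article's deploy.sh: it detects the carriage returns that `cat -A` displays as ^M, strips them, and refuses to write a file that has no PEM envelope at all, since an empty or mis-pasted variable produces an equally confusing TLS failure. The function and variable names are illustrative, and the sample variable content is constructed; it is not a real key.

```shell
#!/bin/sh
# Added example, not from the original article: write a PEM blob taken from
# a CI variable to disk with CRs removed and restrictive permissions.
set -eu

# Return 0 if the text contains a carriage return (shown as ^M by `cat -A`).
has_cr() {
  cr=$(printf '\r')
  case "$1" in *"$cr"*) return 0 ;; esac
  return 1
}

# Write $1 (PEM text from a CI variable) to $2 with CRs stripped.
# Fails without writing anything if the text has no PEM envelope.
write_pem() {
  pem="$1"; dest="$2"
  case "$pem" in
    *"-----BEGIN "*"-----END "*) ;;
    *) echo "refusing to write $dest: content is not PEM" >&2; return 1 ;;
  esac
  # umask in a subshell so the file is created 0600 from the start
  ( umask 077; printf '%s\n' "$pem" | tr -d '\r' > "$dest" )
  chmod 400 "$dest"
}

# Constructed sample: a dummy key body with CRLF line endings, as it would
# arrive from a variable saved through the GitLab UI. Not a real key.
SAMPLE_KEY_PEM="$(printf -- '-----BEGIN PRIVATE KEY-----\r\nMIIBdummy\r\n-----END PRIVATE KEY-----\r\n')"
```

In deploy.sh this replaces the three `echo ... | tr -d '\r'` lines with `write_pem "$KEY_PEM" "$DOCKER_CERT_PATH/key.pem"` and so on, so a bad variable stops the job before the first `docker-compose` call instead of surfacing as a handshake error in the daemon log.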
Next, you can add other tasks to the script at your own discretion. You can see the working version in my repository.
Source: www.habr.com