Setting up CD with gitlab

I once thought about automating the deployment of my project. gitlab.com kindly provides all the tools for this, so I decided to dig in, worked it out and wrote a small deployment script. In this article I share my experience with the community.

TL;DR

  1. Set up the VPS: disable root login and password login, install dockerd, configure ufw
  2. Generate the server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl. Enable control of dockerd over a tcp socket: remove the -H fd:// option from the docker systemd unit.
  3. Register the certificate paths in daemon.json
  4. Register gitlab variables holding the certificate contents in the project's CI/CD settings. Write the .gitlab-ci.yml used for deployment.

All examples are shown on a Debian distribution.

Initial VPS setup

So, you have bought an instance, say on DO; the first thing to do is protect your server from the hostile outside world. I will not prove or argue anything, I will simply show the /var/log/messages log of my virtual server:

[Screenshot: /var/log/messages from the freshly created server]

First, install the ufw firewall:

apt-get update && apt-get install ufw

Set the default policy: deny all incoming connections, allow all outgoing ones:

ufw default deny incoming
ufw default allow outgoing

Important: do not forget to allow ssh connections before enabling the firewall, or you lock yourself out:

ufw allow OpenSSH

The general syntax is: allow connections on a port with ufw allow 12345, where 12345 is a port number or a service name; deny with ufw deny 12345.

Enable the firewall:

ufw enable

Log out of the session and log back in via ssh to confirm the rule works.

Add a user, give them a password, and add them to the sudo group:

apt-get install sudo
adduser scoty
usermod -aG sudo scoty

Next, according to plan, password authentication has to be disabled. Before that, copy your ssh public key to the server (otherwise you lock yourself out):

ssh-copy-id scoty@<server-ip>

The server ip should be your own. Now try logging in as the newly created user: you should no longer be asked for a password. Next, change the following in the sshd configuration:

sudo nano /etc/ssh/sshd_config

disable password authentication:

PasswordAuthentication no

Reload the sshd daemon:

sudo systemctl reload sshd

Now anyone trying to log in with a password, including as root, is refused. Note that this alone does not stop root logging in with a key; to disable the root account for ssh completely, as the TL;DR promises, also set PermitRootLogin no in the same file. Before closing your current session, open a second terminal and confirm that you can still log in as your user.
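A check worth running before you log out, as an added example that is not part of the original article: sshd honours the first occurrence of a keyword and ignores later ones, so appending "PasswordAuthentication no" below an existing "PasswordAuthentication yes" changes nothing. The functions below emulate that first-match rule on a single file (they do not follow Include lines); the sample configs are constructed for the demonstration, and on the real host the authoritative check is `sshd -T`, shown at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that an sshd_config
# really disables password logins and root logins. sshd applies the FIRST
# occurrence of a keyword, so later duplicates are silently ignored.

# sshd_first_value FILE KEYWORD : print the effective value of KEYWORD
# (keyword is case-insensitive; commented-out lines are ignored).
sshd_first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_ssh_hardening FILE : 0 when password and root logins are both off.
check_ssh_hardening() {
    [ "$(sshd_first_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_first_value "$1" PermitRootLogin)" = "no" ]
}

# Constructed sample (not a real host's config): the admin appended the two
# "no" lines at the bottom, but the earlier "yes" still wins for passwords.
write_bad_config() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
#PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
PermitRootLogin no
EOF
}

# Constructed sample: the same file fixed by editing the existing lines.
write_good_config() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# On the server (as root), after `systemctl reload sshd`, prefer the daemon's
# own view of the effective configuration, which does follow Include files:
#   sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin) '
# Both lines must end in "no". Keep the current session open and test a new
# login in a second terminal before logging out.
```

Run `check_ssh_hardening /etc/ssh/sshd_config` on the host for a quick answer, but trust `sshd -T` over it: on newer Debian releases a drop-in under /etc/ssh/sshd_config.d/ is included before the main file and takes precedence.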

Next, install dockerd. I will not describe the process here, since it may well have changed already; follow the official documentation and go through the steps for installing docker on your virtual machine: https://docs.docker.com/install/linux/docker-ce/debian/

Generating the certificates

To manage the docker daemon remotely you need an encrypted TLS connection in which both sides present certificates. You therefore need a CA, a server certificate and key, and a client certificate and key, generated on your workstation and then copied to the right places. Follow the steps in the official docker documentation: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl (make sure the server certificate's subjectAltName lists the IP address the runner will connect to, as the docs show). The server-side *.pem files, namely ca.pem, the server certificate (server-cert.pem in the docs, server.pem below) and its key (server-key.pem in the docs, key.pem below), go into /etc/docker on the server. The CA private key (ca-key.pem) and the client files (cert.pem, key.pem) must not be copied to the server.

Configuring dockerd

In the docker daemon's systemd unit we remove the -H fd:// option; -H tells the daemon which sockets to listen on. It has to go because we will specify the sockets in daemon.json, and dockerd refuses to start when the same setting comes from both the command line and the config file. Editing the packaged unit directly works but is overwritten on upgrade; a drop-in created with sudo systemctl edit docker is the durable way (in a drop-in, an empty ExecStart= line must come first to clear the original before the new value).

# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd

Next, create the daemon configuration file, if it does not exist, and set the options. Its default path is /etc/docker/daemon.json; dockerd reads no other file unless you pass --config-file:

/etc/docker/daemon.json

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}

Allow connections on port 2376. This exposes the Docker API to the whole internet, and the client certificate check is the only thing guarding root on your host; if your runners have a fixed address, restrict the rule with ufw's allow from <ip> to any port 2376 form instead:

sudo ufw allow 2376

Restart dockerd with the new settings:

sudo systemctl daemon-reload && sudo systemctl restart docker

Check the result:

sudo systemctl status docker

If everything is "green", docker is configured on the server. If the unit failed, sudo journalctl -u docker shows why; the usual cause is a conflict between -H on the command line and hosts in daemon.json.
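A pre-flight check for the daemon configuration, as an added example that is not part of the original article. The Docker API is root-equivalent on the host, so a tcp:// listener in daemon.json is only acceptable together with "tlsverify": true (mutual TLS, where the daemon also verifies the client certificate); "tls": true on its own encrypts the connection but still lets anyone connect. The sample files are constructed: one is the classic unencrypted exposure on 2375, the other is the configuration from this article. Plain grep and sed are used so it runs on a fresh VPS without extra tools.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check
# /etc/docker/daemon.json before `systemctl restart docker`.
# Prefer `jq -e '.tlsverify == true'` if jq is installed.

# daemon_json_is_safe FILE : 0 if there is no tcp listener, or the tcp
# listener is protected by tlsverify; 1 otherwise.
daemon_json_is_safe() {
    if ! grep -q '"tcp://' "$1"; then
        return 0   # unix socket only: nothing reachable over the network
    fi
    grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"
}

# daemon_json_tcp_port FILE : print the tcp port the daemon would listen on
# (empty if none). 2375 is the conventional unencrypted port, 2376 the TLS one.
daemon_json_tcp_port() {
    sed -n 's/.*"tcp:\/\/[^:"]*:\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Constructed sample: the classic exposure that internet scanners look for.
write_unsafe_daemon_json() {
    cat > "$1" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
EOF
}

# Constructed sample: the article's configuration, TLS with client verification.
write_safe_daemon_json() {
    cat > "$1" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}
EOF
}

# After restarting, verify from the client machine that the client
# certificate is required (HOST is the address in the server certificate):
#   docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \
#       -H tcp://HOST:2376 version        # must succeed
#   curl -sk https://HOST:2376/version    # must fail in the TLS handshake,
#                                         # not return JSON
```

The negative test with curl is the one that matters: if an anonymous client gets JSON back, the daemon is listening without client verification and anyone who finds the port owns the host.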

Setting up continuous delivery in gitlab

For the GitLab worker to be able to run commands against the remote Docker host, we have to decide how and where to store the certificates and the key for the encrypted connection to dockerd. I solved this by adding the following variables in the project's gitlab CI/CD settings:

[Screenshot: project CI/CD variables; the deploy script below reads CA_PEM, CERT_PEM and KEY_PEM, plus DOCKER_USER and DOCKER_PASSWORD for the registry]

Just dump the contents of the certificates and key with cat: cat ca.pem. Copy and paste them into the variable values (ca.pem, cert.pem and key.pem are the client set from the docker docs; the CA private key stays on the machine where you generated it). Mark the variables as protected so they are only exposed to jobs on protected branches; they cannot be masked, because GitLab masks only single-line values. Whoever can read these variables can run containers as root on your server. Newer GitLab versions also offer the File variable type, which writes the value to a temporary file and hands the job its path.

Let's write the pipeline GitLab will run. The docker-in-docker (dind) service provides the docker daemon inside the job. Note that docker:dind images from 19.03 onward enable TLS by default, so with an unpinned dind image the plain tcp://docker:2375 below needs DOCKER_TLS_CERTDIR set to an empty string, or you switch to tcp://docker:2376 with TLS.

.gitlab-ci.yml

image:
  name: docker/compose:1.23.2
  # override the entrypoint so the image works under dind
  entrypoint: ["/bin/sh", "-c"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

services:
  - docker:dind

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script goes here

The contents of the deployment script, with comments:

bin/deploy.sh

#!/usr/bin/env sh
# Exit immediately if anything fails
set -e
# Print each line as it is read (unlike set -x this does not expand
# variables, so the registry password is not echoed into the job log)
set -v

# Compose file describing the application
DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case on the gitlab worker
# (exported so the docker CLI picks it up)
export DOCKER_CERT_PATH=/root/.docker

# check that everything we need is present in the container
docker info
docker-compose version

# create the directory (we are still working on the client, the gitlab worker)
mkdir -p $DOCKER_CERT_PATH
# extract the variable contents, stripping the stray carriage returns
# that were added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/ca.pem
echo "$CERT_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/cert.pem
echo "$KEY_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/key.pem
# just in case, make them read-only
chmod 400 $DOCKER_CERT_PATH/ca.pem
chmod 400 $DOCKER_CERT_PATH/cert.pem
chmod 400 $DOCKER_CERT_PATH/key.pem

# from here on we talk to the remote docker daemon: the actual deploy
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376

# check that the connection succeeds
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  ps

# log in to the docker registry; you can point this at your own "local" registry
# (--password-stdin keeps the password off the command line and out of ps)
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin

docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  pull app
# bring the application up
docker-compose \
  -f $DOCKER_COMPOSE_FILE \
  up -d app

The main difficulty was getting the certificate contents out of the gitlab CI/CD variables in the obvious way. I could not understand why the connection to the remote daemon host was failing. On the host I checked the log with sudo journalctl -u docker; it showed an error during the TLS handshake. I decided to look at what was actually being stored in the variables, which you can do like this: cat -A $DOCKER_CERT_PATH/key.pem (carriage returns show up as ^M at the end of each line). I fixed the error by stripping the carriage-return character with tr -d '\r'.
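A more defensive way to write the PEM material from the CI/CD variables, as an added example that is not part of the original article and covers both the pasting step above and the three tr lines in deploy.sh. It strips the carriage returns that cat -A shows as ^M (note the backslash: tr -d 'r' would delete the letter r and leave the ^M in place), refuses to write a value that is not PEM at all (unset or wrong variable pasted, which otherwise surfaces later as an opaque TLS error), and creates each file with mode 0400 from the start instead of chmod-ing it after the secret has already been written with the default umask. The sample value is constructed with Windows line endings and is not a real certificate.

```shell
#!/bin/sh
# Added example, not part of the original article: safer replacement for the
# `echo "$X_PEM" | tr -d '\r' > file` lines in deploy.sh.

# write_pem VALUE DEST : normalise VALUE and write it to DEST; 0 on success.
write_pem() {
    cleaned=$(printf '%s\n' "$1" | tr -d '\r')
    # Refuse anything without PEM armour: an empty or wrong variable would
    # otherwise only show up later as a TLS handshake error on the daemon.
    if ! printf '%s\n' "$cleaned" | grep -q '^-----BEGIN ' ||
       ! printf '%s\n' "$cleaned" | grep -q '^-----END '; then
        echo "write_pem: $2: value is not PEM (empty or wrong variable?)" >&2
        return 1
    fi
    # umask 077 makes the file private from the moment it is created.
    ( umask 077 && printf '%s\n' "$cleaned" > "$2" ) && chmod 400 "$2"
}

# install_docker_certs DIR : write the three files the docker CLI expects in
# DOCKER_CERT_PATH from the CI/CD variables used by deploy.sh.
install_docker_certs() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    write_pem "$CA_PEM"   "$1/ca.pem"   &&
    write_pem "$CERT_PEM" "$1/cert.pem" &&
    write_pem "$KEY_PEM"  "$1/key.pem"
}

# count_cr FILE : number of carriage returns left in FILE (should be 0).
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Constructed sample value with CRLF line endings, as it arrives after being
# pasted into a GitLab variable from a Windows editor. Not a real certificate.
SAMPLE_CRLF_PEM=$(printf '%s\r\n' \
    '-----BEGIN CERTIFICATE-----' \
    'MIIBszCCAVkCAQEwCgYIKoZIzj0EAwIwMTELMAkGA1UEBhMCWFgxEjAQBgNVBAoT' \
    'CWV4YW1wbGUgQ0ExDjAMBgNVBAMTBXJvb3Qx' \
    '-----END CERTIFICATE-----')

# Usage in a job, once the variables exist in the project's CI/CD settings:
#   install_docker_certs /root/.docker && export DOCKER_CERT_PATH=/root/.docker
```

Failing fast in write_pem turns a cryptic "bad certificate" or handshake error from dockerd into a message naming the variable that was empty or pasted wrongly, which is where the time went in the story above.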

After that you can add post-deploy tasks to the script as you see fit. A working version lives in my repository: https://gitlab.com/isqad/gitlab-ci-cd

Source: www.habr.com
