Once I thought about automating the deployment of my project. gitlab.com kindly provides all the tools for this, so I decided to make use of them, figured them out and wrote a small deploy script. In this article I share my experience with the community.
TL;DR
- Set up a VPS: disable root login, disable password login, install dockerd, configure ufw
- Generate server and client certificates: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
- Enable control of dockerd over a tcp socket: remove the -H fd:// option from the docker config
- Register the certificate paths in docker.json
- Register gitlab variables in the CI/CD settings with the contents of the certificates. Write a .gitlab-ci.yml script for the deployment.
I will show all examples on the Debian distribution.
Initial VPS setup
So, you have bought an instance, for example from a VPS provider:
[Screenshot]
First, install the ufw firewall:
apt-get update && apt-get install ufw
Let's set the default policy: deny all incoming connections, allow all outgoing ones:
ufw default deny incoming
ufw default allow outgoing
Important: don't forget to allow ssh connections:
ufw allow OpenSSH
The general syntax is as follows. Allow connections on a port: ufw allow 12345, where 12345 is a port number or a service name. Deny: ufw deny 12345
Enable the firewall:
ufw enable
Log out of the session and log in again via ssh.
Add a user, give them a password, and add them to the sudo group.
apt-get install sudo
adduser scoty
usermod -aG sudo scoty
Next, according to plan, you should disable password login. To do this, copy your ssh key to the server:
ssh-copy-id scoty@<server-ip>
The server ip must be yours. Now try to log in with the user created earlier; you no longer need to enter a password. Next, change the following in the configuration file:
sudo nano /etc/ssh/sshd_config
disable password login:
PasswordAuthentication no
Restart the sshd daemon:
sudo systemctl reload sshd
Now if you or someone else tries to log in as the root user, it won't work.
Next, install dockerd. I won't describe the process here, since everything may already have changed; follow the link to the official site and go to the steps for installing docker on your virtual machine:
Generating certificates
To control the docker daemon remotely, an encrypted TLS connection is needed. For this you need a certificate and a key, which must be generated and transferred to your remote machine. Follow the steps given in the instructions on the official docker site:
Setting up dockerd
In the docker daemon startup script, remove the -H fd:// option; this option determines which host the docker daemon can be controlled from.
# At /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Next, create the settings file, if it does not exist, and specify the options:
/etc/docker/docker.json
{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "labels": [
    "is-our-remote-engine=true"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlsverify": true
}
Let's allow connections on port 2376:
sudo ufw allow 2376
Let's restart dockerd with the new settings:
sudo systemctl daemon-reload && sudo systemctl restart docker
Let's check:
sudo systemctl status docker
If everything is "green", we assume docker has been configured successfully on the server.
Setting up continuous delivery in gitlab
For the GitLab worker to be able to execute commands on the remote Docker host, it is necessary to decide how and where to store the certificates and the key for the encrypted connection to dockerd. I solved this by adding the following variables to the gitlab settings:
Just print the contents of the certificates and the key with cat: cat ca.pem. Copy and paste them into the variable values.
Let's write the script that GitLab will use. The docker-in-docker (dind) image will be used.
.gitlab-ci.yml
image:
  name: docker/compose:1.23.2
  # override the entrypoint so that it works in dind
  entrypoint: ["/bin/sh", "-c"]
variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
services:
  - docker:dind
stages:
  - deploy
deploy:
  stage: deploy
  script:
    - bin/deploy.sh # the deploy script is here
Contents of the deploy script, with comments:
bin/deploy.sh
#!/usr/bin/env sh
# Fail immediately if any error occurs
set -e
# Print what we are doing
set -v

DOCKER_COMPOSE_FILE=docker-compose.yml
# Where we deploy to
DEPLOY_HOST=185.241.52.28
# Path for the client certificates, i.e. in our case the gitlab worker
DOCKER_CERT_PATH=/root/.docker
# check that everything is present in the container
docker info
docker-compose version
# create the path (we are now working in the client, the gitlab worker)
mkdir -p $DOCKER_CERT_PATH
# extract the contents of the variables, removing the extra characters
# (carriage returns) added when the variables were saved
echo "$CA_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/ca.pem
echo "$CERT_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/cert.pem
echo "$KEY_PEM" | tr -d '\r' > $DOCKER_CERT_PATH/key.pem
# just in case, allow read only
chmod 400 $DOCKER_CERT_PATH/ca.pem
chmod 400 $DOCKER_CERT_PATH/cert.pem
chmod 400 $DOCKER_CERT_PATH/key.pem
# from here on we work with the remote docker daemon. The deploy itself
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://$DEPLOY_HOST:2376
# check that the connection succeeds
docker-compose \
    -f $DOCKER_COMPOSE_FILE \
    ps
# log in to the docker registry; here you can specify your own "local" registry
docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
docker-compose \
    -f $DOCKER_COMPOSE_FILE \
    pull app
# bring up the application
docker-compose \
    -f $DOCKER_COMPOSE_FILE \
    up -d app
The main problem was "pulling" the contents of the certificates out of the gitlab CI/CD variables in the usual way. I could not figure out why the connection to the remote daemon host was not working. On the host I looked at the log with sudo journalctl -u docker, and there was an error during the handshake. I decided to look at what is actually stored in the variables; you can do that like this: cat -A $DOCKER_CERT_PATH/key.pem. I fixed the error by adding removal of the carriage-return character with tr -d '\r'.
Next, you can add post-release tasks to the script at your discretion. You can see a working version in my repository
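The certificate-writing step of the script above and the carriage-return problem described in the last paragraph, as an added example that is not the article's own code: a small POSIX shell helper that writes PEM material from a CI variable to a file with CR characters stripped and owner-read-only permissions from the moment the file exists, then checks that no CR remains and that the file is a single well-formed PEM block. The certificate body is a constructed dummy and DEMO_DIR is an assumed scratch path.

```shell
#!/usr/bin/env sh
# Added example (not from the article): write PEM material held in a
# GitLab CI variable to a file safely, then verify the result.
set -eu

# write_pem FILE CONTENT: strip carriage returns (the cause of the TLS
# handshake failure described in the article) and create the file with
# owner-read-only permissions from the start via umask, instead of
# chmod'ing after a world-readable file has already been created.
write_pem() {
    file=$1
    content=$2
    mkdir -p "$(dirname "$file")"
    rm -f "$file"
    ( umask 077 && printf '%s\n' "$content" | tr -d '\r' > "$file" )
    chmod 400 "$file"
}

# check_pem FILE: return 0 only if the file contains no CR characters and
# is a single PEM block (BEGIN on the first line, END on the last).
check_pem() {
    file=$1
    if grep -q "$(printf '\r')" "$file"; then
        echo "carriage returns remain in $file" >&2
        return 1
    fi
    head -n 1 "$file" | grep -q '^-----BEGIN ' || return 1
    tail -n 1 "$file" | grep -q '^-----END ' || return 1
}

# Constructed demo input: a fake certificate with CRLF line endings, which is
# what the article's `cat -A` reveals in a pasted CI variable.
DEMO_DIR=${TMPDIR:-/tmp}/demo-docker-certs   # assumed scratch location
DEMO_CA_PEM=$(printf '%b' '-----BEGIN CERTIFICATE-----\r\nTUlJQmR1bW15\r\n-----END CERTIFICATE-----\r\n')

write_pem "$DEMO_DIR/ca.pem" "$DEMO_CA_PEM"
check_pem "$DEMO_DIR/ca.pem" && echo "ca.pem: clean, mode 0400"
```

The same helper applies unchanged to cert.pem and key.pem; the check can run in the CI job before DOCKER_HOST is pointed at the remote daemon, so a corrupted variable fails fast with a clear message instead of a TLS handshake error.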
Source: www.habr.com