A First Look at CI/CD (3): GitLab Automatically Builds Docker Images and Pushes Them to a Specified Registry

Tue Aug 14, 2018

Tags: devops  

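Install and start Harbor

Harbor officially offers two installation methods, online and offline. Download the Harbor offline installer from GitHub (Docker and docker-compose must be installed on this machine):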

wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.2.tgz
tar -zxvf harbor-offline-installer-v1.5.2.tgz -C /opt/

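Edit harbor.cfg. The comments in the configuration file describe many more advanced options, including HTTPS, LDAP and mail settings; here we only change hostname to this machine's internal IP.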

cd /opt/harbor
vim harbor.cfg
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 10.100.7.46

Run the Harbor installer:

./install.sh

docker-compose (1.7.1+) must be installed, otherwise you get the following error

[Step 0]: checking installation environment ...
Note: docker version: 1.13.1
✖ Need to install docker-compose(1.7.1+) by yourself first and run this script again.
Installing docker-compose
Installing with pip
pip -V
yum -y install epel-release
yum install python-pip
pip install --upgrade pip
pip -V

Install docker-compose

pip install docker-compose
Official install method

Or

pip --default-timeout=200 install -U docker-compose

Install method from the official site (more reliable)

sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Check the docker-compose version

[[email protected] harbor]# docker-compose version
docker-compose version 1.22.0, build f46880f
docker-py version: 3.5.0
CPython version: 2.7.5
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013

Set up HTTP mode

Continue installing Harbor

./install.sh

A long wait... (pasted here to pad the word count)

> ./install.sh

[Step 0]: checking installation environment ...
。。。
[Step 1]: loading Harbor images ...
。。。
[Step 2]: preparing environment ...
。。。
[Step 3]: checking existing instance of Harbor ...
。。。
[Step 4]: starting Harbor ...
。。。
✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://10.100.7.46 .
For more details, please visit https://github.com/vmware/harbor .

[email protected] /opt/harbor

Visit http://10.100.7.46 and you will see the Harbor login page

[Screenshot: login page]

Create a Harbor project of your own [screenshot: harbor_project]

Set up HTTPS mode

Create the certificates
  • Create the directory that holds the certificates
mkdir -p /data/harbor/cert
cd /data/harbor/cert/
  • Create the CA root certificate
openssl req  -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/L=ZheJiang/O=TF/CN=harbor-registry"
  • Generate a certificate signing request, with the access domain set to harbor.tf.cn
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.tf.cn.key -out server.csr -subj "/C=CN/L=ZheJiang/O=TF/CN=harbor.tf.cn"
  • Generate the host certificate
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.tf.cn.crt
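
Added example, not part of the original post: the commands above put the hostname only in the certificate CN, which Docker clients built with Go 1.15 or later reject in favour of subjectAltName. The script below issues the same CA and server certificate with a SAN and checks the result; the function names and the 2048-bit key size (chosen to keep the run short) are assumptions.

```shell
#!/bin/sh
# Added example: issue the Harbor server certificate with a subjectAltName.
# Function names and the 2048-bit key size are assumptions for this demo.

# issue_cert DIR HOST [san|nosan] -> writes ca.crt and HOST.crt into DIR
issue_cert() {
    dir=$1; host=$2; mode=${3:-san}
    mkdir -p "$dir" || return 1
    # CA root certificate, same subject as in the article
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/L=ZheJiang/O=TF/CN=harbor-registry" 2>/dev/null || return 1
    # Server key and certificate signing request
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/server.csr" \
        -subj "/C=CN/L=ZheJiang/O=TF/CN=$host" 2>/dev/null || return 1
    if [ "$mode" = san ]; then
        # x509 -req does not copy extensions from the CSR; supply them here
        printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
        openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/san.ext" -out "$dir/$host.crt" 2>/dev/null
    else
        # CN-only certificate, as produced by the commands in the article
        openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$host.crt" 2>/dev/null
    fi
}

# cert_has_san CERT HOST -> exit 0 if CERT lists DNS:HOST in subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# chain_ok CA CERT -> exit 0 if CERT verifies against CA
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `issue_cert /data/harbor/cert harbor.tf.cn` in place of the three openssl commands, then confirm with `cert_has_san` before pointing ssl_cert at the result.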

Edit the configuration file

vim /opt/harbor/harbor.cfg

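# Hostname of the private registry; an IP address or a domain name
hostname = harbor.tf.cn
# Protocol used to access the registry; the default is http, set it to https
ui_url_protocol = https
# Path to the certificate file
ssl_cert = /data/harbor/cert/harbor.tf.cn.crt
# Path to the certificate key file
ssl_cert_key = /data/harbor/cert/harbor.tf.cn.key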

Reinstall

cd /opt/harbor/
docker-compose down
./install.sh

Add the following line to /etc/hosts on this machine so that Harbor can be reached directly by domain name

10.77.0.129    harbor.tf.cn

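Log in [screenshot: https-login]

Configure the Docker registry certificate

On the Docker host, create the directory and copy the ca.crt file for harbor.tf.cn into it (I did this on a single machine, so a plain cp is enough; on separate machines you can use scp)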

mkdir -p  /etc/docker/certs.d/harbor.tf.cn
cp /data/harbor/cert/ca.crt /etc/docker/certs.d/harbor.tf.cn/

Set up the hosts file on the Docker host

vim /etc/hosts
10.77.0.129    harbor.tf.cn

Test login

[[email protected] ~]#  docker login harbor.tf.cn
Username: imscc
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Test push

Write the Dockerfile
mkdir test
cd test
vim Dockerfile

Contents


FROM centos

# Maintainer
MAINTAINER imscc [email protected]

# Commands
RUN rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install nginx -y
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
RUN echo "this is test nginx image" > /usr/share/nginx/html/index.html
EXPOSE 80
CMD ["nginx"]

Save

Build
docker build -t harbor.tf.cn/tfcloud/nginx:v1.0.1 .
Push the image to the Harbor registry
[[email protected] ~/test]# docker push harbor.tf.cn/tfcloud/nginx:v1.0.1
The push refers to repository [harbor.tf.cn/tfcloud/nginx]
dd250c41fcf1: Pushed
b0244cc49d76: Pushed
56e2a022284b: Pushed
b699f2e960b2: Pushed
1d31b5806ba4: Pushed
v1.0.1: digest: sha256:ca4f6c7f3335cd0e343640e8b1c5850d9c75a550462cee31b3f4f5713dbe30ea size: 1367

Check Harbor [screenshot: push_results]

Configure the gitlab-runner variables

[Screenshots: set_value_5, set_value_6, set_value_4]

Write the project's .gitlab-ci.yml file

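# A custom stage name must be declared before a job can use it
stages:
  - build_image

before_script:
  - docker info
  # Pass the password on stdin so it does not show up in the process list
  - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

build_image:
  stage: build_image
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
    - docker rmi "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"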

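Set up gitlab-runner (non-Docker)

Here gitlab-runner is not deployed in Docker, because during CI the separately started container services could not reach internal short domain names (if anyone has a solution, please let me know [email protected])

Install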

sudo wget -O /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
sudo chmod +x /usr/local/bin/gitlab-runner

Register

gitlab-runner register
...... (for the configuration, see the previous post)
gitlab-runner start
gitlab-runner list

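I recommend generating the configuration my way and then adding the Docker directory and other settings on top of it. I did not use tag-based triggering here; see below (I added this part later while looking into tags, so the project may not match, but I trust you will be able to follow).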

gitlab-runner register \
  --non-interactive \
  --url "http://10.100.7.46:8088" \
  --registration-token "5LUCEPZqHhBaGuRUsh9b" \
  --executor "docker" \
  --docker-image alpine:3 \
  --description "uuid" \
  --tag-list "docker,aws,uuid" \
  --run-untagged \
  --locked="false" 

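run-untagged means jobs do not need a matching tag. This matters a lot for beginners: add it and you can start testing right away.

Next, commit the code

There are many pitfalls here, so I am pasting my gitlab-runner configuration for your reference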

concurrent = 1
check_interval = 0

[[runners]]
  name = "busybox"
  url = "http://10.100.7.46:8088/"
  token = "63f748dd347bf00c9304360e7e5b2f"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "alpine:3"
    privileged = false
    disable_cache = false
    # Note this line in particular: the Docker socket mount must be listed here
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    shm_size = 0
  [runners.cache]
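
Added example, not part of the original post: mounting /var/run/docker.sock lets every CI job drive the host's Docker daemon, and the runner URL above is plain HTTP. The script below flags those settings in a config.toml; the function names and the embedded sample (constructed, with a placeholder token) are assumptions.

```shell
#!/bin/sh
# Added example: flag risky settings in a gitlab-runner config.toml.
# Line-based matching, enough for the flat layout shown in the article.

# audit_runner_config FILE -> prints one finding per line, nothing if clean
audit_runner_config() {
    awk '
        # skip comment lines
        /^[ \t]*#/ { next }
        /^[ \t]*url[ \t]*=[ \t]*"http:/ {
            print "cleartext-url: runner token and job traffic travel over HTTP"
        }
        /^[ \t]*privileged[ \t]*=[ \t]*true/ {
            print "privileged: job containers run with full host capabilities"
        }
        /^[ \t]*volumes[ \t]*=/ && /\/var\/run\/docker\.sock/ {
            print "docker-socket: jobs control the host Docker daemon (root-equivalent)"
        }
    ' "$1"
}

# write_sample_config FILE -> constructed sample mirroring the article config
write_sample_config() {
    cat > "$1" <<'EOF'
concurrent = 1
check_interval = 0

[[runners]]
  name = "busybox"
  url = "http://10.100.7.46:8088/"
  token = "PLACEHOLDER_TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "alpine:3"
    privileged = false
    # Docker socket mount
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
EOF
}
```

A runner that mounts the socket is best kept dedicated to trusted projects, so a finding here is a prompt to review who can push jobs to it.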

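If you get a certificate error, follow the Harbor approach above and copy the certificate into Docker's directory.

Good luck! Below are screenshots of my successful run

[Screenshots: ok_1, ok_2, ok_3]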
