持续集成和持续交互:jenkins使用tls连接docker主机、ssh插件的使用、ansible参数化
jenkins持续集成
1. 准备一台server4作为docker主机
[root@server4 ~]# cat /etc/yum.repos.d/docker-ce.repo [docker-ce-stable] name=Docker CE Stable - $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable enabled=1 gpgcheck=0 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [root@server4 ~]# ls container-selinux-2.77-1.el7.noarch.rpm # 解决安装docker的依赖 [root@server4 ~]# yum install docker-ce container-selinux-2.77-1.el7.noarch.rpm -y
2. jenkins使用tls方式连接docker构建主机
TLS加密的英文全称是Transport Layer Security,翻译过来就是安全传输层协议。
TLS是用于在两个通信应用程序之间,为通信提供保密性和数据完整性。这个协议一共有两层,分别是记录协议和握手协议。通过这个协议可以对网站、网络传真、电子邮件等数据传输进行加密、保密。
生成key和ca证书
[root@server4 ~]# openssl genrsa -aes256 -out ca-key.pem 4096 Generating RSA private key, 4096 bit long modulus ................................................................................................++ ....++ e is 65537 (0x10001) Enter pass phrase for ca-key.pem:123456 Verifying - Enter pass phrase for ca-key.pem:123456 [root@server4 ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem Enter pass phrase for ca-key.pem:123456 Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:shanxi Locality Name (eg, city) [Default City]:changzhi Organization Name (eg, company) [Default Company Ltd]:westos Organizational Unit Name (eg, section) []:linux Common Name (eg, your name or your server's hostname) []:server4 Email Address []:root@westos.org
生成server-key和csr文件(server3为dcker主机名)
CSR是Certificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书私钥签名就生成了证书公钥文件,也就是颁发给用户的证书。
[root@server4 ~]# openssl genrsa -out server-key.pem 4096 Generating RSA private key, 4096 bit long modulus ...................................++ ......++ e is 65537 (0x10001) [root@server4 ~]# openssl req -subj "/CN=server4" -sha256 -new -key server-key.pem -out server.csr
可以使用ip地址方式进行tls连接
[root@server4 ~]# echo subjectAltName = DNS:server4,IP:172.25.60.4,IP:127.0.0.1 >> extfile.cnf [root@server4 ~]# echo extendedKeyUsage = serverAuth >> extfile.cnf [root@server4 ~]# cat extfile.cnf subjectAltName = DNS:server4,IP:172.25.60.4,IP:127.0.0.1 extendedKeyUsage = serverAuth [root@server4 ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf Signature ok subject=/CN=server4 Getting CA Private Key Enter pass phrase for ca-key.pem: [root@server4 ~]# ls ca-key.pem ca.pem ca.srl extfile.cnf server-cert.pem server.csr server-key.pem [root@server4 ~]# systemctl start docker [root@server4 ~]# cp ca.pem server-cert.pem server-key.pem /etc/docker/
修改docker启动脚本的位置
[root@server4 ~]# cp /usr/lib/systemd/system/docker.service /etc/systemd/system/ [root@server4 ~]# vim /etc/systemd/system/docker.service ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 # 激活tls校验,指定证书的位置,tcp监听本加的docker端口是0.0.0.0:2376 [root@server4 ~]# systemctl daemon-reload # 重新加载某个服务的配置文件,如果新安装了一个服务,归属于 systemctl 管理,要是新服务的服务程序配置文件生效,需重新加载。 [root@server4 ~]# systemctl restart docker [root@server4 ~]# netstat -antlpe|grep :2376 tcp6 0 0 :::2376 :::* LISTEN 0 46241 4815/dockerd # 开启2376端口
生成客户端key和证书
[root@server4 ~]# openssl genrsa -out key.pem 4096 Generating RSA private key, 4096 bit long modulus .....................................................................................................................................++ ...........................................................................................++ e is 65537 (0x10001) [root@server4 ~]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr [root@server4 ~]# echo extendedKeyUsage = clientAuth > extfile.cnf [root@server4 ~]# cat extfile.cnf extendedKeyUsage = clientAuth [root@server4 ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf Signature ok subject=/CN=client Getting CA Private Key Enter pass phrase for ca-key.pem:123456
让证书的信息是jenkins识别到
因为harbor仓库连接是加密的,所以把harbor仓库所在主机(server1)的认证文件发送到server4上
[root@server1 ~]# scp -r /etc/docker/certs.d/ root@172.25.60.4:/etc/docker/ [root@server4 ~]# systemctl restart docker
配置加速器
[root@server4 docker]# pwd
/etc/docker
[root@server4 docker]# cat daemon.json
{
"registry-mirrors": ["https://qe6d82ah.mirror.aliyuncs.com"]
}
地址解析
[root@server4 docker]# cat /etc/hosts 172.25.60.1 server1 reg.westos.org
测试:构建成功,说明docker和jenkins的连接没有问题
3. 使用jenkins使用ssh插件
新增一台server5虚拟机
安装docker
yum install docker-ce container-selinux-2.77-1.el7.noarch.rpm -y
systemctl start docker
[root@server5 docker]# pwd
/etc/docker
[root@server5 docker]# cat daemon.json
{
"registry-mirrors": ["https://reg.westos.org"] # 改为自己的harbor仓库地址
}
[root@server5 docker]# cat /etc/hosts # 添加解析
172.25.60.1 server1 reg.westos.org
[root@server3 docker]# scp -r certs.d/ server5:/etc/docker/ # 证书
[root@server5 ~]# systemctl restart docker
测试:尝试是否可以拉取镜像
[root@server5 ~]# docker pull gitdemo # 拉取成功 Using default tag: latest latest: Pulling from library/gitdemo afb6ec6fdc1c: Pull complete b90c53a0b692: Pull complete 11fa52a0fdc0: Pull complete 163b370228be: Pull complete Digest: sha256:761361c50e7712840786be8c7ff65a3a0fd7f1a2ee667505a7d6c149dd86ebfc Status: Downloaded newer image for gitdemo:latest docker.io/library/gitdemo:latest
在插件管理中下载ssh插件
测试:让docker自动下载镜像并运行
触发成功
4. 在server3上安装ansible
[root@server3 yum.repos.d]# cat ansible.repo [ansible] name=ansible baseurl=https://mirrors.aliyun.com/epel/7/x86_64/ # 阿里云镜像 gpgcheck=0 [root@server3 yum.repos.d]# yum install ansible -y
在gitlab上新建playbook项目
[root@server2 ~]# git clone git@172.25.60.2:root/playbook.git # 克隆
Cloning into 'playbook'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
[root@server2 ~]# ls
playbook
[root@server2 ~]# cd playbook/
[root@server2 playbook]# cat playbook.yml
---
- hosts: all
tasks:
- name: install httpd
yum:
name: httpd
state: present
- name: start httpd
service:
name: httpd
state: started
[root@server2 playbook]# mkdir inventory
[root@server2 playbook]# cd inventory/
[root@server2 inventory]# cat prod
[prod]
172.25.60.5
[root@server2 inventory]# cat test
[test]
172.25.60.4
[root@server2 playbook]# tree .
.
├── inventory
│ ├── prod
│ └── test
├── playbook.yml
└── README.md
创建一个ansible用户
[root@server4 ~]# useradd ansible [root@server4 ~]# passwd ansible Changing password for user ansible. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully. [root@server4 ~]# visudo root ALL=(ALL) ALL ansible ALL=(ALL) NOPASSWD:ALL [root@server5 ~]# useradd ansible [root@server5 ~]# passwd ansible Changing password for user ansible. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully. [root@server5 ~]# visudo root ALL=(ALL) ALL anbile ALL=(ALL) NOPASSWD:ALL [root@server3 ~]# usermod -s /bin/bash jenkins # 修改用户shell [root@server3 ~]# su - jenkins -bash-4.2$ id uid=998(jenkins) gid=996(jenkins) groups=996(jenkins) -bash-4.2$ ssh-keygen -bash-4.2$ ssh-copy-id ansible@172.25.60.4 -bash-4.2$ ssh-copy-id ansible@172.25.60.5 [root@server2 playbook]# cat ansible.cfg [defaults] remote_user = ansible [privilege_escalation] become=True become_method=sudo become_user=root become_ask_pass=False [root@server2 playbook]# tree . . ├── ansible.cfg ├── inventory │ ├── prod │ └── test ├── playbook.yml └── README.md [root@server2 playbook]# git add . [root@server2 playbook]# git status -s A ansible.cfg A inventory/prod A inventory/test A playbook.yml [root@server2 playbook]# git commit -m "add playbook" [master 67d5d2c] add playbook 4 files changed, 23 insertions(+) create mode 100644 ansible.cfg create mode 100644 inventory/prod create mode 100644 inventory/test create mode 100644 playbook.yml [root@server2 playbook]# git push -u origin master Counting objects: 8, done. Compressing objects: 100% (5/5), done. Writing objects: 100% (7/7), 670 bytes | 0 bytes/s, done. Total 7 (delta 0), reused 0 (delta 0) To git@172.25.60.2:root/playbook.git e9703f2..67d5d2c master -> master Branch master set up to track remote branch master from origin.
触发成功
