jenkins持续集成——Jenkins+企业级的私有仓库运用

上篇文章完成了本机registry私有仓库的镜像拉取部署（主要是Jenkins主动扫描gitlab，被动触发，间隔一分钟。）
本章内容
1.gitlab自动实时触发jenkins（添加gitlab插件)
搜索插件gitlab，点击直接安装

 外发请求

允许来自钩子和服务的对本地网络的请求。
允许Webhook和服务对本地网络的请求
允许系统钩子向本地网络发送的请求

更改demo的构建参数

更改文件权限
[root@server5 run]# chmod 777 docker.sock
[root@server5 run]# ll docker.sock
srwxrwxrwx 1 root docker 0 Jun 18 23:57 docker.sock
[root@server5 run]# pwd
/var/run

手动点击构建

下面设置实时触发




上图的token和链接复制到gitlab上


返回值200正确

更改Jenkins的执行shell

远程执行构建任务
新建一台虚拟机server2
Jenkins使用tls方式连接docker构建主机，启动远程docker主机加密
生成key和ca证书

[root@server2 ~]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..........................++
.......++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:  westos
Verifying - Enter pass phrase for ca-key.pem: westos

[root@server2 ~]# ls
  ca-key.pem   ca证书
  
[root@server2 ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:   westos
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:ci'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server2
Email Address []:root@westos.org

生成server-key和csr文件（server3为dcker主机名）

[root@server2 ~]#  openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................++
.....++
e is 65537 (0x10001)
[root@server2 ~]# openssl req -subj "/CN=server2" -sha256 -new -key server-key.pem -out server.csr
[root@server2 ~]# ls
ca-key.pem  ca.pem   server.csr  server-key.pem

使用ip地址方式进行tls连接

[root@server2 ~]# echo subjectAltName = DNS:server2,IP:172.25.254.2,IP:127.0.0.1 >> extfile.cnf
[root@server2 ~]# echo extendedKeyUsage = serverAuth >> extfile.cnf
[root@server2 ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem   -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=server2
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@server2 ~]# ls
 ca-key.pem  ca.pem  ca.srl  extfile.cnf    server-cert.pem  server.csr  server-key.pem

安装docker证书

[root@server2 ~]# cp ca.pem server-cert.pem server-key.pem /etc/docker/
[root@server2 ~]# cp /usr/lib/systemd/system/docker.service /etc/systemd/system/docker.service
[root@server2 ~]# vim /etc/systemd/system/docker.service  tls校验
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376  端口自定义
[root@server2 ~]#  systemctl daemon-reload 
[root@server2 ~]# systemctl restart docker

[root@server2 ~]# netstat -tnpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7487/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7648/master         
tcp6       0      0 :::2376                 :::*                    LISTEN      9200/dockerd        
tcp6       0      0 :::22                   :::*                    LISTEN      7487/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      7648/master       

远程访问2736端口是加密的，生成客户端key和证书

[root@server2 ~]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........................................++
............++
e is 65537 (0x10001)
[root@server2 ~]# ls生成此文件
  key.pem  
[root@server2 ~]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr
[root@server2 ~]# echo extendedKeyUsage = clientAuth > extfile.cnf
[root@server2 ~]# cat extfile.cnf 
extendedKeyUsage = clientAuth

[root@server2 ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem   -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem: westos
[root@server2 ~]# ls
  ca-key.pem   key.pem  客户端
  ca.pem  ca.srl    cert.pem  client.csr  extfile.cnf   server.cs
  server-cert.pem r  server-key.pem  server端

client key:    cat key.pem 
client certificate:     cat cert.pem
server CA certificate:   cat ca.pem 

在server2上配置镜像加速器

[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# cat  daemon.json
{  
	"registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]  
} 
[root@server2 docker]# systemctl restart docker
[root@server2 docker]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@server2 docker]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

添加解析和证书
[root@server2 docker]# vim /etc/hosts
172.25.254.1 server1  reg.westos.org
[root@server2 docker]# ls
ca.pem  certs.d  daemon.json  key.json  server-cert.pem  server-key.pem
[root@server2 docker]# cd certs.d/
[root@server2 certs.d]# ls
reg.westos.org
[root@server2 certs.d]# cd reg.westos.org/
[root@server2 reg.westos.org]# ls
ca.crt

使用ssh远程部署镜像，这里直接使用server2主机（也可以新建一台主机专门测试）
新建主机的配置：server3

[root@server3 ~]# yum install  -y docker-ce
[root@server5 docker]# scp /etc/yum.repos.d/westos.repo server3:/etc/yum.repos.d/
[root@server5 docker]# scp -r certs.d/ server3:/etc/docker/
[root@server5 docker]# scp /etc/sysctl.d/bridge.conf server3:/etc/sysctl.d/
[root@server5 ~]# scp /etc/docker/daemon.json server3:/etc/docker/
[root@server3 ~]# systemctl enable --now docker
[root@server3 ~]# vim /etc/hosts

插件已经安装

当前一个具体的流程：git提交文件——gitlab接受文件——触发jenkins——构建到server6(build host)——上传push(harbor仓库)——交付部署使用

进行配置使容器交付到server2



在Jenkins进入docker


点击立即构建查看控制台输出


进行完整的测试

在server4进行文件内容的更改
[root@server4 ~]# cd demo/
[root@server4 demo]# ls
Dockerfile  index.html  README.md
[root@server4 demo]# cat index.html 
www.linux.org
www.westos.org
www.westos.org

[root@server4 demo]# vim index.html 
[root@server4 demo]# cat index.html 
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org
www.redhat.org

上传文件

[root@server4 demo]# git commit -a -m "uodate index,html"
[master 617b14a] uodate index,html
 1 file changed, 11 insertions(+), 3 deletions(-)
[root@server4 demo]# git push origin master
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 271 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
To git@172.25.254.4:root/demo.git
   1476b29..617b14a  master -> master

文件推送成功


harbor仓库已经上传

server2访问成功