持续集成和持续交互:jenkins使用tls连接docker主机、ssh插件的使用、ansible参数化
jenkins持续集成
- 1. 准备一台server4作为docker主机
- 2. jenkins使用tls方式连接docker构建主机
- 3. 使用jenkins使用ssh插件
- 4. 在server3上安装ansible
1. 准备一台server4作为docker主机
[root@server4 ~]# cat /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable
enabled=1
gpgcheck=0
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[root@server4 ~]# ls
container-selinux-2.77-1.el7.noarch.rpm # 解决安装docker的依赖
[root@server4 ~]# yum install docker-ce container-selinux-2.77-1.el7.noarch.rpm -y
2. jenkins使用tls方式连接docker构建主机
TLS加密的英文全称是Transport Layer Security,翻译过来就是安全传输层协议。
TLS是用于在两个通信应用程序之间,为通信提供保密性和数据完整性。这个协议一共有两层,分别是记录协议和握手协议。通过这个协议可以对网站、网络传真、电子邮件等数据传输进行加密、保密。
生成key和ca证书
[root@server4 ~]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................................................................................................++
....++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:123456
Verifying - Enter pass phrase for ca-key.pem:123456
[root@server4 ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:123456
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:changzhi
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server4
Email Address []:root@westos.org
生成server-key和csr文件(server3为dcker主机名)
CSR是Certificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书私钥签名就生成了证书公钥文件,也就是颁发给用户的证书。
[root@server4 ~]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
...................................++
......++
e is 65537 (0x10001)
[root@server4 ~]# openssl req -subj "/CN=server4" -sha256 -new -key server-key.pem -out server.csr
可以使用ip地址方式进行tls连接
[root@server4 ~]# echo subjectAltName = DNS:server4,IP:172.25.60.4,IP:127.0.0.1 >> extfile.cnf
[root@server4 ~]# echo extendedKeyUsage = serverAuth >> extfile.cnf
[root@server4 ~]# cat extfile.cnf
subjectAltName = DNS:server4,IP:172.25.60.4,IP:127.0.0.1
extendedKeyUsage = serverAuth
[root@server4 ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=server4
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@server4 ~]# ls
ca-key.pem ca.pem ca.srl extfile.cnf server-cert.pem server.csr server-key.pem
[root@server4 ~]# systemctl start docker
[root@server4 ~]# cp ca.pem server-cert.pem server-key.pem /etc/docker/
修改docker启动脚本的位置
[root@server4 ~]# cp /usr/lib/systemd/system/docker.service /etc/systemd/system/
[root@server4 ~]# vim /etc/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376
# 激活tls校验,指定证书的位置,tcp监听本加的docker端口是0.0.0.0:2376
[root@server4 ~]# systemctl daemon-reload # 重新加载某个服务的配置文件,如果新安装了一个服务,归属于 systemctl 管理,要是新服务的服务程序配置文件生效,需重新加载。
[root@server4 ~]# systemctl restart docker
[root@server4 ~]# netstat -antlpe|grep :2376
tcp6 0 0 :::2376 :::* LISTEN 0 46241 4815/dockerd # 开启2376端口
生成客户端key和证书
[root@server4 ~]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................................................................................++
...........................................................................................++
e is 65537 (0x10001)
[root@server4 ~]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr
[root@server4 ~]# echo extendedKeyUsage = clientAuth > extfile.cnf
[root@server4 ~]# cat extfile.cnf
extendedKeyUsage = clientAuth
[root@server4 ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:123456
让证书的信息是jenkins识别到
因为harbor仓库连接是加密的,所以把harbor仓库所在主机(server1)的认证文件发送到server4上
[root@server1 ~]# scp -r /etc/docker/certs.d/ [email protected]:/etc/docker/
[root@server4 ~]# systemctl restart docker
配置加速器
[root@server4 docker]# pwd
/etc/docker
[root@server4 docker]# cat daemon.json
{
"registry-mirrors": ["https://qe6d82ah.mirror.aliyuncs.com"]
}
地址解析
[root@server4 docker]# cat /etc/hosts
172.25.60.1 server1 reg.westos.org
测试:构建成功,说明docker和jenkins的连接没有问题
3. 使用jenkins使用ssh插件
新增一台server5虚拟机
安装docker
yum install docker-ce container-selinux-2.77-1.el7.noarch.rpm -y
systemctl start docker
[root@server5 docker]# pwd
/etc/docker
[root@server5 docker]# cat daemon.json
{
"registry-mirrors": ["https://reg.westos.org"] # 改为自己的harbor仓库地址
}
[root@server5 docker]# cat /etc/hosts # 添加解析
172.25.60.1 server1 reg.westos.org
[root@server3 docker]# scp -r certs.d/ server5:/etc/docker/ # 证书
[root@server5 ~]# systemctl restart docker
测试:尝试是否可以拉取镜像
[root@server5 ~]# docker pull gitdemo # 拉取成功
Using default tag: latest
latest: Pulling from library/gitdemo
afb6ec6fdc1c: Pull complete
b90c53a0b692: Pull complete
11fa52a0fdc0: Pull complete
163b370228be: Pull complete
Digest: sha256:761361c50e7712840786be8c7ff65a3a0fd7f1a2ee667505a7d6c149dd86ebfc
Status: Downloaded newer image for gitdemo:latest
docker.io/library/gitdemo:latest
在插件管理中下载ssh插件
测试:让docker自动下载镜像并运行
触发成功
4. 在server3上安装ansible
[root@server3 yum.repos.d]# cat ansible.repo
[ansible]
name=ansible
baseurl=https://mirrors.aliyun.com/epel/7/x86_64/ # 阿里云镜像
gpgcheck=0
[root@server3 yum.repos.d]# yum install ansible -y
在gitlab上新建playbook项目
[root@server2 ~]# git clone [email protected]:root/playbook.git # 克隆
Cloning into 'playbook'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
[root@server2 ~]# ls
playbook
[root@server2 ~]# cd playbook/
[root@server2 playbook]# cat playbook.yml
---
- hosts: all
tasks:
- name: install httpd
yum:
name: httpd
state: present
- name: start httpd
service:
name: httpd
state: started
[root@server2 playbook]# mkdir inventory
[root@server2 playbook]# cd inventory/
[root@server2 inventory]# cat prod
[prod]
172.25.60.5
[root@server2 inventory]# cat test
[test]
172.25.60.4
[root@server2 playbook]# tree .
.
├── inventory
│ ├── prod
│ └── test
├── playbook.yml
└── README.md
创建一个ansible用户
[root@server4 ~]# useradd ansible
[root@server4 ~]# passwd ansible
Changing password for user ansible.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server4 ~]# visudo
root ALL=(ALL) ALL
ansible ALL=(ALL) NOPASSWD:ALL
[root@server5 ~]# useradd ansible
[root@server5 ~]# passwd ansible
Changing password for user ansible.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server5 ~]# visudo
root ALL=(ALL) ALL
anbile ALL=(ALL) NOPASSWD:ALL
[root@server3 ~]# usermod -s /bin/bash jenkins # 修改用户shell
[root@server3 ~]# su - jenkins
-bash-4.2$ id
uid=998(jenkins) gid=996(jenkins) groups=996(jenkins)
-bash-4.2$ ssh-keygen
-bash-4.2$ ssh-copy-id ansible@172.25.60.4
-bash-4.2$ ssh-copy-id ansible@172.25.60.5
[root@server2 playbook]# cat ansible.cfg
[defaults]
remote_user = ansible
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[root@server2 playbook]# tree .
.
├── ansible.cfg
├── inventory
│ ├── prod
│ └── test
├── playbook.yml
└── README.md
[root@server2 playbook]# git add .
[root@server2 playbook]# git status -s
A ansible.cfg
A inventory/prod
A inventory/test
A playbook.yml
[root@server2 playbook]# git commit -m "add playbook"
[master 67d5d2c] add playbook
4 files changed, 23 insertions(+)
create mode 100644 ansible.cfg
create mode 100644 inventory/prod
create mode 100644 inventory/test
create mode 100644 playbook.yml
[root@server2 playbook]# git push -u origin master
Counting objects: 8, done.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (7/7), 670 bytes | 0 bytes/s, done.
Total 7 (delta 0), reused 0 (delta 0)
To git@172.25.60.2:root/playbook.git
e9703f2..67d5d2c master -> master
Branch master set up to track remote branch master from origin.
触发成功
