企业级-搭建CICD(持续集成持续交付)实验手册

搭建CI/CD(持续集成/持续交付)企业示例

目标:通过CI(持续集成)自动构建容器镜像并上传到Harbor仓库;业务主机再通过CD(持续交付)自动从仓库拉取latest版本的镜像,完成业务更新。

1.环境部署

1.1 环境搭建

业务 IP 域名
GitLab 172.25.254.50 gitlab.dhj.org
Jenkins 172.25.254.60 jenkins.dhj.org
Dockernode 172.25.254.100 dockernode.dhj.org
Harbor 172.25.254.200 harbor.dhj.org

1.2 环境准备

1.2.1 火墙及SELinux的关闭
bash 复制代码
~]# systemctl disable --now firewalld
~]# sed -i '/^SELINUX=/ c SELINUX=disabled' /etc/selinux/config
~]# reboot			# 不想立即重启时,可先执行临时命令 setenforce 0(注意不是 setenforce=0)切换到 Permissive;这并不等于 disabled,永久生效仍需修改配置文件
# 注意:关闭防火墙和SELinux只是为了简化实验;生产环境应保持二者开启,只放行各服务所需的端口
1.2.2 编写各业务主机解析
bash 复制代码
~]# vim /etc/hosts
172.25.254.50   gitlab.dhj.org
172.25.254.60   jenkins.dhj.org
172.25.254.100  dockernode.dhj.org
172.25.254.200  reg.dhj.org

# 如果在上面发现这样很麻烦,可以使用scp
scp /etc/hosts root@172.25.254.xxx:/etc/hosts
1.2.3 Harbor业务主机:Harbor仓库搭建--registry
bash 复制代码
[root@reg ~]# cd /etc/yum.repos.d
[root@reg yum.repos.d]# vim docker.repo
[docker]
name = docker-ce
baseurl = https://mirrors.aliyun.com/docker-ce/linux/rhel/9/x86_64/stable
gpgcheck = 0
# 注意:gpgcheck = 0 会跳过软件包签名校验,仅适合实验环境;正式环境应设为 gpgcheck = 1 并通过 gpgkey 指定仓库公钥

[root@reg yum.repos.d]# yum makecache

[root@reg yum.repos.d]# rpm -qa | grep podman
podman-4.6.1-5.el9.x86_64
cockpit-podman-76-1.el9_3.noarch

[root@reg yum.repos.d]# rm -rf podman-4.6.1-5.el9.x86_64
[root@reg yum.repos.d]# rm -rf cockpit-podman-76-1.el9_3.noarch
# 注意:rm -rf 只会删除当前目录下的同名文件,并不会卸载软件包;如需卸载,应使用 dnf remove -y podman cockpit-podman

# 上传所需文件
[root@reg ~]# cd /mnt/
[root@reg mnt]# ls
docker.tar.gz  packages.zip

[root@reg mnt]# tar zxf docker.tar.gz
[root@reg mnt]# unzip packages.zip

[root@reg mnt]# ls
docker  docker.tar.gz packages  packages.zip
[root@reg mnt]# cd docker/

[root@reg docker]# yum install *.rpm

# 在第15行命令,在后面加上参数 --iptables=true
[root@reg docker]# vim /usr/lib/systemd/system/docker.service
15 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=true

[root@reg docker]# systemctl daemon-reload
[root@reg docker]# systemctl restart docker
bash 复制代码
[root@reg docker]# echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
[root@reg docker]# sysctl -p
net.ipv4.ip_forward = 1

[root@reg docker]# systemctl  enable --now docker
[root@reg docker]# docker info
bash 复制代码
# 以下除了rhel9不需要做,其他版本的系统建议去做
# 激活内核网络选项
]# echo br_netfilter > /etc/modules-load.d/docker_mod.conf
]# modprobe br_netfilter
]# vim /etc/sysctl.d/docker.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1

]# sysctl --system
]# systemctl  restart docker
bash 复制代码
# 创建自签名证书与私钥(-nodes 表示私钥不加密保存,应限制 /data/certs 的访问权限;证书有效期365天,到期后需重新签发并重新分发到各客户端)
[root@reg ~]# mkdir -p /data/certs
[root@reg ~]#  openssl req -newkey  rsa:4096 \
-nodes -sha256 -keyout /data/certs/dhj.org.key \
-addext "subjectAltName = DNS:reg.dhj.org" \
-x509 -days 365 -out /data/certs/dhj.org.crt

Common Name (eg, your name or your server's hostname) []:reg.dhj.org

# 创建证书目录并部署信任证书(使Docker客户端信任私有仓库的HTTPS证书)
[root@reg ~]# mkdir /etc/docker/certs.d/reg.dhj.org/ -p
[root@reg ~]# cp /data/certs/dhj.org.crt  /etc/docker/certs.d/reg.dhj.org/ca.crt
[root@reg ~]# systemctl restart docker
bash 复制代码
[root@reg ~]# cd /mnt/packages/
[root@reg packages]# cp -p harbor-offline-installer-v2.5.4.tgz  /root

[root@reg packages]# cd
[root@reg ~]# tar zxf harbor-offline-installer-v2.5.4.tgz

[root@reg ~]# cd harbor
[root@reg harbor]# cp harbor.yml.tmpl harbor.yml

# 需要修改内容如下(如果一致,不变即可):
[root@reg harbor]# vim harbor.yml
  5 hostname: reg.dhj.org
 17   certificate: /data/certs/dhj.org.crt				# 看自己的存放位置
 18   private_key: /data/certs/dhj.org.key				# 看自己的存放位置
 34 harbor_admin_password: admin						# 初始密码(admin 属于弱口令,仅供实验;正式环境应设置强密码,并在首次登录后立即修改)
 47 data_volume: /data									# 此处挂载的目录(需要跟上面证书与密钥在一个目录下)


[root@reg harbor]# ./install.sh --with-chartmuseum
[root@reg harbor]# docker compose down
[root@reg harbor]# docker compose up -d
bash 复制代码
# 去浏览器中去测试https://172.25.254.200
bash 复制代码
[root@reg ~]# cd /etc/docker/
[root@reg docker]# vim daemon.json
[root@reg docker]# cat daemon.json
{
        "registry-mirrors": ["https://reg.dhj.org"]
}

[root@reg docker]# systemctl restart docker

[root@reg docker]# docker logout reg.dhj.org
Removing login credentials for reg.dhj.org

~]# cd harbor/
[root@reg harbor]# docker compose restart

[root@reg harbor]# docker login reg.dhj.org
Username: admin
Password:admin

~]# docker info 
bash 复制代码
# 测试:上传一个镜像
[root@reg harbor]# cd
[root@reg ~]# cd /mnt/packages/

[root@reg packages]# docker load -i busybox-latest.tar.gz

[root@reg packages]# docker tag busybox:latest  reg.dhj.org/ceshi/busybox:latest
[root@reg packages]# docker push reg.dhj.org/ceshi/busybox:latest

# 查看是否上传成功(-k 会跳过证书校验,仅用于测试;证书已生成时可改用 --cacert /data/certs/dhj.org.crt 进行校验)
[root@reg packages]# curl -k https://reg.dhj.org/v2/_catalog -u admin:admin
{"repositories":["ceshi/busybox"]}

# 在浏览器中可以进行查看,如下图所示
# 成功即为部署完成!
1.2.4 GitLab业务主机:gitlab代码仓库搭建
1.2.4.1 部署git
1.安装
bash 复制代码
# 在rhel9的系统中默认自带git
[root@CICD-node1 ~]# dnf install git  -y

# 设定命令补全功能
[root@CICD-node1 timinglee]# echo "source  /usr/share/bash-completion/completions/git" >> ~/.bashrc
[root@CICD-node1 timinglee]# source  ~/.bashrc
2.初始化
bash 复制代码
[root@CICD-node1 ~]# mkdir  timinglee
[root@CICD-node1 timinglee]# git init

# 设定用户信息
[root@CICD-node1 timinglee]# git config --global user.name "timinglee"
[root@CICD-node1 timinglee]# git config --global user.email "timinglee@timinglee.org"
[root@CICD-node1 timinglee]# git status -s		#简化输出
1.2.4.2 部署gitlab
bash 复制代码
# 在安装包之前需配置好软件仓库来解决依赖性
[root@CICD-node1 ~]# yum install -y curl policycoreutils-python-utils  openssh-server perl
# 此处需要上传资源包
[root@CICD-node1 ~]# dnf install gitlab-ce-17.1.6-ce.0.el9.x86_64.rpm -y
bash 复制代码
# 修改配置文件
[root@CICD-node1 ~]# cd /etc/gitlab/
[root@CICD-node1 gitlab]# ls
gitlab.rb
[root@CICD-node1 gitlab]# vim gitlab.rb
32 external_url 'http://172.25.254.50'

# 修改配置文件后需执行 gitlab-ctl reconfigure 使其生效
# 注意:此处 external_url 使用 http,登录口令和令牌会以明文传输,仅限实验网络;正式环境应改为 https
[root@CICD-node1 gitlab]# gitlab-ctl reconfigure
# 执行命令成功后会把所有组件全部启动起来
bash 复制代码
# 查看原始密码
[root@CICD-node1 gitlab]# cat /etc/gitlab/initial_root_password
Password: jN9lq6NSP8a2V+4n57djzWlEGP7RZ43DSIse8sXJGTQ=		# 初始密码(账户默认为root;该文件会在首次 reconfigure 的24小时后被自动删除,应尽快登录并修改密码---后面设置成Dhjnb520即可)
# 注意:初始密码和新密码都属于敏感信息,实际环境中不要写进文档或截图

# 进入浏览器搜索172.25.254.50		# 用户即为root
1.登陆

2.设置语言
3.设置密码

4.在gitlab中新建项目


bash 复制代码
# 生成SSH密钥对(用于向GitLab认证;一路回车表示私钥不设口令)
[root@CICD-node1 ~]# ssh-keygen		# 一路回车
[root@CICD-node1 ~]# cat .ssh/id_rsa.pub
ssh-rsa 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 root@gitlab.dhj.org
5.上传公钥到gitlab中


6.下载项目
bash 复制代码
# 做此实验之前,需要将前面的timinglee目录删除,以免影响实验效果!
[root@gitlab ~]# rm -rf timinglee
[root@gitlab ~]# git clone  git@172.25.254.50:root/timinglee.git

[root@gitlab ~]# cd timinglee/
[root@gitlab timinglee]# ls
README.md
[root@gitlab timinglee]# git remote -v
origin  git@172.25.254.50:root/timinglee.git (fetch)
origin  git@172.25.254.50:root/timinglee.git (push)

# 文件提交
[root@CICD-node1 timinglee]# echo timinglee > timinglee
[root@CICD-node1 timinglee]# git add timinglee
[root@CICD-node1 timinglee]# git commit -m "add timinglee"
[root@CICD-node1 timinglee]# git push -u origin main

# 去浏览器中进行网页刷新,发现已经成功!
1.2.5 Jenkins业务主机:jenkins部署

jenkins需要部署在新的虚拟机中,建议最少4G内存,4核心cpu

bash 复制代码
# 安装依赖包
[root@jenkins ~]# dnf install -y fontconfig java-21-openjdk

# 上传资源包并安装jenkins
[root@jenkins ~]# dnf install -y jenkins-2.516.2-1.1.noarch.rpm

# 启动jenkins
[root@jenkins ~]# systemctl enable --now jenkins.service

# 查看原始密码
[root@jenkins ~]# cat /var/lib/jenkins/secrets/initialAdminPassword
f0d8f8bb85ff4b81aa65db1aff88d0ac
# 浏览器中进行172.25.254.60:8080
1.2.5.1 部署插件
bash 复制代码
# 如果网络环境不对;
# 此时会发现,很慢而且过不去,上传资源包里面的文件即可

[root@jenkins ~]# cd  /var/lib/jenkins/
[root@jenkins jenkins]# systemctl stop jenkins.service
[root@jenkins jenkins]# rm -fr plugins
[root@jenkins ~]# ls
jenkins-2.516.2-1.1.noarch.rpm  plugins.tar.gz
[root@jenkins ~]# tar zxf /root/plugins.tar.gz -C  /var/lib/jenkins/

[root@jenkins ~]# systemctl enable --now jenkins.service
[root@jenkins ~]# systemctl restart jenkins.service			# 一定要进行重启!!!
[root@jenkins ~]# cat /var/lib/jenkins/secrets/initialAdminPassword
f0d8f8bb85ff4b81aa65db1aff88d0ac
# 再次去测试即可

# 出现满屏红,后退之后进行安装即可

建议修改admin的密码,在admin的设置中修改即可

1.2.5.2 jenkins与gitlab的整合
bash 复制代码
# 下载git命令
[root@gitlab ~]# dnf install git  -y
[root@gitlab ceshi]# echo "source  /usr/share/bash-completion/completions/git" >> ~/.bashrc
[root@gitlab ceshi]# source  ~/.bashrc

这个错误的原因是因为本机没有gitlab上的sshkey

bash 复制代码
[root@jenkins ~]# ssh-keygen
[root@jenkins ~]# cat /root/.ssh/id_rsa.pub
ssh-rsa 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 root@jenkins.dhj.org

把此密钥添加到gitlab上即可


添加密钥凭据

bash 复制代码
[root@jenkins ~]# cd .ssh/
[root@jenkins .ssh]# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----


添加完成后报错依然存在,因为ssh首次连接主机是需要签名认证,需要手动输入yes(也可以网页刷新一下,重新添加即可)

bash 复制代码
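# 方法1(仅限实验环境):全局关闭主机密钥校验
# 注意:在 /etc/ssh/ssh_config 中设置 StrictHostKeyChecking no 后,本机发出的所有SSH连接都不再校验对端身份,会失去对中间人攻击的防护;正式环境应先核对GitLab主机公钥的指纹,再把它写入Jenkins运行用户的 known_hosts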
[root@jenkins ~]# vim /etc/ssh/ssh_config
 33    StrictHostKeyChecking no
bash 复制代码
# 方法2:看下面步骤即可

完成此设定即可解决

1.2.5.3 jenkins中gitlab触发器的部署

在 Jenkins 中配置 GitLab 触发器可以实现代码提交或合并请求时自动触发 Jenkins 流水线

1.安装插件

如果需要使用gitlab触发器需要安装gitlab插件。

目前使用官方源下载比较吃力,可以直接本地部署插件即可

bash 复制代码
# 由于网络环境差,访问官网下载插件的效果并不好;
# 可以选择本地部署插件
2.部署自动触发

插件加载完毕后在jenkins中选择之前构建的项目并配置自动触发


在gitlab中设定


bash 复制代码
# 这样可以感受到自动触发;但是发现感觉不是很强烈,下面展示明显的自动触发的效果!
3.测试自动触发
bash 复制代码
# 编写测试文件
[root@gitlab timinglee]# echo "This is a ceshi project! " > ceshi.txt
[root@gitlab timinglee]# git add ceshi.txt
[root@gitlab timinglee]# git commit -m "ceshi v1"
[root@gitlab timinglee]# git push -u origin main
bash 复制代码
# 此时打开浏览器去观察!
1.2.6 Dockernode业务主机:docker部署
1.2.6.1 docker部署与测试及配置Java环境
bash 复制代码
[root@dockernode ~]# vim /etc/yum.repos.d/docker.repo
[docker]
name = docker
baseurl = https://mirrors.aliyun.com/docker-ce/linux/rhel/9/x86_64/stable/
gpgcheck = 0
# 注意:gpgcheck = 0 会跳过软件包签名校验,仅适合实验环境;正式环境应设为 gpgcheck = 1 并通过 gpgkey 指定仓库公钥

[root@dockernode ~]# yum makecache
[root@dockernode ~]# yum install docker-ce fontconfig java-21-openjdk git -y

# 从harbor仓库中把认证文件复制到当前主机
[root@dockernode ~]# mkdir  /etc/docker/certs.d/reg.dhj.org/ -p
[root@dockernode ~]# scp root@172.25.254.200:/data/certs/dhj.org.crt  /etc/docker/certs.d/reg.dhj.org/ca.crt
[root@dockernode ~]# vim /etc/docker/daemon.json
{
        "registry-mirrors": ["https://reg.dhj.org"]
}

[root@dockernode ~]# systemctl restart docker
[root@dockernode ~]# systemctl enable --now docker

# 测试一下docker是否安装好(先要在harbor-reg主机中)
[root@reg packages]# ls
nginx-latest.tar.gz
[root@reg packages]# docker load -i nginx-latest.tar.gz
[root@reg packages]# docker tag nginx:latest reg.dhj.org/library/nginx:latest
[root@reg packages]# docker push reg.dhj.org/library/nginx:latest

[root@dockernode ~]# docker info | grep https
  https://reg.dhj.org/
[root@dockernode ~]# docker pull nginx
[root@dockernode ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
nginx        latest    5ef79149e0ec   12 months ago   188MB
1.2.7 Jenkins业务主机:将Harbor仓库-registry节点部署在jenkins上
1.2.7.1 在harbor仓库主机中安装java环境及git
bash 复制代码
[root@harbor harbor]# dnf install  fontconfig java-21-openjdk git -y
# 设定git命令补全功能
[root@harbor harbor]# echo "source  /usr/share/bash-completion/completions/git" >> ~/.bashrc
[root@harbor harbor]# source  ~/.bashrc

初始只有一个master节点


bash 复制代码
# 添加凭证(以下 root/root 仅为实验示例;正式环境应为构建节点使用专用的低权限账号,并用SSH密钥代替弱口令)
# 用户 --> root
# 密码 --> root
bash 复制代码
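# 如果registry主机一直连接不上,常见原因是Jenkins服务器(/var/lib/jenkins/.ssh/known_hosts)从未连接过目标主机 172.25.254.200,因此没有后者的SSH主机密钥记录
# 注意:下面的命令以root执行,写入的是 /root/.ssh/known_hosts;如果Jenkins以jenkins用户运行,需要把记录写入 /var/lib/jenkins/.ssh/known_hosts
# ssh-keyscan 取回的主机密钥未经验证,写入前应与目标主机上 ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub 等命令输出的指纹核对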
[root@jenkins ~]# ssh-keygen -R 172.25.254.200
[root@jenkins ~]# ssh-keyscan 172.25.254.200 >> ~/.ssh/known_hosts
[root@jenkins ~]# grep "172.25.254.200" ~/.ssh/known_hosts
[root@jenkins ~]# systemctl restart jenkins
bash 复制代码
# Number of executors(执行器数量)指的是Jenkins主节点上可以同时运行的任务(Job)的数量
# 将master节点任务数量降为0

1.3 配置构建节点

1.3.1 在jenkins中安装构建插件
bash 复制代码
# 此处在上面已经安装过了,本处可以忽略
bash 复制代码
# 这里的ssh插件会报毒(很可能是Jenkins针对该插件给出的安全告警;实验环境可以继续,正式环境应先查看告警内容,再决定是否使用或更换方案)
1.3.2 设置jenkins的容器构建规则


2.解决ca证书问题

bash 复制代码
# 诊断SSL证书问题
[root@reg reg.dhj.org]# curl -v https://reg.dhj.org/v2/ 2>&1 | grep -E "(SSL|cert|CA)"
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

# 获取服务器当前证书
[root@reg reg.dhj.org]# echo | openssl s_client -connect reg.dhj.org:443 -showcerts 2>/dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/current_cert.pem

# 比较证书文件
[root@reg reg.dhj.org]# diff /etc/docker/certs.d/reg.dhj.org/ca.crt /tmp/current_cert.pem

# 复制证书到系统CA存储目录
[root@reg reg.dhj.org]# cd
[root@reg ~]# cp /etc/docker/certs.d/reg.dhj.org/ca.crt  /etc/pki/ca-trust/source/anchors/

# 更新CA信任存储
[root@reg ~]# update-ca-trust
# 验证证书已被添加
[root@reg ~]# openssl verify /etc/docker/certs.d/reg.dhj.org/ca.crt

# 重启Docker服务
[root@reg ~]# systemctl restart docker

# 重载docker compose
[root@reg ~]# cd harbor/
[root@reg harbor]# docker compose down && docker compose up -d

# 测试连接
[root@reg harbor]# curl -v https://reg.dhj.org/v2/
*   Trying 172.25.254.200:443...
* Connected to reg.dhj.org (172.25.254.200) port 443 (#0)

# 测试Docker是否能与Registry--harbor仓库正常通信
[root@dockernode ~]# docker pull reg.dhj.org/library/nginx:latest
# 成功!

3.测试镜像构建

在gitlab中建立Dockerfile和index.html

bash 复制代码
[root@gitlab timinglee]# vim index.html
www.dhj.org v1

[root@gitlab timinglee]# vim Dockerfile
FROM nginx
COPY index.html /usr/share/nginx/html

[root@gitlab timinglee]# git add index.html Dockerfile
[root@gitlab timinglee]# git status -s

[root@gitlab timinglee]# git commit -m "webserver v1"
[root@gitlab timinglee]# git push -u origin main

4.设置在业务节点自动运行

bash 复制代码
# 上面的ssh.hpi的插件上面已经装过



bash 复制代码
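# Jenkins remote command: redeploy the "myapp" container on the docker node
# from the registry's webserver:latest image.
# Reminder: docker rm takes -f (force); there is no -rf form.
image=reg.dhj.org/library/webserver:latest

# Pull first. If the registry is unreachable or the certificate is rejected,
# stop here so the currently running container is left untouched.
# An explicit pull also guarantees a cached :latest on this host is refreshed
# even when no old container exists (the original only removed the image
# after it had removed a container).
docker pull "$image" || exit 1

# Match the container by exact name. A bare `grep myapp` over `docker ps -a`
# output also matches any row that merely contains "myapp" (another
# container's name, an image name, a command line).
if docker ps -a --format '{{.Names}}' | grep -qx myapp; then
  docker rm -f myapp
fi

# NOTE(review): :latest is a mutable tag, so this host cannot tell which
# build it is running; deploying a build-specific tag or digest would make
# the running version traceable. The previous image is left untagged after
# the pull and can be cleaned up with the host's normal image pruning.
docker run -d --name myapp -p 80:80 "$image"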
bash 复制代码
# 此时会发现并没有改变
# 是由于docker-action此项目是由timinglee这个项目触发的
bash 复制代码
# 可以自己构建(手动触发)

bash 复制代码
# 此时去浏览器中搜索172.25.254.100即可看到测试效果

5.测试效果

bash 复制代码
[root@gitlab ceshi]# vim index.html
[root@gitlab ceshi]# git commit -a -m "webserver v4"
[root@gitlab ceshi]# git push -u origin main

此时会发现并没有改变

是由于docker-action此项目是由timinglee这个项目触发的

# 可以自己构建(手动触发)


bash 复制代码
# 此时去浏览器中搜索172.25.254.100即可看到测试效果


5.测试效果

bash 复制代码
[root@gitlab ceshi]# vim index.html
[root@gitlab ceshi]# git commit -a -m "webserver v4"
[root@gitlab ceshi]# git push -u origin main

