GitLab: automatically build Docker images and push them to a specified Registry

Posted by 聪少 on 2018-08-14

Install and start Harbor

Harbor officially offers online and offline installers. Download the Harbor offline installer package linked from the GitHub releases page (Docker and docker-compose must already be installed on the host):

wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.2.tgz
tar -zxvf harbor-offline-installer-v1.5.2.tgz -C /opt/

Edit harbor.cfg. The comments in the configuration file document many more advanced options, including HTTPS, LDAP and email settings; here we only change hostname to the host's internal IP. The same file also sets the initial admin password (harbor_admin_password, which defaults to Harbor12345); change it before the portal is reachable by anyone else.

cd /opt/harbor
vim harbor.cfg

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = 10.100.7.46

Run the Harbor installer:

./install.sh

docker-compose (1.7.1+) must be installed first; otherwise the script fails with the error below:

[Step 0]: checking installation environment ...
Note: docker version: 1.13.1
✖ Need to install docker-compose(1.7.1+) by yourself first and run this script again.

Installing docker-compose

Via pip
pip -V
yum -y install epel-release
yum install python-pip
pip install --upgrade pip
pip -V

Install docker-compose

pip install docker-compose

or, with a longer download timeout:

pip --default-timeout=200 install -U docker-compose

Official installation method

The installation method from the official site (more reliable). The binary is fetched straight from the GitHub release, so compare it against the checksum file published alongside that release before marking it executable, and pin the version (1.22.0 here) rather than following a "latest" link:

sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Check docker-compose

[root@rancher-3 harbor]# docker-compose version
docker-compose version 1.22.0, build f46880f
docker-py version: 3.5.0
CPython version: 2.7.5
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013

Setting up HTTP mode

Continue the Harbor installation

./install.sh

A long wait... (output pasted here to pad the word count)

> ./install.sh

[Step 0]: checking installation environment ...
...
[Step 1]: loading Harbor images ...
...
[Step 2]: preparing environment ...
...
[Step 3]: checking existing instance of Harbor ...
...
[Step 4]: starting Harbor ...
...
✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://10.100.7.46 .
For more details, please visit https://github.com/vmware/harbor .

root@container /opt/harbor

Visit http://10.100.7.46 and the Harbor login page appears.

(screenshot: login page)

Create a Harbor project of your own (the push below uses a project named tfcloud).

(screenshot: harbor_project)

Setting up HTTPS mode

Create the certificates
  • Create a directory for the certificates
mkdir -p /data/harbor/cert
cd /data/harbor/cert/
  • Create the CA root certificate
openssl req  -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/L=ZheJiang/O=TF/CN=harbor-registry"
  • Generate a certificate signing request, with the access domain set to harbor.tf.cn
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.tf.cn.key -out server.csr -subj "/C=CN/L=ZheJiang/O=TF/CN=harbor.tf.cn"
  • Issue the host certificate
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.tf.cn.crt

Two caveats. ca.key can sign any certificate your Docker hosts will then trust for this registry, so restrict it (chmod 600) and keep it off the Docker hosts; only ca.crt is distributed. The host certificate above carries the name only in its CN, with no subjectAltName; Docker clients built with Go 1.15 or later refuse such certificates, so for newer clients add a subjectAltName extension (DNS:harbor.tf.cn) when signing.

Edit the configuration file

vim /opt/harbor/harbor.cfg

# hostname of the private registry; an IP address or a domain name, and it must match the name in the certificate
hostname = harbor.tf.cn
# protocol users reach the registry with; the default is http, set it to https
ui_url_protocol = https
# path to the certificate file
ssl_cert = /data/harbor/cert/harbor.tf.cn.crt
# path to the certificate's private key
ssl_cert_key = /data/harbor/cert/harbor.tf.cn.key

The comments are kept on their own lines: harbor.cfg is read by a parser that does not treat a trailing # as a comment, so text appended after a value would become part of that value.

Reinstall

cd /opt/harbor/
docker-compose down
./install.sh

Add the following line to /etc/hosts on this machine and the registry can be reached by its domain name:

10.77.0.129    harbor.tf.cn

Login

(screenshot: https-login)

Configure the registry certificate for Docker

On the Docker host, create the directory and copy the ca.crt for harbor.tf.cn into it (I did this on a single machine, so cp suffices; use scp if the hosts differ). The directory name must equal the registry name used in docker login and in image tags; Docker then trusts this CA for that one registry only, not system-wide.

mkdir -p  /etc/docker/certs.d/harbor.tf.cn
cp /data/harbor/cert/ca.crt /etc/docker/certs.d/harbor.tf.cn/
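The certificate steps above and this certs.d step, combined into an added shell script that is not part of the original post. It does what the openssl commands above do but adds a subjectAltName (required by Docker clients built with Go 1.15 or later), turns the checks a practitioner runs anyway (chain verifies, key matches certificate, the CA really issued a certificate for the expected name) into functions, and only then copies the CA into the per-registry trust directory. The host name harbor.tf.cn and IP 10.77.0.129 are the post's; the output directory and the certs.d root are parameters (an assumption made here) so the script can be exercised without root, with /etc/docker/certs.d used in production.

```shell
#!/bin/sh
# Added example, not from the original post. Issues a CA-signed certificate
# for the Harbor host with a subjectAltName, then installs the CA on a Docker
# host so that only that registry name is trusted. Directory arguments are
# parameters (assumed) so the script can run unprivileged in a scratch dir.
set -eu

# make_harbor_certs DIR HOST IP
#   writes ca.key, ca.crt, HOST.key, HOST.crt into DIR and self-checks them
make_harbor_certs() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"

    # 1. Private CA. "req -x509" marks it CA:TRUE; the key stays root-only.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/L=ZheJiang/O=TF/CN=harbor-registry"
    chmod 600 "$dir/ca.key"

    # 2. Server key and CSR for the registry host name.
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=CN/L=ZheJiang/O=TF/CN=$host"
    chmod 600 "$dir/$host.key"

    # 3. Leaf extensions: SAN for DNS name and IP, server auth only, not a CA.
    cat > "$dir/v3.ext" <<EOF
subjectAltName=DNS:$host,IP:$ip
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment
basicConstraints=CA:FALSE
EOF

    # 4. Sign the CSR with the CA, applying the extensions above.
    openssl x509 -req -days 365 -sha256 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/v3.ext" -out "$dir/$host.crt"

    # 5. Self-checks: chain verifies, SAN is present, key matches certificate.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
    [ "$(openssl x509 -in "$dir/$host.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$dir/$host.key" -noout -modulus)" ] || return 1
}

# install_docker_ca CERTS_D HOST CA_CRT SERVER_CRT
#   copies CA_CRT to CERTS_D/HOST/ca.crt only after confirming that this CA
#   issued SERVER_CRT for HOST; CERTS_D is /etc/docker/certs.d in production
install_docker_ca() {
    certs_d="$1"; host="$2"; ca="$3"; srv="$4"
    openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 \
        || { echo "refusing: $ca did not issue $srv" >&2; return 1; }
    openssl x509 -in "$srv" -noout -text | grep -q "DNS:$host" \
        || { echo "refusing: $srv carries no SAN for $host" >&2; return 1; }
    mkdir -p "$certs_d/$host"
    # world-readable is fine: this is the public CA certificate, not the key
    install -m 0644 "$ca" "$certs_d/$host/ca.crt"
}

# Production usage (run as root on the Harbor host, then on each Docker host):
#   make_harbor_certs /data/harbor/cert harbor.tf.cn 10.77.0.129
#   install_docker_ca /etc/docker/certs.d harbor.tf.cn /data/harbor/cert/ca.crt /data/harbor/cert/harbor.tf.cn.crt
```

Point harbor.cfg's ssl_cert and ssl_cert_key at the generated harbor.tf.cn.crt and harbor.tf.cn.key; the second function refuses to trust a CA for a registry name that the CA never issued a certificate for, which catches the common mistake of copying the wrong ca.crt into certs.d.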

Set up the hosts file on the Docker host

vim /etc/hosts
10.77.0.129 harbor.tf.cn

Test login

[root@web-helm-5 ~]#  docker login harbor.tf.cn
Username: imscc
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

The warning is worth acting on: the Harbor password is written base64-encoded, not encrypted, to /root/.docker/config.json, where anyone with root on that host can read it. A credential helper (docker-credential-pass or docker-credential-secretservice on Linux) keeps it out of that file.

Test push

Write a Dockerfile

mkdir test
cd test
vim Dockerfile

Contents:

# CentOS 7 base, pinned to match the EPEL 7 release package installed below
FROM centos:7

# Maintainer (MAINTAINER is deprecated; LABEL is the supported form)
LABEL maintainer="imscc imscc@qq.com"

# Commands: add the EPEL repository, install nginx, run it in the foreground
RUN rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install nginx -y
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
RUN echo "this is test nginx image" > /usr/share/nginx/html/index.html
EXPOSE 80
CMD ["nginx"]

Save

Build (the tfcloud path component is the Harbor project created earlier; a push is rejected if the project does not exist)

docker build -t harbor.tf.cn/tfcloud/nginx:v1.0.1 .
Push the image to the Harbor registry

[root@web-helm-5 ~/test]# docker push harbor.tf.cn/tfcloud/nginx:v1.0.1
The push refers to repository [harbor.tf.cn/tfcloud/nginx]
dd250c41fcf1: Pushed
b0244cc49d76: Pushed
56e2a022284b: Pushed
b699f2e960b2: Pushed
1d31b5806ba4: Pushed
v1.0.1: digest: sha256:ca4f6c7f3335cd0e343640e8b1c5850d9c75a550462cee31b3f4f5713dbe30ea size: 1367

Check Harbor

(screenshot: push_results)

Configure the GitLab CI variables

The .gitlab-ci.yml below reads the registry address, the Harbor account and the image path from CI variables. Because Harbor is not GitLab's built-in container registry, these are set by hand as project CI/CD variables. Where the GitLab version supports it, mark the password variable masked and protected so it does not appear in job logs and is only exposed to protected branches.

(screenshot: set_value_5)
(screenshot: set_value_6)
(screenshot: set_value_4)

Write the project's .gitlab-ci.yml

# a stage used by a job must be declared, otherwise GitLab rejects the pipeline
stages:
  - build_image

before_script:
  - docker info
  # -p puts the password on the command line, where it shows in the job log and the
  # process list; docker warns about this, and --password-stdin avoids it
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

build_image:
  stage: build_image
  script:
    - docker build --pull -t $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    - docker rmi $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
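As an added example that is not the post's own file, a version of this pipeline that keeps the Harbor password off the command line and tags every image with the commit it was built from. It assumes the same project CI/CD variables the post uses (CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD, CI_REGISTRY_IMAGE) and a runner that mounts the Docker socket; the job image tag docker:24.0 is an assumption, and any image that ships the docker CLI works (the runner's alpine:3 default does not).

```yaml
# Added example, not the post's own .gitlab-ci.yml. Assumes the project CI/CD
# variables CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD and
# CI_REGISTRY_IMAGE from the post, and a runner that mounts /var/run/docker.sock.
stages:
  - build_image

build_image:
  stage: build_image
  # assumed tag; the job needs an image containing the docker CLI (alpine:3 has none)
  image: docker:24.0
  before_script:
    - docker info
    # the password travels over stdin instead of argv, so it is neither in the
    # job log nor visible to other processes on the runner host
    - echo "$CI_REGISTRY_PASSWORD" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    # immutable tag bound to the commit, plus the moving branch tag the post uses
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
  after_script:
    # drop the stored credential and the local copies even when a step failed
    - docker logout "$CI_REGISTRY"
    - docker rmi "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" || true
```

Deploy by the commit SHA tag; the branch tag is a convenience pointer that moves on every build and cannot be audited later. docker logout removes the base64 entry from ~/.docker/config.json inside the job container before it exits.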

Setting up gitlab-runner

Here gitlab-runner is not deployed in Docker, because during CI the separately started container could not reach internal short hostnames (if any fellow reader has a solution, please tell me at imscc@qq.com).

Install

sudo wget -O /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
sudo chmod +x /usr/local/bin/gitlab-runner

This URL always returns the newest build. For a runner that will execute jobs with access to the host's Docker socket, prefer a versioned release path and compare the binary against the published checksum before installing it.

Register

gitlab-runner register
......(see the previous post for the settings)
gitlab-runner start
gitlab-runner list

I recommend generating the config this way, then adding the Docker mount and so on on top of the generated config. I did not use tag-based triggering; see below (I added this later after studying tags, so the project may not match, but I trust you can follow it).

gitlab-runner register \
--non-interactive \
--url "http://10.100.7.46:8088" \
--registration-token "5LUCEPZqHhBaGuRUsh9b" \
--executor "docker" \
--docker-image alpine:3 \
--description "uuid" \
--tag-list "docker,aws,uuid" \
--run-untagged \
--locked="false"

run-untagged means the runner does not need to match job tags, which matters for beginners: add it and the runner picks up jobs right away. Two things to keep in mind: the registration token is a credential (anyone holding it can attach a runner to this GitLab and receive its jobs), so a token that has been pasted anywhere, including in this post, should be reset; and --locked="false" lets other projects enable this runner, which a runner that mounts the Docker socket should not allow.

Next, commit the code

There are many pitfalls at this point, so I am pasting my gitlab-runner config here for reference

concurrent = 1
check_interval = 0

[[runners]]
name = "busybox"
url = "http://10.100.7.46:8088/"
token = "63f748dd347bf00c9304360e7e5b2f"
executor = "docker"
[runners.docker]
tls_verify = false
# default job image; a job that runs docker commands needs an image that ships the docker CLI, which alpine:3 does not
image = "alpine:3"
privileged = false
disable_cache = false
# especially here: mount the Docker socket so jobs can reach the host daemon
volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
shm_size = 0
[runners.cache]

If the job fails with a certificate error, do as for Harbor above and copy the certificate into the Docker certificate directory.

Mounting /var/run/docker.sock means every job this runner executes can drive the host's Docker daemon, which is equivalent to root on the runner host (a job can start a privileged container with the host filesystem mounted). Reserve such a runner for trusted projects, do not let it pick up jobs from merge requests of untrusted forks, and treat the runner token in this file like a password.

Good luck! Below are screenshots of my successful run

(screenshot: ok_1)
(screenshot: ok_2)
(screenshot: ok_3)