Previously I ran Docker + Jenkins + GitLab locally. Because the blog server is in Hong Kong and transferring files to it directly was inconvenient, builds were also relayed through a Tencent Cloud server in Chengdu plus Aliyun Code; the full process is described in the earlier post [腾讯云][阿里云]网站迁移小结 (site migration notes for Tencent Cloud and Aliyun).

Now I plan to deploy Jenkins + GitLab directly on the cloud server. That makes the build logic more direct and shortens the blog deployment pipeline further. Let's go!!!
## Overall workflow

Locally, both Jenkins and GitLab were deployed with Docker, so the Jenkins data lives in a Docker volume and the GitLab data lives on the local filesystem. The overall procedure is:

1. Pack the local Jenkins and GitLab data, copy it to the cloud server and unpack it
2. Pull the Jenkins and GitLab images and start the containers
3. Register an SSL certificate and configure HTTPS
4. Open the required ports in the Tencent Cloud security group

GitLab bundles its own Nginx and exposes the corresponding SSL configuration parameters, so it can be configured directly; for Jenkins, the SSL connection is set up through an Nginx reverse proxy.
## GitLab data migration

### Pack the local data

```shell
$ tar zcvf gitlab.tar.gz /srv/gitlab
```

### Upload to the cloud server

```shell
$ scp gitlab.tar.gz ubuntu@xxx.xxx.xxx:/home/ubuntu
```

### Unpack back into the original location

```shell
$ tar zxvf gitlab.tar.gz -C /
```

### Container service

Pull the image:

```shell
$ docker pull gitlab/gitlab-ce:latest
```
## Jenkins data migration

For backing up and restoring the volume, see [docker volume] Create and manage volumes.

### Container service

Pull the image:

```shell
$ docker pull jenkins/jenkins:latest
```
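The volume step above only links to the Docker docs, so here is an added example (written for this page, not taken from the post or the Docker documentation) that moves the `jenkins_home` volume between hosts by streaming it through a throwaway alpine container. It assumes the volume is named `jenkins_home`, as in the docker-compose file later in the post; `DOCKER` is an assumed override used for dry runs.

```shell
#!/bin/sh
# Added example: move a named Docker volume (here jenkins_home) between hosts.
# The volume is read and written through a throwaway alpine container so no
# host path needs to be known. DOCKER is an assumed override (DOCKER=echo gives
# a dry run that only prints the commands).
DOCKER="${DOCKER:-docker}"

# backup_volume VOLUME ARCHIVE
# Archive the whole contents of VOLUME into ARCHIVE (a .tar.gz on this host).
backup_volume() {
    vol="$1"; archive="$2"
    dir=$(cd "$(dirname "$archive")" && pwd)
    file=$(basename "$archive")
    $DOCKER run --rm \
        -v "$vol:/data:ro" \
        -v "$dir:/backup" \
        alpine tar czf "/backup/$file" -C /data .
}

# restore_volume ARCHIVE VOLUME
# Create VOLUME (docker-compose expects it to exist when it is "external: true")
# and unpack ARCHIVE into it. tar run as root keeps numeric uid/gid, so the
# files stay owned by the jenkins user (uid 1000) the jenkins/jenkins image uses.
restore_volume() {
    archive="$1"; vol="$2"
    dir=$(cd "$(dirname "$archive")" && pwd)
    file=$(basename "$archive")
    $DOCKER volume create "$vol"
    $DOCKER run --rm \
        -v "$vol:/data" \
        -v "$dir:/backup:ro" \
        alpine tar xzf "/backup/$file" -C /data
}

# Typical use: on the old host
#   backup_volume jenkins_home ./jenkins_home.tar.gz
#   scp jenkins_home.tar.gz ubuntu@xxx.xxx.xxx:/home/ubuntu
# and on the cloud server
#   restore_volume /home/ubuntu/jenkins_home.tar.gz jenkins_home
```

Run the restore before `docker-compose up`, because the compose file declares the volume as `external: true` and will refuse to start if it does not exist.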
## Container deployment

Jenkins, GitLab and Nginx are orchestrated with docker-compose.

### SSL

Download a free SSL certificate from Aliyun.

### GitLab

The relevant Nginx configuration parameters live in the gitlab.rb configuration file:

```ruby
################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################
# nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80

##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"

##! enable/disable 2-way SSL client authentication
# nginx['ssl_verify_client'] = "off"

##! if ssl_verify_client on, verification depth in the client certificates chain
# nginx['ssl_verify_depth'] = "1"

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"

##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##! https://cipherli.st/**
# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"

##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m"

##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_timeout'] = "5m"

...
...

##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
# nginx['listen_port'] = nil
```

Combined with Aliyun's guide "Install a certificate on an Nginx or Tengine server", the complete configuration is:

```ruby
external_url 'https://xxx.xxx.xxx:7010'                    # current access URL
gitlab_rails['gitlab_shell_ssh_port'] = 7020               # SSH listen port

unicorn['listen'] = 'localhost'
unicorn['port'] = 8999

nginx['listen_port'] = 7010                                # HTTPS listen port
nginx['enable'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.pem"    # SSL certificate
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_session_timeout'] = "5m"
```

- Two ports are opened, one for HTTPS and one for SSH
- The exact `ssl_ciphers` value should be taken from the relevant documentation; note that TLSv1 and TLSv1.1 are deprecated, and the commented template above only enables TLSv1.2 and TLSv1.3
## Jenkins + Nginx

The Docker Jenkins container itself needs no extra settings beyond exposing port 8080; its HTTPS is provided by a Docker Nginx container.

The configuration file is:

```nginx
$ cat jenkins.conf
server {
    listen 7700 ssl;                  # listen port
    server_name xxx.xxx.xxx;          # domain name
    ssl_certificate cert/jenkins.pem;       # replace "domain name.pem" with your certificate file name
    ssl_certificate_key cert/jenkins.key;   # replace "domain name.key" with your certificate key file name
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://xxx.xxx.xxx:7070;   # the internal network address can be used to forward to Jenkins
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

- Set the port Nginx publishes
- Configure the SSL parameters
- Forward to Jenkins via the internal network address
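Both the gitlab.rb above and this jenkins.conf enable `TLSv1 TLSv1.1 TLSv1.2`. As an added check (written for this page, not part of the original post), the following script reports deprecated TLS versions in the `ssl_protocols` setting of either file format, skipping commented-out template lines; the `write_samples` helper creates constructed snippets so it can be tried offline.

```shell
#!/bin/sh
# Added example: report deprecated TLS versions enabled by the ssl_protocols
# setting of an nginx server block (jenkins.conf) or an omnibus gitlab.rb.
# Commented-out lines (the template defaults) are ignored.

# tls_protocols_in FILE: print the enabled protocols, one per line
tls_protocols_in() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep 'ssl_protocols' \
      | sed -e 's/.*ssl_protocols//' -e "s/[]['\"=;]//g" \
      | tr ' \t' '\n\n' | grep .
}

# deprecated_protocols FILE: the subset that is no longer considered safe
deprecated_protocols() {
    tls_protocols_in "$1" | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$'
}

# check_tls_config FILE: 0 when only TLSv1.2/1.3 are enabled, 1 when a
# deprecated version is enabled, 2 when no ssl_protocols directive is set
check_tls_config() {
    enabled=$(tls_protocols_in "$1" | tr '\n' ' ')
    if [ -z "$enabled" ]; then
        echo "$1: no ssl_protocols directive found (nginx defaults apply)"; return 2
    fi
    bad=$(deprecated_protocols "$1" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "$1: deprecated protocols enabled: $bad"; return 1
    fi
    echo "$1: ssl_protocols OK: $enabled"
}

# write_samples GITLAB_RB NGINX_CONF: constructed snippets for a local run.
# The first mirrors the value used in the post's gitlab.rb (with the template
# default left commented out), the second allows only TLSv1.2 and TLSv1.3.
write_samples() {
    cat > "$1" <<'EOF'
# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
EOF
    cat > "$2" <<'EOF'
server {
    listen 7700 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}
# Usage: write_samples /tmp/gitlab.rb /tmp/jenkins.conf
#        check_tls_config /tmp/gitlab.rb; check_tls_config /tmp/jenkins.conf
```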
## docker-compose

Two docker-compose.yml files are used: one starts Jenkins + GitLab, the other starts Nginx.

### Jenkins + GitLab

```yaml
$ cat docker-compose.yml
version: "3.7"
services:
  jenkins:
    labels:
      AUTHOR: "zhujian <zjzstu@github.com>"
    container_name: jenkins
    user: jenkins
    image: jenkins/jenkins
    volumes:
      - "jenkins_home:/var/jenkins_home"
    ports:
      - "7070:8080"
      - "50000:50000"
    restart: always
    tty: true
    stdin_open: true
  gitlab:
    labels:
      AUTHOR: "zhujian <zjzstu@github.com>"
    container_name: gitlab
    image: gitlab/gitlab-ce:latest
    volumes:
      - "/srv/gitlab/config:/etc/gitlab"
      - "/srv/gitlab/logs:/var/log/gitlab"
      - "/srv/gitlab/data:/var/opt/gitlab"
    ports:
      - "7000:7000"
      - "7010:7010"
      - "7020:22"
    restart: always
    tty: true
    stdin_open: true

volumes:
  jenkins_home:
    external: true
```

### Nginx

```yaml
$ cat docker-compose.yml
version: "3"
services:
  nginx:
    container_name: nginx
    image: nginx
    ports:
      - "7700:7700"
    volumes:
      - "~/software/nginx/cert:/etc/nginx/cert"
      - "~/software/nginx/www:/opt/www"
      - "~/software/nginx/logs:/var/log/nginx"
      - "~/software/nginx/conf.d:/etc/nginx/conf.d"
      - "~/software/nginx/nginx.conf:/etc/nginx/nginx.conf"
    restart: always
```
## Security group

Finally, the corresponding ports must be opened in the Tencent Cloud server's security group.

## Blog deployment

Earlier, because of ICP filing requirements, the blog server was moved to Hong Kong; and because of the Great Firewall, the site was built locally, the files were uploaded to Aliyun Code, the Tencent Cloud server then sent a notification to the blog server, and the blog server pulled the files from the remote repository to complete the update.

Now that everything is deployed on the cloud server, the notification can be sent straight to the blog server once the build finishes.

## Issues

### Jenkins

### GitLab

## Related reading