[Tencent Cloud] Summary of Deploying Jenkins + Gitlab + Nginx + Docker

Earlier I deployed Docker + Jenkins + Gitlab locally. Because the blog server is in Hong Kong and direct transfers are inconvenient, builds were also relayed through a Tencent Cloud server in Chengdu plus Aliyun Code; the full procedure is described in [Tencent Cloud][Alibaba Cloud] Website Migration Summary.

The plan now is to deploy Jenkins + Gitlab directly on the cloud server. The build flow becomes more direct, and the blog deployment process gets shorter still. Let's go!!!

Overall flow

Locally, both Jenkins and Gitlab were deployed with Docker, so the Jenkins data lives in a Docker volume and the Gitlab data lives on the local filesystem. The overall procedure is:

  1. Pack the local Jenkins and Gitlab data, copy it to the cloud server and unpack it
  2. Pull the Jenkins and Gitlab images and start the containers
  3. Obtain an SSL certificate and configure HTTPS
  4. Open the required ports in the Tencent Cloud security group

Gitlab bundles its own Nginx and exposes the relevant SSL settings, so it only needs to be configured; for Jenkins, SSL is terminated by an Nginx reverse proxy.

Gitlab

Data migration

Pack the local data (as root, so that the file ownership of the Gitlab tree is preserved; the archive name comes before the directory)

$ sudo tar zcvpf gitlab.tar.gz /srv/gitlab

Upload it to the cloud server

$ scp gitlab.tar.gz ubuntu@xxx.xxx.xxx:/home/ubuntu

Unpack it back into its original location (tar stores the members as srv/gitlab/..., so extracting from / recreates /srv/gitlab with its original owners)

$ sudo tar zxvpf gitlab.tar.gz -C /

Container service

Pull the image

$ docker pull gitlab/gitlab-ce:latest

Jenkins

Data migration

For backing up and restoring the volume, see [docker volume] Creating and Managing Volumes
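The Gitlab pack/upload/unpack steps and the Jenkins volume backup are one procedure: archive with ownership preserved, verify after the copy, restore to the original path. The script below is an added example, not from the original post, that covers both. It assumes the post's paths (/srv/gitlab on the host, the named volume jenkins_home), that archive paths are given as absolute paths, and, for the two volume functions only, that docker is available on the host.

```shell
#!/bin/sh
# Added example, not from the original post: move the bind-mounted GitLab tree and the Jenkins
# Docker volume between hosts with ownership preserved and integrity checked after the copy.
# Assumptions: /srv/gitlab and the volume name jenkins_home as in the post; archive paths absolute.
set -eu

# pack_dir <archive.tar.gz> <absolute dir>
# Stores the member path relative to / (tar drops the leading / anyway) with -p, so the uids that
# GitLab's services own their files with survive the round trip; writes <archive>.sha256 beside it.
pack_dir() {
  tar -C / -czpf "$1" "${2#/}"
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# restore_archive <archive.tar.gz> <root>
# Refuses an archive whose checksum no longer matches (corrupted or altered in transit), then
# extracts under <root>, normally /, which puts /srv/gitlab back where the compose file mounts it.
restore_archive() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null ) || return 1
  tar -C "$2" -xzpf "$1"
}

# backup_volume <volume> <absolute dir> / restore_volume <volume> <absolute dir>
# The Jenkins data lives in a named volume rather than a host path, so a throwaway container
# runs tar against the volume; the checksum handling is the same as for the GitLab tree.
backup_volume() {
  docker run --rm -v "$1:/data:ro" -v "$2:/backup" alpine tar -C /data -czpf "/backup/$1.tar.gz" .
  ( cd "$2" && sha256sum "$1.tar.gz" > "$1.tar.gz.sha256" )
}
restore_volume() {
  ( cd "$2" && sha256sum -c "$1.tar.gz.sha256" >/dev/null ) || return 1
  docker volume create "$1" >/dev/null
  docker run --rm -v "$1:/data" -v "$2:/backup" alpine tar -C /data -xzpf "/backup/$1.tar.gz"
}

# Typical run (first on the source host, then on the cloud server; <server> is a placeholder):
#   pack_dir /home/ubuntu/gitlab.tar.gz /srv/gitlab; backup_volume jenkins_home /home/ubuntu
#   scp /home/ubuntu/gitlab.tar.gz* /home/ubuntu/jenkins_home.tar.gz* ubuntu@<server>:/home/ubuntu
#   sudo sh -c '. ./migrate.sh; restore_archive /home/ubuntu/gitlab.tar.gz /'
#   restore_volume jenkins_home /home/ubuntu
```

The restore functions check the checksum before touching the filesystem, so a truncated or modified archive is rejected rather than partially unpacked over the live data directory.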

Container service

Pull the image

$ docker pull jenkins/jenkins:latest

Container deployment

The Jenkins, Gitlab and Nginx containers are orchestrated with docker-compose

SSL

Download a free SSL certificate from Alibaba Cloud

Gitlab

The gitlab.rb configuration file holds the relevant Nginx parameters:

################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

# nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80

##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"

##! enable/disable 2-way SSL client authentication
# nginx['ssl_verify_client'] = "off"

##! if ssl_verify_client on, verification depth in the client certificates chain
# nginx['ssl_verify_depth'] = "1"

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"

##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##! https://cipherli.st/**
# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"

##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m"

##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_timeout'] = "5m"

...
...

##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
# nginx['listen_port'] = nil

Combined with the instructions for installing the certificate on an Nginx or Tengine server, the complete settings are:

external_url 'https://xxx.xxx.xxx:7010'          # current access URL

gitlab_rails['gitlab_shell_ssh_port'] = 7020 # SSH listen port
unicorn['listen'] = 'localhost'
unicorn['port'] = 8999

nginx['listen_port'] = 7010 # HTTPS listen port
nginx['enable'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.pem" # SSL certificate
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_session_timeout'] = "5m"
  • Two ports are opened, one for HTTPS (7010) and one for SSH (7020)
  • The ssl_ciphers value should be checked against current documentation; note that ssl_protocols as set here still accepts TLSv1 and TLSv1.1, both deprecated (RFC 8996), so unless legacy clients need them it should read "TLSv1.2 TLSv1.3"
  • The unicorn settings match the GitLab version used here; newer releases replaced Unicorn with Puma, where the equivalent keys are puma['listen'] and puma['port']

Jenkins+Nginx

The Docker Jenkins itself needs no further settings beyond exposing its port 8080 (mapped to host port 7070 below); its HTTPS is handled by the Docker Nginx

Its configuration file is:

$ cat jenkins.conf
server {
    listen 7700 ssl;                      # port to publish
    server_name xxx.xxx.xxx;              # domain name

    ssl_certificate cert/jenkins.pem;     # replace with your certificate file name
    ssl_certificate_key cert/jenkins.key; # replace with your certificate key file name
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;   # was "X-Rea"; the conventional header name is X-Real-IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://xxx.xxx.xxx:7070;        # the private network address can be used to forward to jenkins
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
  • Set the port Nginx publishes
  • Configure the SSL parameters; ssl_protocols here still allows the deprecated TLSv1 and TLSv1.1
  • Forward to Jenkins over the private network address

docker-compose

Two docker-compose.yml files are used: one starts Jenkins + Gitlab, the other starts Nginx

Jenkins + Gitlab

$ cat docker-compose.yml
version: "3.7"
services:
  jenkins:
    labels:
      AUTHOR: "zhujian <zjzstu@github.com>"
    container_name: jenkins
    user: jenkins
    image: jenkins/jenkins
    volumes:
      - "jenkins_home:/var/jenkins_home"
    ports:
      - "7070:8080"
      - "50000:50000"
    restart: always
    tty: true
    stdin_open: true
  gitlab:
    labels:
      AUTHOR: "zhujian <zjzstu@github.com>"
    container_name: gitlab
    image: gitlab/gitlab-ce:latest
    volumes:
      - "/srv/gitlab/config:/etc/gitlab"
      - "/srv/gitlab/logs:/var/log/gitlab"
      - "/srv/gitlab/data:/var/opt/gitlab"
    ports:
      - "7000:7000"
      - "7010:7010"
      - "7020:22"
    restart: always
    tty: true
    stdin_open: true
volumes:
  jenkins_home:
    external: true

Nginx

$ cat docker-compose.yml
version: "3"
services:
  nginx:
    container_name: nginx
    image: nginx
    ports:
      - "7700:7700"
    volumes:
      - "~/software/nginx/cert:/etc/nginx/cert"
      - "~/software/nginx/www:/opt/www"
      - "~/software/nginx/logs:/var/log/nginx"
      - "~/software/nginx/conf.d:/etc/nginx/conf.d"
      - "~/software/nginx/nginx.conf:/etc/nginx/nginx.conf"
    restart: always
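Every port written as "host:container" in the two compose files is bound on all host interfaces, so 7070 (plain-HTTP Jenkins) is reachable by anything the security group lets through, not only by Nginx. The script below is an added example, not from the original post: a shell check that lists such bindings, run over two constructed compose files, one with the post's port layout and one that binds the Jenkins ports to 127.0.0.1. The hardened variant assumes Nginx runs in the same compose project and proxies to http://jenkins:8080 over the compose network, which differs from the post's two-file layout; with two separate projects, a 127.0.0.1 binding would also cut Nginx off.

```shell
#!/bin/sh
# Added example, not from the original post: list the ports a docker-compose file publishes on every
# host interface. Docker binds "host:container" mappings to 0.0.0.0, reachable from any network the
# security group admits; "127.0.0.1:host:container" keeps them local to the host.
# Assumes the post's layout: service names at 2-space indent, ports as quoted list items.
set -eu

published_ports() {   # published_ports <compose.yml> -> "service host_ip host_port container_port"
  awk '
    /^[ \t]*[A-Za-z0-9_-]+:[ \t]*$/ {
      match($0, /^[ \t]*/)
      if (RLENGTH == 2) { svc = $1; sub(/:$/, "", svc) }   # 2-space key: a service name
    }
    svc != "" && /^[ \t]*-[ \t]*"?[0-9.]*:?[0-9]+:[0-9]+/ {
      v = $0
      sub(/^[ \t]*-[ \t]*"?/, "", v)                        # drop list marker and opening quote
      sub(/["# \t].*$/, "", v)                              # drop closing quote / trailing comment
      n = split(v, p, ":")
      if (n == 3)      print svc, p[1], p[2], p[3]
      else if (n == 2) print svc, "0.0.0.0", p[1], p[2]     # no host IP given: all interfaces
    }' "$1"
}

publicly_exposed() {  # publicly_exposed <compose.yml> -> "service host_port" for all-interface bindings
  published_ports "$1" | awk '$2 == "0.0.0.0" { print $1, $3 }'
}

# Constructed samples: the port layout of the post's two compose files, and a single-project variant
# where only the TLS-terminating listeners (7010, 7020, 7700) face the network.
write_samples() {     # write_samples <dir>
  cat >"$1/as-posted.yml" <<'EOF'
version: "3.7"
services:
  jenkins:
    image: jenkins/jenkins
    ports:
      - "7070:8080"
      - "50000:50000"
  gitlab:
    image: gitlab/gitlab-ce:latest
    ports:
      - "7000:7000"
      - "7010:7010"
      - "7020:22"
  nginx:
    image: nginx
    ports:
      - "7700:7700"
EOF
  cat >"$1/hardened.yml" <<'EOF'
version: "3.7"
services:
  jenkins:
    image: jenkins/jenkins
    ports:
      - "127.0.0.1:7070:8080"   # plain HTTP: only processes on this host may reach it
      - "127.0.0.1:50000:50000" # JNLP agent port; rebind if agents connect from other hosts
  gitlab:
    image: gitlab/gitlab-ce:latest
    ports:
      - "7000:7000"
      - "7010:7010"             # HTTPS, terminated by GitLab's bundled nginx
      - "7020:22"               # SSH
  nginx:
    image: nginx
    ports:
      - "7700:7700"             # HTTPS for Jenkins; proxy_pass http://jenkins:8080 over the compose network
EOF
}
```

The output of publicly_exposed is the list of ports that must be justified in the security group; anything on it that is not meant to be reached from outside should be rebound to 127.0.0.1 (or to the VPC-internal address) rather than merely left closed at the firewall.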

Security group

Finally, the corresponding ports must be opened in the security group of the Tencent Cloud server: 7010 and 7020 for Gitlab (HTTPS and SSH) and 7700 for Jenkins through Nginx. Port 7070 carries plain HTTP to Jenkins and is only meant to be reached by Nginx over the private network, so it should stay closed to the outside.

Blog deployment

Previously, because of ICP filing requirements, the blog server was moved to Hong Kong; and because of the firewall, the site was built locally and the files were uploaded to Aliyun Code, after which the Tencent Cloud server sent a notification to the blog server, which then pulled the files from the remote repository to complete the update

Now that everything is deployed on the cloud server, the notification can be sent to the blog server directly once the build finishes

Issues

Jenkins

Gitlab

Related reading