Lab environment for continuous integration (CI)
git/harbor server IP 192.168.200.132
docker server IP 192.168.200.149
Jenkins server IP 192.168.200.150
Tools and version requirements
centos 7.5_x86
maven 3.5
tomcat 8
jdk 1.8
jenkins 2.6
docker-ce 18.09.0
Check the lab environment
[root@harbor ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@harbor ~]# uname -r
3.10.0-862.el7.x86_64
Begin deploying harbor
[root@harbor ~]# ls
anaconda-ks.cfg docker-compose harbor-offline-installer-v1.5.0.tgz
# Create the CA certificate
[root@harbor ~]# mkdir -p /data/ssl
[root@harbor ~]# cd /data/ssl/
[root@harbor ssl]# which openssl
/usr/bin/openssl
[root@harbor ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
.......................................................................................................................................++
...................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:
[root@harbor ssl]#
# Generate the certificate signing request
[root@harbor ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
Generating a 4096 bit RSA private key
...................................................++
.........................................++
writing new private key to 'www.yunjisuan.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@harbor ssl]#
# Generate the certificate for the registry host
[root@harbor ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
Getting CA Private Key
[root@harbor ssl]#
# List the generated certificates
[root@harbor ssl]# ls
ca.crt ca.key ca.srl www.yunjisuan.com.crt www.yunjisuan.com.csr www.yunjisuan.com.key
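The three openssl steps above, rerun non-interactively with -subj in a scratch directory and followed by the checks worth making before the certificate is handed to other hosts (an added example, not part of the original walkthrough). Assumptions: the CA Common Name "yunjisuan lab CA", the 2048-bit keys (the page uses 4096) and the subjectAltName entry are constructed here; the CA gets its own Common Name so that the server certificate's issuer and subject differ.

```shell
#!/usr/bin/env bash
# Added example: CA -> CSR -> signed server certificate, then verification checks.
# Constructed values: CA Common Name, 2048-bit keys, and the SAN entry.
HOST=www.yunjisuan.com
DN="/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan"

make_lab_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    # CA: self-signed as on the page, but with its own CN so issuer != subject
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout ca.key -x509 -days 365 \
      -subj "$DN/CN=yunjisuan lab CA" -out ca.crt 2>/dev/null || exit 1
    # Server key and certificate signing request
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$HOST.key" \
      -subj "$DN/CN=$HOST" -out "$HOST.csr" 2>/dev/null || exit 1
    # Sign the CSR; -extfile adds a subjectAltName, which x509 -req does not add by itself
    printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
    openssl x509 -req -days 365 -in "$HOST.csr" -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile san.ext -out "$HOST.crt" 2>/dev/null || exit 1
    # Private keys should be readable by their owner only
    chmod 600 ca.key "$HOST.key" )
}

chain_ok() {  # $1 = CA certificate, $2 = server certificate
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

key_matches_cert() {  # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

has_san() {  # $1 = certificate, $2 = DNS name expected in subjectAltName
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

not_expiring() {  # $1 = certificate, $2 = seconds of validity that must remain
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

demo() {
  d=$(mktemp -d) && make_lab_pki "$d" || return 1
  chain_ok "$d/ca.crt" "$d/$HOST.crt"            && echo "chain: OK"
  key_matches_cert "$d/$HOST.key" "$d/$HOST.crt" && echo "key/cert: match"
  has_san "$d/$HOST.crt" "$HOST"                 && echo "SAN: present"
  not_expiring "$d/$HOST.crt" 2592000            && echo "valid for 30+ days"
  rm -rf "$d"
}
demo
```

The same four check functions can be pointed at the real files in /data/ssl without regenerating anything.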
# Trust the self-signed certificate
[root@harbor ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
[root@harbor ssl]# update-ca-trust enable
[root@harbor ssl]# update-ca-trust extract
# Disable SELinux
[root@harbor ssl]# setenforce 0
# Check SELinux status
[root@harbor ssl]# sestatus
# Install docker
[root@harbor ssl]# yum -y install yum-utils device-mapper-persistent-data lvm2 wget
[root@harbor yum.repos.d]# wget http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@harbor yum.repos.d]# yum -y install docker-ce
[root@harbor yum.repos.d]# systemctl start docker
[root@harbor yum.repos.d]# vim /etc/docker/daemon.json
[root@harbor yum.repos.d]# cat /etc/docker/daemon.json
{
"registry-mirrors":[ "https://registry.docker-cn.com" ]
}
[root@harbor yum.repos.d]# systemctl daemon-reload
[root@harbor yum.repos.d]# systemctl restart docker
[root@harbor yum.repos.d]# docker version
Client:
Version: 18.09.0
API version: 1.39
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:48:22 2018
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.0
API version: 1.39 (minimum version 1.12)
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:19:08 2018
OS/Arch: linux/amd64
Experimental: false
# Set up harbor; copy the certificates first
[root@harbor ssl]# cd /data/ssl/
[root@harbor ssl]# mkdir -p /etc/ssl/harbor
[root@harbor ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
[root@harbor ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
# harbor download URL
[root@harbor install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
# Install harbor
[root@harbor install]# cd ~
[root@harbor ~]# tar xf harbor-offline-installer-v1.5.0.tgz -C /data/install/
[root@harbor ~]# cd /data/install/harbor/
[root@harbor harbor]# cp harbor.cfg{,.bak}
[root@harbor harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
7 hostname = www.yunjisuan.com
11 ui_url_protocol = https
23 ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
24 ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
68 harbor_admin_password = Harbor12345
[root@harbor harbor]#
# Install the docker-compose command
[root@harbor harbor]# cd ~
[root@harbor ~]# chmod +x docker-compose
[root@harbor ~]# mv docker-compose /usr/bin/
[root@harbor ~]# which docker-compose
/usr/bin/docker-compose
# Start harbor
[root@harbor ~]# cd /data/install/harbor/
[root@harbor harbor]# ./install.sh --with-clair
Distribute the trusted certificate to the other servers
[root@harbor ~]# scp /data/ssl/www.yunjisuan.com.crt 192.168.200.149:/etc/pki/ca-trust/source/anchors/
The authenticity of host '192.168.200.149 (192.168.200.149)' can't be established.
ECDSA key fingerprint is SHA256:gm/RhqGrfDo5Rgcr/LmBAaqPv6tmni7cRpXjGEWZQpg.
ECDSA key fingerprint is MD5:ae:f6:0b:6e:80:96:67:cf:bd:e8:f5:b5:c4:e0:da:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.200.149' (ECDSA) to the list of known hosts.
root@192.168.200.149's password:
www.yunjisuan.com.crt 100% 1931 5.9KB/s 00:00
[root@harbor ~]# scp /data/ssl/www.yunjisuan.com.crt 192.168.200.150:/etc/pki/ca-trust/source/anchors/
The authenticity of host '192.168.200.150 (192.168.200.150)' can't be established.
ECDSA key fingerprint is SHA256:gm/RhqGrfDo5Rgcr/LmBAaqPv6tmni7cRpXjGEWZQpg.
ECDSA key fingerprint is MD5:ae:f6:0b:6e:80:96:67:cf:bd:e8:f5:b5:c4:e0:da:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.200.150' (ECDSA) to the list of known hosts.
root@192.168.200.150's password:
www.yunjisuan.com.crt 100% 1931 19.5KB/s 00:00
[root@harbor ~]#
On the other two servers, make the certificate take effect immediately, map the domain name, and restart docker
[root@docker ~]# update-ca-trust enable
[root@docker ~]# update-ca-trust extract
[root@docker ~]# echo "192.168.200.132 www.yunjisuan.com" >> /etc/hosts
[root@docker ~]# systemctl restart docker
[root@jenkins ~]# update-ca-trust enable
[root@jenkins ~]# update-ca-trust extract
[root@jenkins ~]# echo "192.168.200.132 www.yunjisuan.com" >> /etc/hosts
[root@jenkins ~]# systemctl restart docker
Deploy git on the harbor and Jenkins servers
[root@harbor harbor]# yum -y install git
[root@harbor harbor]# useradd git
[root@harbor harbor]# echo "123123" | passwd --stdin git
Changing password for user git.
passwd: all authentication tokens updated successfully.