CI/CD企业案例详解

7.持续集成持续交付企业示例

为了让容器构建镜像可以持续集成并自动上传到harbor仓库，业务主机通过持续交付自动从仓库中下载镜像最近版本并实现业务更新

7.1 在jenkins中添加registry节点

7.1.1 在业务节点中安装docker和java环境并配置其可以从仓库中下载镜像

# 新增一台docker主机进行业务实现 ---> 给每台主机配置好解析
~]# systemctl disable --now firewalld
~]# cat /etc/hosts
172.25.254.50   gitlab.dhj.org
172.25.254.60   jenkins.dhj.org
172.25.254.100  dockernode.dhj.org
172.25.254.200  reg.dhj.org

[root@dockernode ~]# vim /etc/yum.repos.d/docker.repo
[docker]
name = docker
baseurl = https://mirrors.aliyun.com/docker-ce/linux/rhel/9/x86_64/stable/
gpgcheck = 0[root@dockernode ~]# dnf makecache
[root@dockernode ~]# dnf install docker-ce fontconfig java-21-openjdk git -y# 从harbor仓库中把认证文件复制到当前主机
[root@dockernode ~]# mkdir  /etc/docker/certs.d/reg.dhj.org/ -p
[root@dockernode ~]# scp root@172.25.254.200:/data/certs/dhj.org.crt  /etc/docker/certs.d/reg.dhj.org/ca.crt
[root@dockernode ~]# vim /etc/docker/daemon.json
[root@dockernode ~]# systemctl restart docker
[root@dockernode ~]# systemctl enable --now docker# 测试一下docker是否安装好
[root@dockernode ~]# docker info | grep httpshttps://reg.dhj.org/
[root@dockernode ~]# docker pull nginx
[root@dockernode ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
nginx        latest    5ef79149e0ec   12 months ago   188MB

7.1.2 部署jenkins节点

7.2.1.1 在harbor仓库主机中安装java环境及git

[root@harbor harbor]# dnf install  fontconfig java-21-openjdk git -y
# 设定git命令补全功能
[root@CICD-node1 timinglee]# echo "source  /usr/share/bash-completion/completions/git" >> ~/.bashrc
[root@CICD-node1 timinglee]# source  ~/.bashrc

初始只有一个master节点

# 添加凭证
# 用户 --> root
# 密码 --> root

7.2 配置构建节点

7.2.1 在jenkins中安装构建插件

# 此处在上面已经安装过了，本处可以忽略

7.2.2 设置jenkins的容器构建规则

7.3 解决ca证书问题

# 诊断SSL证书问题
[root@reg reg.dhj.org]# curl -v https://reg.dhj.org/v2/ 2>&1 | grep -E "(SSL|cert|CA)"
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html# 获取服务器当前证书
[root@reg reg.dhj.org]# echo | openssl s_client -connect reg.dhj.org:443 -showcerts 2>/dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/current_cert.pem# 比较证书文件
[root@reg reg.dhj.org]# diff /etc/docker/certs.d/reg.dhj.org/ca.crt /tmp/current_cert.pem# 复制证书到系统CA存储目录
[root@reg reg.dhj.org]# cd
[root@reg ~]# cp /etc/docker/certs.d/reg.dhj.org/ca.crt  /etc/pki/ca-trust/source/anchors/# 更新CA信任存储
[root@reg ~]# update-ca-trust
# 验证证书已被添加
[root@reg ~]# openssl verify /etc/docker/certs.d/reg.dhj.org/ca.crt# 重启Docker服务
[root@reg ~]# systemctl restart docker# 重载docker compose
[root@reg ~]# cd harbor/
[root@reg harbor]# docker compose down && docker compose up -d# 测试连接
[root@reg harbor]# curl -v https://reg.dhj.org/v2/
*   Trying 172.25.254.200:443...
* Connected to reg.dhj.org (172.25.254.200) port 443 (#0)# 测试Docker是否能与Registry--harbor仓库正常通信
[root@reg harbor]# docker pull reg.dhj.org/library/nginx:latest
# 成功！

7.4 测试镜像构建

在gitlab中建立Dockerfile和index.html

[root@gitlab timinglee]# vim index.html
www.dhj.org v1[root@gitlab timinglee]# vim Dockerfile
FROM nginx
COPY index.html /usr/share/nginx/html[root@gitlab timinglee]# git add index.html Dockerfile
[root@gitlab timinglee]# git status -s[root@gitlab timinglee]# git commit -m "webserver v1"
[root@gitlab timinglee]# git push -u origin main

7.4 在业务节点自动运行

# 上面的ssh.hpi的插件上面已经装过

# command命令
docker ps -a | grep myapp && docker rm -f myapp && docker rmi  reg.dhj.org/library/webserver:latest
sleep 4
docker run -d --name myapp -p 80:80 reg.dhj.org/library/webserver:latest

# 此时会发现并没有改变
# 是由于docker-action此项目是由timinglee这个项目触发的

# 可以自己构建（手动触发）

# 此时去浏览器中搜索172.25.254.100即可看到测试效果

7.5 测试效果

[root@gitlab timinglee]# vim index.html
[root@gitlab timinglee]# git commit -a -m "webserver v4"
[root@gitlab timinglee]# git push -u origin main