[腾讯云]Jenkins+Gitlab+Nginx+Docker部署小结

之前在本地部署了Docker +Jenkins + Gitlab，因为博客服务器在香港，直接传输不方便，还通过成都的腾讯云服务器+ Aliyun Code进行转发，完整的过程参考[腾讯云][阿里云]网站迁移小结

现在打算直接在云服务器上部署Jenkins + Gitlab，这样的构建逻辑更加直接，能够进一步压缩博客部署过程。Let's go !!!

整体流程

在本地均通过Docker方式部署Jenkins和Gitlab，所以Jenkins相关的数据保存在Docker Volume中，Gitlab相关数据保存在本地。整体实现流程如下：

1. 将本地Jenkins和Gitlab数据打包到云服务器并解压
2. 下载Jenkins和Gitlab镜像并启动容器
3. 注册SSL证书，配置Https连接
4. 设置腾讯云安全组，开放端口

对于Gitlab来说，其内置了Nginx，所以提供了相关的SSL配置参数，直接配置即可；而对于Jenkins，通过Nginx反向代理的方式设置SSL连接

Gitlab

数据迁移

打包本地数据

$ tar zcvf /srv/gitlab gitlab.tar.gz

上传到云服务器

$ scp gitlab.tar.gz ubuntu@xxx.xxx.xxx:/home/ubuntu

解压回原位置

$ tar zxvf gitlab.tar.gz /srv/

容器服务

下载镜像

$ docker pull gitlab/gitlab-ce:latest

Jenkins

数据迁移

备份和还原卷操作，参考[docker volume]创建和管理卷

容器服务

下载镜像

$ docker pull jenkins/jenkins:latest

容器部署

通过docker-compose方式编排容器Jenkins、Gitlab和Nginx

SSL

在阿里云下载免费的SSL证书

Gitlab

在gitlab.rb配置文件中保存相关的Nginx配置参数

################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

# nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80

##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"

##! enable/disable 2-way SSL client authentication
# nginx['ssl_verify_client'] = "off"

##! if ssl_verify_client on, verification depth in the client certificates chain
# nginx['ssl_verify_depth'] = "1"

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"

##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##!                   https://cipherli.st/**
# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"

##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_cache'] = "builtin:1000  shared:SSL:10m"

##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_timeout'] = "5m"

...
...

##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
# nginx['listen_port'] = nil

结合在Nginx或Tengine服务器上安装证书，完整的配置参数如下：

external_url 'https://xxx.xxx.xxx:7010'          # 当前访问地址
  
gitlab_rails['gitlab_shell_ssh_port'] = 7020  # SSH监听端口
unicorn['listen'] = 'localhost'
unicorn['port'] = 8999

nginx['listen_port'] = 7010 # Https监听端口
nginx['enable'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.pem"     # SSL证书配置
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_session_timeout'] = "5m"

• 开放了两个端口用于Https和SSH连接
• ssl_ciphers具体配置参数需要参考相关文档

Jenkins+Nginx

对于Docker Jenkins本身而言，不需要其他的设置，开放8080端口即可；其Https设置通过Docker Nginx完成

其配置文件如下：

$ cat jenkins.conf 
server {
    listen 7700 ssl;   # 指定端口号
    server_name xxx.xxx.xxx; # 指定域名

    ssl_certificate cert/jenkins.pem;   #将domain name.pem替换成您证书的文件名。
    ssl_certificate_key cert/jenkins.key;   #将domain name.key替换成您证书的密钥文件名。
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Rea $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://xxx.xxx.xxx:7070; # 可以使用内网地址转发到jenkins
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

• 设置Nginx发布的端口
• 配置相关SSL参数
• 通过内网地址转发到jenkins

docker-compose

使用了两个docker-compose.yml，一个用于启动Jenkins + Gitlab，另一个用于启动Nginx

Jenkins + Gitlab

$ cat docker-compose.yml 
version: "3.7"
services: 
    jenkins:
        labels:
            AUTHOR: "zhujian <zjzstu@github.com>"
        container_name: jenkins
        user: jenkins
        image: jenkins/jenkins
        volumes: 
            - "jenkins_home:/var/jenkins_home"
        ports: 
            - "7070:8080"
            - "50000:50000"
        restart: always
        tty: true
        stdin_open: true
    gitlab:
        labels:
            AUTHOR: "zhujian <zjzstu@github.com>"
        container_name: gitlab
        image: gitlab/gitlab-ce:latest
        volumes: 
            - "/srv/gitlab/config:/etc/gitlab"
            - "/srv/gitlab/logs:/var/log/gitlab"
            - "/srv/gitlab/data:/var/opt/gitlab"
        ports: 
            - "7000:7000"
            - "7010:7010"
            - "7020:22"
        restart: always
        tty: true
        stdin_open: true
volumes: 
    jenkins_home:
        external: true

Nginx

$ cat docker-compose.yml 
version:  "3"
services:
    nginx:
        container_name: nginx
        image: nginx
        ports:
            - "7700:7700"
        volumes:
            - "~/software/nginx/cert:/etc/nginx/cert"
            - "~/software/nginx/www:/opt/www"
            - "~/software/nginx/logs:/var/log/nginx"
            - "~/software/nginx/conf.d:/etc/nginx/conf.d"
            - "~/software/nginx/nginx.conf:/etc/nginx/nginx.conf"
        restart: always

安全组

最后还需要去腾讯云服务器的安全组中开放相应的端口号

博客部署

之前因为备案的关系，将博客服务器迁到香港；又因为墙的关系，在本地编译完成后，将文件上传到Aliyun Code，然后通过腾讯云服务器发送提醒消息给博客服务器，博客服务器再从远程仓库中下载相应的文件，完成更新

现在因为部署在了云服务器上，所以完成后可以直接传输提醒消息给博客服务器了

问题

Jenkins

• [Jenkins][Docker]java.io.IOException: Permission denied

Gitlab

• 版本更新后database出错

相关阅读

• 如何配置 GitLab 使用 HTTPS
• [阿里云]配置HTTPs
• 反向代理
• Jenkins 反向代理Https