- Install docker
- Install UCP + DTR on one machine + 1 worker in dev
- Install UCP + DTR on one machine + 1 worker in prod
- Upload the license in dev + prod
- Enable Layer 7 Routing
- Set up CA trust on all 4 machines
- Extend the upstream jenkins:lts image
- Set up Jenkins as a service in our swarm
- Build a Jenkins image and push it to dev-dtr/admin/jenkins
- Set up a GitHub repo with a webhook pointing at our Jenkins
- Create a Jenkins job that builds our test application and pushes the image to dev-DTR
- When a new tag is pushed to dev-DTR, a security scan should be started
- Manual promotion of an image from dev to prod
- Automatic deployment of a new image
export DOCKERURL="https://storebits.docker.com/ee/centos/sub-7019e3a8-f1cf-434c-b454-952669b3e8b2"
echo "$DOCKERURL/centos" | sudo tee /etc/yum/vars/dockerurl
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo "$DOCKERURL/centos/docker-ee.repo"
sudo yum-config-manager --enable docker-ee-stable-17.06
sudo yum -y -q install docker-ee unzip
sudo systemctl start docker
sudo systemctl enable docker
sudo usermod -a -G docker centos
cat << EOT >> .bashrc
export DOMAIN="cicd.
.se"
export ENV=${HOSTNAME%-*}
export UCP_FQDN="\${ENV}-ucp.\${DOMAIN}"
export DTR_FQDN="\${ENV}-dtr.\${DOMAIN}"
EOT
# exit and log back in so the docker group membership and the new .bashrc exports take effect
# UCP install on the dev manager; ENV and the FQDNs come from the .bashrc exports above
docker container run -it --rm --name=ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:3.0.2 install \
--admin-username admin \
--admin-password changeme \
--san ${UCP_FQDN} \
--san ${DTR_FQDN} \
--san ${ENV}-worker.${DOMAIN} \
--controller-port 443 \
--disable-tracking \
--disable-usage
# prints the join command to run on the worker node
docker swarm join-token worker
# same install on the prod manager
docker container run -it --rm --name=ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:3.0.2 install \
--admin-username admin \
--admin-password changeme \
--san ${UCP_FQDN} \
--san ${DTR_FQDN} \
--san ${ENV}-worker.${DOMAIN} \
--controller-port 443 \
--disable-tracking \
--disable-usage
docker swarm join-token worker
Log in to store.docker.com and fetch a trial license. Upload the license when logging in.
admin -> admin settings -> layer 7 routing -> enable
# DTR install for dev, run on the UCP node; --ucp-insecure-tls skips verification of UCP's self-signed certificate
docker run -it --rm docker/dtr:2.5.5 install \
--ucp-insecure-tls \
--ucp-password changeme \
--ucp-username admin \
--ucp-url https://${UCP_FQDN} \
--ucp-node ${ENV}-ucp \
--replica-https-port 4443 \
--replica-http-port 81 \
--dtr-external-url https://${DTR_FQDN}:4443
# same DTR install for prod
docker run -it --rm docker/dtr:2.5.5 install \
--ucp-insecure-tls \
--ucp-password changeme \
--ucp-username admin \
--ucp-url https://${UCP_FQDN} \
--ucp-node ${ENV}-ucp \
--replica-https-port 4443 \
--replica-http-port 81 \
--dtr-external-url https://${DTR_FQDN}:4443
# Trust the DTR CA so docker can push/pull over TLS without --insecure-registry (fetched with -k since nothing trusts it yet); repeat on every machine
sudo curl -k \
https://${DTR_FQDN}:4443/ca \
-o /etc/pki/ca-trust/source/anchors/${DTR_FQDN}:4443.crt
sudo update-ca-trust
sudo systemctl restart docker
sudo docker login -u admin ${DTR_FQDN}:4443
# same on the remaining machines
sudo curl -k \
https://${DTR_FQDN}:4443/ca \
-o /etc/pki/ca-trust/source/anchors/${DTR_FQDN}:4443.crt
sudo update-ca-trust
sudo systemctl restart docker
docker login -u admin ${DTR_FQDN}:4443
- http://dev-dtr.cicd.conoa.se:4443 -> new repo -> admin / jenkins
- system -> security -> enable scanning + sync database
We don't want to talk to our local docker daemon but to our swarm.
With the client bundle we can communicate securely with our swarm, from both the client's and the server's perspective (mutual TLS authentication).
mkdir ucp-api && cd ucp-api
export UCP_FQDN="dev-ucp.cicd.conoa.se"
export DTR_FQDN="dev-dtr.cicd.conoa.se"
AUTHTOKEN=$(curl -sk -d '{"username":"admin","password":"changeme"}' https://${UCP_FQDN}/auth/login | cut -d\" -f4)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -s https://${UCP_FQDN}/api/clientbundle -o bundle.zip && unzip -o bundle.zip
source env.sh
docker login -u admin -p changeme dev-dtr.cicd.conoa.se:4443
docker info
mkdir -p jenkins/build
cd jenkins/build
cat << EOT > Dockerfile
FROM jenkins/jenkins:lts
USER root
# Skip the setup wizard: Jenkins starts without creating an admin account (lab setting)
ENV JAVA_OPTS "-Djenkins.install.runSetupWizard=false"
# Install the Docker CLI from Docker's apt repo; builds are sent to UCP via DOCKER_HOST, not a local daemon
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg2 \
    software-properties-common && \
    curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - && \
    add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian stretch stable" && \
    apt-get update && \
    apt-get install -y docker-ce && \
    rm -rf /var/lib/apt/*
USER jenkins
# Mark the instance as already upgraded so the wizard is not re-triggered, then preinstall the plugins we need
RUN touch /var/jenkins_home/.last_exec_version && \
    echo 2.0 > /var/jenkins_home/upgraded && \
    mkdir /var/jenkins_home/jobs/ && \
    /usr/local/bin/install-plugins.sh generic-webhook-trigger github
EOT
docker build -t ${DTR_FQDN}:4443/admin/jenkins:latest .
docker image push ${DTR_FQDN}:4443/admin/jenkins:latest
Start a Jenkins container using docker-compose.yml
cat << EOT > docker-compose.yml
version: '3.0'
services:
  jenkins:
    image: dev-dtr.cicd.conoa.se:4443/admin/jenkins
    # no volume for /var/jenkins_home: job configuration is lost when the task is rescheduled
    deploy:
      placement:
        constraints: [node.role == worker]
      labels:
        com.docker.lb.hosts: dev-jenkins.cicd.conoa.se
        com.docker.lb.port: 8080
        com.docker.lb.network: jenkins-network
    networks:
      - jenkins-network
networks:
  jenkins-network:
    driver: overlay
EOT
docker stack deploy -c docker-compose.yml jenkins
curl -I http://dev-jenkins.cicd.conoa.se
http://dev-dtr.cicd.conoa.se:4443 -> new repo -> admin / app
http://prod-dtr.cicd.conoa.se:4443 -> new repo -> admin / app
- https://github.com/docker-training/dops-final-project -> Fork
- Go into the forked repo and verify that everything "looks good"
URL: http://dev-jenkins.cicd.conoa.se
- Create new item
- Name: BuildJob
- Type: Freestyle
- OK
- Discard old builds
- Max # of builds to keep: 1
- SCM
- Git
- Repo URL: https://github.com/rjes/dops-final-project.git
- Build triggers
- Generic webhook trigger
- Request parameters
- Request parameter: repoName
- Value filter: (empty)
- Token: 3Hkv0zarwg2YtS8i9v2v
- Cause: BuildJob
- Build
- Add build step -> execute shell
# repoName_0: first value of the repoName request parameter, set by the generic webhook trigger
imageName=${repoName_0}
test -z "${imageName}" && exit 1
export UCP_FQDN="dev-ucp.cicd.conoa.se"
export DTR_FQDN="dev-dtr.cicd.conoa.se:4443"
export ImageName="app"   # not used below; the image name comes from repoName_0
AUTHTOKEN=$(curl -sk -d '{"username":"admin","password":"changeme"}' https://${UCP_FQDN}/auth/login | cut -d\" -f4)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -s https://${UCP_FQDN}/api/clientbundle -o bundle.zip && unzip -o bundle.zip
# point the docker CLI at UCP with the client bundle certificates (mutual TLS)
export DOCKER_TLS_VERIFY=1
export COMPOSE_TLS_VERSION=TLSv1_2
export DOCKER_CERT_PATH=$PWD
export DOCKER_HOST=tcp://${UCP_FQDN}:443
docker login -u admin -p changeme https://${DTR_FQDN}
docker build -t ${imageName}:${BUILD_ID} .
docker tag ${imageName}:${BUILD_ID} ${DTR_FQDN}/admin/${imageName}:${BUILD_ID}
docker push ${DTR_FQDN}/admin/${imageName}:${BUILD_ID}
- Save or apply
- Discard old builds
- Configure GitHub
- Settings (https://github.com/rjes/dops-final-project/settings)
- Webhook URL:
- URL: http://dev-jenkins.cicd.conoa.se/generic-webhook-trigger/invoke
- Query parameter: token=3Hkv0zarwg2YtS8i9v2v&repoName=app
- Disable SSL verification
- Push event
- Go to https://dev-jenkins.cicd.conoa.se/
- Open the current build and click "Console output"
- Go to https://dev-dtr.cicd.conoa.se:4443
- Click repositories -> admin/app -> images
When an image has no critical vulnerabilities, it is promoted to app-qa
- repositories -> admin/app -> settings -> scan on push
- save
- create the repo admin/app-qa
- Set up a promotion in the app repo targeting app-qa
- Critical Vulnerabilities: Less or equal 0
- Add
- Target repo: admin/app-qa
- tag-name: %n
- Save
- Trigger a webhook from GitHub
- It will take about 4 minutes to scan our build.
- Show that no image ends up in app-qa and that no promotion has run in the app repo
- Edit the app-qa image and mark the critical vulnerability as a false positive: View details -> Components -> Hide CVE's
- Trigger a new webhook from GitHub
- Verify that the latest build ends up in the app-qa repo
- Create a new repo that is used to ship images between dev and prod.
- dev-dtr -> new repo -> admin/app-mirroring
- Set up a new mirror
- Registry URL: https://prod-dtr.cicd.conoa.se:4443
- Advanced -> add CA from
curl https://${DTR_FQDN}:4443/ca
(this must be the prod DTR's CA, i.e. DTR_FQDN=prod-dtr.cicd.conoa.se, since prod is the registry being mirrored to)
- Repo: admin/app
- Save
- We don't add any triggers/filters, since we want to push everything once it has passed QA. We leave tag name as it is.
- Manual promotion from app-qa
- Click view details on an image
- Click promote
- Target repository: admin / app-mirroring
- Tag name in target: build number
- Go into the app-mirroring repo and show that there is an image there now and that the mirror has run
- Log in to prod-dtr and show that the image is there
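The image flow described in the two sections above (the scan-gated promotion to app-qa where hidden CVEs no longer count, and the filter-less mirror from app-mirroring to prod-dtr), modelled as an added Python example; this is not DTR's own code, the scan data is constructed and the CVE ids are placeholders.

```python
"""Model of the promotion policy "Critical Vulnerabilities less or equal 0"
(target admin/app-qa, tag name %n), of hiding a CVE as a false positive,
and of the trigger-less mirror to prod. Added example, not DTR's code."""
from dataclasses import dataclass, field

PROD_DTR = "prod-dtr.cicd.conoa.se:4443"


@dataclass
class Finding:
    cve: str
    severity: str          # "critical", "major" or "minor"
    hidden: bool = False   # View details -> Components -> Hide CVE


@dataclass
class ScanResult:
    repo: str
    tag: str
    findings: list = field(default_factory=list)

    def count(self, severity):
        """Hidden (false-positive) CVEs no longer count toward the policy."""
        return sum(1 for f in self.findings if f.severity == severity and not f.hidden)


def promotion_target(scan, target_repo="admin/app-qa", tag_template="%n", max_critical=0):
    """Repo:tag the image is promoted to, or None when the policy blocks it."""
    if scan.count("critical") > max_critical:
        return None
    return f"{target_repo}:{tag_template.replace('%n', scan.tag)}"   # %n = source tag


def hide_cve(scan, cve):
    """Mark one CVE as a false positive, as done in the DTR UI above."""
    for f in scan.findings:
        if f.cve == cve:
            f.hidden = True
    return scan


def mirror_target(image_ref, registry=PROD_DTR, repo="admin/app"):
    """No triggers/filters and tag name left as-is: every tag lands in prod as repo:tag."""
    tag = image_ref.rsplit(":", 1)[1]
    return f"{registry}/{repo}:{tag}"


def sample_scan():
    # Constructed scan of build 12 of admin/app: one critical, one minor finding.
    return ScanResult("admin/app", "12", [
        Finding("CVE-0000-0001", "critical"),   # placeholder id, not a real CVE
        Finding("CVE-0000-0002", "minor"),
    ])
```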
- Click on
- Log in to prod-dtr
- repositories -> admin/app -> webhooks
- Notifications to Receive: tag pushed to repo
- http://dev-jenkins.cicd.conoa.se/generic-webhook-trigger/invoke?token=PKosy4fD6YCyzBHktQJw&imageName=app
- Log in to http://dev-jenkins.cicd.conoa.se/
- New job
- Name: DeployJob
- Type: Freestyle
- SCM:
None
- Generic Webhook Trigger
- Token: PKosy4fD6YCyzBHktQJw
- Post content parameters
- Variable: imageName
- Expression: $.contents.imageName
- JSONPath
- Value filter: (empty)
- Post content parameters
- Variable: repository
- Expression: $.contents.repository
- JSONPath
- Value filter: (empty)
- Build (shell commands)
# imageName and repository come from the post content parameters above (DTR's webhook body)
# DTR's "test webhook" sends foo/bar:latest; skip it, as well as an empty value
if [ -z "${imageName}" ] || [ "${imageName}" = "foo/bar:latest" ] ; then exit 0 ; fi
export UCP_FQDN="prod-ucp.cicd.conoa.se"
export DTR_FQDN="prod-dtr.cicd.conoa.se"
AUTHTOKEN=$(curl -sk -d '{"username":"admin","password":"changeme"}' https://${UCP_FQDN}/auth/login | cut -d\" -f4)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -s https://${UCP_FQDN}/api/clientbundle -o bundle.zip && unzip -o bundle.zip
export DOCKER_TLS_VERIFY=1
export COMPOSE_TLS_VERSION=TLSv1_2
export DOCKER_CERT_PATH=$PWD
export DOCKER_HOST=tcp://${UCP_FQDN}:443
docker login -u admin -p changeme https://${DTR_FQDN}:4443
cat << EOT > docker-compose.yml
version: "3.0"
services:
  web:
    # registry port included so the swarm pulls from DTR on 4443 (UCP listens on 443)
    image: ${DTR_FQDN}:4443/${imageName}
    deploy:
      labels:
        com.docker.lb.hosts: ourapp.cicd.conoa.se
        com.docker.lb.port: 3000
        com.docker.lb.network: ourapp-network
    networks:
      - ourapp-network
networks:
  ourapp-network:
    driver: overlay
EOT
docker stack deploy -c docker-compose.yml ${repository}
- Apply and save
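An added Python model (not part of the original notes, nor the webhook plugin's own code) of how one DTR webhook delivery turns into a DeployJob decision: the token check, the $.contents.imageName / $.contents.repository extraction, the foo/bar:latest test-payload skip, and a stack-name check before the value reaches docker stack deploy. The payload's fields beyond those two keys are assumed.

```python
"""Decide what DeployJob would do with one "tag pushed to repo" webhook.
Added example; the token and hostnames are the ones in the notes, the
payload is constructed after the two fields the job reads."""
import json
import re
from urllib.parse import parse_qs, urlsplit

DEPLOY_TOKEN = "PKosy4fD6YCyzBHktQJw"            # token configured on DeployJob
PROD_DTR = "prod-dtr.cicd.conoa.se:4443"        # registry the stack pulls from
TEST_PAYLOAD_IMAGE = "foo/bar:latest"           # what DTR's "test webhook" sends
STACK_NAME_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_-]*$")  # valid docker stack name
INVOKE_URL = ("http://dev-jenkins.cicd.conoa.se/generic-webhook-trigger/invoke"
              "?token=PKosy4fD6YCyzBHktQJw&imageName=app")

# Constructed sample of a tag-push body (layout beyond contents.imageName and
# contents.repository is an assumption).
SAMPLE_PAYLOAD = json.dumps({
    "type": "TAG_PUSH",
    "contents": {"namespace": "admin", "repository": "app",
                 "tag": "17", "imageName": "admin/app:17"},
})


def jsonpath(doc, expr):
    """Resolve the dotted-path subset of JSONPath the job uses ($.a.b)."""
    node = doc
    for key in expr.lstrip("$").strip(".").split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node


def plan_deploy(invoke_url, body):
    """Return (action, detail): reject, skip, or deploy with stack and image."""
    qs = parse_qs(urlsplit(invoke_url).query)
    if qs.get("token") != [DEPLOY_TOKEN]:
        return ("reject", "token mismatch: Jenkins would not trigger the job")
    doc = json.loads(body)
    image = jsonpath(doc, "$.contents.imageName")
    repo = jsonpath(doc, "$.contents.repository")
    if not image or image == TEST_PAYLOAD_IMAGE:
        return ("skip", "empty or test payload: the script's early 'exit 0'")
    # repository becomes the stack name on the command line; refuse anything odd
    if not repo or not STACK_NAME_RE.match(repo):
        return ("reject", f"unsafe stack name {repo!r}")
    return ("deploy", {"stack": repo, "image": f"{PROD_DTR}/{image}"})
```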
- Promote an image from dev-DTR
curl -I http://ourapp.cicd.conoa.se
- New job