Assorted work and daily notes

git config --global core.mergeoptions --no-edit
Pull without prompting for a merge message
git config --global credential.helper store
Save the password (note: the store helper writes it in plain text to ~/.git-credentials)
[mysqld]
sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
apt-get update
apt-get upgrade -y
apt-get install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io -y
After installation, change the registry mirror in /etc/docker/daemon.json
curl -L "https://get.daocloud.io/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
cd /opt
git clone https://github.com/jumpserver/Dockerfile.git
Note: mirror the repository through gitee first, otherwise cloning is far too slow
docker network create jumpserver
docker volume create core-data ## this volume is shared by two containers; the way Docker recommends sharing a volume is to create it first and then mount it in each container
docker volume create guacamole-data
docker volume create koko-data
docker volume create redis-data
docker volume create mysql-data
The docker-compose.yml files, given directly:
version: '3'
services:
  mysql:
    image: mysql:8
    networks:
      - jumpserver
    restart: always
    volumes:
      - mysql-data:/var/lib/mysql
      - $PWD/mysql:/etc/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<your own MySQL root password>
    container_name: mysql
    security_opt:
      - seccomp:unconfined
networks:
  jumpserver:
    external: true
volumes:
  mysql-data:
    external: true ## created above with docker volume create; compose refuses to mount an undeclared volume
version: '3'
services:
  redis:
    image: redis:6
    container_name: redis
    volumes:
      - $PWD/redis.conf:/usr/local/etc/redis/redis.conf
      - redis-data:/data
    restart: always
    networks:
      - jumpserver
    command: redis-server /usr/local/etc/redis/redis.conf
networks:
  jumpserver:
    external: true
volumes:
  redis-data:
    external: true
In MySQL, create a jumpserver user and a jumpserver database, and grant the jumpserver user full privileges on the jumpserver database.
Because MySQL 8 changed its default authentication plugin, the jumpserver user's login authentication must be switched to MySQL's native method (mysql_native_password).
version: '3'
services:
  core:
    image: jumpserver/core:${Version} ## the image name differs from 2.5.3, be sure to change it (same for every container below): 2.5.3 uses jumpserver/jms_core:tag, 2.6 and later use jumpserver/core:tag
    container_name: core ## the container name also differs from 2.5.3, be sure to change it (same for every container below)
    restart: always
    tty: true
    environment:
      SECRET_KEY: $SECRET_KEY
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      LOG_LEVEL: $LOG_LEVEL
      DB_HOST: $DB_HOST
      DB_PORT: $DB_PORT
      DB_USER: $DB_USER
      DB_PASSWORD: $DB_PASSWORD
      DB_NAME: $DB_NAME
      REDIS_HOST: $REDIS_HOST
      REDIS_PORT: $REDIS_PORT
      REDIS_PASSWORD: $REDIS_PASSWORD
    volumes:
      - core-data:/opt/jumpserver/data
    networks:
      - jumpserver
  koko:
    image: jumpserver/koko:${Version}
    container_name: koko
    restart: always
    privileged: true ## privileged gives the container full access to the host; keep it only if the image actually needs it
    tty: true
    environment:
      CORE_HOST: http://core:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      LOG_LEVEL: $LOG_LEVEL
    depends_on:
      - core
    volumes:
      - koko-data:/opt/koko/data
    ports:
      - 2222:2222
    networks:
      - jumpserver
  guacamole:
    image: jumpserver/guacamole:${Version}
    container_name: guacamole
    restart: always
    tty: true
    environment:
      JUMPSERVER_SERVER: http://core:8080
      BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN
      GUACAMOLE_LOG_LEVEL: $LOG_LEVEL
    depends_on:
      - core
    volumes:
      - guacamole-data:/config/guacamole/data
    networks:
      - jumpserver
  nginx:
    image: jumpserver/nginx:alpine2 ## use this image here
    container_name: nginx
    restart: always
    tty: true
    depends_on:
      - core
      - koko
      - guacamole
    volumes:
      - $PWD/nginx/nginx.conf:/etc/nginx/nginx.conf ## only server_name needs a small change in this file; the https certificate is not configured yet
      - $PWD/nginx/luna:/opt/luna ## following the Dockerfile under Dockerfile/nginx, download https://github.com/jumpserver/luna/releases/download/${Version}/luna-${Version}.tar.gz and extract it here
      - $PWD/nginx/lina:/opt/lina ## same as above, download and extract lina-v2.6.1.tar.gz
      - core-data:/opt/jumpserver/data
    ports:
      - 80:80
      - 443:443
    networks:
      - jumpserver
volumes:
  core-data:
    external: true
  koko-data:
    external: true
  guacamole-data:
    external: true
networks:
  jumpserver:
    external: true
# The version number can be changed to match the project release
Version=v2.6.1
# MySQL
DB_HOST=mysql
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=<password of the jumpserver user in MySQL>
DB_NAME=jumpserver
# Redis
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=<redis password, set in redis.conf>
# Core
SECRET_KEY=<generate a very long random string>
BOOTSTRAP_TOKEN=<generate a very long random string>
LOG_LEVEL=ERROR
##
# SECRET_KEY is the key that protects signed data. Be sure to change it on first install and keep it safe; it must not be changed on later upgrades or migrations, otherwise encrypted data can no longer be decrypted.
# BOOTSTRAP_TOKEN is the key used for component authentication, only while a component registers. Components means koko and guacamole.
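The .env above is generated by hand in the notes. This added example (not part of the original notes) is a small POSIX sh helper that writes it with random SECRET_KEY and BOOTSTRAP_TOKEN values and refuses to overwrite an existing file, so a reinstall cannot silently rotate SECRET_KEY and lock the data JumpServer already encrypted. The function names and the target file name are this example's own assumptions.

```shell
#!/bin/sh
# Added example: write the .env read by docker-compose-external.yml.
# Helper names and the file name are assumptions of this example.

# 64 random bytes as 128 hex characters, using only POSIX tools.
gen_secret() {
    head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# env_value FILE KEY: print KEY's value from an env file, or nothing.
env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# write_env FILE VERSION DB_PASSWORD REDIS_PASSWORD
# Creates FILE once; returns 0 if written, 2 if FILE already existed.
# SECRET_KEY must never change after first start, so never overwrite.
write_env() {
    file=$1; version=$2; db_pw=$3; redis_pw=$4
    if [ -e "$file" ]; then
        echo "$file exists; keeping the existing SECRET_KEY" >&2
        return 2
    fi
    ( umask 077   # secrets: owner read/write only
      cat > "$file" <<EOF
Version=$version
DB_HOST=mysql
DB_PORT=3306
DB_USER=jumpserver
DB_PASSWORD=$db_pw
DB_NAME=jumpserver
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=$redis_pw
SECRET_KEY=$(gen_secret)
BOOTSTRAP_TOKEN=$(gen_secret)
LOG_LEVEL=ERROR
EOF
    )
}

# check_env FILE: fail if a secret is empty or SECRET_KEY is too short.
check_env() {
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD REDIS_PASSWORD; do
        v=$(env_value "$1" "$key")
        [ -n "$v" ] || { echo "$key is empty in $1" >&2; return 1; }
    done
    v=$(env_value "$1" SECRET_KEY)
    [ ${#v} -ge 50 ] || { echo "SECRET_KEY too short" >&2; return 1; }
}
```

Run `write_env /opt/Dockerfile/.env v2.6.1 '<db password>' '<redis password>'` once before `docker-compose up`, then `check_env` before every upgrade.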
cd /opt/Dockerfile
docker-compose -f docker-compose-external.yml up -d
MySQL 8's authentication method must be switched to the basic (native) one.
Check that container_name in docker-compose-external.yml is core; in version 2.5.3 it is jms_core.
Usually this happens because the related containers started before the core service; simply restarting the other containers fixes it.
docker-compose -f docker-compose-external.yml restart <container name>
Register an account on gitee, sync the repository from github to gitee, then download from there.
Normal form: if test $# -eq 0, meaning "when the number of command-line arguments is 0".
"[ ]" can be used instead of test, writing the statement above as: if [ $# -eq 0 ]
There must be a space after the opening bracket and before the closing bracket.
Permission pitfalls hit while doing CI/CD on GitLab with gitlab-runner
Create a user on GitLab, for example a gitlab-runner user
Then add this user to the projects that need CI/CD
If a job needs to log in to another server and run a shell, copy the public key of the gitlab-runner user inside the gitlab-runner container to the remote host, and log in once manually.
Create a .gitlab-ci.yml file in the project root. When development and operations are separate teams, this file must be under version control.
Register two runners for this project, with the tags: myproject, mycode
Basic structure of .gitlab-ci.yml
## Define the pipeline stages. Names are your own choice and manage the job flow; the default stages are: build, test, deploy
## Jobs run in the order the stages are defined, top to bottom
## No matter in which order the jobs are written, only the stage declared inside each job decides the order
## Different jobs that use the same stage run in parallel
stages:
  - build
  - test
  - deploy
## First job
job1:
  stage: build ## stage of this job
  tags: ## runner that executes this job
    - mycode
  script: ## script the job runs (pull the latest code on the target host)
    - "ssh root@<target host> 'cd /opt/data && git pull'"
  only: ## branch this job runs for
    - dev
job2:
  stage: deploy
  tags: ## one pipeline can use different tags
    - myproject
  script: ## script the job runs (up -d recreates the stack in the background)
    - "ssh root@<target host> '/usr/bin/docker-compose -f /opt/data/docker-compose.yml up -d'"
  only:
    - dev
Addendum:
A runner is really tied to a project; one runner per project works best.
The GitLab server is built on docker; the backup and migration command set is as follows:
## Backup
### Versions 12.2 and later
docker exec -t <container name> gitlab-backup create
### Versions 12.1 and earlier
docker exec -t <container name> gitlab-rake gitlab:backup:create
In the backups directory there is now a file named xxx_gitlab_backup.tar
## Restore
### Versions 12.2 and later
# Stop the processes that are connected to the database
docker exec -it <name of container> gitlab-ctl stop unicorn
docker exec -it <name of container> gitlab-ctl stop puma
docker exec -it <name of container> gitlab-ctl stop sidekiq
# Verify that the processes are all down before continuing
docker exec -it <name of container> gitlab-ctl status
# Run the restore (versions 12.2 and later)
docker exec -it <name of container> gitlab-backup restore BACKUP=xxxx
## Note: without the _gitlab_backup.tar part
# Run the restore (versions 12.1 and earlier)
docker exec -it gitlab-server gitlab-rake gitlab:backup:restore BACKUP=xxxx ## Note: without the _gitlab_backup.tar part
# Restart the GitLab container
docker restart <name of container>
# Check GitLab
docker exec -it <name of container> gitlab-rake gitlab:check SANITIZE=true
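The two gotchas in the sequence above are the version split (gitlab-backup from 12.2, gitlab-rake before) and the BACKUP= id, which is the file name without its _gitlab_backup.tar suffix. This added POSIX sh helper (not part of the original notes) encodes both; the container name, version and file path are assumptions of the example.

```shell
#!/bin/sh
# Added example: choose the GitLab backup/restore command by version
# and derive BACKUP= from a backup file name. Names are assumptions.

# version_ge A B: true when dotted version A >= B (major.minor compared).
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -gt "$b_major" ] || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# backup_cmd VERSION: the in-container command that creates a backup.
backup_cmd() {
    if version_ge "$1" 12.2; then echo "gitlab-backup create"
    else echo "gitlab-rake gitlab:backup:create"; fi
}

# backup_id FILE: drop the directory and the _gitlab_backup.tar suffix,
# e.g. 1612345678_2021_02_03_13.8.0_gitlab_backup.tar -> 1612345678_2021_02_03_13.8.0
backup_id() {
    name=${1##*/}
    case $name in
        *_gitlab_backup.tar) echo "${name%_gitlab_backup.tar}" ;;
        *) echo "not a GitLab backup file: $1" >&2; return 1 ;;
    esac
}

# restore_cmd VERSION FILE: the in-container restore command.
restore_cmd() {
    id=$(backup_id "$2") || return 1
    if version_ge "$1" 12.2; then echo "gitlab-backup restore BACKUP=$id"
    else echo "gitlab-rake gitlab:backup:restore BACKUP=$id"; fi
}

# run_gitlab CONTAINER CMD...: run a command inside the GitLab container.
run_gitlab() { c=$1; shift; docker exec "$c" "$@"; }

# restore_all CONTAINER VERSION FILE: the full sequence from the notes, e.g.
#   restore_all gitlab-server 13.8.0 /var/opt/gitlab/backups/xxxx_gitlab_backup.tar
restore_all() {
    cmd=$(restore_cmd "$2" "$3") || return 1
    for svc in unicorn puma sidekiq; do run_gitlab "$1" gitlab-ctl stop "$svc"; done
    run_gitlab "$1" gitlab-ctl status
    run_gitlab "$1" $cmd   # word-split on purpose: "gitlab-backup restore BACKUP=..."
    docker restart "$1"
    run_gitlab "$1" gitlab-rake gitlab:check SANITIZE=true
}
```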
When gitlab-runner runs under docker, jobs are executed inside the container as the gitlab-runner user.
So, to log in to a remote server, the gitlab-runner user's identity must be used.
For example:
docker exec -it gitlab-runner /bin/bash
# su - gitlab-runner
$ ssh-keygen
$ ssh-copy-id <remote user>@<remote server address>
After that, .gitlab-ci.yml can use passwordless ssh to log in to the remote server and do its work.
The docker-compose.yml first; details are added gradually
version: '3'
services:
  gitlab:
    image: 'fjcanyue/gitlab-ce-zh:latest'
    container_name: 'gitlab-server'
    restart: always
    hostname: 'gitserver' # just the machine name
    environment:
      TZ: 'Asia/Shanghai'
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://<domain>' # access address
        # HTTPS configuration
        nginx['enable'] = true
        nginx['redirect_http_to_https'] = true
        nginx['ssl_certificate'] = "/home/certs/xxx.pem"
        nginx['ssl_certificate_key'] = "/home/certs/xxx.key"
        # Port configuration
        # gitlab_rails['gitlab_shell_ssh_port'] = 7022
        # unicorn['port'] = 8880
        # Email configuration
        # gitlab_rails['smtp_enable'] = true
        # gitlab_rails['smtp_address'] = "smtp.exmail.qq.com"
        # gitlab_rails['smtp_port'] = 465
        # gitlab_rails['smtp_user_name'] = "system@gitlab.com"
        # gitlab_rails['smtp_password'] = "XXXXXXXXXX"
        # gitlab_rails['smtp_authentication'] = "login"
        # gitlab_rails['smtp_enable_starttls_auto'] = true
        # gitlab_rails['smtp_tls'] = true
        # gitlab_rails['gitlab_email_from'] = 'system@gitlab.com'
        # GitLab Pages configuration
        #pages_nginx['enable'] = true # enable the Pages service
        #pages_external_url 'https://appink.cn' # GitLab Pages domain
        #pages_nginx['redirect_http_to_https'] = true # redirect http to https
        #gitlab_pages['inplace_chroot'] = true # GitLab CE Pages
        #pages_nginx['ssl_certificate'] = "/home/certs/appink.cn/appink.cn.pem" # certificate path
        #pages_nginx['ssl_certificate_key'] = "/home/certs/appink.cn/appink.cn.key" # certificate key path
    ports:
      - '80:80' # http port
      - '443:443' # https port
      # - '7022:7022' # forward host port 7022 to port 22 in the container
    volumes:
      - ./gitlab/etc:/etc/gitlab # GitLab configuration directory
      - gitlab:/var/opt/gitlab # GitLab data directory
      - /var/log/gitlab/logs:/var/log/gitlab # GitLab log directory
      - ./certs:/home/certs # SSL certificate directory for the domain
      - /etc/localtime:/etc/localtime:ro # sync the host date and time into the container
  runner:
    image: 'gitlab/gitlab-runner:latest'
    container_name: gitlab-runner
    restart: always
    networks:
      - gitlab_default
    volumes:
      - ./config:/etc/gitlab-runner
      - /var/run/docker.sock:/var/run/docker.sock # gives the runner root-equivalent control of the host's docker daemon
networks:
  gitlab_default:
    external: true
volumes:
  gitlab:
Addendum:
Using an nginx proxy
Put nginx and gitlab on the same docker network. GitLab's own nginx must stay enabled with GitLab's own HTTPS configured, the port mappings in docker-compose.yml are removed, and the external nginx then passes traffic straight through.
server {
    listen 80;
    listen [::]:80;
    server_name xxx;
    location / {
        return 301 https://$host$request_uri;
    }
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
server {
    listen 443 ssl http2;
    server_name xxx;
    ssl_certificate certs/xxx.pem;
    ssl_certificate_key certs/xxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # use this cipher suite.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # protocols to negotiate; TLSv1 and TLSv1.1 are deprecated, TLSv1.2 TLSv1.3 is enough for current clients.
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://xxx:443; ### note: the port number must be written here, do not forget it
        aio threads;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_buffers 8 512k;
        proxy_buffer_size 512k;
        client_max_body_size 2048M;
        client_body_buffer_size 256K;
    }
}