一、配置证书
1、创建目录 /etc/docker/certs，
并在该目录下执行下列命令：
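#!/usr/bin/env bash
# Generate a private CA plus TLS server and client certificates for the Docker
# remote API. Works inside /etc/docker/certs (created below) and leaves:
#   ca.pem / ca-key.pem, server-cert.pem / server-key.pem, cert.pem / key.pem
# Every command is on its own line: the trailing backslashes in the original
# listing would have joined consecutive openssl/echo commands into one.
set -euo pipefail

certs_dir=/etc/docker/certs
mkdir -p -- "$certs_dir"
cd -- "$certs_dir"
# Files are created owner-only from the start; public certs are opened up at the end.
umask 077

# CA: passphrase-protected key (openssl prompts for it), self-signed 10-year cert.
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem

# Server key and CSR.
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=server" -sha256 -new -key server-key.pem -out server.csr
# subjectAltName must list every address a client will put in DOCKER_HOST:
# IP literals under IP:, host names under DNS:. The IP: entries are the server's
# own internal and external addresses ("xx" is a redaction in the original and
# must be replaced). DNS:223.5.5.5 is kept from the original — confirm whether
# IP:223.5.5.5 was meant, since a client connecting to an IP only matches IP: entries.
# Written with '>' (not '>>') so a re-run does not accumulate duplicate lines.
printf '%s\n' \
  'subjectAltName = DNS:223.5.5.5,IP:106.14.114.xx,IP:172.22.251.52,IP:127.0.0.1' \
  'extendedKeyUsage = serverAuth' > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf

# Client key and certificate (cert.pem / key.pem are the files handed to Jenkins).
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
printf '%s\n' 'extendedKeyUsage = clientAuth' > extfile-client.cnf
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf

# Drop intermediates (plain files, so -r is not needed) and lock down modes:
# private keys owner-read-only, public certificates world-readable.
rm -f -v -- client.csr server.csr extfile.cnf extfile-client.cnf
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem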
2、文件配置（/lib/systemd/system/docker.service）
编辑该文件如下:
[Service]
# An empty ExecStart= first clears the value inherited from the packaged unit;
# otherwise systemd rejects a second ExecStart= for a non-oneshot service.
# NOTE(review): this file belongs to the docker package and is replaced on upgrade;
# the same two lines in /etc/systemd/system/docker.service.d/override.conf survive it.
ExecStart=
# --tlsverify makes the tcp listener on every interface (0.0.0.0:2376) require a
# client certificate signed by ca.pem; without it the remote API (root-equivalent)
# would be reachable unauthenticated. fd:// keeps the local socket activation.
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H fd:// -H tcp://0.0.0.0:2376
3、重启docker服务
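# Reload unit definitions first so the edited ExecStart is picked up, then
# enable and *restart*: 'start' is a no-op when dockerd is already running,
# and the new --tlsverify listener would never come up.
systemctl daemon-reload && systemctl enable docker.service && systemctl restart docker.service
systemctl status docker.service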
4、检查 docker api 服务是否启动成功
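# Confirm dockerd is listening on the TLS port (2376 per the unit file above).
# ss replaces the deprecated netstat; fall back when only net-tools is installed.
if command -v ss >/dev/null 2>&1; then
  ss -lntp | grep -- dockerd
else
  netstat -lntp | grep -- dockerd
fi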
二、Jenkins配置
1、配置coding代码仓库访问权限。
2、配置docker镜像
3、docker api配置:Jenkins配置三个证书(ca.pem、cert.pem、key.pem)
三、新建视图、配置任务
任务:新建任务——>流水线——>选择“Pipeline script from SCM”——>选择“git”(配置Jenkinsfile路径、取消“轻量级检出”)
四、Jenkinsfile 上的配置
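stage('Deploy to docker') {
  environment {
    // Docker client certificate credential (ca.pem/cert.pem/key.pem); comment out
    // if the daemon is not reached over TLS.
    DOCKER_CERT_PATH = credentials('saidi252-credit')
  }
  steps {
    script {
      // Deliberately assigned without 'def', as in the original: they land in the
      // script binding, so later stages may read them.
      container_port = 80
      container_port_map = ""
      docker_client_env = ""
      if (params.container_port) {
        // Build parameters are user-supplied and are interpolated into the sh
        // commands below, so only a plain port number is accepted.
        if (!("${params.container_port}" ==~ /[0-9]{1,5}/)) {
          error("container_port must be numeric, got: ${params.container_port}")
        }
        container_port = "${params.container_port}"
        container_port_map = " -p ${params.container_port}:80 "
      }
      if (params.docker_remotes) {
        def docker_remote_arr = "${params.docker_remotes}".split(",")
        // Deploy to every remote daemon in the comma-separated list.
        for (int i = 0; i < docker_remote_arr.size(); ++i) {
          docker_remote = "${docker_remote_arr[i]}"
          // Same reason as above: only host names / IPv4 literals may reach DOCKER_HOST.
          if (!(docker_remote ==~ /[A-Za-z0-9.-]+/)) {
            error("invalid docker remote: ${docker_remote}")
          }
          // NOTE(review): the dockerd unit in this document listens on 2376; port 2377
          // is kept from the original — confirm which port the remotes actually expose.
          docker_client_env = "export DOCKER_TLS_VERIFY=1; export DOCKER_HOST=tcp://${docker_remote}:2377; docker_remote=${docker_remote};"
          // '|| true': on a first deploy the container does not exist yet, and
          // 'docker rm -f' on a missing container fails on older CLIs, which would
          // abort the stage before 'docker run'.
          sh "$docker_client_env docker rm -f $DOMAIN_NAME || true"
          // Deploy the service. Continuation lines stay unindented so the
          // backslash-joined command string is unchanged.
          sh "$docker_client_env docker run -d --name ${DOMAIN_NAME} --restart=always \
-e TZ='Asia/Shanghai' -e CONTAINER_PORT=${container_port} -m ${LIMIT_MEMORY}M \
$container_port_map -v /etc/localtime:/etc/localtime:ro \
$docker_image"
          echo "清理过时的镜像"
          // Remove images of the same name that are older than the one just deployed;
          // the exported DOCKER_HOST/TLS settings also apply to the rmi run by xargs.
          sh "$docker_client_env docker images $docker_image_name -q --filter before=$docker_image | xargs --no-run-if-empty docker rmi "
        }
      }
    }
  }
}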
完