企业级-搭建CICD(持续集成持续交付)实验手册

搭建CI/CD(持续集成/持续交付)企业示例

为了让容器构建镜像并可以持续集成，可以自动上传到Harbor仓库；并且业务主机可以通过CD自动从仓库中下载镜像latest版本并实现业务更新。

1.环境部署

1.1 环境搭建

业务	IP	域名
GitLab	172.25.254.50	gitlab.dhj.org
Jenkins	172.25.254.60	jenkins.dhj.org
Dockernode	172.25.254.100	dockernode.dhj.org
Harbor	172.25.254.200	harbor.dhj.org

1.2 环境准备

1.2.1 火墙及SELinux的关闭

~]# systemctl disable --now firewalld
~]# sed -i '/^SELINUX=/ c SELINUX=disabled' /etc/selinux/config
~]# reboot			# 如果想直接将selinux设置为disabled，可以使用临时命令setenforce=0;但是还是建议永久修改配置文件

1.2.2 编写各业务主机解析

~]# vim /etc/hosts
172.25.254.50   gitlab.dhj.org
172.25.254.60   jenkins.dhj.org
172.25.254.100  dockernode.dhj.org
172.25.254.200  reg.dhj.org# 如果在上面发现这样很麻烦，可以使用scp
scp /etc/hosts root@172.25.254.xxx:/etc/hosts

1.2.3 Harbor业务主机：Harbor仓库搭建–registry

[root@reg ~]# cd /etc/yum.repos.d
[root@reg yum.repos.d]# vim docker.repo
[docker]
name = docker-ce
baseurl = https://mirrors.aliyun.com/docker-ce/linux/rhel/9/x86_64/stable
gpgcheck = 0[root@reg yum.repos.d]# yum makecache[root@reg yum.repos.d]# rpm -qa | grep podman
podman-4.6.1-5.el9.x86_64
cockpit-podman-76-1.el9_3.noarch[root@reg yum.repos.d]# rm -rf podman-4.6.1-5.el9.x86_64
[root@reg yum.repos.d]# rm -rf cockpit-podman-76-1.el9_3.noarch# 上传所需文件
[root@reg ~]# cd /mnt/
[root@reg mnt]# ls
docker.tar.gz  packages.zip[root@reg mnt]# tar zxf docker.tar.gz
[root@reg mnt]# unzip packages.zip[root@reg mnt]# ls
docker  docker.tar.gz packages  packages.zip
[root@reg mnt]# cd docker/[root@reg docker]# yum install *.rpm# 在第15行命令，在后面加上参数 --iptables=true
[root@reg docker]# vim /usr/lib/systemd/system/docker.service
15 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=true[root@reg docker]# systemctl daemon-reload
[root@reg docker]# systemctl restart docker

[root@reg docker]# echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
[root@reg docker]# sysctl -p
net.ipv4.ip_forward = 1[root@reg docker]# systemctl  enable --now docker
[root@reg docker]# docker info

# 以下除了rhel9不需要做，其他版本的系统建议去做
# 激活内核网络选项
]# echo br_netfilter > /etc/modules-load.d/docker_mod.conf
]# modprobe br_netfilter
]# vim /etc/sysctl.d/docker.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1]# sysctl --system
]# systemctl  restart docker

# 创建了证书与密钥
[root@reg ~]# mkdir -p /data/certs
[root@reg ~]#  openssl req -newkey  rsa:4096 \
-nodes -sha256 -keyout /data/certs/dhj.org.key \
-addext "subjectAltName = DNS:reg.dhj.org" \
-x509 -days 365 -out /data/certs/dhj.org.crtCommon Name (eg, your name or your server's hostname) []:reg.dhj.org# 创建证书目录并部署信任证书（使Docker客户端信任私有仓库的HTTPS证书）
[root@reg ~]# mkdir /etc/docker/certs.d/reg.dhj.org/ -p
[root@reg ~]# cp /data/certs/dhj.org.crt  /etc/docker/certs.d/reg.dhj.org/ca.crt
[root@reg ~]# systemctl restart docker

[root@reg ~]# cd /mnt/packages/
[root@reg packages]# cp -p harbor-offline-installer-v2.5.4.tgz  /root[root@reg packages]# cd
[root@reg ~]# tar zxf harbor-offline-installer-v2.5.4.tgz[root@reg ~]# cd harbor
[root@reg harbor]# cp harbor.yml.tmpl harbor.yml# 需要修改内容如下（如果一致，不变即可）：
[root@reg harbor]# vim harbor.yml5 hostname: reg.dhj.org17   certificate: /data/certs/dhj.org.crt				# 看自己的存放位置18   private_key: /data/certs/dhj.org.key				# 看自己的存放位置34 harbor_admin_password: admin						# 初始密码47 data_volume: /data									# 此处挂载的目录（需要跟上面证书与密钥在一个目录下）[root@reg harbor]# ./install.sh --with-chartmuseum
[root@reg harbor]# docker compose down
[root@reg harbor]# docker compose up -d

# 去浏览器中去测试https://172.25.254.200

[root@reg ~]# cd /etc/docker/
[root@reg docker]# vim daemon.json
[root@reg docker]# cat daemon.json
{"registry-mirrors": ["https://reg.dhj.org"]
}[root@reg docker]# systemctl restart docker[root@reg docker]# docker logout reg.dhj.org
Removing login credentials for reg.dhj.org~]# cd harbor/
[root@reg harbor]# docker compose restart[root@reg harbor]# docker login reg.dhj.org
Username: admin
Password:admin~]# docker info

# 测试：上传一个镜像
[root@reg harbor]# cd
[root@reg ~]# cd /mnt/packages/[root@reg packages]# docker load -i busybox-latest.tar.gz[root@reg packages]# docker tag busybox:latest  reg.dhj.org/ceshi/busybox:latest
[root@reg packages]# docker push reg.dhj.org/ceshi/busybox:latest# 查看是否上传成功
[root@reg packages]# curl -k https://reg.dhj.org/v2/_catalog -u admin:admin
{"repositories":["ceshi/busybox"]}# 在浏览器中可以进行查看，如下图所示
# 成功即为部署完成！

1.2.4 GitLab业务主机：gitlab代码仓库搭建

1.2.4.1 部署git

1.安装

# 在rhel9的系统中默认自带git
[root@CICD-node1 ~]# dnf install git  -y# 设定命令补全功能
[root@CICD-node1 timinglee]# echo "source  /usr/share/bash-completion/completions/git" >> ~/.bashrc
[root@CICD-node1 timinglee]# source  ~/.bashrc

2.初始化

[root@CICD-node1 ~]# mkdir  timinglee
[root@CICD-node1 timinglee]# git init# 设定用户信息
[root@CICD-node1 timinglee]# git config --global user.name "timinglee"
[root@CICD-node1 timinglee]# git config --global user.email "timinglee@timinglee.org"
[root@CICD-node1 timinglee]# git status -s		#简化输出

1.2.4.2 部署gitlab

# 在安装包之前需配置好软件仓库来解决依赖性
[root@CICD-node1 ~]# yum install -y curl policycoreutils-python-utils  openssh-server perl
# 此处需要上传资源包
[root@CICD-node1 ~]# dnf install gitlab-ce-17.1.6-ce.0.el9.x86_64.rpm -y

# 修改配置文件
[root@CICD-node1 ~]# cd /etc/gitlab/
[root@CICD-node1 gitlab]# ls
gitlab.rb
[root@CICD-node1 gitlab]# vim gitlab.rb
32 external_url 'http://172.25.254.50'# 修改配置文件后需利用gitlab-crt来生效，
[root@CICD-node1 gitlab]# gitlab-ctl reconfigure
# 执行命令成功后会把所有组件全部启动起来

# 查看原始密码
[root@CICD-node1 gitlab]# cat /etc/gitlab/initial_root_password
Password: jN9lq6NSP8a2V+4n57djzWlEGP7RZ43DSIse8sXJGTQ=		# 密码（后面需要改密码！要不然密码24小时换一次--账户默认root---后面设置成Dhjnb520即可）# 进入浏览器搜索172.25.254.50		# 用户即为root

1.登陆

2.设置语言

3.设置密码

4.在gitlab中新建项目

# 生成sshd密钥
[root@CICD-node1 ~]# ssh-keygen		# 一路回车
[root@CICD-node1 ~]# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5Zg+ZbnTCrOPVne0OhYzGhxIsAcyuq7dGvG8EkMl+KGZD4+4vI3dxznQHbIa2ZNoC6gatHzdCty5KK+Ipkywzq0YSxJEzjfbCQX8n8AHRka7EI/IlkGenwD3ALkncMop7GmMNiNgfpFqQCTpM/cptXzDdAVA5AwRgIVB1efCU7QhwL/IHs91eAqH4ZalGh2W+hRAjdc3Iv68TyOTMFU5qg9CuEb899+qu8qCZlerj49ot7cps5O0wDFfyYopIKvdeYzDCDXTkd+dlHUqeSaSOh1yccCobT10wVmZDYdV7cDBsjZN3mlTKfCUAixVlyreWMXUyjQx1I+6iy0PVfrOt98ZjLb6D2oSFljvVeO57f3U/NRw90H1yOZ/FPrCGXfueSmwya9d+A6WtJFQ+eirrtqh8Q4Vy87BL2GbaKZxoLdvt7b5crqix95KzY4IAE51HvS6KQDlpR8PQKokTvRzDHWcEfcbpnBpPPA06oB89RNAeEJksaykcVen9peksRVs= root@gitlab.dhj.org

5.上传公钥到gitlab中

6.下载项目

# 做此实验之前，需要将前面的timinglee目录删除，以免影响实验效果！
[root@gitlab ~]# rm -rf timinglee
[root@gitlab ~]# git clone  git@172.25.254.50:root/timinglee.git[root@gitlab ~]# cd timinglee/
[root@gitlab timinglee]# ls
README.md
[root@gitlab timinglee]# git remote -v
origin  git@172.25.254.50:root/timinglee.git (fetch)
origin  git@172.25.254.50:root/timinglee.git (push)# 文件提交
[root@CICD-node1 timinglee]# echo timinglee > timinglee
[root@CICD-node1 timinglee]# git add timinglee
[root@CICD-node1 timinglee]# git commit -m "add timinglee"
[root@CICD-node1 timinglee]# git push -u origin main# 去浏览器中进行网页刷新，发现已经成功！

1.2.5 Jenkins业务主机：jenkins部署

jenkins需要部署在新的虚拟机中，建议最少4G内存，4核心cpu

# 安装依赖包
[root@jenkins ~]# dnf install -y fontconfig java-21-openjdk# 上传资源包并安装jenkins
[root@jenkins ~]# dnf install -y jenkins-2.516.2-1.1.noarch.rpm# 启动jenkins
[root@jenkins ~]# systemctl enable --now jenkins.service# 查看原始密码
[root@jenkins ~]# cat /var/lib/jenkins/secrets/initialAdminPassword
f0d8f8bb85ff4b81aa65db1aff88d0ac
# 浏览器中进行172.25.254.60:8080

1.2.5.1 部署插件

# 如果网络环境不对；
# 此时会发现，很慢而且过不去，上传资源包里面的文件即可[root@jenkins ~]# cd  /var/lib/jenkins/
[root@jenkins jenkins]# systemctl stop jenkins.service
[root@jenkins jenkins]# rm -fr plugins
[root@jenkins ~]# ls
jenkins-2.516.2-1.1.noarch.rpm  plugins.tar.gz
[root@jenkins ~]# tar zxf /root/plugins.tar.gz -C  /var/lib/jenkins/[root@jenkins ~]# systemctl enable --now jenkins.service
[root@jenkins ~]# systemctl restart jenkins.service			# 一定要进行重启！！！
[root@jenkins ~]# cat /var/lib/jenkins/secrets/initialAdminPassword
f0d8f8bb85ff4b81aa65db1aff88d0ac
# 再次去测试即可# 出现满屏红，后退之后进行安装即可

建议修改admin的密码，在admin的设置中修改即可

1.2.5.2 jenkins与gitlab的整合

# 下载git命令
[root@gitlab ~]# dnf install git  -y
[root@gitlab ceshi]# echo "source  /usr/share/bash-completion/completions/git" >> ~/.bashrc
[root@gitlab ceshi]# source  ~/.bashrc

这个错误的原因是因为本机没有gitlab上的sshkey

[root@jenkins ~]# ssh-keygen
[root@jenkins ~]# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCv//RUt7dZbb5N6P6SF/nnmSMqgYPHTs3UQ2gCYeAFiS0i917BCwQURsCrh6fnIgk2NOuzP6ZxuE5fqqvBM6gaME1/o/GFvavy7Qe22alrYhSTxITUgVEwwgn1dqjzEB/AmbBMwTCf7VUJHISkchmuUNOhtynwBrZDobzMP+wHFOdpSoL9WRUSEOEHMhAvSZmU7uhyXorOyKBD/cryTq4ul8CRO5oor5Te+YhJEctA7UhXa11Ug1rFp+tZhr8RPWjk6BFMenexq6nDHPwcKgtRz9fXo+DRrJSwGWs9IFQt5skpyRcjJpb4fXsP66aTSr/PgGW+oaAQJGGRenLxU+ys7yx4wxP7JHSeOlibeeDzl8QTtVq6lXH9/0RNo/VDJUr97uBmUKBpZpRBg50PWvx9OmCC6dB/rKSGBe3xFgnGGqlB9v4mXyGMixFwBteQ4PG4DD95BnItfwtoe8XyqiTBGmYl0uhI13Bhh6e0q3eqDdN0033EG/I8qz8aJXKM7RU= root@jenkins.dhj.org

把此密钥添加到gitlab上即可

添加密钥凭据

[root@jenkins ~]# cd .ssh/
[root@jenkins .ssh]# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAr//0VLe3WW2+Tej+khf555kjKoGDx07N1ENoAmHgBYktIvdewQsE
FEbAq4en5yIJNjTrsz+mcbhOX6qrwTOoGjBNf6Pxhb2r8u0Httmpa2IUk8SE1IFRMMIJ9X
ao8xAfwJmwTMEwn+1VCRyEpHIZrlDTobcp8Aa2Q6G8zD/sBxTnaUqC/VkVEhDhBzIQL0mZ
lO7ocl6KzsigQ/3K8k6uLpfAkTuaKK+U3vmISRHLQO1IV2tdVINaxafrWYa/ET1o5OgRTH
p3saupwxz8HCoLUc/X16Pg0ayUsBlrPSBULebJKckXIyaW+H17D+umk0q/z4BlvqGgECRh
kXpy8VPsrO8seMMT+yR0njpYm3ng85fEE7VaupVx/f9ETaP1QyVK/e7gZlCgaWaUQYOdD1
r8fTpggunQf6ykhgXt8RYJxhqpQfb+Jl8hjIsRcAbXkODxuAw/eQZyLX8LaHvF8qokwRpm
JdLoSNdwYYentKt3qg3TdNN9xBvyPKs/GiVyjO0VAAAFkOsA5aTrAOWkAAAAB3NzaC1yc2
EAAAGBAK//9FS3t1ltvk3o/pIX+eeZIyqBg8dOzdRDaAJh4AWJLSL3XsELBBRGwKuHp+ci
CTY067M/pnG4Tl+qq8EzqBowTX+j8YW9q/LtB7bZqWtiFJPEhNSBUTDCCfV2qPMQH8CZsE
zBMJ/tVQkchKRyGa5Q06G3KfAGtkOhvMw/7AcU52lKgv1ZFRIQ4QcyEC9JmZTu6HJeis7I
oEP9yvJOri6XwJE7miivlN75iEkRy0DtSFdrXVSDWsWn61mGvxE9aOToEUx6d7GrqcMc/B
wqC1HP19ej4NGslLAZaz0gVC3mySnJFyMmlvh9ew/rppNKv8+AZb6hoBAkYZF6cvFT7Kzv
LHjDE/skdJ46WJt54POXxBO1WrqVcf3/RE2j9UMlSv3u4GZQoGlmlEGDnQ9a/H06YILp0H
+spIYF7fEWCcYaqUH2/iZfIYyLEXAG15Dg8bgMP3kGci1/C2h7xfKqJMEaZiXS6EjXcGGH
p7Srd6oN03TTfcQb8jyrPxolcoztFQAAAAMBAAEAAAGACBwLWk73yg1aODVM65biuzbtba
M3mvqo1cfAVmHDpIWoWITc7xiumK+U56JxzF7fXUnNdX4wkWtcYyCWVunmLES/AWtgsNin
QGOHGDgJzCqiB5gFxdPqlYxPUKnlyYNb7zA1tSeusaPKKAgSHZCrWcKcKcaqjkaE5fNhI2
krmzztl8ao5/sPkzxHXiFCqScjRj9G4yQzkakhZ1idnhIdiQSRiS+doBPNEIQfcTx6aNS2
IV8PVxpRV6uv1rl0etshMzPMxrLC171J+OdMths+HbsXhXYDLgE7rB8ildhicWUY+pQ4BG
N3MP9FbpKe/vK3VxktN+WgfXMRN09IyULRuXVWkgQ/7WARiu2aGerKRa7zzEkIEaRgGt/s
ySX2D4d2fuvNehqN1zB0/HhM+QYPiiuqFfxRJC90U7T37MGm705T0xbOzfNz8qylfvI902
qbFHTOa0KOwUbc8N3uD8VIn+rEY2qwm3Yk6s7T8k2o/+O4TF9VoaQdD62RvVYnsjVZAAAA
wHBY1Aa9jX1dhGUG3Zziz2hJ/nJx2vEXPl55kQ5hUeqT4HCDyYHCx006eLeLcBpa2F19aU
qxhktHS+nBCE0du3s1Ieo2p6LQSTEQyo8H2TBwlZNF2Hot7K18lUMJM7n9iAc42P7rZoL6
jfKtiODpCHFrN6UQRZa50+dw0PjRwzeuLZYEHOhKAE882I2rBSj5xomhZ0wfw9qyY0C5Lb
8NrTcDApIFyDtH1DJScKxDM9HYE4T5sQ4h5LT+E4GHmY0lsAAAAMEAuYV38YsSZnDK56+2
hYPU0hJo3mIiEnEch4k1zSH5RlHY7i6VBNkEZkruqGGxMjUuqDYhzQNO03jmfsZp6JMWwf
W0gaw8oAGMLaWcnWgmxBcnk8hHyXOPbTD8eLE9e1SHP3gM7zLAj97Baboo2i3EWxZXImwi
yfrJUpaMSh9K9zKnW7tmosXcrbvo90i9KW767Ywe9ZrEIXow3QpSAow27vJt4pqYTiUoKE
O1VLN6v7le9FKf16rV3lbR9EFy8HAZAAAAwQDy3HyII2xJq/FXz7qAYOPosf0YSBzNvHt0
r8UcqX3qDtsb3BLiWOIdVoU2N2ce21goaXUAUaBjrstNU0cFsUJoGPBhKIWJjRiMzIOSqx
HS/lsTUn+sMZGVh4sS1ZRzhpWNJF6cTyeczmfBvgOesqEAfSfyZbgCfjS1uxMWwTGOGDZX
A9cH+X9avhqU8961fI+ticfgD4yTJALmP5cElQEyPKEI0wve6UTme5nxdIStvUjw3Jfmvb
sAJ5ZV501MVF0AAAAUcm9vdEBqZW5raW5zLmRoai5vcmcBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----

添加完成后报错依然存在，因为ssh首次连接主机是需要签名认证，需要手动输入yes（也可以网页刷新一下，重新添加即可）

# 方法1
[root@jenkins ~]# vim /etc/ssh/ssh_config33    StrictHostKeyChecking no

# 方法2:看下面步骤即可

完成此设定即可解决

1.2.5.3 genkins中gitlab触发器的部署

在 Jenkins 中配置 GitLab 触发器可以实现代码提交或合并请求时自动触发 Jenkins 流水线

1.安装插件

如果需要使用gitlab触发器需要安装gitlab插件。

目前使用官方源下载比较吃力，可以直接本地部署插件即可

# 由于网络环境差，访问官网下载插件的效果并不好；
# 可以选择本地部署插件

2.部署自动触发

插件加载完毕后在jenkins中选择之前构建的项目并配置自动触发

在gitlab中设定

# 这样可以感受到自动触发；但是发现感觉不是很强烈，下面展示明显的自动触发的效果！

3.测试自动触发

# 编写测试文件
[root@gitlab timinglee]# echo "This is a ceshi project! " > ceshi.txt
[root@gitlab timinglee]# git add ceshi.txt
[root@gitlab timinglee]# git commit -m "ceshi v1"
[root@gitlab timinglee]# git push -u origin main

# 此时打开浏览器去观察！

1.2.6 Dockernode业务主机：docker部署

1.2.6.1 docker部署与测试及配置Java环境

[root@dockernode ~]# vim /etc/yum.repos.d/docker.repo
[docker]
name = docker
baseurl = https://mirrors.aliyun.com/docker-ce/linux/rhel/9/x86_64/stable/
gpgcheck = 0[root@dockernode ~]# yum makecache
[root@dockernode ~]# yum install docker-ce fontconfig java-21-openjdk git -y# 从harbor仓库中把认证文件复制到当前主机
[root@dockernode ~]# mkdir  /etc/docker/certs.d/reg.dhj.org/ -p
[root@dockernode ~]# scp root@172.25.254.200:/data/certs/dhj.org.crt  /etc/docker/certs.d/reg.dhj.org/ca.crt
[root@dockernode ~]# vim /etc/docker/daemon.json
{"registry-mirrors": ["https://reg.dhj.org"]
}[root@dockernode ~]# systemctl restart docker
[root@dockernode ~]# systemctl enable --now docker# 测试一下docker是否安装好(先要在harbor-reg主机中)
[root@reg packages]# ls
nginx-latest.tar.gz
[root@reg packages]# docker load -i nginx-latest.tar.gz
[root@reg packages]# docker tag nginx:latest reg.dhj.org/library/nginx:latest
[root@reg packages]# docker push reg.dhj.org/library/nginx:latest[root@dockernode ~]# docker info | grep httpshttps://reg.dhj.org/
[root@dockernode ~]# docker pull nginx
[root@dockernode ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
nginx        latest    5ef79149e0ec   12 months ago   188MB

1.2.7 Jenkins业务主机：将Harbor仓库-registry节点部署在jenkins上

1.2.7.1 在harbor仓库主机中安装java环境及git

[root@harbor harbor]# dnf install  fontconfig java-21-openjdk git -y
# 设定git命令补全功能
[root@harbor harbor]# echo "source  /usr/share/bash-completion/completions/git" >> ~/.bashrc
[root@harbor harbor]# source  ~/.bashrc

初始只有一个master节点

# 添加凭证
# 用户 --> root
# 密码 --> root

# 如果出现registry主机一直连接不上，一般问题是Jenkins服务器（/var/lib/jenkins/.ssh/known_hosts）从未连接过目标主机 172.25.254.200，因此没有后者的 SSH 主机密钥记录
[root@jenkins ~]# ssh-keygen -R 172.25.254.200
[root@jenkins ~]# ssh-keyscan 172.25.254.200 >> ~/.ssh/known_hosts
[root@jenkins ~]# grep "172.25.254.200" ~/.ssh/known_hosts
[root@jenkins ~]# systemctl restart jenkins

# Number of executors（执行器数量）指的是Jenkins主节点上可以同时运行的任务（Job）的数量
# 将master节点任务数量降为0

1.3 配置构建节点

1.3.1 在jenkins中安装构建插件

# 此处在上面已经安装过了，本处可以忽略

# 这里的ssh插件会报毒（没关系）

1.3.2 设置jenkins的容器构建规则

2.解决ca证书问题

# 诊断SSL证书问题
[root@reg reg.dhj.org]# curl -v https://reg.dhj.org/v2/ 2>&1 | grep -E "(SSL|cert|CA)"
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html# 获取服务器当前证书
[root@reg reg.dhj.org]# echo | openssl s_client -connect reg.dhj.org:443 -showcerts 2>/dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/current_cert.pem# 比较证书文件
[root@reg reg.dhj.org]# diff /etc/docker/certs.d/reg.dhj.org/ca.crt /tmp/current_cert.pem# 复制证书到系统CA存储目录
[root@reg reg.dhj.org]# cd
[root@reg ~]# cp /etc/docker/certs.d/reg.dhj.org/ca.crt  /etc/pki/ca-trust/source/anchors/# 更新CA信任存储
[root@reg ~]# update-ca-trust
# 验证证书已被添加
[root@reg ~]# openssl verify /etc/docker/certs.d/reg.dhj.org/ca.crt# 重启Docker服务
[root@reg ~]# systemctl restart docker# 重载docker compose
[root@reg ~]# cd harbor/
[root@reg harbor]# docker compose down && docker compose up -d# 测试连接
[root@reg harbor]# curl -v https://reg.dhj.org/v2/
*   Trying 172.25.254.200:443...
* Connected to reg.dhj.org (172.25.254.200) port 443 (#0)# 测试Docker是否能与Registry--harbor仓库正常通信
[root@dockernode ~]# docker pull reg.dhj.org/library/nginx:latest
# 成功！

3.测试镜像构建

在gitlab中建立Dockerfile和index.html

[root@gitlab timinglee]# vim index.html
www.dhj.org v1[root@gitlab timinglee]# vim Dockerfile
FROM nginx
COPY index.html /usr/share/nginx/html[root@gitlab timinglee]# git add index.html Dockerfile
[root@gitlab timinglee]# git status -s[root@gitlab timinglee]# git commit -m "webserver v1"
[root@gitlab timinglee]# git push -u origin main

4.设置在业务节点自动运行

# 上面的ssh.hpi的插件上面已经装过

# command命令（一定要注意docker里面只有rm -f 没有-rf）
docker ps -a | grep myapp && docker rm -f myapp && docker rmi  reg.dhj.org/library/webserver:latest
sleep 4
docker run -d --name myapp -p 80:80 reg.dhj.org/library/webserver:latest

# 此时会发现并没有改变
# 是由于docker-action此项目是由timinglee这个项目触发的

# 可以自己构建（手动触发）

# 此时去浏览器中搜索172.25.254.100即可看到测试效果

5.测试效果

[root@gitlab ceshi]# vim index.html
[root@gitlab ceshi]# git commit -a -m "webserver v4"
[root@gitlab ceshi]# git push -u origin main

此时会发现并没有改变

是由于docker-action此项目是由timinglee这个项目触发的


[外链图片转存中...(img-CMByYc8a-1756452027229)]~~~bash
# 可以自己构建（手动触发）

[外链图片转存中…(img-D5TgWxdS-1756452027229)]

# 此时去浏览器中搜索172.25.254.100即可看到测试效果

[外链图片转存中…(img-0SaGGgyG-1756452027229)]

5.测试效果

[root@gitlab ceshi]# vim index.html
[root@gitlab ceshi]# git commit -a -m "webserver v4"
[root@gitlab ceshi]# git push -u origin main

[外链图片转存中…(img-Rd0i3D1I-1756452027229)]

[外链图片转存中…(img-g7EgFNIT-1756452027229)]