堆栈内存溢出
  简体   繁体   English

GitLab CI ssh注册表登录

[英]GitLab CI ssh registry login

 原文  2016-12-21 16:45:43       docker/ gitlab/ gitlab-ci/ docker-registry/ gitlab-ci-runner

问题描述

I have a GitLab project gitlab.com/my-group/my-project which has a CI pipeline that builds an image and pushes it to the project's GitLab registry registry.gitlab.com/my-group/my-project:tag . 我有一个GitLab项目gitlab.com/my-group/my-project ,它有一个CI管道,可以构建一个图像并将其推送到项目的GitLab注册表registry.gitlab.com/my-group/my-project:tag I want to deploy this image to Google Compute Engine, where I have a VM running docker. 我想将此图像部署到Google Compute Engine,在那里我有一个运行docker的VM。

Easy enough to do it manually by ssh'ing into the VM, then docker login registry.gitlab.com and docker run ... registry.gitlab.com/my-group/my-project:tag . 很容易通过ssh进入VM手动完成,然后docker docker login registry.gitlab.comdocker run ... registry.gitlab.com/my-group/my-project:tag Except the docker login command is interactive, which is a no-go for CI. 除了docker login命令是交互式的,这对于CI来说是不可取的。 It can accept a username and password on the command line, but that hardly feels like the right thing to do, even if my login info is in a secret variable (storing my GitLab login credentials in a GitLab secret variable?...) 它可以在命令行上接受用户名和密码,但即使我的登录信息是在一个秘密变量 (将我的GitLab登录凭据存储在GitLab秘密变量中......),这也不是正确的事情。

This is the intended workflow on the Deploy stage of the pipeline: 这是管道的Deploy阶段的预期工作流程:

  1. Either install the gcloud tool or use an image with it preinstalled 安装gcloud工具或使用预装的图像
  2. gcloud compute ssh my-gce-vm-name --quiet --command \\ "docker login registry.gitlab.com && docker run registry.gitlab.com/my-group/my-project:tag"

Since the gcloud command would be running within the GitLab CI Runner, it could have access to secret variables, but is that really the best way to log in to the GitLab Registry over ssh from GitLab ? 由于gcloud命令将在GitLab CI Runner中运行,它可以访问秘密变量,但这是否真的是从GitLab通过ssh登录GitLab Registry的最佳方式?

3 个解决方案

解决方案1
 2 已采纳  2016-12-21 20:11:37

I'll answer my own question in case anyone else stumbles upon it. 我会回答我自己的问题,万一其他人偶然发现它。 GitLab creates ephemeral access tokens for each build of the pipeline that give the user gitlab-ci-token access to the GitLab Registry. GitLab为管道的每个构建创建临时访问令牌,为用户提供gitlab-ci-token访问GitLab注册表。 The solution was to log in as the gitlab-ci-token user in the build. 解决方案是在构建中以gitlab-ci-token用户身份登录。

.gitlab-ci.yml (excerpt): .gitlab-ci.yml(摘录): 

deploy:
  stage: deploy
  before_script:
    - gcloud compute ssh my-instance-name --command "docker login registry.gitlab.com/my-group/my-project -u gitlab-ci-token -p $CI_BUILD_TOKEN"

解决方案2
 1  2016-12-21 20:09:11

The docker login command creates a local configuration file in which your credentials are stored at $HOME/.docker/config.json that looks like this (also see the documentation on this): docker login命令创建一个本地配置文件,其中您的凭据存储在$HOME/.docker/config.json ,如下所示(另请参阅此文档 ): 

{
    "auths": {
        "<registry-url>": {
            "auth": "<credentials>"
        }
    }
}

As long as the config.json file is present on your host and your credentials (in this case simply being stored as base64("<username>:<password>") ) do not change, there is no need to run docker login on every build or to store your credentials as variables for your CI job. 只要主机上存在config.json文件并且您的凭据(在这种情况下只是存储为base64("<username>:<password>") )不更改,就不需要运行docker login on每次构建或将您的凭据存储为CI作业的变量。

My suggestion would be to simply ensure that the config.json file is present on your target machine (either by running docker login once manually or by deploying the file using whatever configuration management tool you like). 我的建议是简单地确保目标机器上存在config.json文件(通过手动运行docker login或使用您喜欢的任何配置管理工具部署文件)。 This saves you from handling the login and managing credentials within your build pipeline. 这使您无需在构建管道中处理登录和管理凭据。

Regarding the SSH login per se; 关于SSH登录本身; this should work just fine. 这应该工作得很好。 If you really want to eliminate the SSH login, you could setup the Docker engine on your target machine to listen on an external socket, configure authentication and encryption using TLS client certificates as described in the official documentation and directly talk to the remote server's Docker API from within the build job: 如果您真的想要消除SSH登录,可以在目标计算机上设置Docker引擎以侦听外部套接字,使用官方文档中所述的TLS客户端证书配置身份验证和加密,并直接与远程服务器的Docker API进行通信从构建工作中: 

variables:
  DOCKER_HOST: "tcp://<target-server>:2376"
  DOCKER_TLS_VERIFY: "1"
script:
  - docker run registry.gitlab.com/my-group/my-project:tag

解决方案3
 0  2016-12-21 16:56:21

We had the same "problem" on other hosting providers. 我们在其他托管服务提供商处遇到了同样的“问题”。 Our solution is to use some kind of custom script which runs on the target machine and can be called via a Rest-Api Endpoint (secured by Basic-Auth or what ever). 我们的解决方案是使用在目标机器上运行的某种自定义脚本,并且可以通过Rest-Api端点调用(由Basic-Auth或任何其他设备保护)。

So you could just trigger the remote host to do the docker login and upgrade your service without granting SSH Access via gitlab-ci. 因此,您可以触发远程主机执行docker登录并升级您的服务,而无需通过gitlab-ci授予SSH访问权限。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Gitlab CI - 注册表和 nginx - Gitlab CI - registry and nginx CI/CD Gitlab 与 Harbor Registry - CI/CD Gitlab with Harbor Registry Gitlab 注册表:登录不一致 - Gitlab Registry: login inconsistency 从 Gitlab CI 登录 Google Cloud Registry 时出错:无法从非 TTY 设备执行交互式登录 - Error logging in to Google Cloud Registry from Gitlab CI: Cannot perform interactive login from a non TTY device Gitlab Docker 登录到错误的注册表 - Gitlab Docker login on wrong registry GitLab私有注册表 - 登录错误 - GitLab private registry - login error 对GitLab CI使用私有Docker注册表 - Using private docker registry for GitLab CI 在 CI 中使用来自 gitlab Registry 的图像 - use image from gitlab Registry in CI Gitlab CI/CD 与 JHipster 和 Docker 注册表 - Gitlab CI/CD with JHipster and Docker registry 为 gitlab-ci 使用没有注册表的 docker - Use docker without registry for gitlab-ci
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM