Ako nainštalovať a nakonfigurovať Concourse CI na CentOS 7

Úvod

Predpoklady

Nainštalujte a nakonfigurujte databázu PostgreSQL

Stiahnite si a nainštalujte Concourse CI

Generovanie a nastavenie kľúčov RSA

Začiatok večierka

Nakonfigurujte prostredie a službu Systemd

Pripojenie k serveru

Nastavenie reverzného proxy servera Nginx

Úvod

Nepretržitá integrácia je postup vývoja softvéru DevOps, ktorý umožňuje vývojárom častokrát denne spájať upravený kód do zdieľaného úložiska. Po každom zlúčení sa vykonajú automatické zostavenia a testy na zistenie problémov v kóde. Umožňuje vývojárom rýchlo nájsť a vyriešiť chyby, aby sa zlepšila kvalita softvéru a zabezpečila sa nepretržitá dodávka softvéru. Prepínanie medzi Concourse je veľmi jednoduché, pretože všetka jeho konfigurácia sa uchováva v deklaratívnych súboroch, ktoré je možné skontrolovať v správe verzií. Poskytuje tiež webové používateľské rozhranie, ktoré interaktívne zobrazuje informácie o zostavení.

Komponenty haly.

• ATC je hlavnou súčasťou haly. Je zodpovedný za prevádzku webového používateľského rozhrania a API. Tiež sa stará o všetko plánovanie potrubia.
• TSA je prispôsobený server SSH. Je zodpovedný za bezpečnú registráciu pracovníka v ATC.
• Pracovníci ďalej prevádzkujú dve rôzne služby:
  1. Záhrada je runtime kontajnera a rozhranie na organizovanie kontajnerov na diaľku na pracovníkovi.
  2. Baggageclaim je server na správu vyrovnávacej pamäte a artefaktov.
• Fly je rozhranie príkazového riadku používané na interakciu s ATC na konfiguráciu Concourse Pipelines.

Predpoklady

• Inštancia servera Vultr CentOS 7.
• Sudo používateľ .

Nezabudnite nahradiť všetky výskyty 192.0.2.1a ci.example.comvašou skutočnou verejnou IP adresou Vultr a skutočným názvom domény.

Aktualizujte svoj základný systém pomocou príručky Ako aktualizovať CentOS 7 . Po aktualizácii vášho systému pokračujte v inštalácii PostgreSQL.

Nainštalujte a nakonfigurujte databázu PostgreSQL

PostgreSQL je objektový relačný databázový systém. Concourse ukladá svoje údaje potrubia do databázy PostgreSQL. Pridajte úložisko PostgreSQL.

sudo rpm -Uvh https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm

Nainštalujte databázový server PostgreSQL.

sudo yum -y install postgresql96-server postgresql96-contrib

Inicializujte databázu.

sudo /usr/pgsql-9.6/bin/postgresql96-setup initdb

initdbvytvorí nový databázový klaster PostgreSQL, čo je kolekcia databáz, ktoré spravuje jedna inštancia servera. Upravte pg_hba.confsúbor, aby ste povolili autentifikáciu založenú na MD5.

sudo nano /var/lib/pgsql/9.6/data/pg_hba.conf

Nájdite nasledujúce riadky a zmeňte hodnoty peera identv METHODstĺpci na trusta md5.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            ident
# IPv6 local connections:
host    all             all             ::1/128                 ident

Po aktualizácii by konfigurácia mala vyzerať takto.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5

Spustite server PostgreSQL a povoľte jeho automatické spustenie pri štarte.

sudo systemctl start postgresql-9.6
sudo systemctl enable postgresql-9.6

Zmeňte heslo pre predvoleného používateľa PostgreSQL.

sudo passwd postgres

Prihláste sa ako používateľ PostgreSQL:

sudo su - postgres

Vytvorte nového používateľa PostgreSQL pre Concourse CI.

createuser concourse

Poznámka : Na autentifikáciu databázy je možné použiť predvoleného používateľa PostgreSQL, ale odporúča sa použiť vyhradeného používateľa na autentifikáciu databázy Concourse v produkčnom nastavení.

PostgreSQL poskytuje shell na spúšťanie dotazov v databáze. Prepnite sa do prostredia PostgreSQL spustením:

psql

Nastavte heslo pre novovytvoreného užívateľa databázy Concourse.

ALTER USER concourse WITH ENCRYPTED password 'DBPassword';

Dôležité : Nahraďte DBPasswordsilným heslom. Poznamenajte si heslo, pretože sa bude vyžadovať neskôr v návode.

Vytvorte novú databázu pre Concourse.

CREATE DATABASE concourse OWNER concourse;

Opustite psqlškrupinu.

\q

Prepnite na používateľa sudo z aktuálneho používateľa postgres.

exit

Stiahnite si a nainštalujte Concourse CI

Stiahnite si najnovšiu verziu spustiteľného súboru Concourse a uložte ho /usr/bin, aby ho bolo možné priamo spustiť. Najnovšiu verziu binárnych súborov Concourse a Fly nájdete na stránke na stiahnutie Concourse . Nové vydania sú veľmi časté. Nahraďte odkaz nižšie novým odkazom na najnovšiu verziu.

sudo wget https://github.com/concourse/concourse/releases/download/v3.4.1/concourse_linux_amd64 -O /usr/bin/concourse

Podobne si stiahnite najnovšiu verziu spustiteľného súboru fly a uložte ho do /usr/bin.

sudo wget https://github.com/concourse/concourse/releases/download/v3.4.1/fly_linux_amd64 -O /usr/bin/fly

Fly je rozhranie príkazového riadka na pripojenie k ATC API Concourse CI. Fly je k dispozícii pre viacero platforiem, ako sú Linux, Windows a MacOS.

Priraďte povolenie na spustenie stiahnutým concoursea flybinárnym súborom.

sudo chmod +x /usr/bin/concourse /usr/bin/fly

Skontrolujte, či Concourse a Fly fungujú správne kontrolou ich verzie.

concourse -version
fly -version

Generovanie a nastavenie kľúčov RSA

Páry kľúčov RSA poskytujú spôsob šifrovania komunikácie medzi komponentmi vestibulu.

Aby Concourse fungoval, musia byť vygenerované aspoň tri páry kľúčov. Na šifrovanie údajov relácie vygenerujte súbor session_signing_key. Tento kľúč bude tiež používať TSA na podpísanie požiadaviek, ktoré odošle ATC. Ak chcete zabezpečiť server TSA SSH, vygenerujte súbor tsa_host_key. Nakoniec vygenerujte worker_keypre každého pracovníka.

Create a new directory to store the keys and configuration related to Concourse CI.

sudo mkdir /opt/concourse

Generate the required keys.

sudo ssh-keygen -t rsa -q -N '' -f /opt/concourse/session_signing_key
sudo ssh-keygen -t rsa -q -N '' -f /opt/concourse/tsa_host_key
sudo ssh-keygen -t rsa -q -N '' -f /opt/concourse/worker_key

Authorize the workers' public key by copying its contents to the authorized_worker_keys file:

sudo cp /opt/concourse/worker_key.pub /opt/concourse/authorized_worker_keys

Starting Concourse

Concourse provides two separate components which need to be started, the web and the worker. Start the Concourse web.

sudo concourse web \
  --basic-auth-username admin \
  --basic-auth-password StrongPass \
  --session-signing-key /opt/concourse/session_signing_key \
  --tsa-host-key /opt/concourse/tsa_host_key \
  --tsa-authorized-keys /opt/concourse/authorized_worker_keys \
  --postgres-user=concourse \
  --postgres-password=DBPassword \
  --postgres-database=concourse \
  --external-url http://192.0.2.1:8080

Change the username and password of the basic-auth if desired. Make sure that the path to the key files are correct and make sure that the correct value for username and password in the PostgreSQL database configuration is provided.

Note: ATC will listen to the default port 8080 and TSA will listen to port 2222. If authentication is not desired, pass the --no-really-i-dont-want-any-auth option after removing the basic auth options.

Once the web server is started, the following output should be displayed.

{"timestamp":"1503657859.661247969","source":"tsa","message":"tsa.listening","log_level":1,"data":{}}
{"timestamp":"1503657859.666907549","source":"atc","message":"atc.listening","log_level":1,"data":{"debug":"127.0.0.1:8079","http":"0.0.0.0:8080"}}

Stop the server for now, as a few more things still must be setup.

Start the Concourse CI Worker.

sudo concourse worker \
  --work-dir /opt/concourse/worker \
  --tsa-host 127.0.0.1 \
  --tsa-public-key /opt/concourse/tsa_host_key.pub \
  --tsa-worker-private-key /opt/concourse/worker_key

The above command will assume that the TSA is running on localhost and listening to the default port 2222.

Though the Concourse web and worker can be started easily using the commands above, it is recommended to use Systemd to manage the server.

Configure Environment and Systemd Service

Using Systemd service for managing the application ensures that the application is automatically started on failures and at boot time. The Concourse server does not take data from any configuration file, but it can access the data from environment variables. Instead of setting global environment variables, create a new file to store the environment variables and then pass the variables to the Concourse CI using the Systemd service.

Create a new environment file for Concourse web.

sudo nano /opt/concourse/web.env

Populate the file.

CONCOURSE_SESSION_SIGNING_KEY=/opt/concourse/session_signing_key
CONCOURSE_TSA_HOST_KEY=/opt/concourse/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=/opt/concourse/authorized_worker_keys

CONCOURSE_POSTGRES_USER=concourse
CONCOURSE_POSTGRES_PASSWORD=DBPassword
CONCOURSE_POSTGRES_DATABASE=concourse

CONCOURSE_BASIC_AUTH_USERNAME=admin
CONCOURSE_BASIC_AUTH_PASSWORD=StrongPass
CONCOURSE_EXTERNAL_URL=http://192.0.2.1:8080

Change the username and password of the BASIC_AUTH if desired. Make sure that the path to the key files are correct and make sure that the correct value for username and password in the PostgreSQL database configuration is provided.

Similarly, create an environment file for the worker.

sudo nano /opt/concourse/worker.env

Populate the file.

CONCOURSE_WORK_DIR=/opt/concourse/worker
CONCOURSE_TSA_WORKER_PRIVATE_KEY=/opt/concourse/worker_key
CONCOURSE_TSA_PUBLIC_KEY=/opt/concourse/tsa_host_key.pub
CONCOURSE_TSA_HOST=127.0.0.1

As the environment files contain username and passwords, change its permissions so that it cannot be accessed by other users.

sudo chmod 600 /opt/concourse/*.env

Now create a new user for Concourse to run the web environment. This will ensure that the web server is running in an isolated environment.

sudo adduser --system concourse

Give the concourse user ownership over Concourse CI file's directory.

sudo chown -R concourse:concourse /opt/concourse

Create a new systemd service file for the Concourse web service.

sudo nano /etc/systemd/system/concourse-web.service

Populate the file.

[Unit]
Description=Concourse CI web server
After=postgresql-9.6.service

[Service]
Type=simple
User=concourse
Group=concourse
Restart=on-failure
EnvironmentFile=/opt/concourse/web.env
ExecStart=/usr/bin/concourse web
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=concourse_web

[Install]
WantedBy=multi-user.target

Save and close the file. Create a new service file for the Concourse worker service.

sudo nano /etc/systemd/system/concourse-worker.service

Populate the file.

[Unit]
Description=Concourse CI worker process
After=concourse-web.service

[Service]
Type=simple
User=root
Group=root
Restart=on-failure
EnvironmentFile=/opt/concourse/worker.env
ExecStart=/usr/bin/concourse worker
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=concourse_worker

[Install]
WantedBy=multi-user.target

The web and worker service can now be started directly by running:

sudo systemctl start concourse-web concourse-worker

To enable the worker and web process to automatically start at boot time, run:

sudo systemctl enable concourse-worker concourse-web

To check the status of services, run:

sudo systemctl status concourse-worker concourse-web

If the service is not started, or in the FAILED state, remove the cache from the /tmp directory.

sudo rm -rf /tmp/*

Restart the services.

sudo systemctl restart concourse-worker concourse-web

Notice that this time the services have started correctly. The output upon verifying the status of the services should be simil.

[user@vultr ~]$ sudo systemctl status concourse-worker concourse-web
● concourse-worker.service - Concourse CI worker process
   Loaded: loaded (/etc/systemd/system/concourse-worker.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-08-26 07:27:37 UTC; 55s ago
 Main PID: 3037 (concourse)
   CGroup: /system.slice/concourse-worker.service
           └─3037 /usr/bin/concourse worker

Aug 26 07:27:42 vultr.guest concourse_worker[3037]: {"timestamp":"1503732462.934722900","source":"tsa","message":"t...""}}
Aug 26 07:27:42 vultr.guest concourse_worker[3037]: {"timestamp":"1503732462.941227913","source":"guardian","messag...0"}}
...

● concourse-web.service - Concourse CI web server
   Loaded: loaded (/etc/systemd/system/concourse-web.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-08-26 07:27:37 UTC; 55s ago
 Main PID: 3036 (concourse)
   CGroup: /system.slice/concourse-web.service
           └─3036 /usr/bin/concourse web

Aug 26 07:27:57 vultr.guest concourse_web[3036]: {"timestamp":"1503732477.925554752","source":"tsa","message":"tsa...ve"}}
Aug 26 07:28:02 vultr.guest concourse_web[3036]: {"timestamp":"1503732482.925430775","source":"tsa","message":"tsa...ve"}}
...
Hint: Some lines were ellipsized, use -l to show in full.

Adjust your firewall to allow port 8080, on which ATS is running and port 2222, on which TSA is running.

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=2222/tcp --permanent
sudo firewall-cmd --reload

Connecting to the Server

Once the server is started, the web interface of the Concourse CI can be accessed by going to http://192.0.2.1:8080 in any browser. Log in using the username and password provided in the environment file.

To connect to the server using Fly, run:

fly -t my-ci login -c http://192.0.2.1:8080

The above command is used for initial login to the server. -t is used to provide a target name. replace my-ci with any desired target name. The above command will log in to the default team main. It will ask for the username and password provided in the environment file.

The output will look like the following.

[user@vultr ~]$ fly -t my-ci login -c http://192.0.2.1:8080
logging in to team 'main'

username: admin
password:

target saved

The target login will be saved for a day. After that, it will expire.

To log out immediately.

fly -t my-ci logout

fly can be used to login to the server outside of the network, but only if the server has a public IP address and it is accessible from outside the network. The Windows or MacOS binary can be downloaded from the download site or from the web UI of the server.

Setting Up Nginx Reverse Proxy

Logins, and other information sent through the web UI to the Concourse server is not secured. The connection is not encrypted. An Nginx reverse proxy can be set up with a Let's Encrypt free SSL.

Install the Nginx web server and Certbot, which is the client application for the Let's Encrypt CA.

sudo yum -y install certbot-nginx nginx

Start and enable Nginx to automatically start at boot time:

sudo systemctl start nginx
sudo systemctl enable nginx

Before a request can be made for the certificates, port 80 and 443, or standard HTTP and HTTPS services, must be enabled through the firewall. Certbot will check the domain authority before issuing certificates.

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent

Port 8080 no longer needs to be allowed through the firewall anymore because Concourse will now be run on the standard HTTPS port. Remove the firewall entry to allow port 8080.

sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent
sudo firewall-cmd --reload

Note

To obtain certificates from Let's Encrypt CA, the domain for which the certificates are to be generated must be pointed towards the server. If not, make the necessary changes to the DNS records of the domain and wait for the DNS to propagate before making the certificate request again. Certbot checks the domain authority before providing the certificates.

Generate the SSL certificates.

sudo certbot certonly --webroot -w /usr/share/nginx/html -d ci.example.com

The generated certificates are likely to be stored in the /etc/letsencrypt/live/ci.example.com/ directory. The SSL certificate will be stored as fullchain.pem and the private key will be stored as privkey.pem.

Let's Encrypt certificates expire in 90 days, so it is recommended auto renewal for the certificates is set up using cronjobs. Cron is a system service which is used to run periodic tasks.

Open the cron job file.

sudo crontab -e

Na koniec súboru pridajte nasledujúci riadok.

30 5 * * 1 /usr/bin/certbot renew --quiet

Vyššie uvedená úloha cron sa spustí každý pondelok o 5:30. Ak platnosť certifikátu vyprší, automaticky sa obnoví.

Vytvorte nového virtuálneho hostiteľa.

sudo nano /etc/nginx/conf.d/concourse-ssl.conf

Vyplňte súbor.

server {
    listen 80;
    server_name ci.example.com;
    return 301 https://$host$request_uri;
}
server {

    listen 443;
    server_name ci.example.com;

    ssl_certificate           /etc/letsencrypt/live/ci.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/ci.example.com/privkey.pem;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log    /var/log/nginx/concourse.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_pass          http://localhost:8080;
      proxy_read_timeout  90;

      proxy_redirect      http://localhost:8080 https://ci.example.com;
    }
  }

Poznámka : Nahraďte ci.example.comskutočnou doménou.

Upravte súbor prostredia vytvorený pre web verejného priestoru.

sudo nano /opt/concourse/web.env

Zmeňte hodnotu CONCOURSE_EXTERNAL_URLa pridajte ďalšie dva riadky na koniec súboru.

CONCOURSE_EXTERNAL_URL=https://ci.example.com
CONCOURSE_BIND_IP=127.0.0.1
CONCOURSE_BIND_PORT=8080

Uložte súbor a reštartujte webový server Concourse Web, Worker a Nginx:

sudo systemctl restart concourse-worker concourse-web nginx

Všetky údaje odosielané do a z prehliadača sú teraz zabezpečené šifrovaním SSL.