GitLab-CI and Docker Registry

Similar documents
Investigating Containers for Future Services and User Application Support

Stephan Hochdörfer //

Getting Started With Containers

Think Small to Scale Big

Arup Nanda VP, Data Services Priceline.com

UP! TO DOCKER PAAS. Ming

An introduction to Docker

Infoblox Kubernetes1.0.0 IPAM Plugin

Dockerfile Best Practices

[Docker] Containerization

Setting up Docker Datacenter on VMware Fusion

Linux System Management with Puppet, Gitlab, and R10k. Scott Nolin, SSEC Technical Computing 22 June 2017

9 Reasons To Use a Binary Repository for Front-End Development with Bower

agenda PAE Docker Docker PAE

swiftenv Documentation

Follow me!

Docker Swarm installation Guide

DGX-1 DOCKER USER GUIDE Josh Park Senior Solutions Architect Contents created by Jack Han Solutions Architect

A continuous integration system for MPD Root: Deployment and setup in GitLab

INDIGO PAAS TUTORIAL. ! Marica Antonacci RIA INFN-Bari

Run containerized applications from pre-existing images stored in a centralized registry

DOCKER 101 FOR JS AFFICIONADOS. Christian Ulbrich, Zalari UG

Harbor Registry. VMware VMware Inc. All rights reserved.

Who is Docker and how he can help us? Heino Talvik

Container-based virtualization: Docker

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

PREPARING TO USE CONTAINERS

A New Model for Image Distribution

Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via

Continuous Delivery the hard way with Kubernetes. Luke Marsden, Developer

INSTALLATION RUNBOOK FOR Iron.io + IronWorker

Automating the Build Pipeline for Docker Container

Git Basi, workflow e concetti avanzati (pt2)

Dockerized Tizen Platform

Docker und IBM Digital Experience in Docker Container

PHP Composer 9 Benefits of Using a Binary Repository Manager

UDS Enterprise- Preparing Templates Xubuntu XRDP UDS Actor

Revision Control and GIT

Docker Enterprise Edition 2.0 Platform Public Beta Install and Exercises Guide

Android meets Docker. Jing Li

Con$nuous Deployment with Docker Andrew Aslinger. Oct

Travis Cardwell Technical Meeting

Installation and setup guide of 1.1 demonstrator

Kuber-what?! Learn about Kubernetes

Cloud Computing with APL. Morten Kromberg, CXO, Dyalog

Optimizing Docker Images

ASP.NET Core & Docker

DEPLOYMENT MADE EASY!

Table of Contents DevOps Administrators

Advanced Continuous Delivery Strategies for Containerized Applications Using DC/OS

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

BUILDING A GPU-FOCUSED CI SOLUTION

Load Balancing Web Servers with OWASP Top 10 WAF in Azure

Continuous integration & continuous delivery. COSC345 Software Engineering

~Deep dive into Windows Containers and Docker~

DevOps Workflow. From 0 to kube in 60 min. Christian Kniep, v Technical Account Manager, Docker Inc.

Portainer Documentation

Fixing the "It works on my machine!" Problem with Docker

RDO container registry Documentation

Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift

TangeloHub Documentation

Creating pipelines that build, test and deploy containerized artifacts Slides: Tom Adams

"Charting the Course... MOC B Active Directory Services with Windows Server Course Summary

Microsoft Active Directory Services with Windows Server

Test Automation with Jenkins & TidalScale WaveRunner

By: Jeeva S. Chelladhurai

GIT. A free and open source distributed version control system. User Guide. January, Department of Computer Science and Engineering

Linux application virtualization with UDS Enterprise. Versión Rev. 1

Best Practices for Developing & Deploying Java Applications with Docker

OPENSTACK CLOUD RUNNING IN A VIRTUAL MACHINE. In Preferences, add 3 Host-only Ethernet Adapters with the following IP Addresses:

The Long Road from Capistrano to Kubernetes

USING GIT FOR AUTOMATION AND COLLABORATION JUSTIN ELLIOTT - MATT HANSEN PENN STATE UNIVERSITY

Active Directory Services with Windows Server

Red Hat Quay 2.9 Deploy Red Hat Quay - Basic

Singularity CRI User Documentation

CircleCI Server v2.16 Installation Guide. Final Documentation

Active Directory Services with Windows Server

CYAN SECURE WEB HOWTO. SSL Intercept

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Neale Ferguson

The specifications and information in this document are subject to change without notice. Companies, names, and data used

Containers. Pablo F. Ordóñez. October 18, 2018

Running Docker applications on Linux on the Mainframe

Deployment Patterns using Docker and Chef

Step 1: Setup a Gitlab account

Pursuit of stability. Growing AWS ECS in production. Alexander Köhler Frankfurt, September 2018

Prototyping Data Intensive Apps: TrendingTopics.org

VMware Horizon View Deployment

Running Splunk Enterprise within Docker

Dockerize Your IT! Centrale Nantes Information Technology Department Yoann Juet Dec, 2018

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

Infrastructure at your Service. Oracle over Docker. Oracle over Docker

Entrust. Discovery 2.4. Administration Guide. Document issue: 3.0. Date of issue: June 2014

AWS Amplify: Console User Guide

vrealize Code Stream Trigger for Git

Midterm Presentation Schedule

Deploying and Using ArcGIS Enterprise in the Cloud. Bill Major

Helix4Git Administrator Guide October 2017

Transcription:

GitLab-CI and Docker Registry Oleg Fiksel Security Consultant @ CSPI GmbH oleg.fiksel@cspi.com oleg@fiksel.info Matrix: @oleg:fiksel.info FrOSCon 2017

AGENDA ABOUT INTRODUCTION GitLab 101 Deploying on-premise Known issues END Q & A

ABOUT ME Security Consultant @ CSPI 1 (former MODCOMP 2 ) Main topics Architecture Development cycle Perl Coding 1 About CSPi 2 Wikipedia: MODCOMP

GOALS OF THIS TALK

GOALS OF THIS TALK This is not a comparision of CI tools

GOALS OF THIS TALK This is not a comparision of CI tools Provide an overview of dependencies needed to deploy GitLab-CI Community Edition and Docker Registry on-premise

GOALS OF THIS TALK This is not a comparision of CI tools Provide an overview of dependencies needed to deploy GitLab-CI Community Edition and Docker Registry on-premise Disclamer: The means and methods presented are my own expirience

GITLAB 101

WHAT IS GITLAB?

WHAT IS GITLAB? Web-based Git repository manager and more...

WHAT IS GITLAB? Web-based Git repository manager and more... Started as a pet-project in 2011 and now has more then 150 employees

WHAT IS GITLAB? Web-based Git repository manager and more... Started as a pet-project in 2011 and now has more then 150 employees Introduced Pipelines (CI) in version 8.8 (2016-05-28)

WHAT IS GITLAB? Web-based Git repository manager and more... Started as a pet-project in 2011 and now has more then 150 employees Introduced Pipelines (CI) in version 8.8 (2016-05-28) GitLab is used by many organisations such as: IBM, Sony, NASA, Alibaba, SpaceX and CSPi

WHAT IS DOCKER?

WHAT IS DOCKER? client docker build docker host docker daemon registry docker pull docker run containers images...

WORDING

WORDING GitLab Server: git repository hosting service

WORDING GitLab Server: git repository hosting service GitLab-CI Runner: user-space daemon that executes build/tests

WORDING GitLab Server: git repository hosting service GitLab-CI Runner: user-space daemon that executes build/tests Artifacts: build results pushed into an internal GitLab storage

WORDING GitLab Server: git repository hosting service GitLab-CI Runner: user-space daemon that executes build/tests Artifacts: build results pushed into an internal GitLab storage GitLab Container Registry: integrated docker registry frontend

WORDING GitLab Server: git repository hosting service GitLab-CI Runner: user-space daemon that executes build/tests Artifacts: build results pushed into an internal GitLab storage GitLab Container Registry: integrated docker registry frontend Docker Registry: mandatory container registry service

DEPLOYING ON-PREMISE

CHECKLIST

CHECKLIST 2 VMs or Rancher/Kubernetes/Mesos cluster

CHECKLIST 2 VMs or Rancher/Kubernetes/Mesos cluster Reverse proxy/loadabalancer for SSL offload (optional) supporting HTTP 1.1 to the backend (! Lighttpd)

CHECKLIST 2 VMs or Rancher/Kubernetes/Mesos cluster Reverse proxy/loadabalancer for SSL offload (optional) supporting HTTP 1.1 to the backend (! Lighttpd) Direct internet connection (for pulling docker images)

CHECKLIST 2 VMs or Rancher/Kubernetes/Mesos cluster Reverse proxy/loadabalancer for SSL offload (optional) supporting HTTP 1.1 to the backend (! Lighttpd) Direct internet connection (for pulling docker images) SSL Certificates (own CA or official)

PITFALLS

PITFALLS Internal CA

PITFALLS Internal CA Forward proxy

PITFALLS Internal CA Forward proxy DNS split horizon (not handled in this talk)

GITLAB-CI RUNNER ARCHITECTURE

GITLAB-CI RUNNER ARCHITECTURE GitLab-CI-Runner Shell Container GitLab-CI GitLab-CI-Runner Docker Container Container GitLab-CI-Runner GitLab-CI-Runner GitLab-CI-Runner

ON-PREMISE DEPLOYMENT ARCHITECTURE

ON-PREMISE DEPLOYMENT ARCHITECTURE hub.docker.com Pull (HTTPS) GitLab GitLab-CI Artifacts Docker registry (frontend) Auth git clone GitLab-CI Runner pull/push (HTTPS) push (HTTPS) run Docker Container Test, Build, etc auth (HTTPS) Docker client auth token (HTTPS) [separate CA] push/pull (HTTPS) Docker registry (container) read/write access store blob local S3 Azure GCS Swift

INTERNAL CA

INTERNAL CA Every GitLab HTTPS client must trust internal CA including:

INTERNAL CA Every GitLab HTTPS client must trust internal CA including: gitlab-ci-runner

INTERNAL CA Every GitLab HTTPS client must trust internal CA including: gitlab-ci-runner docker container building docker images

INTERNAL CA Problem: docker images are pulled from docker hub and doesn t trust intern CA.

INTERNAL CA Problem: docker images are pulled from docker hub and doesn t trust intern CA. Solution: extend all base images with internal CA and use them for building.

SWITCH DOCKER STORAGE BACKEND 1 Source

SWITCH DOCKER STORAGE BACKEND By default, when using docker:dind, Docker uses the vfs storage driver which copies the filesystem on every run. This is a very disk-intensive operation which can be avoided if a different driver is used, for example overlay. 1 1 Source

SWITCH DOCKER STORAGE BACKEND OS Setup:

SWITCH DOCKER STORAGE BACKEND OS Setup: add overlay to /etc/modules (Ubuntu 16.04)

SWITCH DOCKER STORAGE BACKEND OS Setup: add overlay to /etc/modules (Ubuntu 16.04) modprobe overlay or reboot the system

SWITCH DOCKER STORAGE BACKEND Adjust /etc/docker/daemon.json 1 { 2 " storage driver " : " overlay " 3 } and restart Docker. Warning: make sure you have no important local images or containers. You will start with an empty Docker storage.

INTERNAL CA - BOOTSTRAP PROCEDURE

INTERNAL CA - BOOTSTRAP PROCEDURE Adjust runner configuration

INTERNAL CA - BOOTSTRAP PROCEDURE Adjust runner configuration Build docker first docker images locally and push them to the registry

INTERNAL CA - BOOTSTRAP PROCEDURE Adjust runner configuration Build docker first docker images locally and push them to the registry Create CI configuration and build images automatically

INTERNAL CA - BOOTSTRAP PROCEDURE Adjust runner configuration Build docker first docker images locally and push them to the registry Create CI configuration and build images automatically Update images daily using scheduled builds (CI feature)

INTERNAL CA - BOOTSTRAP PROCEDURE Adjust runner configuration: 1 # / e t c / g i t l a b runner/config. toml 2 [ [ runners ] ] 3... 4 executor = " docker " 5 [ runners. docker ] 6... 7 p r i v i l e g e d = true 8 volumes = ["/ cache ", "/ var/run/docker. sock :/ var/run/docker. sock : rw " ]

INTERNAL CA - DOCKER IMAGE Dockerfile for Docker image with internal CA:

INTERNAL CA - DOCKER IMAGE Dockerfile for Docker image with internal CA: 1 # D o c k e r f i l e 2 FROM docker : l a t e s t 3 4 COPY my_ca. c r t /tmp/ 5 RUN c a t /tmp/my_ca. c r t >>/ e t c / s s l / c e r t s /ca c e r t i f i c a t e s. c r t && rm /tmp/my_ca. c r t 6 7 ENTRYPOINT [ " docker entrypoint. sh " ] 8 CMD [ " sh " ]

INTERNAL CA - DOCKER IMAGE CI configuration for Docker image with internal CA:

INTERNAL CA - DOCKER IMAGE CI configuration for Docker image with internal CA: 1 #.gitlab-ci.yml 2 v a r i a b l e s : 3 DOCKER_DRIVER: overlay 4 IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME 5 6 b e f o r e _ s c r i p t : 7 - docker login u g i t l a b ci token p $CI_JOB_TOKEN $CI_REGISTRY 8 9 build_docker_image: 10 stage: build 11 image: $CI_REGISTRY/ g i t l a b c i /docker:master 12 s e r v i c e s : 13 - $CI_REGISTRY/ g i t l a b c i /dind:master 14 tags: 15 - dind 16 s c r i p t : 17 - docker build t $IMAGE_TAG. 18 - docker push $IMAGE_TAG

INTERNAL CA - DOCKER-IN-DOCKER IMAGE Dockerfile for Docker-in-Docker image with internal CA:

INTERNAL CA - DOCKER-IN-DOCKER IMAGE Dockerfile for Docker-in-Docker image with internal CA: 1 # D o c k e r f i l e 2 FROM docker : dind 3 4 COPY my_ca. c r t /tmp/ 5 RUN c a t /tmp/my_ca. c r t >>/ e t c / s s l / c e r t s /ca c e r t i f i c a t e s. c r t && rm /tmp/my_ca. c r t 6 7 VOLUME /var/ l i b /docker 8 EXPOSE 2375 9 10 ENTRYPOINT [ " dockerd entrypoint. sh " ] 11 CMD [ ]

INTERNAL CA - DOCKER-IN-DOCKER IMAGE CI configuration for Docker-in-Docker image with internal CA:

INTERNAL CA - DOCKER-IN-DOCKER IMAGE CI configuration for Docker-in-Docker image with internal CA: 1 #.gitlab-ci.yml 2 v a r i a b l e s : 3 DOCKER_DRIVER: overlay 4 IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME 5 6 b e f o r e _ s c r i p t : 7 - docker login u g i t l a b ci token p $CI_JOB_TOKEN $CI_REGISTRY 8 9 build_docker_image: 10 stage: build 11 image: $CI_REGISTRY/ g i t l a b c i /docker:master 12 s e r v i c e s : 13 - $CI_REGISTRY/ g i t l a b c i /dind:master 14 tags: 15 - dind 16 s c r i p t : 17 - docker build t $IMAGE_TAG. 18 - docker push $IMAGE_TAG

INTERNAL CA - BUILDING IMAGES Now we can build Docker images with GitLab-CI!

INTERNAL CA - BUILDING IMAGES Now we can build Docker images with GitLab-CI! 1 #.gitlab-ci.yml 2 v a r i a b l e s : 3 DOCKER_DRIVER: overlay 4 IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME 5 6 b e f o r e _ s c r i p t : 7 - docker login u g i t l a b ci token p $CI_JOB_TOKEN $CI_REGISTRY 8 9 build_docker_image: 10 stage: build 11 image: $CI_REGISTRY/ g i t l a b c i /docker:master 12 s e r v i c e s : 13 - $CI_REGISTRY/ g i t l a b c i /dind:master 14 tags: 15 - dind 16 s c r i p t : 17 - docker build t $IMAGE_TAG. 18 - docker push $IMAGE_TAG

FORWARD PROXY

FORWARD PROXY Not every application have proxy support

FORWARD PROXY Not every application have proxy support Some application configuration is tricky

FORWARD PROXY Not every application have proxy support Some application configuration is tricky Configuring proxy every time bloats CI configuration

FORWARD PROXY Not every application have proxy support Some application configuration is tricky Configuring proxy every time bloats CI configuration Set proxy configuration via environmental variables while integrating your CA in the docker image

FORWARD PROXY - LOCAL TRANSPARENT PROXY For applications not supporting proxy local squid in tranparent mode (doesn t work for HTTPS) 1 # squid c o n f i g u r a t i o n 2 a c l docker s r c 1 7 2. 1 7. 0. 0 / 1 6 3 a c l SSL_ports port 443 4 cache_mem 16 MB 5 # upstream proxy ip 6 cache_peer 1 0. 0. 0. 1 0 parent 8080 0 no query proxy only d e f a u l t 7 d n s _ v 4 _ f i r s t on 8 h t t p _ a c c e s s allow docker 9 h t t p _ a c c e s s deny CONNECT! SSL_ports 10 h t t p _ a c c e s s deny! Safe_ports 11 http_port 3129 i n t e r c e p t 12 memory_pools o f f

FORWARD PROXY - LOCAL TRANSPARENT PROXY iptables configuration: 1 i p t a b l e s t nat A PREROUTING s 1 7 2. 1 7. 0. 0 / 1 6 p tcp m tcp dport 80 j REDIRECT to ports 3129

KNOWN ISSUES

GITLAB-CI WITH SUBMODULES

GITLAB-CI WITH SUBMODULES Submodule init failing due to "SSL certificate problem". f a t a l : unable to a c c e s s https :// github. com/minio/minio go / : SSL c e r t i f i c a t e problem : unable to get l o c a l i s s u e r c e r t i f i c a t e

GITLAB-CI WITH SUBMODULES Submodule init failing due to "SSL certificate problem". f a t a l : unable to a c c e s s https :// github. com/minio/minio go / : SSL c e r t i f i c a t e problem : unable to get l o c a l i s s u e r c e r t i f i c a t e Issue: 2148

GITLAB-CI WITH SUBMODULES Submodule init failing due to "SSL certificate problem". f a t a l : unable to a c c e s s https :// github. com/minio/minio go / : SSL c e r t i f i c a t e problem : unable to get l o c a l i s s u e r c e r t i f i c a t e Issue: 2148 Will be fixed in gitlab-ci-multi-runner v9.4

GIT-LFS 1 https://git-lfs.github.com

GIT-LFS Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. 1 1 https://git-lfs.github.com

GIT-LFS Problem: GitLab-CI doesn t download git-lfs objects on CI run (probably fixed by now)

GIT-LFS Problem: GitLab-CI doesn t download git-lfs objects on CI run (probably fixed by now) Workaround: download git-lfs objects manually via CI script

GIT-LFS 1 #.gitlab-ci.yml 2 s t a g e s : 3 build 4 5 create_ package: 6 stage: build 7 image: $CI_REGISTRY/ g i t l a b c i /ubuntu: x e n i a l 8 s c r i p t : 9 - apt get update && apt get i n s t a l l y wget g i t 10 - wget https://packagecloud. io/github/ g it l f s /packages/ubuntu/ x e n i a l /git l f s _ 1. 5. 2 _amd64. deb/download O /tmp/git l f s _ 1. 5. 2 _amd64. deb && dpkg i /tmp/git l f s _ 1. 5. 2 _amd64. deb 11 - g i t l f s i n s t a l l && g i t l f s f e t c h && g i t l f s checkout 12 - t a r c z f a p p l i c a t i o n c a t a p p l i c a t i o n /version. t x t. t a r. gz a p p l i c a t i o n 13 a r t i f a c t s : 14 e x p i r e _ i n : 2 weeks 15 paths: 16 - a p p l i c a t i on *. t a r. gz 17 only: 18 - /^ r e l e a s e. * $/

SUMMARY

SUMMARY GitLab is a great product evolving rapidly

SUMMARY GitLab is a great product evolving rapidly Deploying GitLab-CI in an enterprise environment can be quite challenging

SUMMARY GitLab is a great product evolving rapidly Deploying GitLab-CI in an enterprise environment can be quite challenging Some of use cases and videos are focused on frontend development using Ruby-On-Rails and deployment to a Kubernetes cluster

Q & A

Thanks! Oleg Fiksel oleg.fiksel@cspi.com oleg@fiksel.info Matrix: @oleg:fiksel.info

LINKS Files from this talk on Github Introduction to GitLab pipelines Install a root CA in Ubuntu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback