June 08, 2019
 

Point a DNS name at the Jenkins service

C:\Users\harveymei>ping jenkins.bcoc.site

正在 Ping jenkins.bcoc.site [18.162.148.195] 具有 32 字节的数据:
来自 18.162.148.195 的回复: 字节=32 时间=169ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=153ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=168ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=167ms TTL=46

18.162.148.195 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 153ms,最长 = 169ms,平均 = 164ms

C:\Users\harveymei>

After installation, start the Jenkins service and check the listening ports

[root@ip-172-31-40-41 ~]# service jenkins start
Starting jenkins (via systemctl):                          [  OK  ]
[root@ip-172-31-40-41 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::111                  :::*                    LISTEN     
tcp6       0      0 :::8080                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
[root@ip-172-31-40-41 ~]#

Access the web console, which does not yet have SSL encryption enabled, from a browser

Request a Let's Encrypt certificate

[root@ip-172-31-40-41 ~]# yum -y install certbot
[root@ip-172-31-40-41 ~]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): harvey.mei@linuxcache.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): jenkins.bcoc.site
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.bcoc.site
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem
Your cert will expire on 2020-05-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@ip-172-31-40-41 ~]#

Convert the certificate format (using the certtool command)

[root@ip-172-31-40-41 ~]# yum -y install gnutls-utils

[root@ip-172-31-40-41 ~]# rpm -lq gnutls-utils
/usr/bin/certtool
/usr/bin/crywrap
/usr/bin/danetool
/usr/bin/gnutls-cli
/usr/bin/gnutls-cli-debug
/usr/bin/gnutls-serv
/usr/bin/ocsptool
/usr/bin/p11tool
/usr/bin/psktool
/usr/bin/tpmtool
/usr/share/doc/gnutls-utils-3.3.29
/usr/share/doc/gnutls-utils-3.3.29/certtool.cfg
/usr/share/man/man1/certtool.1.gz
/usr/share/man/man1/danetool.1.gz
/usr/share/man/man1/gnutls-cli-debug.1.gz
/usr/share/man/man1/gnutls-cli.1.gz
/usr/share/man/man1/gnutls-serv.1.gz
/usr/share/man/man1/ocsptool.1.gz
/usr/share/man/man1/p11tool.1.gz
/usr/share/man/man1/psktool.1.gz
/usr/share/man/man1/tpmtool.1.gz
[root@ip-172-31-40-41 ~]#

Combine the certificate's public and private keys into PKCS12 format and protect it with a password (123456)

certtool --to-p12 --load-privkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
--outfile jenkins.p12 --outder

[root@ip-172-31-40-41 ~]# certtool --to-p12 --load-privkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
> --outfile jenkins.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: jenkins.bcoc.site
Enter password:
Confirm password:
[root@ip-172-31-40-41 ~]# ls
anaconda-ks.cfg jenkins.p12 original-ks.cfg
[root@ip-172-31-40-41 ~]#

Convert the PKCS12 file to the JKS format supported by Java

keytool -importkeystore -srckeystore jenkins.p12 \
-srcstorepass '123456' -srcstoretype PKCS12 \
-srcalias jenkins.bcoc.site -deststoretype JKS \
-destkeystore jenkins_keystore.jks \
-deststorepass '123456' -destalias jenkins.bcoc.site

[root@ip-172-31-40-41 ~]# keytool -importkeystore -srckeystore jenkins.p12 \
> -srcstorepass ‘123456’ -srcstoretype PKCS12 \
> -srcalias jenkins.bcoc.site -deststoretype JKS \
> -destkeystore jenkins_keystore.jks \
> -deststorepass ‘123456’ -destalias jenkins.bcoc.site
Importing keystore jenkins.p12 to jenkins_keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect
[root@ip-172-31-40-41 ~]# keytool -importkeystore -srckeystore jenkins.p12 \
> -srcstorepass '123456' -srcstoretype PKCS12 \
> -srcalias jenkins.bcoc.site -deststoretype JKS \
> -destkeystore jenkins_keystore.jks \
> -deststorepass '123456' -destalias jenkins.bcoc.site
Importing keystore jenkins.p12 to jenkins_keystore.jks...

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore jenkins_keystore.jks -destkeystore jenkins_keystore.jks -deststoretype pkcs12".
[root@ip-172-31-40-41 ~]#
[root@ip-172-31-40-41 ~]# ls
anaconda-ks.cfg jenkins_keystore.jks jenkins.p12 original-ks.cfg
[root@ip-172-31-40-41 ~]#

Change the attributes of the certificate file

[root@ip-172-31-40-41 ~]# chown jenkins.jenkins jenkins_keystore.jks
[root@ip-172-31-40-41 ~]# chmod 600 jenkins_keystore.jks
[root@ip-172-31-40-41 ~]# mv jenkins_keystore.jks /var/lib/jenkins/
[root@ip-172-31-40-41 ~]#

Edit the Jenkins configuration file

[root@ip-172-31-40-41 ~]# vi /etc/sysconfig/jenkins

Initial configuration file (SSL section)

## Type: integer(0:65535)
## Default: ""
## ServiceRestart: jenkins
#
# HTTPS port Jenkins is listening on.
# Default is disabled.
#
JENKINS_HTTPS_PORT=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Path to the keystore in JKS format (as created by the JDK 'keytool').
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE_PASSWORD=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# IP address Jenkins listens on for HTTPS requests.
# Default is disabled.
#
JENKINS_HTTPS_LISTEN_ADDRESS=""

Modified

## Type: integer(0:65535)
## Default: ""
## ServiceRestart: jenkins
#
# HTTPS port Jenkins is listening on.
# Default is disabled.
#
JENKINS_HTTPS_PORT="8443"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Path to the keystore in JKS format (as created by the JDK 'keytool').
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE="/var/lib/jenkins/jenkins_keystore.jks"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE_PASSWORD="123456"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# IP address Jenkins listens on for HTTPS requests.
# Default is disabled.
#
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"

Disable the listener on port 8080

Initial configuration file

## Type: integer(0:65535)
## Default: 8080
## ServiceRestart: jenkins
#
# Port Jenkins is listening on.
# Set to -1 to disable
#
JENKINS_PORT="8080"

Modified (listener on port 8080 disabled)

## Type: integer(0:65535)
## Default: 8080
## ServiceRestart: jenkins
#
# Port Jenkins is listening on.
# Set to -1 to disable
#
JENKINS_PORT="-1"

Restart the service and check how the listening ports changed

[root@ip-172-31-40-41 ~]# service jenkins restart
Restarting jenkins (via systemctl):                        [  OK  ]
[root@ip-172-31-40-41 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::111                  :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
tcp6       0      0 :::8443                 :::*                    LISTEN     
[root@ip-172-31-40-41 ~]#
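
The settings edited above can be checked mechanically. The script below is an added example, not part of the original post: it reads the `JENKINS_*` variables from a sysconfig file and reports a plaintext listener, a missing or over-permissive keystore, a short keystore password, and a config file whose mode exposes that password. The finding names, the 16-character threshold and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the listener and keystore settings in a Jenkins
# sysconfig file. Finding names and MIN_PW_LEN are assumptions of this example.
MIN_PW_LEN=16

# Read KEY="value" with sed instead of sourcing the file as shell code.
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^$2=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

file_mode() { stat -c %a "$1"; }  # GNU stat, as on CentOS

audit_jenkins_sysconfig() {  # one finding per line; no output when clean
    f=$1
    http=$(cfg_get "$f" JENKINS_PORT)
    https=$(cfg_get "$f" JENKINS_HTTPS_PORT)
    ks=$(cfg_get "$f" JENKINS_HTTPS_KEYSTORE)
    pw=$(cfg_get "$f" JENKINS_HTTPS_KEYSTORE_PASSWORD)

    [ "$http" = "-1" ] || echo "HTTP_ENABLED JENKINS_PORT=\"$http\" serves plaintext"
    [ -n "$https" ] || echo "HTTPS_DISABLED JENKINS_HTTPS_PORT is empty"
    if [ ! -f "$ks" ]; then
        echo "KEYSTORE_MISSING JENKINS_HTTPS_KEYSTORE=\"$ks\""
    else
        case $(file_mode "$ks") in
            600|400) ;;
            *) echo "KEYSTORE_MODE $ks is $(file_mode "$ks"), want 600" ;;
        esac
    fi
    [ "${#pw}" -ge "$MIN_PW_LEN" ] ||
        echo "WEAK_PASSWORD keystore password has ${#pw} characters"
    # The password sits in this file in clear text, so the file needs 600 too.
    case $(file_mode "$f") in
        600|400) ;;
        *) echo "CONFIG_MODE $f is $(file_mode "$f"), want 600" ;;
    esac
}

# Constructed sample that mirrors the final settings shown on this page.
make_sample() {  # make_sample DIR -> writes DIR/jenkins and DIR/ks.jks
    : > "$1/ks.jks"; chmod 600 "$1/ks.jks"
    cat > "$1/jenkins" <<EOF
JENKINS_PORT="-1"
JENKINS_HTTPS_PORT="8443"
JENKINS_HTTPS_KEYSTORE="$1/ks.jks"
JENKINS_HTTPS_KEYSTORE_PASSWORD="123456"
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"
EOF
    chmod 644 "$1/jenkins"
}

d=$(mktemp -d) && make_sample "$d" && audit_jenkins_sysconfig "$d/jenkins"; rm -rf "$d"
```

On a real host, run `audit_jenkins_sysconfig /etc/sysconfig/jenkins` as root after each edit and before restarting the service.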

Access the Jenkins console over HTTPS on the configured port

Usage of the openssl command to combine the public and private keys into PKCS12

openssl pkcs12 -export -out jenkins.p12 \
-passout 'pass:123456' -inkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
-in /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
-name jenkins.bcoc.site
May 27, 2019


Create a new repository

Until an SSH key pair is configured, SSH-based push and pull operations cannot be used.

You won’t be able to pull or push project code via SSH until you add an SSH key to your profile

Prepare an SSH key for the root user (no passphrase set on the private key)

[root@client ~]# ssh-keygen -t ed25519 -C "harvey.mei@msn.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:zZYLuVxm+EDjPAHGjlgJjTGdkw0hrjMwOuLs6r0rrnU harvey.mei@msn.com
The key's randomart image is:
+--[ED25519 256]--+
| =*oOo |
| ..oO.o. |
|o .o + + |
|oo. . .+ B . |
|B S O |
|++ . @ . |
| o. E o o |
|.o.. |
|B+.+o |
+----[SHA256]-----+
[root@client ~]#

Add or change the passphrase on the private key file

ssh-keygen -p -o -f <keyname>

Copy the public key content into the GitLab account settings

[root@client ~]# cat .ssh/id_ed25519.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHWIgmnrN7FGjKTdMxYE3y6py3SKp5cO0wnc2dlWNj5o harvey.mei@msn.com
[root@client ~]#
 

View the imported SSH public key information


Test that the root user's SSH key works; when prompted, store the server's public key in the local known-hosts file, known_hosts

[root@client ~]# ssh -i .ssh/id_ed25519 -T git@gitlab.licensebox.cn
The authenticity of host 'gitlab.licensebox.cn (47.75.246.214)' can't be established.
ECDSA key fingerprint is SHA256:s+kUB7fDvU43bDqTmukBOoSd/8o/gxzuQC/Kk1aYLio.
ECDSA key fingerprint is MD5:f4:2a:7f:58:6c:d8:d3:ee:90:3a:14:9f:f9:5b:d4:4c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gitlab.licensebox.cn,47.75.246.214' (ECDSA) to the list of known hosts.
Welcome to GitLab, @root!
[root@client ~]#

View what is kept locally from the server side

[root@client ~]# cat .ssh/known_hosts

gitlab.licensebox.cn,47.75.246.214 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLPz49yrtFCwkwt+5/kCXekab8jtrEmf8OpPyfjqtoOuPMlHbhH/rnlNxcicFMF+0U9AD/RIigglJh5SFgSYQ3A=
[root@client ~]#
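
The fingerprint in the `yes/no` prompt is the unpadded base64 of a SHA-256 hash over the key blob that ends up in known_hosts, so it can be recomputed and compared with a value obtained from the server out of band. The script below is an added example, not part of the original post; it uses the known_hosts line shown above as input, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive the SHA256 fingerprint OpenSSH shows for a host key
# and compare it with a value obtained out of band before trusting the host.

# known_hosts entry as shown on this page: host list, key type, base64 blob.
KNOWN_HOSTS_LINE='gitlab.licensebox.cn,47.75.246.214 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLPz49yrtFCwkwt+5/kCXekab8jtrEmf8OpPyfjqtoOuPMlHbhH/rnlNxcicFMF+0U9AD/RIigglJh5SFgSYQ3A='

# Fingerprint = "SHA256:" + unpadded base64 of SHA-256 over the decoded blob.
host_key_fingerprint() {  # host_key_fingerprint 'known_hosts line'
    blob=$(printf '%s\n' "$1" | awk '{print $3}')
    hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    b64=$(
        while [ -n "$hex" ]; do       # hex digest -> raw bytes in plain sh
            rest=${hex#??}; byte=${hex%"$rest"}; hex=$rest
            printf "\\$(printf '%03o' "0x$byte")"
        done | base64 | tr -d '=\n'
    )
    printf 'SHA256:%s\n' "$b64"
}

# Exit status 0 only when the stored key hashes to the expected fingerprint.
verify_host_key() {  # verify_host_key 'known_hosts line' EXPECTED_FINGERPRINT
    actual=$(host_key_fingerprint "$1")
    if [ "$actual" = "$2" ]; then
        echo "MATCH $actual"
        return 0
    fi
    echo "MISMATCH got=$actual expected=$2"
    return 1
}

# Print the fingerprint of the entry stored on the client.
host_key_fingerprint "$KNOWN_HOSTS_LINE"
```

The expected value for `verify_host_key` should be read on the server itself, for example with `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` from its console, not taken from the prompt being verified.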

Install the Git client on the local operating system

[root@client ~]# git
-bash: git: command not found
[root@client ~]# yum -y install git

Clone the repository to the local disk (no need to authenticate again)

[root@client ~]# git clone git@gitlab.licensebox.cn:root/licensebox.git 
Cloning into 'licensebox'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.

List the local Git directory and file contents to confirm that the repository was cloned to the local disk

[root@client ~]# ls
licensebox
[root@client ~]# ls licensebox/
README.md
[root@client ~]# cat licensebox/README.md 
# licensebox

LicenseBox Project[root@client ~]#
May 24, 2019


Requirement: at least 4 GB of available memory

Check the current OS version

[root@iZj6cehstgjoj3qav88fidZ ~]# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core) 
[root@iZj6cehstgjoj3qav88fidZ ~]#

Install the YUM repository for the GitLab service

Enterprise Edition

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | sudo bash

Community Edition

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash

View the repository configuration file

Enterprise Edition

[root@iZj6cehstgjoj3qav88fidZ ~]# ls /etc/yum.repos.d/
CentOS-Base.repo epel.repo gitlab_gitlab-ee.repo
[root@iZj6cehstgjoj3qav88fidZ ~]#

Community Edition

[root@iZj6cehstgjoj3qav88fidZ ~]# ls /etc/yum.repos.d/
CentOS-Base.repo epel.repo gitlab_gitlab-ce.repo gitlab_gitlab-ee.repo
[root@iZj6cehstgjoj3qav88fidZ ~]# cat /etc/yum.repos.d/gitlab_gitlab-ce.repo 
[gitlab_gitlab-ce]
name=gitlab_gitlab-ce
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/7/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[gitlab_gitlab-ce-source]
name=gitlab_gitlab-ce-source
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
[root@iZj6cehstgjoj3qav88fidZ ~]#

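If the variable holds a domain name that resolves and specifies the https scheme when the install runs, a Let's Encrypt certificate is requested and installed automatically. For a first install, it is recommended to use http and install the TLS certificate yourself afterwards.

Install with the TLS certificate enabled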

sudo EXTERNAL_URL="https://gitlab.licensebox.cn" yum install -y gitlab-ce

Install with the TLS certificate disabled

sudo EXTERNAL_URL="http://gitlab.licensebox.cn" yum install -y gitlab-ce

Message shown on successful installation

Thank you for installing GitLab!
GitLab should be available at http://gitlab.licensebox.cn

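View the listening ports and service processes

Open the GitLab home page in a browser and set the initial password as prompted

Log in for the first time with the initial password you set

View the default GitLab home page

Upgrading the Community Edition

Back up the data (default backup path /var/opt/gitlab/backups)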

sudo gitlab-rake gitlab:backup:create STRATEGY=copy

Run the update

sudo yum install -y gitlab-ce
May 24, 2019


Official Yum repository address

https://pkg.jenkins.io/redhat-stable/

Install the Yum repository for the Jenkins LTS release

[root@iZj6cehstgjoj3qav88fidZ ~]# wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
--2019-06-12 18:27:21-- https://pkg.jenkins.io/redhat-stable/jenkins.repo
Resolving pkg.jenkins.io (pkg.jenkins.io)... 52.202.51.185
Connecting to pkg.jenkins.io (pkg.jenkins.io)|52.202.51.185|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85
Saving to: ‘/etc/yum.repos.d/jenkins.repo’

100%[=======================================================================================================================================================>] 85 --.-K/s in 0s

2019-06-12 18:27:22 (19.3 MB/s) - ‘/etc/yum.repos.d/jenkins.repo’ saved [85/85]

[root@iZj6cehstgjoj3qav88fidZ ~]# rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
[root@iZj6cehstgjoj3qav88fidZ ~]#

Install OpenJDK and check the version
[root@iZj6cehstgjoj3qav88fidZ ~]# yum install java-1.8.0-openjdk
[root@iZj6cehstgjoj3qav88fidZ ~]# java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)
[root@iZj6cehstgjoj3qav88fidZ ~]#

Install the Jenkins service from the Yum repository

[root@iZj6cehstgjoj3qav88fidZ ~]# yum install jenkins

View the installed paths

[root@iZj6cehstgjoj3qav88fidZ ~]# rpm -lq jenkins
/etc/init.d/jenkins
/etc/logrotate.d/jenkins
/etc/sysconfig/jenkins
/usr/lib/jenkins
/usr/lib/jenkins/jenkins.war
/usr/sbin/rcjenkins
/var/cache/jenkins
/var/lib/jenkins
/var/log/jenkins
[root@iZj6cehstgjoj3qav88fidZ ~]#

View the Jenkins service registration

[root@iZj6cehstgjoj3qav88fidZ ~]# chkconfig --list jenkins

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.

jenkins 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@iZj6cehstgjoj3qav88fidZ ~]#

Start the service

[root@iZj6cehstgjoj3qav88fidZ ~]# service jenkins start
Starting jenkins (via systemctl): [ OK ]
[root@iZj6cehstgjoj3qav88fidZ ~]#

View the listeners

Access from a browser

View the initial password

[root@iZj6cehstgjoj3qav88fidZ ~]# cat /var/lib/jenkins/secrets/initialAdminPassword
5228940ac30a481d97a4efbabe4147a3
[root@iZj6cehstgjoj3qav88fidZ ~]#

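Install the recommended plugins

Plugin installation progress

Create the first administrator user

Instance configuration

Installation complete

Console home page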