k8s-学习笔记5-jenkins构建java服务
准备私有jenkins镜像
拉取公共镜像
docker pull jenkins/jenkins:2.235.1-lts-centos7
推到自己的仓库
docker tag 08b8cad08fb6 registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jenkins:2.235.1 docker push registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jenkins:2.235.1
Dockerfile
id_rsa是用来让jenkins免密登录git的,没有也没关系
config.json是docker login后记录的文件,用于jenkins登录仓库
get-docker.sh是docker客户端
#!/bin/sh set -e # This script is meant for quick & easy install via: # $ curl -fsSL get.docker.com -o get-docker.sh # $ sh get-docker.sh # # For test builds (ie. release candidates): # $ curl -fsSL test.docker.com -o test-docker.sh # $ sh test-docker.sh # # NOTE: Make sure to verify the contents of the script # you downloaded matches the contents of install.sh # located at https://github.com/docker/docker-install # before executing. # # Git commit from https://github.com/docker/docker-install when # the script was uploaded (Should only be modified by upload job): SCRIPT_COMMIT_SHA=36b78b2 # This value will automatically get changed for: # edge # test # experimental DEFAULT_CHANNEL_VALUE="edge" if [ -z "$CHANNEL" ]; then CHANNEL=$DEFAULT_CHANNEL_VALUE fi DEFAULT_DOWNLOAD_URL="https://download.docker.com" if [ -z "$DOWNLOAD_URL" ]; then DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL fi DEFAULT_REPO_FILE="docker-ce.repo" if [ -z "$REPO_FILE" ]; then REPO_FILE="$DEFAULT_REPO_FILE" fi SUPPORT_MAP=" x86_64-centos-7 x86_64-fedora-26 x86_64-fedora-27 x86_64-fedora-28 x86_64-debian-wheezy x86_64-debian-jessie x86_64-debian-stretch x86_64-debian-buster x86_64-ubuntu-trusty x86_64-ubuntu-xenial x86_64-ubuntu-bionic x86_64-ubuntu-artful s390x-ubuntu-xenial s390x-ubuntu-bionic s390x-ubuntu-artful ppc64le-ubuntu-xenial ppc64le-ubuntu-bionic ppc64le-ubuntu-artful aarch64-ubuntu-xenial aarch64-ubuntu-bionic aarch64-debian-jessie aarch64-debian-stretch aarch64-debian-buster aarch64-fedora-26 aarch64-fedora-27 aarch64-fedora-28 aarch64-centos-7 armv6l-raspbian-jessie armv7l-raspbian-jessie armv6l-raspbian-stretch armv7l-raspbian-stretch armv7l-debian-jessie armv7l-debian-stretch armv7l-debian-buster armv7l-ubuntu-trusty armv7l-ubuntu-xenial armv7l-ubuntu-bionic armv7l-ubuntu-artful " mirror='' DRY_RUN=${DRY_RUN:-} while [ $# -gt 0 ]; do case "$1" in –mirror) mirror="$2" shift ;; –dry-run) DRY_RUN=1 ;; –) echo "Illegal option $1" ;; esac shift $(( $# > 0 ? 1 : 0 )) done case "$mirror" in Aliyun) DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce" ;; AzureChinaCloud) DOWNLOAD_URL="https://mirror.azure.cn/docker-ce" ;; esac command_exists() { command -v "$@" > /dev/null 2>&1 } is_dry_run() { if [ -z "$DRY_RUN" ]; then return 1 else return 0 fi } deprecation_notice() { distro=$1 date=$2 echo echo "DEPRECATION WARNING:" echo " The distribution, $distro, will no longer be supported in this script as of $date." echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new" echo sleep 10 } get_distribution() { lsb_dist="" # Every system that we officially support has /etc/os-release if [ -r /etc/os-release ]; then lsb_dist="$(. /etc/os-release && echo "$ID")" fi # Returning an empty string here should be alright since the # case statements don't act unless you provide an actual value echo "$lsb_dist" } add_debian_backport_repo() { debian_version="$1" backports="deb http://ftp.debian.org/debian $debian_version-backports main" if ! grep -Fxq "$backports" /etc/apt/sources.list; then (set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list") fi } echo_docker_as_nonroot() { if is_dry_run; then return fi if command_exists docker && [ -e /var/run/docker.sock ]; then ( set -x $sh_c 'docker version' ) || true fi your_user=your-user [ "$user" != 'root' ] && your_user="$user" # intentionally mixed spaces and tabs here – tabs are stripped by "<<-EOF", spaces are kept in the output echo "If you would like to use Docker as a non-root user, you should now consider" echo "adding your user to the \"docker\" group with something like:" echo echo " sudo usermod -aG docker $your_user" echo echo "Remember that you will have to log out and back in for this to take effect!" echo echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run" echo " containers which can be used to obtain root privileges on the" echo " docker host." echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface" echo " for more information." } # Check if this is a forked Linux distro check_forked() { # Check for lsb_release command existence, it usually exists in forked distros if command_exists lsb_release; then # Check if the -u option is supported set +e lsb_release -a -u > /dev/null 2>&1 lsb_release_exit_code=$? set -e # Check if the command has exited successfully, it means we're in a forked distro if [ "$lsb_release_exit_code" = "0" ]; then # Print info about current distro cat <<-EOF You're using '$lsb_dist' version '$dist_version'. EOF # Get the upstream release info lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]') dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]') # Print info about upstream distro cat <<-EOF Upstream release is '$lsb_dist' version '$dist_version'. EOF else if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then if [ "$lsb_dist" = "osmc" ]; then # OSMC runs Raspbian lsb_dist=raspbian else # We're Debian and don't even know it! lsb_dist=debian fi dist_version="$(sed 's/\/.//' /etc/debian_version | sed 's/..//')" case "$dist_version" in 9) dist_version="stretch" ;; 8|'Kali Linux 2') dist_version="jessie" ;; 7) dist_version="wheezy" ;; esac fi fi fi } semverParse() { major="${1%%.}" minor="${1#$major.}" minor="${minor%%.}" patch="${1#$major.$minor.}" patch="${patch%%[-.]}" } ee_notice() { echo echo echo " WARNING: $1 is now only supported by Docker EE" echo " Check https://store.docker.com for information on Docker EE" echo echo } do_install() { echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA" if command_exists docker; then docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)" MAJOR_W=1 MINOR_W=10 semverParse "$docker_version" shouldWarn=0 if [ "$major" -lt "$MAJOR_W" ]; then shouldWarn=1 fi if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then shouldWarn=1 fi cat >&2 <<-'EOF' Warning: the "docker" command appears to already exist on this system. If you already have Docker installed, this script can cause trouble, which is why we're displaying this warning and provide the opportunity to cancel the installation. If you installed the current Docker package using this script and are using it EOF if [ $shouldWarn -eq 1 ]; then cat >&2 <<-'EOF' again to update Docker, we urge you to migrate your image store before upgrading to v1.10+. You can find instructions for this here: https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration EOF else cat >&2 <<-'EOF' again to update Docker, you can safely ignore this message. EOF fi cat >&2 <<-'EOF' You may press Ctrl+C now to abort this script. EOF ( set -x; sleep 20 ) fi user="$(id -un 2>/dev/null || true)" sh_c='sh -c' if [ "$user" != 'root' ]; then if command_exists sudo; then sh_c='sudo -E sh -c' elif command_exists su; then sh_c='su -c' else cat >&2 <<-'EOF' Error: this installer needs the ability to run commands as root. We are unable to find either "sudo" or "su" available to make this happen. EOF exit 1 fi fi if is_dry_run; then sh_c="echo" fi # perform some very rudimentary platform detection lsb_dist=$( get_distribution ) lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" case "$lsb_dist" in ubuntu) if command_exists lsb_release; then dist_version="$(lsb_release –codename | cut -f2)" fi if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")" fi ;; debian|raspbian) dist_version="$(sed 's/\/.//' /etc/debian_version | sed 's/..//')" case "$dist_version" in 9) dist_version="stretch" ;; 8) dist_version="jessie" ;; 7) dist_version="wheezy" ;; esac ;; centos) if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then dist_version="$(. /etc/os-release && echo "$VERSION_ID")" fi ;; rhel|ol|sles) ee_notice "$lsb_dist" exit 1 ;; ) if command_exists lsb_release; then dist_version="$(lsb_release –release | cut -f2)" fi if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then dist_version="$(. /etc/os-release && echo "$VERSION_ID")" fi ;; esac # Check if this is a forked Linux distro check_forked # Check if we actually support this configuration if ! echo "$SUPPORT_MAP" | grep "$(uname -m)-$lsb_dist-$dist_version" >/dev/null; then cat >&2 <<-'EOF' Either your platform is not easily detectable or is not supported by this installer script. Please visit the following URL for more detailed installation instructions: https://docs.docker.com/engine/installation/ EOF exit 1 fi # Run setup for each distro accordingly case "$lsb_dist" in ubuntu|debian|raspbian) pre_reqs="apt-transport-https ca-certificates curl" if [ "$lsb_dist" = "debian" ]; then if [ "$dist_version" = "wheezy" ]; then add_debian_backport_repo "$dist_version" fi # libseccomp2 does not exist for debian jessie main repos for aarch64 if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then add_debian_backport_repo "$dist_version" fi fi # TODO: August 31, 2018 delete from here, if [ "$lsb_dist" = "ubuntu" ] && [ "$dist_version" = "artful" ]; then deprecation_notice "$lsb_dist $dist_version" "August 31, 2018" fi # TODO: August 31, 2018 delete to here, if ! command -v gpg > /dev/null; then pre_reqs="$pre_reqs gnupg" fi apt_repo="deb [arch=$(dpkg –print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL" ( if ! is_dry_run; then set -x fi $sh_c 'apt-get update -qq >/dev/null' $sh_c "apt-get install -y -qq $pre_reqs >/dev/null" $sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null" $sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list" if [ "$lsb_dist" = "debian" ] && [ "$dist_version" = "wheezy" ]; then $sh_c 'sed -i "/deb-src.download.docker/d" /etc/apt/sources.list.d/docker.list' fi $sh_c 'apt-get update -qq >/dev/null' ) pkg_version="" if [ ! -z "$VERSION" ]; then if is_dry_run; then echo "# WARNING: VERSION pinning is not supported in DRY_RUN" else # Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~./g" | sed "s/-/./g").-0~$lsb_dist" search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | cut -d' ' -f 4" pkg_version="$($sh_c "$search_command")" echo "INFO: Searching repository for VERSION '$VERSION'" echo "INFO: $search_command" if [ -z "$pkg_version" ]; then echo echo "ERROR: '$VERSION' not found amongst apt-cache madison results" echo exit 1 fi pkg_version="=$pkg_version" fi fi ( if ! is_dry_run; then set -x fi $sh_c "apt-get install -y -qq –no-install-recommends docker-ce$pkg_version >/dev/null" ) echo_docker_as_nonroot exit 0 ;; centos|fedora) yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" if ! curl -Ifs "$yum_repo" > /dev/null; then echo "Error: Unable to curl repository file $yum_repo, is it valid?" exit 1 fi if [ "$lsb_dist" = "fedora" ]; then if [ "$dist_version" -lt "26" ]; then echo "Error: Only Fedora >=26 are supported" exit 1 fi pkg_manager="dnf" config_manager="dnf config-manager" enable_channel_flag="–set-enabled" pre_reqs="dnf-plugins-core" pkg_suffix="fc$dist_version" else pkg_manager="yum" config_manager="yum-config-manager" enable_channel_flag="–enable" pre_reqs="yum-utils" pkg_suffix="el" fi ( if ! is_dry_run; then set -x fi $sh_c "$pkg_manager install -y -q $pre_reqs" $sh_c "$config_manager –add-repo $yum_repo" if [ "$CHANNEL" != "stable" ]; then $sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL" fi $sh_c "$pkg_manager makecache" ) pkg_version="" if [ ! -z "$VERSION" ]; then if is_dry_run; then echo "# WARNING: VERSION pinning is not supported in DRY_RUN" else pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\.ce./g" | sed "s/-/./g").*$pkg_suffix" search_command="$pkg_manager list –showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" pkg_version="$($sh_c "$search_command")" echo "INFO: Searching repository for VERSION '$VERSION'" echo "INFO: $search_command" if [ -z "$pkg_version" ]; then echo echo "ERROR: '$VERSION' not found amongst $pkg_manager list results" echo exit 1 fi # Cut out the epoch and prefix with a '-' pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)" fi fi ( if ! is_dry_run; then set -x fi $sh_c "$pkg_manager install -y -q docker-ce$pkg_version" ) echo_docker_as_nonroot exit 0 ;; esac exit 1 } # wrapped up in a function so that we have some protection against only getting # half the file during "curl | sh" do_install
去掉密码指纹确认
FROM registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jenkins:2.235.1 USER root RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\ echo 'Asia/Shanghai' >/etc/timezone ADD id_rsa /root/.ssh/id_rsa ADD config.json /root/.docker/config.json ADD get-docker.sh /get-docker.sh RUN echo " StrictHostKeyChecking no" >> /etc/ssh/sshd_config &&\ /get-docker.sh --mirror Aliyun
构建私有镜像并推送到仓库
docker build . -t registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jenkins:my_v1
docker push registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jenkins:my_v1
部署服务
持久化存储使用阿里NFS,创建NFS后,在k8s所有节点上挂载 /mnt
创建运维专用的ns:devops
创建登录仓库的secret
root@k8s-master:~# kubectl create secret docker-registry regcred \ > --docker-server=repo.mrvolleyball.com/library \ > --docker-username=admin \ > --docker-password='Harbor12345' \ > --docker-email=chaisd63@163.com secret "regcred" created
deployment
挂载docker.sock,为了jenkins里的docker客户端和宿主机的服务端通信
创建完后验证/mnt目录,已经有相关文件
kind: Deployment apiVersion: apps/v1 metadata: name: jenkins namespace: devops spec: replicas: 1 selector: matchLabels: app: jenkins strategy: type: RollingUpdate template: metadata: labels: app: jenkins spec: volumes: - name: data hostPath: path: /mnt/jenkins_home type: '' - name: docker hostPath: path: /run/docker.sock type: '' containers: - name: jenkins image: registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jenkins:my_v1 ports: - containerPort: 8080 protocol: TCP volumeMounts: - name: data mountPath: /var/jenkins_home - name: docker mountPath: /run/docker.sock terminationMessagePath: /dev/termination-log terminationMessagePolicy: File imagePullPolicy: IfNotPresent imagePullSecrets: - name: dewin-ali restartPolicy: Always terminationGracePeriodSeconds: 30 securityContext: runAsUser: 0 schedulerName: default-scheduler revisionHistoryLimit: 7 progressDeadlineSeconds: 600
service
kind: Service apiVersion: v1 metadata: name: jenkins namespace: devops spec: ports: - protocol: TCP port: 80 targetPort: 8080 selector: app: jenkins type: ClusterIP sessionAffinity: None
ingress
kind: Ingress apiVersion: extensions/v1beta1 metadata: name: jenkins namespace: devops spec: rules: - host: jenkins.e-dewin.com http: paths: - path: / backend: serviceName: jenkins servicePort: 80
验证
进入jenkins容器
1 用户是root
2 时区正常
3 docker ps命令能连接宿主机
4 验证docker login registry-vpc.cn-hangzhou.aliyuncs.com正常
5 id_rsa测试连接git clone代码 (由于自己这里是http的gogs,所以git地址使用ssh)
jenkins配置
安装mvn工具,修改settings
把jenkins的插件打包放到plugins目录(包含blue ocean)
dubbo微服务部署
制作dubbo底包镜像
Dockerfile
FROM registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jre:8u112 RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\ echo 'Asia/Shanghai' >/etc/timezone ADD config.yml /opt/prom/config.yml ADD jmx_javaagent-0.3.1.jar /opt/prom/ WORKDIR /opt/project_dir ADD entrypoint.sh /entrypoint.sh CMD ["/entrypoint.sh"]
prom监控
config.yml
--- rules: - pattern: '.*'
wget https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.3.1/jmx_prometheus_javaagent-0.3.1.jar -O jmx_javaagent-0.3.1.jar
entrypoint.sh
docker里面维持一个pid=1的进程在前台运行,来保持容器的生命周期。exec 命令用于此目的,使这个shell脚本把pid=1交给java -jar
nohup不行,会变成后台,然后ent.sh退出后,容器也就变成exited
JAR_BALL是jar包文件名,通过在yml文件里env传递进来
#!/bin/sh M_OPTS="-Duser.timezone=Asia/Shanghai -javaagent:/opt/prom/jmx_javaagent-0.3.1.jar=$(hostname -i):${M_PORT:-"12346"}:/opt/prom/config.yml" C_OPTS=${C_OPTS} JAR_BALL=${JAR_BALL} exec java -jar ${M_OPTS} ${C_OPTS} ${JAR_BALL}
chmod +x entrypoint.sh
推送到仓库
docker build . -t registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jre:my_8u112 docker push registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/jre:my_8u112
jenkins流水线
新建一个流水线,写好10个参数化构建,写好pipeline
pipeline { agent any stages { stage('pull') { //get project code from repo steps { sh "git clone ${params.git_repo} ${params.app_name}/${env.BUILD_NUMBER} && cd ${params.app_name}/${env.BUILD_NUMBER} && git checkout ${params.git_ver}" } } stage('build') { //exec mvn cmd steps { sh "cd ${params.app_name}/${env.BUILD_NUMBER} && /var/jenkins_home/maven-${params.maven}/bin/${params.mvn_cmd}" } } stage('package') { //move jar file into project_dir steps { sh "cd ${params.app_name}/${env.BUILD_NUMBER} && cd ${params.target_dir} && mkdir project_dir && mv *.jar ./project_dir" } } stage('image') { //build image and push to registry steps { writeFile file: "${params.app_name}/${env.BUILD_NUMBER}/Dockerfile", text: """FROM registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/${params.base_image} ADD ${params.target_dir}/project_dir /opt/project_dir""" sh "cd ${params.app_name}/${env.BUILD_NUMBER} && docker build -t registry-vpc.cn-hangzhou.aliyuncs.com/dw-java/${params.image_name}:${params.git_ver}_${params.add_tag} . && docker push registry-vpc.cn-hangzhou.aliyuncs.com/dw-java/${params.image_name}:${params.git_ver}_${params.add_tag}" } } } }
然后手动填参数,构建,构建完后仓库里就有这个镜像了。
交付到k8s
创建一个新的ns,并在这个ns里创建一个secret,用于仓库验证
部署deployment,部署成功后,在xxljobadmin执行器管理里看到对应的服务,则成功(zk已经部署在k8s外面的服务器上,java服务里也已经指定)
kind: Deployment apiVersion: apps/v1 metadata: name: xxl-job-peccancy namespace: dw-java labels: app: xxl-job-peccancy spec: replicas: 1 selector: matchLabels: app: xxl-job-peccancy template: metadata: labels: app: xxl-job-peccancy spec: containers: - name: xxl-job-peccancy image: registry-vpc.cn-hangzhou.aliyuncs.com/dw-java/xxl-job-peccancy:master_20200718_1038 ports: - containerPort: 20880 protocol: TCP env: - name: JAR_BALL value: xxl-job-vehicle-peccancy-client-2.0.2-SNAPSHOT.jar imagePullPolicy: IfNotPresent imagePullSecrets: - name: dw-java restartPolicy: Always terminationGracePeriodSeconds: 30 securityContext: runAsUser: 0 schedulerName: default-scheduler strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 maxSurge: 1 revisionHistoryLimit: 7 progressDeadlineSeconds: 600