SpringBoot项目的CI配置 # 安全变量

运行GitLab Runner容器

参考Run GitLab Runner in a container - Docker image installation and configuration

执行下述命令运行gitlab-runner容器。

docker run -d --name gitlab-runner --restart always \
  -v /srv/gitlab-runner/config:/etc/gitlab-runner \
  -v /var/run/docker.sock:/var/run/docker.sock \
  gitlab/gitlab-runner:latest

# 注册GitLab Runner

参考Registering Runners

使用 docker exec -it gitlab-runner /bin/bash 命令进入 gitlab-runner 容器命令行环境。

执行 gitlab-runner register 命令开始注册一个 runner。

注册时只有输入共享Runner的注册令牌（token）才能注册为共享Runner。关于Runner executor的介绍可以查看 Executors

。Runner executor选择Docker时会要求填写要使用的默认docker镜像。

安全变量

GitLab CI/CD的安全变量有两种，群组安全变量和项目安全变量，群组安全变量可作用于当前群组下所有项目以及子群组项目，递归继承；项目安全变量只作用当前项目。

实际项目配置的群组变量有：CI_REGISTRY（本地Docker Registry的地址），项目变量有：CI_REGISTRY_IMAGE（项目构建的docker镜像名称）

# Dockerfile

FROM java:8-jre

ADD target/discovery-server-1.0.0.jar app.jar

RUN bash -c 'touch /app.jar'

EXPOSE 10030

ENTRYPOINT ["java", "-Djava.security.edg=file:/dev/./urandom", "-Duser.timezone=Asia/Shanghai", "-Xmx128m", "-Xms64m", "-jar", "/app.jar"]

# .gitlab-ci.yml

.gitlab-ci.yml文件可以使用的变量除了手动配置的安全变量外，默认还可以使用预定义变量（详情见GitLab CI/CD Variables

）。

示例：

image: docker:latest

services:
  - name: docker:dind
    command: ["--insecure-registry=172.17.0.1:5000"]    # 将本地Docker Registry私服设置为insecure，避免registry默认需要https才能访问

stages:
  - package
  - build
  - deploy

maven-package:
  image: maven:3.5-jdk-8-alpine
  tags:
    - maven
  stage: package
  script:
    - mvn clean install -Dmaven.test.skip=true
  artifacts:
    paths:
      - target/*.jar    # 将maven构建成功的jar包作为构建产出导出，可在下一个stage的任务中使用

build-master:
  tags:
    - docker
  stage: build
  script:
    - docker build --pull -t "$CI_REGISTRY/$CI_REGISTRY_IMAGE" .
    - docker push "$CI_REGISTRY/$CI_REGISTRY_IMAGE"
  only:
    - master

build:
  tags:
    - docker
  stage: build
  script:
    - docker build --pull -t "$CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
    - docker push "$CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
  except:
    - master

# Runner容器的配置

将maven构建runner容器使用的maven仓库使用数据卷方式进行共享，解决容器每次构建时都要重新下载依赖的问题。具体方法为使用 docker exec -it gitlab-runner /bin/bash 进入gitlab-runner容器，编辑 /etc/gitlab-runner/config.toml 文件，在maven构建runner下的volumes加上 /root/.m2 本地仓库的数据卷映射关系。

docker构建runner的privileged设置为true，以root用户身份进入容器进行构建任务，避免了由于权限不足无法访问/var/run/docker.sock的问题。

concurrent = 6
check_interval = 0

[[runners]]
  name = "public docker runner"
  url = "http://172.17.0.1:800/"
  token = "5223e807ba2c42b18e2aadeceb0e0b"
  executor = "docker"
  [runners.docker]
    registry_mirrors = ["https://ub9x5g6o.mirror.aliyuncs.com/"]
    extra_hosts = ["git.yupaits.com:172.17.0.1"]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

[[runners]]
  name = "public maven runner"
  url = "http://172.17.0.1:800/"
  token = "b97734914a435c7f3409bea71e122a"
  executor = "docker"
  [runners.docker]
    extra_hosts = ["git.yupaits.com:172.17.0.1"]
    tls_verify = false
    image = "maven:3.5-jdk-8-alpine"
    privileged = true
    disable_cache = false
    volumes = ["/cache", "/home/maven/.m2:/root/.m2"]
    pull_policy = "if-not-present"
    shm_size = 0
  [runners.cache]

[[runners]]
  name = "public node runner"
  url = "http://172.17.0.1:800/"
  token = "e0dea1b0cb42a8d2e1df94ee442b82"
  executor = "docker"
  [runners.docker]
    extra_hosts = ["git.yupaits.com:172.17.0.1"]
    tls_verify = false
    image = "node:8-alpine"
    privileged = true
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

[[runners]]
  name = "public ssh runner"
  url = "http://172.17.0.1:800/"
  token = "266dc28d04f012a5ead3987c1f004e"
  executor = "ssh"
  [runners.ssh]
    user = "root"
    password = "password"
    host = "172.17.0.1"
    port = "22"
    identity_file = "/root/.ssh/id_rsa"
  [runners.cache]