Semaphore是一个开源工具,它提供了一个漂亮的 Web 界面来运行 ansible playbook。这个用 Go 语言编写的工具可以安装在 Windows、Linux(x64、ARM、ARM64)和 macOS 系统上。当您的项目增长并且您不需要从命令行部署它时,此工具会派上用场。
与 Semaphore Ansible Web UI 相关的惊人功能是:
- Pure Go允许为多个平台交叉编译它。这是 DevOps 首选它的主要原因。
- 它允许一个人按计划运行剧本
- 随时查看任何运行的详细日志
- 将剧本分组到项目
- 轻松管理环境、库存、存储库和访问密钥。
- 如果需要,您可以从浏览器使用它来构建、部署和回滚。
- 获取有关剧本运行的通知
- 它允许一个授予其他用户运行剧本的权限
除了上述特性,Semaphore 还支持 MySQL、PostgreSQL 和 BoltDB。可以通过多种方式安装和使用 Semaphore Ansible Web UI。这些包括使用 Snap、包管理器、二进制文件等
本文深入说明了如何在 Docker 容器中运行 Semaphore Ansible Web UI。
开始之前准备
本文内容要求同时安装 Docker 引擎和 docker-compose。可以使用以下指南中的帮助将 Docker 安装在 Linux 系统上。
安装 Docker 引擎后,使用以下命令将您的系统用户添加到 Docker 组:
sudo usermod -aG docker $USER
newgrp docker使用专用指南继续安装 Docker-compose:
验证安装
$ docker-compose version
Docker Compose version v2.4.1现在启动并启用 docker 在系统启动时运行。
sudo systemctl start docker && sudo systemctl enable docker第 1 步 – 提供Semaphore容器
容器将包含两个部分,即
- 数据库 – (MySQL) 用于数据存储
- Ansible Semaphore(最新图片)
使用以下命令创建 docker-compose 文件:
mkdir semaphore && cd semaphore
vim docker-compose.yml将以下行添加到文件中,在需要的地方替换变量。
version: '2'
services:
mysql:
ports:
- 3306:3306
image: mysql:5.6
container_name: mysql
hostname: mysql
environment:
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
MYSQL_DATABASE: semaphore_db
MYSQL_USER: semaphore_user
MYSQL_PASSWORD: StrongPassw0rd
semaphore:
ports:
- 3000:3000
image: ansiblesemaphore/semaphore:latest
container_name: semaphore
environment:
SEMAPHORE_DB_USER: semaphore_user
SEMAPHORE_DB_PASS: StrongPassw0rd
SEMAPHORE_DB_HOST: mysql
SEMAPHORE_DB_PORT: 3306
SEMAPHORE_DB: semaphore_db
SEMAPHORE_PLAYBOOK_PATH: /tmp/semaphore/
SEMAPHORE_ADMIN_PASSWORD: AdminPassword
SEMAPHORE_ADMIN_NAME: admin
SEMAPHORE_ADMIN_EMAIL: admin@computingforgeeks.com
SEMAPHORE_ADMIN: admin
SEMAPHORE_ACCESS_KEY_ENCRYPTION: MflCLIUF5bn6Lgkuwy4BoAdIFhoZ4Ief2oocXmuZSjs=
depends_on:
- mysql在文件中,替换:
- MYSQL_USER和SEMAPHORE_DB_USER与所需的数据库用户。
- MYSQL_PASSWORD和SEMAPHORE_DB_PASS以及用户的数据库密码
- SEMAPHORE_ADMIN_PASSWORD与 Semaphore Ansible Web UI 的管理员用户的密码
- SEMAPHORE_ACCESS_KEY_ENCRYPTION使用密钥来加密数据库中的访问密钥。可以使用以下命令生成此密钥加密:
$ head -c32 /dev/urandom | base64
MflCLIUF5bn6Lgkuwy4BoAdIFhoZ4Ief2oocXmuZSjs=第 2 步 – 在 Docker 容器中运行 Semaphore Ansible Web UI
现在配置好容器后,我们可以使用以下命令运行 Semaphore:
docker-compose up -d执行输出:
[+] Running 19/19
⠿ semaphore Pulled 21.2s
⠿ 4e9f2cdf4387 Pull complete 0.9s
⠿ 8eba5c7ef78e Pull complete 1.3s
⠿ 4b2e0cc6dd21 Pull complete 18.3s
⠿ 5d4e24327603 Pull complete 18.4s
⠿ b53de92b8d36 Pull complete 18.9s
⠿ 8ada155f2bd8 Pull complete 19.2s
⠿ mysql Pulled 19.0s
⠿ 35b2232c987e Pull complete 5.1s
⠿ fc55c00e48f2 Pull complete 5.5s
⠿ 0030405130e3 Pull complete 6.2s
⠿ e1fef7f6a8d1 Pull complete 6.9s
⠿ 1c76272398bb Pull complete 7.6s
⠿ f57e698171b6 Pull complete 9.4s
⠿ f5b825b269c0 Pull complete 9.8s
⠿ dcb0af686073 Pull complete 10.4s
⠿ 27bbfeb886d1 Pull complete 15.6s
⠿ 6f70cc868145 Pull complete 15.9s
⠿ 1f6637f4600d Pull complete 16.3s
[+] Running 3/3
⠿ Network semaphore_default Created 0.3s
⠿ Container semaphore-mysql-1 Started 1.6s
⠿ Container semaphore-semaphore-1 Started验证容器是否在暴露服务的情况下运行。
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ea51aeb59791 ansiblesemaphore/semaphore:latest "/sbin/tini -- /usr/…" 17 seconds ago Up 15 seconds 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp semaphore
abf873ba28c2 mysql:5.6 "docker-entrypoint.s…" 18 seconds ago Up 16 seconds 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp mysql第 3 步 – 使用 SSL 证书保护 Semaphore Ansible Web UI
本指南演示了如何使用 Let's Encrypt 和自签名证书保护 Semaphore Ansible Web UI。
首先安装 Nginx Web 服务器。
##On RHEL/CentOS/Rocky Linux 8
sudo yum install nginx
##On Debian/Ubuntu
sudo apt install nginx继续并为 Semaphore 创建虚拟主机文件。
sudo vim /etc/nginx/conf.d/semaphore.conf在打开的文件中,添加以下行:
upstream semaphore {
server 127.0.0.1:3000;
}
server {
listen 80;
server_name semaphore.example.com;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_pass http://semaphore/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ws {
proxy_pass http://semaphore/api/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
}保存文件并继续生成 SSL 证书。
1、使用 Let's Encrypt SSL 保护 Semaphore Ansible Web UI
Let's Encrypt 用于免费向域名颁发受信任的 SSL 证书。为了能够生成 SSL 证书,请安装所需的软件包。
##On RHEL 8/CentOS 8/Rocky Linux 8/Fedora
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf install certbot python3-certbot-nginx
##On Debian/Ubuntu
sudo apt install certbot python3-certbot-nginx使用以下命令颁发 SSL 证书:
sudo certbot --nginx进行如下:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): Enter a valid Email address here
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: semaphore.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for semaphore.example.com
Performing the following challenges:
http-01 challenge for semaphore.example.com
....
Successfully received certificate.
Certificate is saved at: a2enmod ssl就是这样,你将把你的证书添加到你的 Nginx 配置文件中。
2、使用自签名证书保护 Semaphore Ansible Web UI。
如果您没有 FQDN,您可以为您的域名/IP 地址生成自签名证书,如下所示。
创建一个用于生成证书的配置文件。
$ vim semaphore_ssl.conf
[req]
default_bits = 2048
default_keyfile = semaphore_ssl.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = KE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Nairobi
localityName = Locality Name (eg, city)
localityName_default = Nairobi
organizationName = Organization Name (eg, company)
organizationName_default = Computingforgeeks
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Your_IP-Address
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = Your_IP-Address使用 OpenSSL 生成 SSL 证书,如下所示:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout semaphore_ssl.key -out semaphore_ssl.crt -config semaphore_ssl.conf按回车键到最后,您将生成一个 SSL 证书对。将证书复制到/etc/ssl/certs目录。
sudo cp semaphore_ssl.crt /etc/ssl/certs/semaphore_ssl.crt
sudo mkdir -p /etc/ssl/private/
sudo cp semaphore_ssl.key /etc/ssl/private/semaphore_ssl.key现在编辑您的 Nginx 配置文件,如下所示。
sudo vim /etc/nginx/conf.d/semaphore.conf对文件进行以下更改。
upstream semaphore {
server 127.0.0.1:3000;
}
server {
server_name semaphore.example.com;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_pass http://semaphore/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ws {
proxy_pass http://semaphore/api/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/ssl/certs/semaphore_ssl.crt;
ssl_certificate_key /etc/ssl/private/semaphore_ssl.key;
}
server {
if ($host = semaphore.example.com) {
return 301 https://$host$request_uri;
}
listen 80;
server_name semaphore.example.com;
return 404;
}保存文件并重启 Nginx。
sudo systemctl restart nginx第 4 步 – 访问 Semaphore Ansible Web UI
此时,您将可以通过 HTTPS 访问 Semaphore。允许 HTTP 和 HTTPS 通过防火墙。
##For Firewalld
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
##For UFW
sudo ufw allow http
sudo ufw allow https现在继续并使用 URL https://doamin_name访问 Semaphore Ansible Web UI
使用创建的管理员用户和密码登录。继续并创建一个项目。
创建项目后,仪表板将被授予如下。
创建任务模板。模板用于定义 ansible 将如何运行 playbook 。创建新模板需要提供:
- Inventory
- Playbook filename
- Playbook repository
- Environment
- Vault password file
- Extra CLI arguments e.t.c
任务模板可以是:
- 任务
- 建造
- 部署
任务只是运行指定的剧本。
构建模板用于创建工件。在这里,您需要指定工件的起始版本。
部署模板现在将工件部署到服务器。这通常与构建模板相关联。
第 5 步 – 管理容器
在本指南中,我们有两个容器可以使用下面的 docker start 和 stop 命令进行管理:
##To stop
docker stop semaphore
docker stop mysql
##To start
docker start semaphore
docker start mysql
##To delete
docker rm semaphore
docker rm mysql这些容器可以作为系统服务进行管理。为了能够实现这一点,我们将为每个容器创建服务文件。
For MYSQL
$ sudo vim /etc/systemd/system/mysql_container.service
[Unit]
Description=MySQL container
[Service]
Restart=always
ExecStart=/usr/bin/docker start -a mysql
ExecStop=/usr/bin/docker stop -t 2 mysql
[Install]
WantedBy=local.targetFor Semaphore
$ sudo vim /etc/systemd/system/semaphore_container.service
[Unit]
Description=Semaphore container
[Service]
Restart=always
ExecStart=/usr/bin/docker start -a semaphore
ExecStop=/usr/bin/docker stop -t 2 semaphore
[Install]
WantedBy=local.target重新加载系统守护程序。
sudo systemctl daemon-reload启动并启用容器服务以在启动时运行。
##For MySQL
sudo systemctl start mysql_container
sudo systemctl enable mysql_container
##For Semaphore
sudo systemctl start semaphore_container
sudo systemctl enable semaphore_container检查服务状态:
$ systemctl status mysql_container semaphore_container
● mysql_container.service - MySQL container
Loaded: loaded (/etc/systemd/system/mysql_container.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2022-04-28 10:48:47 EDT; 1min 11s ago
Main PID: 8906 (docker)
Tasks: 5 (limit: 23682)
Memory: 38.7M
CGroup: /system.slice/mysql_container.service
└─8906 /usr/bin/docker start -a mysql
● semaphore_container.service - Semaphore container
Loaded: loaded (/etc/systemd/system/semaphore_container.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2022-04-28 10:49:09 EDT; 49s ago
Main PID: 8957 (docker)
Tasks: 6 (limit: 23682)
Memory: 19.4M
CGroup: /system.slice/semaphore_container.service
└─8957 /usr/bin/docker start -a semaphore现在,您可以使用Semaphore Ansible Web UI 轻松部署应用程序/服务。
