How to Setup a Secure Docker Drone Runner with Drone CI
BeeYoop BeeDeepBoom Weeop DEEpaEEya
In general, this article describes how to set up SSL with a Drone Runner. This is part II of a two-part series. If you would like to learn how to set up the Drone Server, please visit: Setup Drone CI Server.
This part II creates a pipeline runner with a Docker machine; what that means is, like GitHub Actions, but with Drone super powers. The configuration file is stored as
.drone.yml in the root of your site directory, and the Drone server uses that YAML file to run a series of commands or actions within the virtual Docker machine.
This is empowering because you can automate a fresh build every time. You can also create a Drone trigger that fires, for example, when you push to the master branch. Here is the configuration of all the possible things you can do: Docker Pipelines Overview
Note 1: If you see a [name-goes-here], I am linking to the references I shared below.
Note 2: If you want to use Docker Engine without sudo, follow this URL: Linux Docker Post-Install
- Basic Linux CLI knowledge
- A hardened remote SSH server (see Linux VPS hardening)
- A running Gitea server (see Git with a cup of tea)
- Docker Engine
- A basic understanding of how to use Docker Engine
- Basic Nginx, Gitea and Certbot/Let's Encrypt experience
- A running Drone CI server (see part I)
Pull the Docker image from Docker Hub

    docker pull drone/drone-runner-docker:1
Make the repo publicly accessible in the Drone GUI
For testing, I made sure the repo was publicly available.
Launch a Secure Docker Drone Runner
For DRONE_RPC_SECRET, use the same secret value we created in Part I; the runner must present the same secret the server was configured with. See Configuration for a complete list of configuration options.
Please see the reference to understand what this Docker config is doing. That is important for you to do yourself.

    docker run --detach \
      --volume=/var/run/docker.sock:/var/run/docker.sock \
      --env=DRONE_RPC_PROTO=https \
      --env=DRONE_RPC_HOST=drone.example.com \
      --env=DRONE_RPC_SECRET=bea26a2221fd8090ea38720fc445eca6 \
      --env=DRONE_RUNNER_CAPACITY=2 \
      --env=DRONE_RUNNER_NAME=st-runner \
      --env=DRONE_UI_USERNAME=youruserhere \
      --env=DRONE_UI_PASSWORD=yourpasshere \
      --env=DRONE_DEBUG=true \
      --env=DRONE_TRACE=true \
      --publish=3000:3000 \
      --restart=always \
      --name=st-drone-runner \
      drone/drone-runner-docker:1
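As an added example (not part of the original post and not Drone's own tooling), here is a small wrapper that starts the same runner but feeds DRONE_RPC_SECRET and the DRONE_UI_* credentials from a root-owned env file via --env-file, refusing to start if that file is readable by others, so the secret stays out of shell history and ps output. The path /etc/drone/runner.env and the 32-hex-character secret format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: start the Drone Docker runner
# with its secrets read from a root-owned env file instead of inline --env
# flags, so DRONE_RPC_SECRET never appears in shell history or `ps` output.
# Assumed env file: /etc/drone/runner.env (mode 0600) holding
# DRONE_RPC_SECRET, DRONE_UI_USERNAME and DRONE_UI_PASSWORD.
set -eu

RUNNER_ENV_FILE="${RUNNER_ENV_FILE:-/etc/drone/runner.env}"

# Returns 0 when the env file is a regular file, readable by its owner only
# (mode 600 or 400), and holds a DRONE_RPC_SECRET of 32 hex characters,
# the format used in the docker run example above. Otherwise returns 1.
check_runner_env() {
  f="$1"
  [ -f "$f" ] || { echo "missing env file: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
  secret=$(sed -n 's/^DRONE_RPC_SECRET=//p' "$f")
  if ! printf '%s' "$secret" | grep -Eq '^[0-9a-f]{32}$'; then
    echo "DRONE_RPC_SECRET missing or not a 32-char hex string" >&2
    return 1
  fi
}

# Launches the runner only after the env file passes the check. Set DOCKER
# to another command (e.g. echo) to dry-run and inspect the argument list.
launch_runner() {
  f="$1"
  check_runner_env "$f" || return 1
  "${DOCKER:-docker}" run --detach \
    --volume=/var/run/docker.sock:/var/run/docker.sock \
    --env-file="$f" \
    --env=DRONE_RPC_PROTO=https \
    --env=DRONE_RPC_HOST=drone.example.com \
    --env=DRONE_RUNNER_CAPACITY=2 \
    --env=DRONE_RUNNER_NAME=st-runner \
    --publish=3000:3000 \
    --restart=always \
    --name=st-drone-runner \
    drone/drone-runner-docker:1
}

# Usage: sh run-runner.sh --launch   (no-op when the script is only sourced)
if [ "${1:-}" = "--launch" ]; then
  launch_runner "$RUNNER_ENV_FILE"
fi
```

Note that anyone who can reach the mounted Docker socket can still read the container's environment with docker inspect; this wrapper protects the host shell and process list, not the container itself.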
A Pipeline Config Example
An example of a custom pipeline I have created. I ain't going to explain this to you in detail; I expect you to determine your own pipeline, and this is only a reference point. Essentially, what you will be doing is launching your own virtual machine for your specific use case scenario.
In this example, on drone.example.com, I have created a secret pass that needs to be passed to the virtual machine so I can package the build (aka _site only), then auto-push it to the www_data branch on my git server. Furthermore, I rsync this data through an SSH tunnel to a Gitea Pages server that serves the WWW or edge data.
Note 3: The example configuration is a .drone.yml file stored in the root of your site project.

    ---
    kind: pipeline
    type: docker
    name: build

    workspace:
      path: /drone/src

    platform:
      os: linux
      arch: amd64

    # only run this pipeline for pushes to master
    trigger:
      branch:
        - master

    steps:
      - name: build-website
        image: ruby:latest
        # values are pulled from Drone secrets, never written in the file
        environment:
          SSH_USER:
            from_secret: ssh_user
          SSH_HOST:
            from_secret: ssh_host
          NO_HOSTKEY:
            from_secret: no_hostkey
        privileged: false
        # a named volume referenced here must also be declared in a
        # pipeline-level volumes: section (omitted in this excerpt)
        volumes:
          - name: jekyll
            path: /srv/jekyll
        commands:
          # general vm information for debugging
          - whoami
          - pwd
          - gem environment

Check Runner Logs

    docker logs st-drone-runner
    INFO starting the server
    INFO successfully pinged the remote server
Stop & Start Container
    sudo docker container stop st-drone-ssl
    sudo docker container start st-drone-ssl
- Drone Runner Configuration
- Drone Runner Docker Installation
- Docker Pipelines Overview
- Unsplash - Nice M Nshuti
If you have any questions or concerns, or want to say hi, please join the following channel: SharpeTronics Discord Support Channel. Eventually, I plan on having a commenting system on here.
Want to buy me a coffee?
Recently, I have had many folks ask about how to send me a donation. If you want to give back and/or support my efforts, I have shared various ways to donate. Thank you!