Black and white still image of C3PO

How to Setup a Secure Docker Drone Runner with Drone CI

BeeYoop BeeDeepBoom Weeop DEEpaEEya

BeeYoop BeeDeepBoom Weeop DEEpaEEya

In general, this article describes how to setup SSL with a Drone Runner. This is part II of a part I series. If you would like to learn how-to setup the Drone Server, please visit: Setup Drone CI Server.

This part II creates a pipeline runner with a Docker machine; what that means is, like GitHub Actions, but with Drone super powers. The configuration file is stored as .drone.yml in the root of your site directory and drone server uses that application yml file to do a series of commands or actions within the virtual docker machine.

This is empowering because you can automate a fresh build every time. Also, you create a drone trigger for when you push to a branch master as an example. Here is the configuration of all the possible things you can do. Docker Pipelines Overview

Note 1: If you see a [name-goes-here], I am linking to the references I shared below. Note 2: If you want to use Docker Engine without sudo, follow this url: Linux Docker Post-Install

Requirements

  • Basic Linux CLI knowledge
  • A hardened remote SSH server see Linux VPS hardening
  • A running Gitea server: Git with a cup of tea
  • Docker Engine
  • a basic understanding of how to use Docker Engine
  • basic Nginx, Gitea and Certbot/Let’s Encrypt experience
  • openssl
  • a running drone ci server see part I

Let’s Begin!

Pull docker image from dockerhub

docker pull drone/drone-runner-docker:1

Make public access to repo in drone GUI

For testing, I made sure the repo was publicly available.

Screenshot Drone UI

Launch a Secure Docker Drone Runner

For the DRONE_RPC_SECRET use the same ssl secret we created in Part I. See Configuration for a complete list of configuration options.

Please see the reference to understand what this docker config is doing. That is important for you to do yourself.

docker run --detach \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --env=DRONE_RPC_PROTO=https \
  --env=DRONE_RPC_HOST=drone.example.com \
  --env=DRONE_RPC_SECRET=bea26a2221fd8090ea38720fc445eca6 \
  --env=DRONE_RUNNER_CAPACITY=2 \
  --env=DRONE_RUNNER_NAME=st-runner \
  --env=DRONE_UI_USERNAME=youruserhere \
  --env=DRONE_UI_PASSWORD=yourpasshere \
  --env=DRONE_DEBUG=true \
  --env=DRONE_TRACE=true \
  --publish=3000:3000 \
  --restart=always \
  --name=st-drone-runner \
  drone/drone-runner-docker:1

A Pipeline Config Example

An example of a custom pipeline I have created. I ain’t going to explain this to you in detail; I expect you to determine your own pipeline and this is only for a reference point. Essentially, what you will be doing is launching your own virtual machine for your specific use case scenario.

In this example, on drone.example.com, I have created a secret pass that needs to be passed to the virtual machine so I can package the build aka _site only, then auto push to www_data branch on my git server. Furthermore, I rsync this data through an ssh tunnel to a Gitea Pages server that serves the WWW or edge data.

Note: 3: The example configuration is a .drone.yml file stored in the root of your site project.

---
kind: pipeline
type: docker
name: build

workspace:
  path: /drone/src

platform:
  os: linux
  arch: amd64

trigger:
  branch:
  - master

steps:
- name: build-website
  image: ruby:latest
  environment:
    SSH_USER:
      from_secret: ssh_user
    SSH_HOST:
      from_secret: ssh_host
    NO_HOSTKEY:
      from_secret: no_hostkey
  privileged: false
  volumes:
    - name: jekyll
      path: /srv/jekyll

  commands:
    # general vm information for debugging
    - whoami
    - pwd
    - gem environment

Verify

docker logs st-drone-runner

INFO[0000] starting the server
INFO[0000] successfully pinged the remote server

Stop & Start Container

sudo docker container stop st-drone-ssl
sudo docker container start st-drone-ssl

References

Support

If you have any questions, concerns, want to say hi, please join the following channel: SharpeTronics Discord Support Channel Eventually, I plan on having a commenting system on here..

Want to buy me a coffee?

Recently, I have had many folk as about how to send me a donation. If you want to give back andor support my efforts, I have shared various ways to donate. Thank You!

Charles SharpeCharles