This repo provides a guide to installing a basic Continuous Integration infrastructure on a Synology NAS.
Here is a schema of the architecture:
Everything runs on the NAS itself. The firewall, DNS server and reverse proxy are built into DSM 6. The other components come from the official Docker Hub.
A brief introduction:
- Gogs: a self-hosted Git service.
- Nexus: an artifact repository for Java, JavaScript, Docker, C#, Python or Ruby packages.
- Jenkins: an automation server used to run the CI jobs.
- Portainer: a UI to manage the Docker environment.
This has only been tested on a Synology DS716+ upgraded to 8GB of RAM (if you want to upgrade yours as well, this Kingston 8GB DDR3L 1600MHz KVR16LS11/8 module works). In theory it should work on any other x86 Synology NAS with at least 4GB of RAM.
- First, go check this page to add extra security to your NAS.
- Enable the SSH service of the NAS by following this page.
- Install Git Server and Docker from the DSM Package Center.
- Optional: copy the `.bashrc` located in `synologyMachine/config` of the project into `/volume1/homes/<userName>` and `/root` on your NAS.
When Docker is installed, two directories are created on the NAS:
- `/volume1/docker`
- `/volume1/@docker`
From what I understood, `/volume1/@docker` contains all the data generated by Docker, i.e. the images, the containers, the volumes and other things. The other directory, `/volume1/docker`, contains a directory called "docker_registry" but we won't use it. The interesting part is that `/volume1/docker` is a shared folder and therefore can easily be encrypted directly in the DSM UI.
All the Docker containers we will run have a data volume attached to them. This data volume is not lost when the container is stopped or removed. By default, Docker volumes are created in `/volume1/@docker/volumes`. We have to change that and put the volumes directory in the `/volume1/docker` folder. Connect to your NAS with SSH and type the following commands:
```bash
# Switch to root user
sudo su
# Move the old folder to the new place
mv /volume1/@docker/volumes /volume1/docker/volumes
# Create a symbolic link to keep the same structure as before.
ln -s /volume1/docker/volumes /volume1/@docker/volumes
```
- In your DSM => Control Panel => Shared Folder, click on the "docker" folder, then Edit => "Encrypt this shared folder".
- Do the same with the "homes" folder. Your valuable data won't be accessible if the NAS is shut down. Limitation: when you restart the NAS, you first need to mount the docker folder manually in the Control Panel before launching the Docker service in the Package Center.
Connect to your NAS with SSH and type the following commands:
```bash
# In your home folder clone this project
git clone [email protected]:Winbee/SynoCI.git
# Switch to root user
sudo su
# Go inside the project
cd /volume1/homes/<userName>/SynoCI/synologyMachine/CI
# Launch the docker containers
docker-compose up -d
# Watch the logs to check that everything is launching properly
docker-compose logs -f
```
- On your local machine, try to connect to Portainer at this address: http://<IP_OF_YOUR_NAS>:18050
- Choose to connect to the local Docker
- You should see all your containers
- Install the DNS Server from the Package Center
- Open the DNS Server in the DSM
- In the resolution panel:
- Configure your router to use the IP of the NAS as its DNS
- You should still be able to access the internet normally
- Open the DNS Server in the DSM again
- Create a master zone:
  - Domain type: Forward Zone
  - Domain name: mydomain.com
  - Master DNS server: IP of your NAS
- Double-click on the newly created zone and create an "A type" resource record for every address you need. You should end up with a table resembling this:

| Name | TTL | Type | Information |
|---|---|---|---|
| gogs.mydomain.com. | 86400 | A | <IP_OF_YOUR_NAS> |
| docker-hosted.mydomain.com. | 86400 | A | <IP_OF_YOUR_NAS> |
| docker-all.mydomain.com. | 86400 | A | <IP_OF_YOUR_NAS> |
| jenkins.mydomain.com. | 86400 | A | <IP_OF_YOUR_NAS> |
| nexus.mydomain.com. | 86400 | A | <IP_OF_YOUR_NAS> |
| mydomain.com. | 86400 | NS | ns.mydomain.com. |
| ns.mydomain.com. | 86400 | A | <IP_OF_YOUR_NAS> |
Limitation: For some reason, I couldn't make Portainer work with a specific name like portainer.mydomain.com. You have to access it directly with the IP.
- Go to your DSM => Control Panel => Application Portal => Reverse Proxy
- Create an entry for each address you need. For http the port should be 80, for https the port should be 443. At the end, you should have a table resembling this:

| Description | Source | Destination |
|---|---|---|
| gogs | http://gogs.mydomain.com | http://localhost:18061 |
| gogs https | https://gogs.mydomain.com | http://localhost:18061 |
| jenkins | https://jenkins.mydomain.com | http://localhost:8082 |
| jenkins https | https://jenkins.mydomain.com | http://localhost:8082 |
| nexus | https://nexus.mydomain.com | http://localhost:8081 |
| nexus https | https://nexus.mydomain.com | http://localhost:8081 |
| nexus docker group | https://docker-hosted.mydomain.com | http://localhost:18044 |
| nexus docker hosted | https://docker-all.mydomain.com | http://localhost:18045 |
- Go to your DSM => Control Panel => Security => Certificate
- Click on Add => Add a new certificate => Create a self-signed certificate
- Fill in all the fields. Do not forget the "Subject Alternative Name" field: it must contain every domain you want to access, so: gogs.mydomain.com;docker-hosted.mydomain.com;docker-all.mydomain.com;jenkins.mydomain.com;nexus.mydomain.com
- As it is a self-signed certificate, the root certificate of its certificate authority is unknown to your clients. You will have to add this authority on your local computer to get https access to your sites.
- Export the certificate to your local computer
- In the zip file, you should find a file named "syno-ca-cert.pem". This is the one you need to add to all the tools on your local machine for them to work.
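An added consistency check (not part of the SynoCI project) over the DNS, reverse-proxy and certificate tables above: every reverse-proxy hostname needs an A record, and every https hostname must appear in the SAN list, otherwise browsers and the Docker client reject the certificate for that host. The sample data is constructed from the README's values plus a `portainer.mydomain.com` entry to show what a miss looks like.

```python
from typing import Dict, List, Set

# Constructed sample inputs mirroring the README's tables (placeholders kept as-is).
DNS_RECORDS = """\
gogs.mydomain.com. 86400 A <IP_OF_YOUR_NAS>
docker-hosted.mydomain.com. 86400 A <IP_OF_YOUR_NAS>
docker-all.mydomain.com. 86400 A <IP_OF_YOUR_NAS>
jenkins.mydomain.com. 86400 A <IP_OF_YOUR_NAS>
nexus.mydomain.com. 86400 A <IP_OF_YOUR_NAS>
mydomain.com. 86400 NS ns.mydomain.com.
ns.mydomain.com. 86400 A <IP_OF_YOUR_NAS>
"""

# Reverse-proxy "Source" column; the portainer entry is constructed to show a miss.
PROXY_SOURCES = [
    "http://gogs.mydomain.com", "https://gogs.mydomain.com",
    "https://jenkins.mydomain.com", "https://nexus.mydomain.com",
    "https://docker-hosted.mydomain.com", "https://docker-all.mydomain.com",
    "https://portainer.mydomain.com",
]

# DSM's "Subject Alternative Name" field is semicolon separated.
SAN_FIELD = ("gogs.mydomain.com;docker-hosted.mydomain.com;docker-all.mydomain.com;"
             "jenkins.mydomain.com;nexus.mydomain.com")

def a_record_names(zone_text: str) -> Set[str]:
    """Hostnames (trailing dot removed) that have an A record in the zone."""
    names = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "A":
            names.add(parts[0].rstrip("."))
    return names

def san_names(san_field: str) -> Set[str]:
    return {s.strip() for s in san_field.split(";") if s.strip()}

def check_proxy_sources(sources: List[str], zone_text: str, san_field: str) -> Dict[str, List[str]]:
    """Hosts without an A record, and https hosts the certificate does not cover."""
    a_names, sans = a_record_names(zone_text), san_names(san_field)
    report: Dict[str, List[str]] = {"no_a_record": [], "not_in_san": []}
    for src in sources:
        scheme, host = src.split("://", 1)
        if host not in a_names:
            report["no_a_record"].append(host)
        if scheme == "https" and host not in sans:
            report["not_in_san"].append(host)
    return report
```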
To create a Docker registry in Nexus, each registry you want to reach needs its own port. I've created 3 docker repositories:
- docker-hosted: responsible for hosting all my private images
- docker-proxy: responsible for proxying Docker Hub (this one doesn't need its own port as it is served through docker-all)
- docker-all: responsible for distributing the artifacts stored in the docker-hosted and docker-proxy repos.
The official documentation should be enough for the rest.
Nexus is able to provide a Docker registry. Once you've configured it, extra steps are needed before it can be used: the Docker client always talks https with TLS. If you created a self-signed certificate as explained in the Certificate part of this README, you have to configure your client computer to tell Docker that this is an insecure registry.
If you want to access the registry from the NAS itself, edit the file `/var/packages/Docker/etc/dockerd.json` and add the `insecure-registries` property:
```bash
vim /var/packages/Docker/etc/dockerd.json
```
```json
{
  "ipv6": true,
  "insecure-registries": ["docker-all.mydomain.com", "docker-hosted.mydomain.com"]
}
```
Once it is saved, go back to your DSM => Package Center => Docker and restart the service. You should now be able to pull from and push to the Nexus registry.
Depending on the platform you're using, there are different ways to solve the problem. This [stackoverflow answer](http://stackoverflow.com/questions/26710153/remote-access-to-a-private-docker-registry) can help you.
On Linux Mint, I could make it work by changing this file:
```bash
sudo vim /etc/docker/daemon.json
```
```json
{
  "hosts": ["fd://"],
  "insecure-registries": ["docker-all.mydomain.com", "docker-hosted.mydomain.com"]
}
```
and this file:
```bash
sudo vim /lib/systemd/system/docker.service
```
```ini
ExecStart=/usr/bin/dockerd
#ExecStart=/usr/bin/dockerd -H fd://
```
and by restarting the service:
```bash
sudo systemctl stop docker
sudo systemctl daemon-reload
systemctl start docker
```
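As an added helper (not part of the SynoCI project), a Python script to run on your workstation that merges the registry names into an existing `dockerd.json` or `daemon.json` without losing keys such as `"ipv6"`, and that flags the `hosts` flag-versus-file conflict the docker.service edit above works around. The file contents and `ExecStart` lines are constructed samples.

```python
import json
import re
from typing import Iterable, List

# Constructed samples: the NAS dockerd.json from above with one registry already
# present, and the two ExecStart variants from the Linux Mint docker.service edit.
DOCKERD_JSON = '{\n  "ipv6": true,\n  "insecure-registries": ["docker-all.mydomain.com"]\n}\n'
REGISTRIES = ["docker-all.mydomain.com", "docker-hosted.mydomain.com"]
EXEC_START_OLD = "ExecStart=/usr/bin/dockerd -H fd://"
EXEC_START_NEW = "ExecStart=/usr/bin/dockerd"


def add_insecure_registries(config_text: str, registries: Iterable[str]) -> str:
    """Merge names into "insecure-registries" without dropping other keys (e.g.
    "ipv6") or duplicating entries; returns the new JSON text. A hand edit that
    leaves invalid JSON keeps dockerd from starting, so always re-parse."""
    cfg = json.loads(config_text) if config_text.strip() else {}
    current: List[str] = list(cfg.get("insecure-registries", []))
    for reg in registries:
        if reg not in current:
            current.append(reg)
    cfg["insecure-registries"] = current
    return json.dumps(cfg, indent=2) + "\n"


def hosts_conflict(config_text: str, exec_start: str) -> bool:
    """True when daemon.json sets "hosts" while the systemd ExecStart still passes
    -H/--host: dockerd refuses to start when the same option comes from both the
    flag and the file, which is why the README removes "-H fd://" from the unit."""
    cfg = json.loads(config_text)
    return "hosts" in cfg and bool(re.search(r"(^|\s)(-H|--host)(=|\s)", exec_start))


if __name__ == "__main__":
    print(add_insecure_registries(DOCKERD_JSON, REGISTRIES))
    print("conflict:", hosts_conflict('{"hosts": ["fd://"]}', EXEC_START_OLD))
```

Keep in mind that `insecure-registries` turns off certificate verification for those hosts and allows a plain-http fallback. On a Linux client, placing syno-ca-cert.pem at `/etc/docker/certs.d/<registry>/ca.crt` lets Docker verify the self-signed certificate instead.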
I didn't encounter any particular problem. The official doc should be enough to start.
If you are paranoid about losing your git repo on your NAS, you can easily duplicate it by adding multiple remote locations in the git config. See this stackoverflow answer for more details.
I didn't encounter any particular problem. The official doc should be enough to start.
I couldn't access Portainer through a domain name. I had to type the IP of my NAS. Another important thing: when Portainer starts for the first time, select the local Docker option.
Don't forget to back up everything by following the recommendations of each product.