teamcity-docker-agent
Generating Self-Signed Certificates for TeamCity Agent & Connection to TeamCity Server in Docker
We are evaluating Teamcity for an Enterprise solution.
What I am trying to achieve:

:white_check_mark: Create and host TeamCity Server
:white_check_mark: It is working with SSL and is reachable from outside the home network
:white_check_mark: Install Agent 1 and check the connection with the TeamCity server
✗ Agent SSL handshake with TeamCity Server
- I don't know how to set up an agent to talk to the TeamCity server using SSL. I tried this link, but it is for a standalone installation, not for the Docker image.
- Agent and TeamCity server are hosted in the same WSL Docker environment.
- Tried this link, but it is not clear in terms of Docker.
- #41: I tried to follow this issue but didn't get it working.
My Docker Compose:

version: '3.3'
networks:
  teamcity:
    driver: bridge
services:
  nginx-proxy:
    container_name: nginx-proxy
    image: jwilder/nginx-proxy
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /usr/share/nginx/html
      - ./teamcity/nginx/certs:/etc/nginx/certs:ro
      - ./teamcity/nginx/vhost:/etc/nginx/vhost.d
    environment:
      - DEFAULT_HOST=teamcity.mydomain.com
    networks:
      - teamcity
  nginx-letsencrypt:
    container_name: nginx-letsencrypt
    image: jrcs/letsencrypt-nginx-proxy-companion
    environment:
      - NGINX_PROXY_CONTAINER=nginx-proxy
    volumes:
      - ./teamcity/nginx/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    volumes_from:
      - "nginx-proxy"
    networks:
      - teamcity
  teamcity-server:
    container_name: teamcity-server-instance
    user: root
    volumes:
      - './teamcity/data:/data/teamcity_server/datadir'
      - './teamcity/logs/:/opt/teamcity/logs'
    ports:
      - '8111:8111'
    image: jetbrains/teamcity-server
    environment:
      - VIRTUAL_HOST=teamcity.mydomain.com
      - LETSENCRYPT_HOST=teamcity.mydomain.com
      - LETSENCRYPT_EMAIL=[email protected]   # address redacted in the original post
      - SERVER_URL=teamcity.mydomain.com
    depends_on:
      - postgres
    networks:
      - teamcity
  postgres:
    image: postgres:10
    volumes:
      - ./postgress/srv/postgresql/data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=******
      - POSTGRES_USER=*****
      - POSTGRES_DB=teamcity
    expose:
      - 5432
    ports:
      - "5432:5432"
    networks:
      - teamcity
  teamcity-agent-1:
    container_name: teamcity-agent-1
    user: root
    environment:
      - 'SERVER_URL=https://teamcity-server-instance:8111'
      - DOCKER_IN_DOCKER=start
    volumes:
      - ./agent1/conf:/data/teamcity_agent/conf
      - ./agent1/volumes:/var/lib/docker
    privileged: true
    depends_on:
      - teamcity-server   # must be the service name, not the container_name, or compose refuses to start
    links:
      - "teamcity-server"
    image: jetbrains/teamcity-agent
    networks:
      - teamcity
Error from Agent Log:
[2021-12-29 07:09:19,354] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamcity.mydomain.com/app/agents/protocols. Will try later: java.net.ConnectException: Connection refused (Connection refused) (enable debug to see stacktrace)
[2021-12-29 07:09:19,354] WARN - buildServer.AGENT.registration - Error registering on the server via URL https://teamcity.mydomain.com. Will continue repeating connection attempts.
What I am missing
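Before touching certificates it is worth reading the agent log for the layer that failed: the two WARN lines above end in java.net.ConnectException: Connection refused, which is a TCP-level failure (nothing answered on that host and port), not a TLS trust failure such as a PKIX or hostname error. The script below is an added example, not code from this thread or from JetBrains: it sorts agent registration warnings by failure layer and checks the dialed URL against the stock image layout (the jetbrains/teamcity-server container serves plain HTTP on 8111; TLS normally terminates at the reverse proxy on 443). The first two sample lines are copied from the post; the other two are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from JetBrains): triage TeamCity agent
# registration WARN lines so you fix reachability and trust problems separately.
set -eu

# classify_agent_error LINE
# Prints one of: tcp-connect | dns | tls-trust | tls-hostname | tls-other | other
# Order matters: a PKIX line also contains "SSLHandshakeException", so the more
# specific patterns come first.
classify_agent_error() {
  case "$1" in
    *ConnectException*|*"Connection refused"*|*"Connection timed out"*)          echo tcp-connect ;;
    *UnknownHostException*)                                                      echo dns ;;
    *"PKIX path building failed"*|*"unable to find valid certification path"*)   echo tls-trust ;;
    *"No subject alternative"*|*"No name matching"*)                             echo tls-hostname ;;
    *SSLHandshakeException*|*SSLException*)                                      echo tls-other ;;
    *)                                                                           echo other ;;
  esac
}

# dialed_url LINE -> the URL the agent tried (text after "via URL ", trailing
# period stripped), or nothing if the line has no URL
dialed_url() {
  printf '%s\n' "$1" | sed -n 's/.*via URL \([^ ]*\)\. .*/\1/p'
}

# url_hint URL -> one-line sanity check of scheme and port
url_hint() {
  case "$1" in
    https://*:8111*) echo "https to :8111 - the server container speaks plain HTTP on 8111; TLS normally terminates at the reverse proxy on 443" ;;
    https://*)       echo "https - the agent JVM must trust the server certificate (truststore via TEAMCITY_AGENT_OPTS)" ;;
    http://*)        echo "http - no TLS on this hop" ;;
    *)               echo "unrecognised URL" ;;
  esac
}

# triage_log FILE -> "category count" lines for every WARN line, most frequent first
triage_log() {
  while IFS= read -r line; do
    case "$line" in *WARN*) classify_agent_error "$line" ;; esac
  done < "$1" | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Constructed sample log: lines 1-2 copied from the post, lines 3-4 invented to
# show what trust and hostname failures look like.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2021-12-29 07:09:19,354] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamcity.mydomain.com/app/agents/protocols. Will try later: java.net.ConnectException: Connection refused (Connection refused) (enable debug to see stacktrace)
[2021-12-29 07:09:19,354] WARN - buildServer.AGENT.registration - Error registering on the server via URL https://teamcity.mydomain.com. Will continue repeating connection attempts.
[2021-12-29 07:10:05,001] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamcity-server-instance:8111/app/agents/protocols. Will try later: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (constructed sample)
[2021-12-29 07:10:05,002] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamcity-server-instance:8111/app/agents/protocols. Will try later: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching teamcity-server-instance found. (constructed sample)
EOF

if [ "${1:-}" = "demo" ]; then
  triage_log "$SAMPLE_LOG"
  while IFS= read -r line; do
    u=$(dialed_url "$line")
    [ -n "$u" ] && echo "$u -> $(url_hint "$u")"
  done < "$SAMPLE_LOG" | sort -u
fi
```

Run it as `bash triage.sh demo` against your own agent log by pointing triage_log at teamcity-agent.log instead of the sample. A tcp-connect result means the agent cannot reach the port at all (wrong host, wrong port, proxy not listening on the container network); only tls-trust and tls-hostname call for the truststore work discussed below.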
Old, but I just ran into the same problem. This is applicable to the jetbrains/teamcity-agent:2021.1.2-linux-sudo image. I was able to fix it as follows:

Firstly, you need to grab agent.sh from /opt/buildagent/bin/agent.sh from the Dockerfile, as you will need to make two edits.

Changes to agent.sh:

TEAMCITY_AGENT_OPTS_ACTUAL="$TEAMCITY_AGENT_OPTS -ea $TEAMCITY_AGENT_MEM_OPTS_ACTUAL -Dteamcity_logs=$LOG_DIR/ -Djavax.net.ssl.keyStore=/opt/java/openjdk/jre/lib/security/cacerts -Djavax.net.ssl.trustStore=/opt/java/openjdk/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit"

And within the start|run) function of agent.sh:

keytool -importcert -noprompt -alias mycert -file /data/teamcity_agent/conf/trustedCertificates/mycert.crt \
    -keystore /opt/java/openjdk/jre/lib/security/cacerts -storepass changeit

Finally, copy the cert and the updated agent.sh file in the Dockerfile:

RUN mkdir -p /data/teamcity_agent/conf/trustedCertificates
COPY certs/mycert /data/teamcity_agent/conf/trustedCertificates/mycert.crt
COPY agent.sh /opt/buildagent/bin/agent.sh
You don't have to patch the Dockerfile or rebuild the image: a correct combination of environment variables ($TEAMCITY_AGENT_OPTS) and mounted keystores (/data/teamcity_agent/conf/trustedCertificates) works just fine:

# First, import your certificate into a keystore file (mind the keystore type; the default/implicit one failed in my tests)
keytool -importcert -alias my_cert -file ~/my_cert.pem -deststoretype jks \
    -keystore /etc/teamcity_agent/conf/trustedCertificates/my_keystore.jks -storepass changeit

# Now, run the agent
sudo docker run \
    -e 'TEAMCITY_AGENT_OPTS=-Djavax.net.ssl.keyStore=/data/teamcity_agent/conf/trustedCertificates/my_keystore.jks -Djavax.net.ssl.trustStore=/data/teamcity_agent/conf/trustedCertificates/my_keystore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit' \
    -e SERVER_URL="https://teamcity.internal.your-org.com" \
    -v /etc/teamcity_agent/conf/:/data/teamcity_agent/conf \
    --name TeamcityAgent -u 0 --privileged -e DOCKER_IN_DOCKER=start \
    jetbrains/teamcity-agent:2021.1.1-linux-sudo

(I had to run Docker-in-Docker, hence this specific image and the additional options.)

What I also tried, but unsuccessfully:

- (contrary to the official documentation) just putting PEM and/or JKS files into /data/teamcity_agent/conf/trustedCertificates without adding the $TEAMCITY_AGENT_OPTS environment variable: the certificates and keystores seem to be ignored, and the agent throws errors about failing the certificate validation;
- using keytool without specifying the keystore format: Java threw an error about a wrong file format.

Hope this helps.
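Both answers above assume you already hold a certificate the agent should trust and a keystore to put it in. The script below is an added example, not code from this thread or from JetBrains, that produces those two pieces end to end: a self-signed server certificate whose SAN lists every host name an agent might put in SERVER_URL (agents inside the compose network dial the server by container name while the outside world uses the public name, and the JVM checks the dialed host against the SAN list, not just the CN), a JKS truststore built from it, and the matching TEAMCITY_AGENT_OPTS value. It assumes openssl 1.1.1 or newer (for -addext) and, for the truststore step, a JDK keytool on PATH; the host names, alias, and container paths are illustrative. Only the trustStore properties are set, which is all one-way TLS needs; the keyStore properties in the answers above matter only for client certificates.

```shell
#!/usr/bin/env bash
# Added example (not code from this thread or from JetBrains): mint a self-signed
# server certificate whose SAN covers every name the agent might use, import it
# into a JKS truststore, and print the matching TEAMCITY_AGENT_OPTS.
# Assumes openssl >= 1.1.1 and, for build_truststore, a JDK keytool on PATH.
# Host names, alias, and container paths below are illustrative.
set -eu

# gen_server_cert OUTDIR PRIMARY_HOST [EXTRA_HOST...]
# Writes OUTDIR/server.key and OUTDIR/server.crt. The JVM hostname check matches
# the dialed host against the SAN list, so every name agents will use goes in.
gen_server_cert() {
  outdir=$1; primary=$2; shift 2
  san="DNS:$primary"
  for h in "$@"; do san="$san,DNS:$h"; done
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    -subj "/CN=$primary" \
    -addext "subjectAltName=$san" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  # The private key belongs to the TLS terminator (nginx); agents only need the cert.
  chmod 600 "$outdir/server.key"
}

# cert_has_san CERT HOST -> exit 0 iff HOST appears as a DNS SAN in CERT
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | grep -qx "DNS:$2"
}

# build_truststore CERT ALIAS JKS PASSWORD
# Creates JKS (replacing any old one) holding CERT as a trusted entry and prints
# its "keytool -list" line. JKS is requested explicitly with -storetype; JDK 9+
# still reads JKS files when its default store type is PKCS12.
build_truststore() {
  cert=$1; alias=$2; jks=$3; pass=$4
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found: install a JDK to build the truststore" >&2
    return 2
  fi
  rm -f "$jks"
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
    -storetype jks -keystore "$jks" -storepass "$pass" >/dev/null 2>&1
  keytool -list -keystore "$jks" -storepass "$pass" 2>/dev/null | grep -i "^$alias,"
}

# agent_opts JKS_PATH_IN_CONTAINER PASSWORD -> value for TEAMCITY_AGENT_OPTS
# One-way TLS needs only the trustStore properties; keyStore is for client certs.
agent_opts() {
  printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  gen_server_cert "$work" teamcity.mydomain.com teamcity-server-instance
  cert_has_san "$work/server.crt" teamcity-server-instance && echo "SAN covers teamcity-server-instance"
  build_truststore "$work/server.crt" teamcity "$work/truststore.jks" changeit || true
  echo "Mount $work/truststore.jks at /data/teamcity_agent/conf/trustedCertificates/truststore.jks and start the agent with:"
  echo "  -e 'TEAMCITY_AGENT_OPTS=$(agent_opts /data/teamcity_agent/conf/trustedCertificates/truststore.jks changeit)'"
fi
```

Give server.crt and server.key to the TLS terminator (here the nginx-proxy certs directory) and mount only truststore.jks into the agent. Because the truststore is a separate file rather than the JDK's cacerts, it survives image upgrades, and the agent still trusts public CAs for everything else through the default cacerts.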