DC/OS is a distributed operating system. It integrates several open-source components to enable the management of multiple machines as if they were a single computer. DC/OS is built on the Apache Mesos distributed systems kernel and the Marathon container orchestration system. This procedure was tested on Mesosphere DC/OS 1.11.
To deploy Twistlock to a Kubernetes cluster running on DC/OS, see the Install Kubernetes guide.
Twistlock Console is deployed to a public slave node. Public slave nodes are accessible from outside the cluster. Because Console provides a management interface through a browser window, it must be accessible from outside the cluster.
Twistlock Defender is deployed on every private slave node. Slave nodes run your applications. Slave nodes reside on a private subnet, so they are not accessible from outside the cluster.
The following diagram shows the components in a DC/OS cluster, and where Twistlock gets deployed.
Use the twistlock.sh script to install Console onto a public agent in your cluster.
You have installed the DC/OS CLI tool.
Ports 8083 and 8084 on the public agent are open.
Console’s web interface and API are served on port 8083, and Defender communicates with Console on port 8084.
If you deploy DC/OS with the Terraform-based Universal Installer, add 8083 and 8084 to the public_agents_additional_ports input in your main.tf configuration file.
Go to Releases and copy the link to the current recommended release.
SSH to a public agent in your cluster.
$ dcos node ssh --master-proxy --mesos-id=<PUBLIC-AGENT>
Retrieve the Twistlock release tarball.
$ wget <LINK-TO-CURRENT-RECOMMENDED-RELEASE>
Unpack the Twistlock release tarball.
$ mkdir twistlock
$ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
Install Twistlock.
We recommend that you install both Console and Defender on the public agent. To simplify the installation of both components, use the onebox install target.
$ cd twistlock
$ sudo ./twistlock.sh -s onebox
Where:
  -s       Agree to the EULA.
  -z       (Optional) Emit additional debug messages. Use this option if an error occurs while running twistlock.sh.
  onebox   Install Console and Defender onto a single server.
Verify that Twistlock has been properly installed, and that it is running on your host:
$ sudo docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"
CONTAINER ID   STATUS         NAMES
764ecb72207e   Up 5 minutes   twistlock_defender
be5e385fea32   Up 5 minutes   twistlock_console
Open a browser window, and navigate to Console’s front page at https://<PUBLIC-AGENT>:8083.
Where <PUBLIC-AGENT> is the hostname or IP address of the public agent. To get the IP address for your public agent, run the following command:
$ for id in $(dcos node --json | \
    jq --raw-output \
    '.[] | select(.reserved_resources.slave_public != null) | .id'); \
  do dcos node ssh \
    --option StrictHostKeyChecking=no \
    --option LogLevel=quiet \
    --master-proxy \
    --mesos-id=$id "curl -s ifconfig.co" ; \
  done 2>/dev/null
This loop disables SSH host key verification for its connections (StrictHostKeyChecking=no) and asks the external ifconfig.co service for each public agent's externally visible address, which is the address you will use to reach Console.
Create your first admin user by entering a username and password.
Enter your license key.
After your license is validated, the dashboard is unlocked.
Go to Manage > Defenders > Names. Verify that the Subject Alternative Name (SAN) table contains the IP address for the public agent where Console runs. If not, click Add SAN, then enter the IP address.
Deploy Defender to all slave agents in your cluster. Use twistcli to generate the Defender app in JSON format, and then start it with the DC/OS CLI tool. By default, the Defender image is retrieved from Twistlock’s cloud registry.
You have deployed Console to a public agent in your cluster.
Download the Twistlock release to the host where you’ve installed the DC/OS CLI.
Go to Releases, and copy the link to the current recommended release.
Download the release tarball.
$ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE>
Unpack the release tarball.
$ mkdir twistlock
$ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
Generate the Defender app JSON using twistcli, where:
<PLATFORM> can be linux or osx.
<CONSOLE> is the IP address of the public agent where Console runs.
<TWISTLOCK_USER> is a Twistlock Console user with a role of Defender Manager or higher.
<NUMBER_OF_AGENTS> is the number of private agent nodes in your cluster.
The following command connects to Console’s API (specified in --address) as user <TWISTLOCK_USER> (specified in --user), and generates a Defender app in JSON format according to the configuration options passed to twistcli.
$ <PLATFORM>/twistcli defender export dcos \
    --address https://<CONSOLE>:8083 \
    --user <TWISTLOCK_USER> \
    --cluster-address <CONSOLE> \
    --agents <NUMBER_OF_AGENTS>
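To work out which node is the public agent (the same test the jq filter above applies to reserved_resources.slave_public) and how many private agents to pass to --agents, here is an added Python helper; it is not part of Twistlock or the DC/OS tooling. The node records are a constructed sample reduced to the id, hostname and reserved_resources fields, and the second function assembles the twistcli command line exactly as shown above.

```python
import json

# Constructed sample of `dcos node --json` output, reduced to the fields this
# helper reads (real output carries many more fields per node; this sample holds
# agent entries only). The selection rule, "reserved_resources.slave_public is
# present only on public agents", is the one the jq filter in this guide uses.
SAMPLE_NODES_JSON = json.dumps([
    {"id": "a1b2c3d4-0001-S0", "hostname": "10.0.6.10",
     "reserved_resources": {"slave_public": {"cpus": 4.0}}},
    {"id": "a1b2c3d4-0002-S1", "hostname": "10.0.0.11",
     "reserved_resources": {}},
    {"id": "a1b2c3d4-0003-S2", "hostname": "10.0.0.12",
     "reserved_resources": {}},
    {"id": "a1b2c3d4-0004-S3", "hostname": "10.0.0.13"},
])

def classify_agents(nodes_json):
    """Return (public agent IDs, number of private agents) from the node list.
    The private count is the value to pass to twistcli --agents."""
    public_ids = []
    private_count = 0
    for node in json.loads(nodes_json):
        reserved = node.get("reserved_resources") or {}
        if reserved.get("slave_public") is not None:
            public_ids.append(node["id"])
        else:
            private_count += 1
    return public_ids, private_count

def defender_export_args(platform, console, user, agents):
    """Build the `twistcli defender export dcos` command line from this guide
    as an argv list, with basic sanity checks on the inputs."""
    if platform not in ("linux", "osx"):
        raise ValueError("platform must be linux or osx")
    if agents < 1:
        raise ValueError("at least one private agent is required")
    return [
        f"{platform}/twistcli", "defender", "export", "dcos",
        "--address", f"https://{console}:8083",
        "--user", user,
        "--cluster-address", console,
        "--agents", str(agents),
    ]

if __name__ == "__main__":
    public, private = classify_agents(SAMPLE_NODES_JSON)
    print("public agents:", public, "private agents:", private)
    print(" ".join(defender_export_args("linux", "10.0.6.10", "admin", private)))
```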
Deploy the Defender app on your cluster using the dcos CLI tool.
Alternatively, you could deploy the Defender app using the DC/OS web interface, Marathon web interface, or Marathon REST API.
$ dcos marathon app add ./dcos.json
Verify that the Defender app is running.
$ dcos marathon app list