Your suggested change has been received. Thank you.


Suggest A Change….


Docker Integrations

Apache Mesos Integration


Apache Mesos Integration

Apache Mesos Integration

Apache Mesos makes it easier to develop and manage fault-tolerant and scalable distributed applications. Mesos is a cluster manager aiming for improved resource utilization by dynamically sharing resources among multiple frameworks. This section demonstrates configuring Apache Mesos to use a Luna Cloud HSM Service.

This integration assumes that an Apache Mesos configuration with an active Master (elected using ZooKeeper) and at least one Slave.


Before proceeding with the integration complete the following:

Provision Luna Cloud HSM service

Create a Luna Cloud HSM service in DPoD and transfer the Luna Cloud HSM service client to your host machine. Do not initialize the service. This step is included as part of the integration process.

Download and install Docker

You need to download and install Docker to use the Docker command line interface (CLI) to complete the integration. Visit the Docker documentation portal for detailed instructions and procedures for installing Docker on your system.

Setup Java Development Kit (JDK)

The example procedure at the end of the Docker Container Integration Guide uses the Java Development Kit (JDK) to demonstrate the Luna Cloud HSM service's functionality within a Docker Container. If you would like to complete this integration guide fully, install the Java Development Kit inside of the Docker Container.

We recommend you familiarize yourself with the Java Development Kit documentation before beginning the integration.


Integrate your Luna Cloud HSM Service with Apache Mesos.

Creating the DPoD Docker Image

To use a Luna Cloud HSM Service with OpenShift Origin you create and run the DPoD Docker Image. Create the Docker file and extract the Luna Cloud HSM Service inside of the Docker container.

Unzip the downloaded client package and store the files in a directory named /clientfiles excluding certificates and configuration file which have server and client information.

Store the certificates and configuration file in separate directory named /secrets.

Create the file Dockerfile in the current working directory and add the following:

FROM centos:centos7
RUN yum -y install unzip
RUN mkdir -p /usr/local/dpod
COPY clientfiles /usr/local/dpod
ENV ChrystokiConfigurationPath=/usr/local/dpod/secrets
CMD ["sh", "-c", "tail -f /dev/null"]
#End of the Dockerfile

Build the Docker Image using the Dockerfile.

docker build . -t DPoD-image

Verify the Docker Image was created.

docker images

Log in to Docker Registry. Provide the username and password for Docker Registry when prompted.

docker login

Tag the Luna Cloud HSM Service Client build using the following command. Replace the <username> with your Docker Registry username.

docker tag DPoD-image <username>/DPoD

Push the image to the docker hub.

docker push <username>/DPoD

Creating a Sample Application in Marathon

Create a sample application in Marathon to secure in the Docker Container. By default, Marathon runs on port 8080. Open the browser to public IP address and port 8080 to access the Marathon GUI.

Click Create Application on the console.

Enable the JSON Mode toggle on the New Application window.

Create the sample application app.json. Add the following to the sample application:

"id": "testapp",
"cmd": null,
"cpus": 1,
"mem": 128,
"disk": 1000,
"instances": 1,
"acceptedResourceRoles": [
"container": {
"type": "DOCKER",
"docker": {
"forcePullImage": false,
"image": "<username>/DPoD",
"parameters": [],
"privileged": false
"portDefinitions": [
"port": 10000,
"name": "default",
"protocol": "tcp"
"fetch": [
"uri": "file:///secrets/",
"extract": true,
"executable": false,
"cache": false

Click on Create Application.

The application generates under Apps.

Wait for the application to go from the Deploying to the Running state.

You can also deploy application on mesos slave by creating app.json on master and use the HTTP API to deploy the app on the Marathon ip-address. Execute the following command: curl -X POST http://<ip address>:8080/v2/apps -d @app.json -H "Content-type: application/json".

Switch to the Mesos console to see the active task running.

Starting an Interactive Session with the Running Docker Container

Deploy the Luna Cloud HSM Service to the Container application. Execute the following in the terminal of the Docker Container where you want to use the Luna Cloud HSM Service.

Obtain the running container id.

docker ps -a

Start the interactive session of a running container using the container id.

docker attach <container_id>

Copy the configuration file and certificate from /mnt/mesos/sandbox to the /usr/local/dpod directory.

Run LunaCM and verify the connection to the partition.


Initialize the application partition, to create the partition's Security Officer (SO), and set the initial password and cloning domain.

partition init -label <par_label>

Log in as Partition SO. You can also use the shortcut po.

role login -name Partition SO

Initialize the Crypto Officer role and set the initial password. You can also use the shortcut co.

role init -name Crypto Officer

The Partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. You must log out to allow the Crypto Officer to log in with the newly-set password.

role logout

Once the Crypto Officer logs in and changes the initial credential set by the Partition SO, applications using the CO's challenge secret/password can perform cryptographic operations in the partition. The Crypto Officer can create, modify and delete crypto objects within the partition, and use existing crypto objects (sign/verify). You can also create a limited-capability role called Crypto User that can use the objects created by the Crypto Officer, but cannot modify them. The separation of roles is important in some security regimes and operational situations, and where you might be required to satisfy audit criteria for industry or government oversight.

Log in as the Crypto Officer. You can also use the shortcut co.

role login -name Crypto Officer

The password for the Crypto Officer role is valid for the initial login only. You must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

If you have not already done so, change the initial password set by the Partition SO.

role changepw -name Crypto Officer

Create the Crypto User. You can also use the shortcut cu.

role init -name Crypto User

The Crypto User can now log in with the credentials provided by the Crypto Officer, and change the initial password. The Crypto User can now use applications to perform cryptographic operations using keys and objects created in the partition by the Crypto Officer.

You can scale up or down for the number of pods you want. To scale up or down use the following command:

oc scale dc mylunaapp --replicas=3
oc get pods
NAME                READY     STATUS    RESTARTS     AGE
mylunaapp-1-v6jh9   1/1       Running   0            5m
mylunaapp-1-qnt5r   1/1       Running   0            18s
mylunaapp-1-rtn4f   1/1       Running   0            18s

This completes the integration of Apache Mesos OpenShift Origin with a Luna Cloud HSM Service. To verify the integration with the Luna Cloud HSM Service, run any application in the Pod that uses the Luna Cloud HSM Service. See Using the Luna Cloud HSM Service inside Docker Container for an application demonstration inside of OpenShift Origin pod using the DPoD Luna Cloud HSM Service.