Apache Mesos Integration
Apache Mesos makes it easier to develop and manage fault-tolerant and scalable distributed applications. Mesos is a cluster manager aiming for improved resource utilization by dynamically sharing resources among multiple frameworks. This section demonstrates configuring Apache Mesos to use a Luna Cloud HSM Service.
This integration assumes an existing Apache Mesos cluster with an active Master (elected using ZooKeeper), at least one Slave, and Marathon running as a framework on the cluster.
Prerequisites
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM service
Create a Luna Cloud HSM service in DPoD and transfer the Luna Cloud HSM service client package to your host machine. Do not initialize the service partition; that step is performed inside the container as part of the integration procedure below.
Download and install Docker
You need to download and install Docker to use the Docker command line interface (CLI) to complete the integration. Visit the Docker documentation portal for detailed instructions and procedures for installing Docker on your system.
Setup Java Development Kit (JDK)
The example procedure at the end of the Docker Container Integration Guide uses the Java Development Kit (JDK) to demonstrate the Luna Cloud HSM service's functionality within a Docker Container. If you would like to complete this integration guide fully, install the Java Development Kit inside of the Docker Container.
We recommend you familiarize yourself with the Java Development Kit documentation before beginning the integration.
Integration
Integrate your Luna Cloud HSM Service with Apache Mesos.
Creating the DPoD Docker Image
To use a Luna Cloud HSM Service with Apache Mesos you create and push a DPoD Docker image and run it as a Marathon application. Create the Dockerfile and copy the Luna Cloud HSM Service client binaries into the image; the configuration file and certificates are kept out of the image and fetched into the task sandbox at run time.
Unzip the downloaded client package and store the files in a directory named /clientfiles, excluding the certificates and the configuration file (Chrystoki.conf), which carry the server and client identity information. Store the certificates and configuration file in a separate directory named /secrets and archive them as /secrets/secrets.zip on every Mesos Slave that may run the task; the Marathon application created below fetches this archive from the Slave's local filesystem. The client certificate and key authenticate your host to the HSM service, so make /secrets readable only by the account the Mesos Slave runs as, and never copy these files into the image: anyone able to pull the image from the registry would otherwise obtain them.
Create the file Dockerfile in the current working directory and add the following:
# Base image; the DPoD Linux client is delivered as a zip, so unzip is needed.
FROM centos:centos7
RUN yum -y install unzip
# Client binaries and libraries only; the configuration file and certificates
# are fetched into the task sandbox at run time, not baked into the image.
RUN mkdir -p /usr/local/dpod/secrets
COPY clientfiles /usr/local/dpod
# LunaCM and the PKCS#11 library look for Chrystoki.conf in this directory.
ENV ChrystokiConfigurationPath=/usr/local/dpod/secrets
# Keep the container alive so you can open a shell in it and run LunaCM.
CMD ["sh", "-c", "tail -f /dev/null"]
#End of the Dockerfile
Build the Docker image using the Dockerfile. Docker repository names must be lowercase, so a tag such as DPoD-image is rejected; use dpod-image.
docker build . -t dpod-image
Verify the Docker image was created.
docker images
Log in to your Docker registry (Docker Hub by default). Provide the username and password for the registry when prompted.
docker login
Tag the Luna Cloud HSM Service client build using the following command. Replace <username> with your Docker registry username; keep the repository name lowercase.
docker tag dpod-image <username>/dpod
Push the image to Docker Hub. The image contains only the client binaries, so it holds nothing that must be kept confidential.
docker push <username>/dpod
Creating a Sample Application in Marathon
Create a sample application in Marathon that runs the DPoD image as a Docker container. By default, Marathon listens on port 8080. Open a browser to the Marathon host's public IP address on port 8080 to access the Marathon GUI.
Click Create Application on the console.
Enable the JSON Mode toggle on the New Application window.
Create the sample application definition app.json. Add the following to the sample application, replacing <username> with your Docker registry username. The fetch entry points at the secrets.zip archive on the Slave's local filesystem; the Mesos fetcher extracts it into the task sandbox before the container starts. The container does not need privileged mode.
{
  "id": "testapp",
  "cmd": null,
  "cpus": 1,
  "mem": 128,
  "disk": 1000,
  "instances": 1,
  "acceptedResourceRoles": [
    "*"
  ],
  "container": {
    "type": "DOCKER",
    "docker": {
      "forcePullImage": false,
      "image": "<username>/dpod",
      "parameters": [],
      "privileged": false
    }
  },
  "portDefinitions": [
    {
      "port": 10000,
      "name": "default",
      "protocol": "tcp"
    }
  ],
  "fetch": [
    {
      "uri": "file:///secrets/secrets.zip",
      "extract": true,
      "executable": false,
      "cache": false
    }
  ]
}
Click on Create Application.
The application appears under Apps.
Wait for the application to go from the Deploying to the Running state.
You can also deploy the application from the command line by creating app.json on the master and posting it to the Marathon HTTP API. Replace <ip address> with the address of the Marathon host and execute the following:
curl -X POST http://<ip address>:8080/v2/apps -d @app.json -H "Content-type: application/json"
Switch to the Mesos console to see the active task running.
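The build, deploy and verify steps above, and the Marathon scaling call used later in this guide, are collected here as an added shell script. It is an example written for this page, not Thales or Marathon code. It assumes Marathon is reachable at MARATHON_URL without authentication, that the image has already been pushed as alice/dpod (a placeholder for your <username>/dpod), and that the app id is testapp; the Marathon response used in the comments is constructed. Before contacting Marathon it fails fast on the two mistakes most likely to break the deployment: an uppercase image reference, which Docker rejects, and a secrets URI that is not a local file, which would send the client key over the network.

```shell
#!/bin/sh
# deploy_dpod_marathon.sh: pre-flight checks, deployment and scaling of the DPoD
# client image on Marathon. Added example for this guide, not vendor code.
# Assumptions: MARATHON_URL is a reachable, unauthenticated Marathon endpoint;
# IMAGE has already been pushed; APP_ID is the id used in app.json above.
set -eu

MARATHON_URL="${MARATHON_URL:-http://127.0.0.1:8080}"   # assumed Marathon address
IMAGE="${IMAGE:-alice/dpod}"                             # assumed <username>/dpod
APP_ID="${APP_ID:-testapp}"
SECRETS_URI="${SECRETS_URI:-file:///secrets/secrets.zip}"

# Docker repository names must be lowercase; "<username>/DPoD" is rejected by
# docker build/tag/push and by the pull Marathon performs, so fail early.
check_image_ref() {
  case "$1" in
    *[A-Z]*) echo "image reference '$1' must be lowercase" >&2; return 1 ;;
    */*) return 0 ;;
    *) echo "image reference '$1' should be <username>/<repo>" >&2; return 1 ;;
  esac
}

# The archive holds the HSM client certificate and key. Only a file:// URI is
# resolved on the Slave's own filesystem; an http:// URI would fetch the
# credentials over the network, so refuse anything else.
check_secrets_uri() {
  case "$1" in
    file:///*.zip) return 0 ;;
    *) echo "secrets URI '$1' must be a local file:///...zip" >&2; return 1 ;;
  esac
}

# Render the Marathon app definition. privileged stays false: LunaCM and the
# DPoD client library need no extra capabilities.
render_app_json() {
  # $1 app id, $2 image, $3 instances, $4 secrets uri
  cat <<EOF
{
  "id": "$1",
  "cmd": null,
  "cpus": 1, "mem": 128, "disk": 1000,
  "instances": $3,
  "acceptedResourceRoles": ["*"],
  "container": {
    "type": "DOCKER",
    "docker": { "image": "$2", "forcePullImage": false, "privileged": false, "parameters": [] }
  },
  "portDefinitions": [ { "port": 10000, "name": "default", "protocol": "tcp" } ],
  "fetch": [ { "uri": "$4", "extract": true, "executable": false, "cache": false } ]
}
EOF
}

# Extract tasksRunning from a GET /v2/apps/<id> response without needing jq.
# Constructed sample: {"app":{"id":"/testapp","instances":1,"tasksRunning":1}} -> 1
tasks_running() {
  printf '%s' "$1" | sed -n 's/.*"tasksRunning": *\([0-9][0-9]*\).*/\1/p'
}

# POST the app (create) and poll until every requested instance is running.
deploy_and_wait() {
  # $1 instances
  render_app_json "$APP_ID" "$IMAGE" "$1" "$SECRETS_URI" \
    | curl -fsS -X POST "$MARATHON_URL/v2/apps" -H 'Content-Type: application/json' -d @-
  i=0
  while [ "$i" -lt 60 ]; do
    resp=$(curl -fsS "$MARATHON_URL/v2/apps/$APP_ID")
    [ "$(tasks_running "$resp")" = "$1" ] && return 0
    i=$((i + 1)); sleep 5
  done
  echo "timed out waiting for $1 running task(s)" >&2; return 1
}

# Scale an existing app: Marathon accepts a partial definition via PUT.
scale_app() {
  curl -fsS -X PUT "$MARATHON_URL/v2/apps/$APP_ID" -H 'Content-Type: application/json' \
    -d "{\"instances\": $1}"
}

main() {
  check_image_ref "$IMAGE"
  check_secrets_uri "$SECRETS_URI"
  deploy_and_wait 1
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as IMAGE=<username>/dpod MARATHON_URL=http://<ip address>:8080 sh deploy_dpod_marathon.sh --run after pushing the image; once the task is running, scale_app 3 from the same shell performs the scaling step described later in this guide. The poll loop reads tasksRunning from the Marathon API rather than trusting the POST response, because Marathon accepts the definition before any task has actually started.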
Starting an Interactive Session with the Running Docker Container
Configure the Luna Cloud HSM Service client inside the running container. Execute the following on the Mesos Slave that is running the task.
Obtain the running container ID.
docker ps
Start an interactive shell in the running container using the container ID. Note that docker attach would only connect you to the container's tail -f /dev/null process and give no prompt, so use docker exec instead.
docker exec -it <container_id> /bin/bash
The Mesos fetcher extracted secrets.zip into the task sandbox, which is mounted in the container at /mnt/mesos/sandbox. Copy the configuration file and certificates from /mnt/mesos/sandbox into the directory set as ChrystokiConfigurationPath in the Dockerfile, /usr/local/dpod/secrets; LunaCM reads the configuration only from that directory.
Run LunaCM and verify the connection to the partition. The client binaries were copied to /usr/local/dpod, so LunaCM is under bin/64 in that directory.
cd /usr/local/dpod/bin/64
./lunacm
Initialize the application partition, to create the partition's Security Officer (SO), and set the initial password and cloning domain.
partition init -label <par_label>
Log in as Partition SO. You can also use the shortcut po.
role login -name Partition SO
Initialize the Crypto Officer role and set the initial password. You can also use the shortcut co.
role init -name Crypto Officer
The Partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. You must log out to allow the Crypto Officer to log in with the newly-set password.
role logout
Once the Crypto Officer logs in and changes the initial credential set by the Partition SO, applications using the CO's challenge secret/password can perform cryptographic operations in the partition. The Crypto Officer can create, modify and delete crypto objects within the partition, and use existing crypto objects (sign/verify). You can also create a limited-capability role called Crypto User that can use the objects created by the Crypto Officer, but cannot modify them. The separation of roles is important in some security regimes and operational situations, and where you might be required to satisfy audit criteria for industry or government oversight.
Log in as the Crypto Officer. You can also use the shortcut co.
role login -name Crypto Officer
The password for the Crypto Officer role is valid for the initial login only. You must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password results in a CKR_PIN_EXPIRED error when you perform role-dependent actions.
If you have not already done so, change the initial password set by the Partition SO.
role changepw -name Crypto Officer
Create the Crypto User. You can also use the shortcut cu.
role init -name Crypto User
The Crypto User can now log in with the credentials provided by the Crypto Officer, and change the initial password. The Crypto User can now use applications to perform cryptographic operations using keys and objects created in the partition by the Crypto Officer.
You can scale the number of running instances up or down. In the Marathon GUI, open the application and use Scale Application; from the command line, send the new instance count to the Marathon HTTP API with a PUT on the application:
curl -X PUT http://<ip address>:8080/v2/apps/testapp -d '{"instances": 3}' -H "Content-type: application/json"
Verify the new tasks with the following command, checking that tasksRunning in the response equals the requested instance count:
curl http://<ip address>:8080/v2/apps/testapp
Each new task fetches secrets.zip into its own sandbox, but the copy into /usr/local/dpod/secrets performed above is per container, so repeat that step in every new instance before running LunaCM or an application there.
This completes the integration of Apache Mesos with a Luna Cloud HSM Service. To verify the integration, run any application that uses the Luna Cloud HSM Service inside the container. See Using the Luna Cloud HSM Service inside Docker Container for an application demonstration inside a Docker container using the DPoD Luna Cloud HSM Service.