DC/OS (Marathon/Mesos)

DC/OS is a distributed operating system. It integrates several open-source components to enable the management of multiple machines as if they were a single computer. DC/OS is built on the Apache Mesos distributed systems kernel and the Marathon container orchestration system. This procedure was tested on Mesosphere DC/OS 1.11.
To deploy Prisma Cloud to a Kubernetes cluster running on DC/OS, see the Install Kubernetes guide.

Deployment architecture

Prisma Cloud Console is deployed to a public slave node. Public slave nodes are accessible from outside the cluster. Because Console provides a management interface through a browser window, it must be reachable from outside the cluster. This also makes ports 8083 and 8084 on that node Internet-facing, so restrict inbound access to them (for example, with security groups or firewall rules) to the networks that administrators and Defenders connect from.
Prisma Cloud Defender is deployed on every private slave node. Private slave nodes run your applications and reside on a private subnet, so they are not accessible from outside the cluster.
The following diagram shows the components in a DC/OS cluster, and where Prisma Cloud gets deployed.
[Figure: dcos-arch-tw.png]

Install Console

Use the twistlock.sh script to install Console onto a public agent in your cluster.
Prerequisites:
  • Ports 8083 and 8084 on the public agent are open. Console's web interface and API are served on port 8083, and Defender communicates with Console on port 8084. If you deploy DC/OS with the Terraform-based Universal Installer, add 8083 and 8084 to the public_agents_additional_ports input in your main.tf configuration file.
  1. Go to Releases and copy the link to the current recommended release.
  2. SSH to a public agent in your cluster.
    $ dcos node ssh --master-proxy --mesos-id=<PUBLIC-AGENT>
  3. Retrieve the Prisma Cloud release tarball.
    $ wget <LINK-TO-CURRENT-RECOMMENDED-RELEASE>
  4. Unpack the Prisma Cloud release tarball.
    $ mkdir twistlock
    $ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
  5. Install Prisma Cloud.
    We recommend that you install both Console and Defender on the public agent. To simplify the installation of both components, use the onebox install target.
    $ cd twistlock
    $ sudo ./twistlock.sh -s onebox
    Where:
    • -s -- Agree to the EULA.
    • -z -- (Optional) Emit additional debug messages. Use this option if an error occurs while running twistlock.sh.
    • onebox -- Install Console and Defender onto a single server.
  6. Verify that Prisma Cloud has been properly installed, and that it is running on your host:
    $ sudo docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"
    CONTAINER ID        STATUS              NAMES
    764ecb72207e        Up 5 minutes        twistlock_defender
    be5e385fea32        Up 5 minutes        twistlock_console
  7. Open a browser window, and navigate to Console’s front page.
    Go to https://<PUBLIC-AGENT>:8083
    Where <PUBLIC-AGENT> is the hostname or IP address of the public agent. To get the public IP address of every public agent, run the following command. It selects the agents that carry a slave_public resource reservation and asks the external service ifconfig.co for each node's public address; note that --option StrictHostKeyChecking=no disables SSH host-key verification for these connections, so only use it on a cluster you control.
    $ for id in $(dcos node --json | \
        jq --raw-output \
          '.[] | select(.reserved_resources.slave_public != null) | .id'); \
      do dcos node ssh \
        --option StrictHostKeyChecking=no \
        --option LogLevel=quiet \
        --master-proxy \
        --mesos-id=$id "curl -s ifconfig.co" ; \
      done 2>/dev/null
  8. Create your first admin user by entering a username and password.
  9. Enter your license key.
    After your license is validated, the dashboard is unlocked.
  10. Go to Manage > Defenders > Names. Verify that the Subject Alternative Name (SAN) table contains the IP address for the public agent where Console runs. If not, click Add SAN, then enter the IP address. Defenders connect to Console at this address and validate Console's certificate against the SAN list, so the entry must exist before you deploy Defenders.

Install Defender

Deploy Defender to all slave agents in your cluster. Use twistcli to generate the Defender app in JSON format, and then start it with the DC/OS CLI tool. By default, the Defender image is retrieved from Prisma Cloud's cloud registry.
Prerequisites:
  • You have deployed Console to a public agent in your cluster.
  1. Download twistcli to a host where you've installed the DC/OS CLI.
    1. Open Compute Console and go to Manage > System > Downloads.
    2. Under twistcli tool, download the version for your operating system.
  2. Generate the Defender app JSON using twistcli, where:
    • <PLATFORM> can be linux or osx.
    • <CONSOLE> is the IP address of the public agent where Console runs. It must match the SAN entry you verified when installing Console, because Defenders connect to this address and validate Console's certificate against it.
    • <TWISTLOCK_USER> is a Prisma Cloud Console user with a role of Defender Manager or higher.
    • <NUMBER_OF_AGENTS> is the number of private agent nodes in your cluster.
    The following command connects to Console's API (specified in --address) as user <TWISTLOCK_USER> (specified in --user), and generates a Defender app in JSON format according to the configuration options passed to twistcli. twistcli prompts for the user's password unless you supply it with --password. The generated app definition is written to dcos.json in the current directory.
    $ <PLATFORM>/twistcli defender export dcos \
        --address https://<CONSOLE>:8083 \
        --user <TWISTLOCK_USER> \
        --cluster-address <CONSOLE> \
        --agents <NUMBER_OF_AGENTS>
  3. Deploy the Defender app on your cluster using the dcos CLI tool. Review the generated dcos.json before submitting it; it is a standard Marathon app definition and runs a privileged container on every private agent.
    Alternatively, you could deploy the Defender app using the DC/OS web interface, Marathon web interface, or Marathon REST API.
    $ dcos marathon app add ./dcos.json
  4. Validate that the Defender app is running and that all of its instances have started.
    $ dcos marathon app list
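The two inputs this procedure depends on, the public/private agent split from dcos node --json (used above to find the public agent and to choose <NUMBER_OF_AGENTS>) and the Marathon app definition that twistcli writes to dcos.json, are both worth checking before you run dcos marathon app add. The following is an added example, not code from the page or from Prisma Cloud. It assumes that dcos node --json returns a list of agent objects with id, hostname and reserved_resources keys (the same slave_public test the jq one-liner above uses), and that dcos.json is a plain Marathon app definition; the node list, the app definitions and the registry prefix below are constructed samples, and the WS_ADDRESS variable name is hypothetical.

```python
"""Pre-flight checks for the DC/OS Defender deployment (added example).

Assumptions, not taken from the page:
  * `dcos node --json` is a list of agent objects with `id`, `hostname`
    and `reserved_resources`; public agents carry a `slave_public`
    reservation (the test the page's jq one-liner uses).
  * dcos.json, as written by `twistcli defender export dcos`, is a plain
    Marathon app definition (instances, constraints, container, env).
"""
import json

# Constructed sample of `dcos node --json`: two private agents, one public.
SAMPLE_NODES_JSON = json.dumps([
    {"id": "a1-S0", "hostname": "10.0.0.11", "reserved_resources": {}},
    {"id": "a2-S1", "hostname": "10.0.0.12", "reserved_resources": {}},
    {"id": "a3-S2", "hostname": "10.0.4.20",
     "reserved_resources": {"slave_public": {"cpus": 4.0}}},
])

# Hypothetical registry prefix; substitute the registry your dcos.json uses.
REGISTRY_PREFIX = "registry.example.com/twistlock/"

# Constructed Marathon app definition standing in for a good dcos.json.
# Field names are Marathon's; values (and the WS_ADDRESS variable) are made up.
SAMPLE_APP_JSON = json.dumps({
    "id": "/twistlock-defender",
    "instances": 2,
    "constraints": [["hostname", "UNIQUE"]],
    "container": {"type": "DOCKER",
                  "docker": {"image": REGISTRY_PREFIX + "defender:VERSION",
                             "privileged": True}},
    "env": {"WS_ADDRESS": "wss://10.0.4.20:8084"},
})

# Constructed bad definition: too many instances, no UNIQUE constraint,
# image pulled from an unexpected registry, cluster address missing.
SAMPLE_BAD_APP_JSON = json.dumps({
    "id": "/twistlock-defender",
    "instances": 3,
    "container": {"type": "DOCKER",
                  "docker": {"image": "docker.io/someone/defender:latest",
                             "privileged": True}},
    "env": {"WS_ADDRESS": "wss://192.0.2.1:8084"},
})


def split_agents(nodes_json):
    """Return (public_agent_ids, private_agent_ids) from `dcos node --json` output."""
    public, private = [], []
    for node in json.loads(nodes_json):
        if node.get("reserved_resources", {}).get("slave_public") is not None:
            public.append(node["id"])
        else:
            private.append(node["id"])
    return public, private


def check_defender_app(app_json, private_agent_count, cluster_address,
                       registry_prefix=REGISTRY_PREFIX):
    """Return a list of findings for a Marathon app definition; empty means OK.

    Checks that the app will place exactly one Defender per private agent,
    that the image comes from the expected registry, and that the Console
    cluster address passed to twistcli actually ended up in the definition.
    """
    app = json.loads(app_json)
    findings = []
    instances = app.get("instances")
    if instances != private_agent_count:
        findings.append("instances=%r but the cluster has %d private agents"
                        % (instances, private_agent_count))
    if ["hostname", "UNIQUE"] not in app.get("constraints", []):
        findings.append("no [hostname, UNIQUE] constraint: Marathon may stack "
                        "several Defenders on one agent and leave others bare")
    image = app.get("container", {}).get("docker", {}).get("image", "")
    if not image.startswith(registry_prefix):
        findings.append("image %r is not from the expected registry %r"
                        % (image, registry_prefix))
    if cluster_address not in json.dumps(app):
        findings.append("cluster address %r does not appear in the app "
                        "definition; Defenders would connect elsewhere"
                        % cluster_address)
    return findings


if __name__ == "__main__":
    public_ids, private_ids = split_agents(SAMPLE_NODES_JSON)
    print("public agents:", public_ids, "private agents:", len(private_ids))
    for label, app in (("good", SAMPLE_APP_JSON), ("bad", SAMPLE_BAD_APP_JSON)):
        problems = check_defender_app(app, len(private_ids), "10.0.4.20")
        print(label, "->", problems or "ready to submit")
```

In practice you would replace the two constructed samples with the output of dcos node --json and the contents of ./dcos.json, and pass the same <CONSOLE> address you gave to --cluster-address; a non-empty findings list means fix the twistcli invocation rather than submitting the app.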
