From 11ce86eeb7e6aeb78d3038ae707630f91034b650 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 10:06:59 -0500
Subject: [PATCH 01/22] added just the defender installation
---
v2/fleet/twistlock-defender.service | 21 +++++++++++++++++++++
v2/setup/twistlock.sh | 22 ++++++++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 v2/fleet/twistlock-defender.service
create mode 100644 v2/setup/twistlock.sh
diff --git a/v2/fleet/twistlock-defender.service b/v2/fleet/twistlock-defender.service
new file mode 100644
index 0000000..7486dc7
--- /dev/null
+++ b/v2/fleet/twistlock-defender.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Install Twistlock Defender
+After=docker.service bootstrap.service
+Requires=docker.service
+
+
+[Service]
+Environment="twistlockusername=etcdctl get /twistlockusername"
+Environment="twistlockpassword=etcdctl get /twistlockpassword"
+Environment="twistlockparameter=etcdctl get /twistlockparameter"
+User=core
+TimeoutStartSec=0
+ExecStart=curl -sSL -k --header "authorization:Bearer \
+$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \
+-d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \
+https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \
+https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh \
+-o defender.sh && chmod a+x defender.sh && sudo ./defender.sh
+
+[X-Fleet]
+Global=true
diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh
new file mode 100644
index 0000000..7a60f4a
--- /dev/null
+++ b/v2/setup/twistlock.sh
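Review bot: `ExecStart=` is executed by systemd directly, not through a shell, so the `$(...)` substitutions, the `|` pipe and the `&&` chain on the ExecStart lines are handed to curl as literal arguments, and the three `Environment=` lines store the literal text `etcdctl get /twistlockusername` rather than that key's value; the line cannot work as written and belongs in a script. Independently of that, the download of `defender.sh` uses `-k`, so the controller's certificate is never verified, and the fetched file is then run under `sudo`: anything able to answer for `$twistlockparameter` on the network gets root on every node, because `Global=true` schedules this unit everywhere. The same `curl -sSL -k ...` followed by `sudo ./defender.sh` or `| sh` appears in `v2/setup/twistlock.sh` (patch 04) and `v2/util/twistlock-user.sh` (patches 05 and 06); in all of them `-k` should be replaced by `--cacert <controller CA bundle path>` so the host is authenticated before its script is executed as root.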
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+source /etc/environment
+
+HOMEDIR=$(eval echo "~`whoami`")
+
+sudo docker run --rm \
+ -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \
+ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlock
+
+while read line; do
+ etcdctl set $line
+done < ${HOMEDIR}/.twistlock
+
+sudo docker run --rm \
+ -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \
+ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlockparameter
+
+
+while read line; do
+ etcdctl set $line
+done < ${HOMEDIR}/.twistlockparameter
From c4f3d8cbc96c7c55f07e86ee49516e2ca0e0b192 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 10:18:20 -0500
Subject: [PATCH 02/22] executable file
---
v2/setup/twistlock.sh | 0
1 file changed, 0 insertions(+), 0 deletions(-)
mode change 100644 => 100755 v2/setup/twistlock.sh
diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh
old mode 100644
new mode 100755
From a6f0834de211f727c625b190ad76fcbdc69779fb Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 11:41:36 -0500
Subject: [PATCH 03/22] twistlock-defender.service
---
v2/fleet/twistlock-defender.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/fleet/twistlock-defender.service b/v2/fleet/twistlock-defender.service
index 7486dc7..694840d 100644
--- a/v2/fleet/twistlock-defender.service
+++ b/v2/fleet/twistlock-defender.service
@@ -10,7 +10,7 @@ Environment="twistlockpassword=etcdctl get /twistlockpassword"
 Environment="twistlockparameter=etcdctl get /twistlockparameter"
 User=core
 TimeoutStartSec=0
-ExecStart=curl -sSL -k --header "authorization:Bearer \
+ExecStart=/usr/bin/curl -sSL -k --header "authorization:Bearer \
 $(eval echo $(echo $(curl -s -H "Content-Type: application/json" \
 -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \
 https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \
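Review bot: `etcdctl set $line` in both `while read line` loops leaves `$line` unquoted and relies on word-splitting to separate key from value, so a value containing spaces or glob characters is split or expanded before etcdctl sees it, and `read` without `-r` alters backslashes; `while read -r key value; do etcdctl set "$key" "$value"; done < "${HOMEDIR}/.twistlock"` keeps each field intact (assuming each line is `key value`, which the loop already presumes). What this loads is the Twistlock username and password fetched from the secure bucket: after this step they sit unencrypted in etcd under well-known keys, readable by any client the etcd endpoint accepts, and the downloaded `.twistlock` file stays behind in `$HOMEDIR`; removing the file once loaded (`rm -f -- "${HOMEDIR}/.twistlock"`) and restricting who can read those keys narrows the exposure. `HOMEDIR=$(eval echo "~\`whoami\`")` is also an `eval` for what `$HOME` already provides.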
From f5ecceae5a150f9e7743d22469c2393402da7b7b Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 12:34:39 -0500
Subject: [PATCH 04/22] moving curl execution to twistlock.sh
---
v2/fleet/twistlock-defender.service | 10 +---------
v2/setup/twistlock.sh | 11 +++++++++++
2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/v2/fleet/twistlock-defender.service b/v2/fleet/twistlock-defender.service
index 694840d..bbce189 100644
--- a/v2/fleet/twistlock-defender.service
+++ b/v2/fleet/twistlock-defender.service
@@ -5,17 +5,9 @@ Requires=docker.service
 [Service]
-Environment="twistlockusername=etcdctl get /twistlockusername"
-Environment="twistlockpassword=etcdctl get /twistlockpassword"
-Environment="twistlockparameter=etcdctl get /twistlockparameter"
 User=core
 TimeoutStartSec=0
-ExecStart=/usr/bin/curl -sSL -k --header "authorization:Bearer \
-$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \
--d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \
-https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \
-https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh \
--o defender.sh && chmod a+x defender.sh && sudo ./defender.sh
+ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock-user.sh
 [X-Fleet]
 Global=true
diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh
index 7a60f4a..246f051 100755
--- a/v2/setup/twistlock.sh
+++ b/v2/setup/twistlock.sh
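Review bot: The new `ExecStart=` runs `v2/util/twistlock-user.sh`, but the commit message says the curl execution moved to `twistlock.sh`, which this series keeps at `v2/setup/twistlock.sh`; neither `v2/util/twistlock-user.sh` nor `v2/util/twistlock.sh` exists at this point in the series, so the defender unit cannot start after this commit. The `User=core` plus `/usr/bin/sudo bash` pairing also means the unit effectively runs as root while declaring an unprivileged user, and presumably relies on a passwordless sudoers entry for `core`, since there is no TTY for a prompt; if the script needs root, dropping `User=core` and `sudo` — `ExecStart=/usr/bin/bash /home/core/mesos-systemd/v2/setup/twistlock.sh` — states the privilege level honestly and removes the sudoers dependency.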
@@ -20,3 +20,14 @@ sudo docker run --rm \
 while read line; do
 etcdctl set $line
 done < ${HOMEDIR}/.twistlockparameter
+
+twistlockusername=$(etcdctl get /twistlockusername)
+twistlockpassword=$(etcdctl get /twistlockpassword)
+twistlockparameter=$(etcdctl get /twistlockparameter)
+
+curl -sSL -k --header "authorization:Bearer \
+$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \
+-d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \
+https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \
+https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh \
+-o defender.sh && chmod a+x defender.sh && sudo ./defender.sh
From 208810e3efd491f5ab177a0ebb293612695d8953 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 13:56:46 -0500
Subject: [PATCH 05/22] add logic to install clent certs for each user
---
v2/util-units/twistlock-client.service | 12 +++++++
v2/util/twistlock-user.sh | 45 ++++++++++++++++++++++++++
2 files changed, 57 insertions(+)
create mode 100644 v2/util-units/twistlock-client.service
create mode 100755 v2/util/twistlock-user.sh
diff --git a/v2/util-units/twistlock-client.service b/v2/util-units/twistlock-client.service
new file mode 100644
index 0000000..4d2bd90
--- /dev/null
+++ b/v2/util-units/twistlock-client.service
@@ -0,0 +1,12 @@
+t]
+Description=Install Twistlock Client keys
+After=docker.service bootstrap.service create-users.service
+Requires=docker.service
+
+[Service]
+User=core
+TimeoutStartSec=0
+ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock-user.sh
+
+[X-Fleet]
+Global=true
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
new file mode 100755
index 0000000..90852b8
--- /dev/null
+++ b/v2/util/twistlock-user.sh
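Review bot: The credentials read back from etcd are expanded through `eval echo`, so a value containing `$`, backticks or `;` is executed as shell inside this script instead of being sent to the controller; `"$twistlockusername"` already holds the value and needs no `eval`. The inner `curl -s` carries neither `-S` nor `-f`, so an authentication failure (or a TLS error, since only the outer call has `-k`) yields an empty token, after which the script downloads with an empty Bearer header and runs whatever it received under `sudo ./defender.sh`; the token should be captured into a variable and checked before anything is executed. The password is also spliced into the JSON body on the command line, where it is visible in `ps` to every user on the node, and into JSON by plain concatenation; passing the body on stdin with `-d @-` takes the secret off argv, while the quoting caveat remains for passwords containing `"` or `\`. The rewrite below keeps the same endpoints and replaces `-k` with a CA bundle path, shown as a placeholder variable.
```shell
# … unchanged: etcdctl get of twistlockusername / twistlockpassword / twistlockparameter …
controller="https://${twistlockparameter}"
ca_bundle="${TWISTLOCK_CA_BUNDLE:?set to the controller CA bundle path}"   # placeholder name
token=$(curl -sSf --cacert "$ca_bundle" -H "Content-Type: application/json" \
  -d @- "${controller}:443/api/v1/authenticate" <<EOF | sed -ne 's/.*"token":"\([^"]*\)".*/\1/p'
{"username":"${twistlockusername}","password":"${twistlockpassword}"}
EOF
)
[[ -n "$token" ]] || { echo "twistlock: authentication failed" >&2; exit 1; }
curl -sSf --cacert "$ca_bundle" --header "authorization:Bearer ${token}" \
  "${controller}/api/v1/scripts/defender.sh" -o defender.sh
chmod a+x defender.sh && sudo ./defender.sh
```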
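Review bot: The unit's first line reads `t]` where `[Unit]` is expected; unless that is an artefact of this listing, systemd will refuse to load the file, and the same first line is carried into the `v2/fleet` copy in patch 06. As with the defender unit, `User=core` combined with `ExecStart=/usr/bin/sudo bash ...` hands root to the script while the unit declares an unprivileged user, which hides the real privilege level from anyone auditing the unit and presumably relies on a NOPASSWD sudoers entry; `ExecStart=/usr/bin/bash /home/core/mesos-systemd/v2/util/twistlock-user.sh` with no `User=` line is the honest form if root is needed. `Requires=docker.service` is declared, but the script's first real dependency is etcd (`etcdctl set`/`get`), which is neither required nor ordered here.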
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+source /etc/environment
+
+HOMEDIR=$(eval echo "~`whoami`")
+
+sudo docker run --rm \
+ -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \
+ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET ."$(echo $USER)"
+
+
+while read line; do
+ etcdctl set $line
+done < ${HOMEDIR}/."$(echo $USER)"
+
+
+twistlockclientusername=$(etcdctl get /twistlockclientusername)
+twistlockclientpassword=$(etcdctl get /twistlockclientpassword)
+twistlockparameter=$(etcdctl get /twistlockparameter)
+
+#steps to generate private cert for each ssh user in HOMEDIR/.docker
+
+curl -sSL -k --header "authorization:Bearer \
+$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \
+-d '{"username":"'$(eval echo $twistlockclientusername)'", "password":"'$(eval echo $twistlockclientpassword)'"}' \
+https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \
+https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh
+
+
+for i in `ls /home`;
+
+ do sudo cp -rf /home/core/.docker /home/$i
+
+done
+#steps to run twistlock as proxy server
+
+etcdctl set DOCKER_HOST tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998
+etcdctl set DOCKER_TLS_VERIFY 1
+
+
+DOCKER_HOST=$(etcdctl get DOCKER_HOST)
+export DOCKER_HOST
+
+DOCKER_TLS_VERIFY=$(etcdctl get DOCKER_TLS_VERIFY)
+export DOCKER_TLS_VERIFY
From 13df7a7e52f0a1090fc2047ce4e8ac6e7e2c9702 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 14:28:08 -0500
Subject: [PATCH 06/22] moved service to fleet
---
v2/fleet/twistlock-client.service | 12 +++++++++
v2/setup/twistlock-user.sh | 45 +++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+)
create mode 100644 v2/fleet/twistlock-client.service
create mode 100755 v2/setup/twistlock-user.sh
diff --git a/v2/fleet/twistlock-client.service b/v2/fleet/twistlock-client.service
new file mode 100644
index 0000000..f7deae2
--- /dev/null
+++ b/v2/fleet/twistlock-client.service
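Review bot: The comment promises a private cert for each ssh user, but the loop copies one `.docker` directory — presumably the client certificate and key that `client-certs.sh` produced for the single `twistlockclientusername` identity — into every home under `/home`, so every account shares the same key, a compromise of any one home exposes the credential for all, and the controller cannot attribute or revoke per user; either generate a certificate per user or document that one shared client identity is intended. The loop itself is ``for i in `ls /home` ``, which breaks on names containing spaces and runs `cp -rf` as root without a `chown`, leaving root-owned files in each user's home that the user may not be able to read depending on the source permissions; a glob plus a chown, as below, fixes both. `curl ... -k ... | sh` runs an unverified remote script in the same root shell, the concern raised on the defender unit. The same body is added again as `v2/setup/twistlock-user.sh` in patch 06.
```shell
# … unchanged: client-certs.sh fetch …
for home in /home/*/; do
  user=${home%/}
  user=${user##*/}
  sudo cp -rf /home/core/.docker "$home"
  sudo chown -R -- "$user" "${home}.docker"
done
```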
@@ -0,0 +1,12 @@
+t]
+Description=Install Twistlock Client keys
+After=docker.service bootstrap.service create-users.service
+Requires=docker.service
+
+[Service]
+User=core
+TimeoutStartSec=0
+ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/setup/twistlock-user.sh
+
+[X-Fleet]
+Global=true
diff --git a/v2/setup/twistlock-user.sh b/v2/setup/twistlock-user.sh
new file mode 100755
index 0000000..90852b8
--- /dev/null
+++ b/v2/setup/twistlock-user.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+source /etc/environment
+
+HOMEDIR=$(eval echo "~`whoami`")
+
+sudo docker run --rm \
+ -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \
+ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET ."$(echo $USER)"
+
+
+while read line; do
+ etcdctl set $line
+done < ${HOMEDIR}/."$(echo $USER)"
+
+
+twistlockclientusername=$(etcdctl get /twistlockclientusername)
+twistlockclientpassword=$(etcdctl get /twistlockclientpassword)
+twistlockparameter=$(etcdctl get /twistlockparameter)
+
+#steps to generate private cert for each ssh user in HOMEDIR/.docker
+
+curl -sSL -k --header "authorization:Bearer \
+$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \
+-d '{"username":"'$(eval echo $twistlockclientusername)'", "password":"'$(eval echo $twistlockclientpassword)'"}' \
+https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \
+https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh
+
+
+for i in `ls /home`;
+
+ do sudo cp -rf /home/core/.docker /home/$i
+
+done
+#steps to run twistlock as proxy server
+
+etcdctl set DOCKER_HOST tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998
+etcdctl set DOCKER_TLS_VERIFY 1
+
+
+DOCKER_HOST=$(etcdctl get DOCKER_HOST)
+export DOCKER_HOST
+
+DOCKER_TLS_VERIFY=$(etcdctl get DOCKER_TLS_VERIFY)
+export DOCKER_TLS_VERIFY
From b0fa64bc1a7f9a203a88e8296bf245fb3a8b02dd Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 14:28:50 -0500
Subject: [PATCH 07/22] deleted old service from util
---
v2/util-units/twistlock-client.service | 12 -------
v2/util/twistlock-user.sh | 45 --------------------------
2 files changed, 57 deletions(-)
delete mode 100644 v2/util-units/twistlock-client.service
delete mode 100755 v2/util/twistlock-user.sh
diff --git a/v2/util-units/twistlock-client.service b/v2/util-units/twistlock-client.service
deleted file mode 100644
index 4d2bd90..0000000
--- a/v2/util-units/twistlock-client.service
+++ /dev/null
@@ -1,12 +0,0 @@
-t]
-Description=Install Twistlock Client keys
-After=docker.service bootstrap.service create-users.service
-Requires=docker.service
-
-[Service]
-User=core
-TimeoutStartSec=0
-ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock-user.sh
-
-[X-Fleet]
-Global=true
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
deleted file mode 100755
index 90852b8..0000000
--- a/v2/util/twistlock-user.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-source /etc/environment
-
-HOMEDIR=$(eval echo "~`whoami`")
-
-sudo docker run --rm \
- -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \
- us-east-1 $CONTROL_TIER_S3SECURE_BUCKET ."$(echo $USER)"
-
-
-while read line; do
- etcdctl set $line
-done < ${HOMEDIR}/."$(echo $USER)"
-
-
-twistlockclientusername=$(etcdctl get /twistlockclientusername)
-twistlockclientpassword=$(etcdctl get /twistlockclientpassword)
-twistlockparameter=$(etcdctl get /twistlockparameter)
-
-#steps to generate private cert for each ssh user in HOMEDIR/.docker
-
-curl -sSL -k --header "authorization:Bearer \
-$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \
--d '{"username":"'$(eval echo $twistlockclientusername)'", "password":"'$(eval echo $twistlockclientpassword)'"}' \
-https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \
-https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh
-
-
-for i in `ls /home`;
-
- do sudo cp -rf /home/core/.docker /home/$i
-
-done
-#steps to run twistlock as proxy server
-
-etcdctl set DOCKER_HOST tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998
-etcdctl set DOCKER_TLS_VERIFY 1
-
-
-DOCKER_HOST=$(etcdctl get DOCKER_HOST)
-export DOCKER_HOST
-
-DOCKER_TLS_VERIFY=$(etcdctl get DOCKER_TLS_VERIFY)
-export DOCKER_TLS_VERIFY
From 8345bf27b24a5c0402005c8c262617bcd9475714 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 15:09:17 -0500
Subject: [PATCH 08/22] still testing
---
v2/fleet/twistlock-defender.service | 2 +-
v2/setup/twistlock-user.sh | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/v2/fleet/twistlock-defender.service b/v2/fleet/twistlock-defender.service
index bbce189..2552dba 100644
--- a/v2/fleet/twistlock-defender.service
+++ b/v2/fleet/twistlock-defender.service
@@ -7,7 +7,7 @@ Requires=docker.service
 [Service]
 User=core
 TimeoutStartSec=0
-ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock-user.sh
+ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock.sh
 [X-Fleet]
 Global=true
diff --git a/v2/setup/twistlock-user.sh b/v2/setup/twistlock-user.sh
index 90852b8..59953b3 100755
--- a/v2/setup/twistlock-user.sh
+++ b/v2/setup/twistlock-user.sh
@@ -6,12 +6,12 @@ HOMEDIR=$(eval echo "~`whoami`")
 sudo docker run --rm \
 -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \
- us-east-1 $CONTROL_TIER_S3SECURE_BUCKET ."$(echo $USER)"
+ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .core
 while read line; do
 etcdctl set $line
-done < ${HOMEDIR}/."$(echo $USER)"
+done < ${HOMEDIR}/.core
 twistlockclientusername=$(etcdctl get /twistlockclientusername)
From c8380888a32e7f8ad0f835f1867b1674667eb8b6 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 15:28:27 -0500
Subject: [PATCH 09/22] added more logic
---
v2/setup/twistlock-user.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/v2/setup/twistlock-user.sh b/v2/setup/twistlock-user.sh
index 59953b3..4ca1b1e 100755
--- a/v2/setup/twistlock-user.sh
+++ b/v2/setup/twistlock-user.sh
@@ -14,8 +14,8 @@ while read line; do
 done < ${HOMEDIR}/.core
-twistlockclientusername=$(etcdctl get /twistlockclientusername)
-twistlockclientpassword=$(etcdctl get /twistlockclientpassword)
+twistlockclientusername=$(etcdctl get /twistlockclientusercore)
+twistlockclientpassword=$(etcdctl get /twistlockclientpasswordcore)
 twistlockparameter=$(etcdctl get /twistlockparameter)
 #steps to generate private cert for each ssh user in HOMEDIR/.docker
From 0a94c7d80895e8cc2a30a1450a852ef2cb1bf280 Mon Sep 17 00:00:00 2001
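Review bot: The ExecStart path `/home/core/mesos-systemd/v2/util/twistlock.sh` does not match where this series keeps the script: at this commit it lives at `v2/setup/twistlock.sh` and only moves to `v2/util` in a later patch ("more test"), so the defender unit fails to start in between; the rename and the unit change should land in the same commit so that every point in history is startable. Since the unit runs that path as root on every machine (`sudo bash` under `Global=true`), whoever can write to `/home/core/mesos-systemd` controls what runs as root cluster-wide; executing from a fixed, root-owned location rather than a checkout in a user's home would shrink that surface.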
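Review bot: Hard-coding `.core` in place of `."$(echo $USER)"` fixes the file name to one account while `HOMEDIR` on the line above is still derived from `whoami`, so when the unit invokes the script via `sudo bash` the file is fetched into root's home but named for `core` — the two halves now disagree on whose credentials this is (presumably `$USER` resolved to `root` under sudo, which is why the literal was needed). If the intent is the invoking user, `${SUDO_USER:-$USER}` gives that name even under sudo; and since the file holds a password that is immediately loaded into etcd, removing it after the loop (`rm -f -- "${HOMEDIR}/.core"`) avoids leaving a second copy on disk.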
From: anshu pande
Date: Wed, 10 Feb 2016 16:02:38 -0500
Subject: [PATCH 10/22] more test
---
v2/fleet/twistlock-client.service | 2 +-
v2/{setup => util}/twistlock-user.sh | 0
v2/{setup => util}/twistlock.sh | 0
3 files changed, 1 insertion(+), 1 deletion(-)
rename v2/{setup => util}/twistlock-user.sh (100%)
rename v2/{setup => util}/twistlock.sh (100%)
diff --git a/v2/fleet/twistlock-client.service b/v2/fleet/twistlock-client.service
index f7deae2..4d2bd90 100644
--- a/v2/fleet/twistlock-client.service
+++ b/v2/fleet/twistlock-client.service
@@ -6,7 +6,7 @@ Requires=docker.service
 [Service]
 User=core
 TimeoutStartSec=0
-ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/setup/twistlock-user.sh
+ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock-user.sh
 [X-Fleet]
 Global=true
diff --git a/v2/setup/twistlock-user.sh b/v2/util/twistlock-user.sh
similarity index 100%
rename from v2/setup/twistlock-user.sh
rename to v2/util/twistlock-user.sh
diff --git a/v2/setup/twistlock.sh b/v2/util/twistlock.sh
similarity index 100%
rename from v2/setup/twistlock.sh
rename to v2/util/twistlock.sh
From 212540ccd4de4d7db9be47f0336960c1b11206c4 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 16:22:49 -0500
Subject: [PATCH 11/22] updated twist lock client servive to start after defender is installed
---
v2/fleet/twistlock-client.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/fleet/twistlock-client.service b/v2/fleet/twistlock-client.service
index 4d2bd90..2650e2a 100644
--- a/v2/fleet/twistlock-client.service
+++ b/v2/fleet/twistlock-client.service
@@ -1,6 +1,6 @@
 t]
 Description=Install Twistlock Client keys
-After=docker.service bootstrap.service create-users.service
+After=docker.service bootstrap.service create-users.service twistlock-defender.service
 Requires=docker.service
 [Service]
From b9a6eeda5072d402faed0ef23faecbc63391effc Mon Sep 17 00:00:00 2001
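Review bot: `After=twistlock-defender.service` orders this unit but does not pull the defender in, and the defender unit declares no `Type=`, so it is `Type=simple`: systemd treats it as started the moment its `ExecStart` process is spawned, and the client-key install can run while `twistlock.sh` is still logging in and downloading the defender. If the defender really must be installed first, the defender unit needs `Type=oneshot` (plus `RemainAfterExit=yes` if others should see it as active afterwards) and this unit needs `Wants=twistlock-defender.service` alongside the `After=`. With both units `Global=true` the ordering is per machine, which is presumably what is intended.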
From: anshu pande
Date: Wed, 10 Feb 2016 16:38:37 -0500
Subject: [PATCH 12/22] add parameter to client download script as well
---
v2/util/twistlock-user.sh | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
index 4ca1b1e..ef9bd7a 100755
--- a/v2/util/twistlock-user.sh
+++ b/v2/util/twistlock-user.sh
@@ -13,6 +13,14 @@ while read line; do
 etcdctl set $line
 done < ${HOMEDIR}/.core
+sudo docker run --rm \
+ -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \
+ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlockparameter
+
+
+while read line; do
+ etcdctl set $line
+done < ${HOMEDIR}/.twistlockparameter
 twistlockclientusername=$(etcdctl get /twistlockclientusercore)
 twistlockclientpassword=$(etcdctl get /twistlockclientpasswordcore)
From d9679d1c6c317d231b77f8a3e54526f97aab7d35 Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 17:02:01 -0500
Subject: [PATCH 13/22] copy .docker from /root rather than /home/core
---
v2/util/twistlock-user.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
index ef9bd7a..1a1eff0 100755
--- a/v2/util/twistlock-user.sh
+++ b/v2/util/twistlock-user.sh
@@ -37,7 +37,7 @@ https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh
 for i in `ls /home`;
- do sudo cp -rf /home/core/.docker /home/$i
+ do sudo cp -rf /root/.docker /home/$i
 done
 #steps to run twistlock as proxy server
From b86b095512e46c451c1140e1036ea033216c852f Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 17:04:50 -0500
Subject: [PATCH 14/22] moved twistlock-client.service to util-units
---
v2/{fleet => util-units}/twistlock-client.service | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename v2/{fleet => util-units}/twistlock-client.service (100%)
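Review bot: This is the third copy of the download-then-`etcdctl set` block (two in `twistlock.sh`, now two in this file), each with the same unquoted `$line` and `read` without `-r`; one helper taking the object name removes the duplication and gives a single place to quote the fields and, if nothing else reads the files, to delete them once loaded, as below. The `behance/docker-aws-s3-downloader` image that fetches the secrets is referenced without a tag or digest, so whatever `latest` resolves to at boot reads the secure bucket and writes into `$HOMEDIR`; pinning it (`behance/docker-aws-s3-downloader@sha256:<digest>`) makes that code path reproducible and auditable. The helper replaces the two blocks; the rest of the file is unchanged.
```shell
# … unchanged: source /etc/environment, HOMEDIR …
# Fetch one object from the secure bucket into HOMEDIR and load its
# "key value" lines into etcd; the local copy is removed afterwards.
load_into_etcd() {
  local name=$1
  sudo docker run --rm -v "${HOMEDIR}:/data/" behance/docker-aws-s3-downloader \
    us-east-1 "$CONTROL_TIER_S3SECURE_BUCKET" "$name"
  while read -r key value; do
    etcdctl set "$key" "$value"
  done < "${HOMEDIR}/${name}"
  rm -f -- "${HOMEDIR}/${name}"
}
load_into_etcd .core
load_into_etcd .twistlockparameter
# … unchanged: twistlockclientusername= … onwards …
```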
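Review bot: The source of the copied `.docker` directory changes from `/home/core/.docker` to `/root/.docker` here, to `/home/.docker` in patch 17 and back to `/home/core/.docker` in patch 18, which suggests the location is being found by trial: it depends on the home of whichever account ran `client-certs.sh | sh` a few lines above (root when the unit invokes `sudo bash`, core when run directly), and nothing in this file fixes that. Deriving it from the `HOMEDIR` the script already computes for that same account, `sudo cp -rf "${HOMEDIR}/.docker" /home/$i`, keeps generator and source in step; if `client-certs.sh` writes somewhere other than `$HOME/.docker`, that path belongs in the comment above the loop rather than in a literal that keeps changing.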
diff --git a/v2/fleet/twistlock-client.service b/v2/util-units/twistlock-client.service
similarity index 100%
rename from v2/fleet/twistlock-client.service
rename to v2/util-units/twistlock-client.service
From 2122fc8cdc6c25272be9c35cb0f0f1cd66cc209a Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 17:48:50 -0500
Subject: [PATCH 15/22] added twistlock client installation to create-users.service
---
v2/util-units/create-users.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/util-units/create-users.service b/v2/util-units/create-users.service
index 9377430..4415969 100644
--- a/v2/util-units/create-users.service
+++ b/v2/util-units/create-users.service
@@ -13,7 +13,7 @@ ExecStartPre=-/usr/bin/rm -rf /home/core/mesos-users
 # TODO: re-visit this - dir should probably be configurable
 # look at the script to see what it's doing - you just need a repo with user public keys
-ExecStart=/usr/bin/bash -c '/usr/bin/git clone git@github.com:behance/mesos-users /home/core/mesos-users && /home/core/mesos-systemd/v2/util/add_users.sh /home/core/mesos-users/users'
+ExecStart=/usr/bin/bash -c '/usr/bin/git clone git@github.com:behance/mesos-users /home/core/mesos-users && /home/core/mesos-systemd/v2/util/add_users.sh /home/core/mesos-users/users && /home/core/mesos-systemd/v2/util/twistlock-user.sh'
 [Install]
 WantedBy=multi-user.target
From 3e3519b9e7e1966e51b0322eaaf329e960cea93b Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Wed, 10 Feb 2016 17:53:18 -0500
Subject: [PATCH 16/22] removed twistlock client logic
---
v2/util-units/twistlock-client.service | 12 ------------
1 file changed, 12 deletions(-)
delete mode 100644 v2/util-units/twistlock-client.service
diff --git a/v2/util-units/twistlock-client.service b/v2/util-units/twistlock-client.service
deleted file mode 100644
index 2650e2a..0000000
--- a/v2/util-units/twistlock-client.service
+++ /dev/null
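Review bot: Appending `&& .../twistlock-user.sh` to the `bash -c` chain couples user creation to the Twistlock client install: a failed controller login or download now fails `create-users.service` as a whole, and on the next start `ExecStartPre=-/usr/bin/rm -rf` re-clones and re-runs everything. It also buries the fact that a script which fetches a remote shell script, runs it (`| sh`) and copies keys into every home is now part of this unit, under whichever account the unit runs as (not visible in the hunk). If the unit is `Type=oneshot` (its `[Service]` header is outside the hunk), a second line `ExecStart=/home/core/mesos-systemd/v2/util/twistlock-user.sh` runs after the first and keeps the two steps' failure modes and journal output separate, and an `ExecStart=-` prefix makes the install non-fatal to user creation if that is the intended policy.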
@@ -1,12 +0,0 @@
-t]
-Description=Install Twistlock Client keys
-After=docker.service bootstrap.service create-users.service twistlock-defender.service
-Requires=docker.service
-
-[Service]
-User=core
-TimeoutStartSec=0
-ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock-user.sh
-
-[X-Fleet]
-Global=true
From 688e9c9c7abe0a4b77487a317173346505901f2c Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Thu, 11 Feb 2016 10:27:28 -0500
Subject: [PATCH 17/22] copying .docker folder to /home for each user
---
v2/util/twistlock-user.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
index 1a1eff0..5c54aa7 100755
--- a/v2/util/twistlock-user.sh
+++ b/v2/util/twistlock-user.sh
@@ -37,7 +37,7 @@ https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh
 for i in `ls /home`;
- do sudo cp -rf /root/.docker /home/$i
+ do sudo cp -rf /home/.docker /home/$i
 done
 #steps to run twistlock as proxy server
From 0711348e7db0c870dd7f173bc7145e4b4b2fb31f Mon Sep 17 00:00:00 2001
From: anshu pande
Date: Thu, 11 Feb 2016 13:28:49 -0500
Subject: [PATCH 18/22] corrected the dir location
---
v2/util/twistlock-user.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
index 5c54aa7..ef9bd7a 100755
--- a/v2/util/twistlock-user.sh
+++ b/v2/util/twistlock-user.sh
@@ -37,7 +37,7 @@ https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh
 for i in `ls /home`;
- do sudo cp -rf /home/.docker /home/$i
+ do sudo cp -rf /home/core/.docker /home/$i
 done
 #steps to run twistlock as proxy server
From ecc4aa0f485daed2936f08a74b5f5849d857cf01 Mon Sep 17 00:00:00 2001
From: Anshu Pande
Date: Wed, 24 Feb 2016 10:02:45 -0500
Subject: [PATCH 19/22] use twistlock as proxy by modifying /etc/environment
---
v2/util/twistlock-user.sh | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
index ef9bd7a..74af83f 100755
--- a/v2/util/twistlock-user.sh
+++ b/v2/util/twistlock-user.sh
@@ -42,12 +42,17 @@ for i in `ls /home`;
 done
 #steps to run twistlock as proxy server
-etcdctl set DOCKER_HOST tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998
-etcdctl set DOCKER_TLS_VERIFY 1
+echo "DOCKER_HOST=tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998" >> /etc/environment
+echo "DOCKER_TLS_VERIFY=1" >> /etc/environment
-DOCKER_HOST=$(etcdctl get DOCKER_HOST)
-export DOCKER_HOST
-DOCKER_TLS_VERIFY=$(etcdctl get DOCKER_TLS_VERIFY)
-export DOCKER_TLS_VERIFY
+#etcdctl set DOCKER_HOST tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998
+#etcdctl set DOCKER_TLS_VERIFY 1
+
+
+#DOCKER_HOST=$(etcdctl get DOCKER_HOST)
+#export DOCKER_HOST
+
+#DOCKER_TLS_VERIFY=$(etcdctl get DOCKER_TLS_VERIFY)
+#export DOCKER_TLS_VERIFY
From 15d390fc3aca047797cb86b4fa6e59d8dea315b6 Mon Sep 17 00:00:00 2001
From: Anshu Pande
Date: Wed, 24 Feb 2016 12:55:19 -0500
Subject: [PATCH 20/22] make twistlock as proxy
---
v2/util/twistlock-user.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
index 74af83f..61f7ae7 100755
--- a/v2/util/twistlock-user.sh
+++ b/v2/util/twistlock-user.sh
@@ -42,8 +42,8 @@ for i in `ls /home`;
 done
 #steps to run twistlock as proxy server
-echo "DOCKER_HOST=tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998" >> /etc/environment
-echo "DOCKER_TLS_VERIFY=1" >> /etc/environment
+echo "export DOCKER_HOST=tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998" >> /etc/environment
+echo "export DOCKER_TLS_VERIFY=1" >> /etc/environment
From 63e2136cd91550b8eaf31a7d4f1f328fa97da961 Mon Sep 17 00:00:00 2001
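Review bot: The two `echo ... >> /etc/environment` lines append unconditionally, and this script is run from `create-users.service` on every start (patch 15), so `/etc/environment` gains another `DOCKER_HOST`/`DOCKER_TLS_VERIFY` pair per boot while the `source /etc/environment` at the top of the file reads the accumulated result; a guard such as `grep -q '^DOCKER_HOST=' /etc/environment || echo "DOCKER_HOST=tcp://${COREOS_PRIVATE_IPV4}:9998" >> /etc/environment` (the `eval echo` adds nothing) makes it idempotent. The same two lines are copied into the new `v2/util/twistlockproxy.sh` in patch 21 and need the same guard there. The commented-out etcd lines that replace the removed ones are dead code; git history already records them and they should be deleted rather than kept.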
From: Anshu Pande
Date: Wed, 24 Feb 2016 17:11:54 -0500
Subject: [PATCH 21/22] add logic to make twistlock as proxy server
---
v2/util-units/create-users.service | 1 +
v2/util/twistlockproxy.sh | 5 +++++
2 files changed, 6 insertions(+)
create mode 100755 v2/util/twistlockproxy.sh
diff --git a/v2/util-units/create-users.service b/v2/util-units/create-users.service
index 4415969..15dd3aa 100644
--- a/v2/util-units/create-users.service
+++ b/v2/util-units/create-users.service
@@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/rm -rf /home/core/mesos-users
 # TODO: re-visit this - dir should probably be configurable
 # look at the script to see what it's doing - you just need a repo with user public keys
 ExecStart=/usr/bin/bash -c '/usr/bin/git clone git@github.com:behance/mesos-users /home/core/mesos-users && /home/core/mesos-systemd/v2/util/add_users.sh /home/core/mesos-users/users && /home/core/mesos-systemd/v2/util/twistlock-user.sh'
+ExecStartPost=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlockproxy.sh
 [Install]
 WantedBy=multi-user.target
diff --git a/v2/util/twistlockproxy.sh b/v2/util/twistlockproxy.sh
new file mode 100755
index 0000000..e3550cd
--- /dev/null
+++ b/v2/util/twistlockproxy.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source /etc/environment
+echo "export DOCKER_HOST=tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998" >> /etc/environment
+echo "export DOCKER_TLS_VERIFY=1" >> /etc/environment
\ No newline at end of file
From 91c0d89851f8c4ba4fca19b92350640b900b56f5 Mon Sep 17 00:00:00 2001
From: Anshu Pande
Date: Wed, 24 Feb 2016 17:13:51 -0500
Subject: [PATCH 22/22] removed proxy lines from twistlock-user.sh
---
v2/util/twistlock-user.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh
index 61f7ae7..fcd13dc 100755
--- a/v2/util/twistlock-user.sh
+++ b/v2/util/twistlock-user.sh
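Review bot: `ExecStartPost=` runs once the `ExecStart` process has been started, which for a `Type=simple` unit is immediately, not after `add_users.sh` and `twistlock-user.sh` have finished; unless this unit is `Type=oneshot` (its `[Service]` header is outside the hunk), `twistlockproxy.sh` can rewrite `/etc/environment` before user creation and the client-key install have completed, losing the ordering the `&&` chain was built to enforce. `/usr/bin/sudo bash` inside the unit is redundant if the unit already runs as root, which `ExecStartPre=-/usr/bin/rm -rf /home/core/mesos-users` and the appends to `/etc/environment` suggest, and otherwise depends on a NOPASSWD entry; `ExecStartPost=/usr/bin/bash /home/core/mesos-systemd/v2/util/twistlockproxy.sh` is the direct form. The new script appends to `/etc/environment` without checking whether the lines are already present, the point raised on patch 19.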
@@ -42,8 +42,8 @@ for i in `ls /home`;
 done
 #steps to run twistlock as proxy server
-echo "export DOCKER_HOST=tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998" >> /etc/environment
-echo "export DOCKER_TLS_VERIFY=1" >> /etc/environment
+#echo "export DOCKER_HOST=tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998" >> /etc/environment
+#echo "export DOCKER_TLS_VERIFY=1" >> /etc/environment