1. Overview

DC/OS is a distributed operating system. It integrates several open-source components to enable the management of multiple machines as if they were a single computer. DC/OS is built on the Apache Mesos distributed systems kernel and the Marathon container orchestration system. This procedure was tested on Mesosphere DC/OS 1.11.

To deploy Prisma Cloud to a Kubernetes cluster running on DC/OS, see the Install Kubernetes guide.

2. Deployment architecture

Prisma Cloud Console is deployed to a public slave node. Public slave nodes are accessible from outside the cluster. Because Console provides a management interface through a browser window, it must be accessible from outside the cluster.

Prisma Cloud Defender is deployed on every private slave node. Slave nodes run your applications. Slave nodes reside on a private subnet, so they are not accessible from outside the cluster.

The following diagram shows the components in a DC/OS cluster, and where Prisma Cloud gets deployed.

[Figure: DC/OS cluster architecture, showing Console on a public slave node and Defender on each private slave node]

3. Install Console

Use the twistlock.sh script to install Console onto a public agent in your cluster.

Prerequisites:

  • You have installed the DC/OS CLI tool.

  • Ports 8083 and 8084 on the public agent are open. Console’s web interface and API are served on port 8083, and Defender communicates with Console on port 8084. If you deploy DC/OS with the Terraform-based Universal Installer, add 8083 and 8084 to the public_agents_additional_ports input in your main.tf configuration file.

  1. Get a link to the current recommended release.

  2. SSH to a public agent in your cluster.

    $ dcos node ssh --master-proxy --mesos-id=<PUBLIC-AGENT>
  3. Retrieve the Prisma Cloud release tarball.

    $ wget <LINK-TO-CURRENT-RECOMMENDED-RELEASE>
  4. Unpack the Prisma Cloud release tarball.

    $ mkdir twistlock
    $ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
  5. Install Prisma Cloud.

    We recommend that you install both Console and Defender on the public agent. To simplify the installation of both components, use the onebox install target.

    $ cd twistlock
    $ sudo ./twistlock.sh -s onebox

    Where:

    -s

    Agree to the EULA.

    -z

    (Optional) Emit additional debug messages. Use this option if an error occurs while running twistlock.sh.

    onebox

    Install Console and Defender onto a single server.

  6. Verify that Prisma Cloud has been properly installed, and that it is running on your host:

    $ sudo docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"
    CONTAINER ID        STATUS              NAMES
    764ecb72207e        Up 5 minutes        twistlock_defender
    be5e385fea32        Up 5 minutes        twistlock_console
  7. Open a browser window, and navigate to Console’s front page.

    Go to https://<PUBLIC-AGENT>:8083

    Where <PUBLIC-AGENT> is the hostname or IP address of the public agent. To get the IP address of each public agent, run the following command. It selects the agents that carry a slave_public resource reservation, connects to each over SSH, and prints the externally visible IP address reported by ifconfig.co:

    $ for id in $(dcos node --json | \
      jq --raw-output \
      '.[] | select(.reserved_resources.slave_public != null) | .id'); \
        do dcos node ssh \
          --option StrictHostKeyChecking=no \
          --option LogLevel=quiet \
          --master-proxy \
          --mesos-id=$id "curl -s ifconfig.co" ; \
      done 2>/dev/null
  8. Create your first admin user by entering a username and password.

  9. Enter your license key.

    After your license is validated, the dashboard is unlocked.

  10. Go to Manage > Defenders > Names. Verify that the Subject Alternative Name (SAN) table contains the IP address for the public agent where Console runs. If not, click Add SAN, then enter the IP address.
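The verification in step 6 is easy to eyeball on one host, but a post-install check that parses the same docker ps table and reports anything that is not in the Up state is more reliable, especially when a container is in a restart loop. The following is an added example, not part of the original guide or of the Prisma Cloud tooling: it parses the output of the docker ps command from step 6 (the two sample tables below are constructed, the second one a deliberate failure case) and returns a list of problems for the two container names the onebox install creates.

```python
import re
import subprocess
import sys

# Constructed sample of `docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"`
# as it looks after a healthy onebox install (matches step 6 of the guide).
SAMPLE_DOCKER_PS = """\
CONTAINER ID        STATUS              NAMES
764ecb72207e        Up 5 minutes        twistlock_defender
be5e385fea32        Up 5 minutes        twistlock_console
"""

# Constructed failure case: one container restart-looping, one exited.
SAMPLE_DOCKER_PS_BROKEN = """\
CONTAINER ID        STATUS              NAMES
764ecb72207e        Restarting (1) 12 seconds ago   twistlock_defender
be5e385fea32        Exited (137) 3 minutes ago      twistlock_console
"""

# The two containers a onebox install must leave running.
EXPECTED_CONTAINERS = ("twistlock_console", "twistlock_defender")

DOCKER_PS_FORMAT = "table {{.ID}}\t{{.Status}}\t{{.Names}}"


def parse_docker_ps(text):
    """Return {container name: status string} from the table output.

    Columns are separated by runs of two or more spaces; the status column
    itself contains single spaces ("Up 5 minutes"), so a plain split() is wrong.
    """
    rows = {}
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 3:
            continue  # not a row we understand; ignore rather than crash
        _container_id, status, name = cols
        rows[name] = status
    return rows


def check_prisma_containers(text, expected=EXPECTED_CONTAINERS):
    """Return a list of problems; an empty list means both containers are Up."""
    rows = parse_docker_ps(text)
    problems = []
    for name in expected:
        status = rows.get(name)
        if status is None:
            problems.append(f"{name}: container not present")
        elif not status.startswith("Up"):
            # Covers "Exited (...)", "Restarting (...)", "Created", "Paused"
            problems.append(f"{name}: {status}")
    return problems


if __name__ == "__main__":
    # Run the real command on the public agent (needs sudo, as in step 6).
    output = subprocess.run(
        ["sudo", "docker", "ps", "--format", DOCKER_PS_FORMAT],
        check=True, capture_output=True, text=True,
    ).stdout
    found = check_prisma_containers(output)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it on the public agent after step 5; a non-zero exit means at least one of the two containers is missing or not in the Up state, and the printed status tells you which.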

4. Install Defender

Deploy Defender to all slave agents in your cluster. Use twistcli to generate the Defender app in JSON format, and then start it with the DC/OS CLI tool. By default, the Defender image is retrieved from Prisma Cloud’s cloud registry.

Prerequisites:

  • You have deployed Console to a public agent in your cluster.

  1. Download twistcli to a host where you’ve installed the DC/OS CLI.

    1. Open Compute Console and go to Manage > System > Downloads.

    2. Under twistcli tool, download the version for your operating system.

  2. Generate the Defender app JSON using twistcli, where:

    • <PLATFORM> can be linux or osx.

    • <CONSOLE> is the IP address of the public agent where Console runs.

    • <TWISTLOCK_USER> is a Console user with a role of Defender Manager or higher.

    • <NUMBER_OF_AGENTS> is the number of private agent nodes in your cluster.

      The following command connects to Console’s API (specified in --address) as user <TWISTLOCK_USER> (specified in --user), and generates a Defender app in JSON format according to the configuration options passed to twistcli.

      $ <PLATFORM>/twistcli defender export dcos \
        --address https://<CONSOLE>:8083 \
        --user <TWISTLOCK_USER> \
        --cluster-address <CONSOLE> \
        --agents <NUMBER_OF_AGENTS>
  3. Deploy the Defender app on your cluster using the dcos CLI tool.

    $ dcos marathon app add ./dcos.json

    Alternatively, you could deploy the Defender app using the DC/OS web interface, Marathon web interface, or Marathon REST API.
  4. Validate the Defender app is running.

    $ dcos marathon app list
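Two values in the procedures above come from the same source: the public agent ID used in step 7 of Install Console (the jq filter on `reserved_resources.slave_public`) and the <NUMBER_OF_AGENTS> value passed to twistcli --agents in step 2 of Install Defender. Getting the count wrong means either idle Defender instances or private agents with no Defender. The following is an added example, not part of the original guide or of the twistcli tool: it applies the page's selection rule to a constructed sample in the shape of `dcos node --json` (the `id` and `reserved_resources.slave_public` fields are the ones the page's jq filter uses; `hostname` is assumed so the sample can carry an address), derives the public agent IDs and the private agent count, and compares that count with the `instances` field of the generated Marathon app JSON (`instances` is the standard Marathon app field; the page does not show the contents of dcos.json, so the sample app below is a constructed placeholder).

```python
import json
import sys

# Constructed sample in the shape of `dcos node --json`: one public agent
# (carries a slave_public reservation) and three private agents.
SAMPLE_NODES_JSON = json.dumps([
    {"id": "aaaa-S1", "hostname": "10.0.7.10",
     "reserved_resources": {"slave_public": {"cpus": 4.0}}},
    {"id": "aaaa-S2", "hostname": "10.0.1.21", "reserved_resources": {}},
    {"id": "aaaa-S3", "hostname": "10.0.1.22", "reserved_resources": {}},
    {"id": "aaaa-S4", "hostname": "10.0.1.23", "reserved_resources": {}},
])

# Constructed placeholder for the Marathon app JSON; only `instances` is checked.
SAMPLE_APP_JSON = json.dumps({"id": "/defender-example", "instances": 3})


def is_public_agent(node):
    """The page's jq rule: a node is public if reserved_resources.slave_public is set."""
    return node.get("reserved_resources", {}).get("slave_public") is not None


def split_agents(nodes_json):
    """Return (public_nodes, private_nodes) from `dcos node --json` output."""
    nodes = json.loads(nodes_json)
    public = [n for n in nodes if is_public_agent(n)]
    private = [n for n in nodes if not is_public_agent(n)]
    return public, private


def public_agent_ids(nodes_json):
    """IDs to pass to `dcos node ssh --mesos-id=<PUBLIC-AGENT>` (step 7)."""
    public, _ = split_agents(nodes_json)
    return [n["id"] for n in public]


def number_of_agents(nodes_json):
    """Value for twistcli --agents: one Defender per private agent."""
    _, private = split_agents(nodes_json)
    return len(private)


def twistcli_export_argv(platform, console, user, nodes_json):
    """Argument vector for the export command from step 2, with --agents computed."""
    return [
        f"{platform}/twistcli", "defender", "export", "dcos",
        "--address", f"https://{console}:8083",
        "--user", user,
        "--cluster-address", console,
        "--agents", str(number_of_agents(nodes_json)),
    ]


def check_defender_app(app_json, nodes_json):
    """Return problems found when comparing the app with the cluster; [] means OK."""
    app = json.loads(app_json)
    want = number_of_agents(nodes_json)
    got = app.get("instances")
    problems = []
    if got != want:
        problems.append(f"instances={got}, but the cluster has {want} private agents")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_defender.py <dcos-node-json-file> <dcos.json>
    # Produce the first file with: dcos node --json > nodes.json
    with open(sys.argv[1]) as f:
        nodes_json = f.read()
    with open(sys.argv[2]) as f:
        app_json = f.read()
    print("public agents:", ", ".join(public_agent_ids(nodes_json)))
    print("private agents (--agents):", number_of_agents(nodes_json))
    found = check_defender_app(app_json, nodes_json)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it before `dcos marathon app add ./dcos.json`; if the private agent count changed between generating dcos.json and deploying it, the check reports the mismatch and you can regenerate the app with the correct --agents value.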