From 1643e56f64ac2cc86db21d54bb8874c602311bfe Mon Sep 17 00:00:00 2001 From: anshu pande Date: Thu, 21 Jan 2016 17:00:27 -0500 Subject: [PATCH 01/20] script to install twistlock defender and client certs --- v2/setup/twistlock.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 v2/setup/twistlock.sh diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh new file mode 100644 index 0000000..0550b94 --- /dev/null +++ b/v2/setup/twistlock.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +source /etc/environment + +HOMEDIR=$(eval echo "~`whoami`") + +sudo docker run --rm \ + -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \ + us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlock + + +while read line; do + etcdctl set $line +done < ${HOMEDIR}/.marathon + + +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh + +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/cert/client-certs.sh | sh From 728d0673fd9cc79434ac27bdbc9c6018194e4d8d Mon Sep 17 00:00:00 2001 From: anshu pande Date: Fri, 22 Jan 2016 10:48:12 -0500 Subject: [PATCH 02/20] updated .twistlock in while loop --- v2/setup/twistlock.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index 0550b94..59c42e2 100644 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh 
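Review bot: The last two lines of the new script download `defender.sh` and `client-certs.sh` with `-k` and then execute them as root (`sudo ./defender.sh`, `| sh`), so anyone who can interpose on the TLS connection to the console can run arbitrary code as root on every host this script runs on. Drop `-k` and trust the console certificate explicitly, e.g. `curl -sSL --cacert /etc/ssl/certs/twistlock-console.pem ...` (path illustrative), or fix the console's certificate chain so default verification passes. The same two lines put the username and password into the JSON body on curl's command line, where they are visible to `ps` on the host; feeding the body through `-d @-` from stdin keeps it out of argv. As written the body is also single-quoted, so the literal text `$twistlockusername` is sent rather than the value.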
@@ -11,7 +11,7 @@ sudo docker run --rm \ while read line; do etcdctl set $line -done < ${HOMEDIR}/.marathon +done < ${HOMEDIR}/.twistlock curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh From 2259a4692120abaee2b5f2c49c88924ab4f1ae08 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Fri, 22 Jan 2016 12:19:43 -0500 Subject: [PATCH 03/20] updated the logic --- v2/setup/twistlock.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index 59c42e2..535a214 100644 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh @@ -9,9 +9,12 @@ sudo docker run --rm \ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlock -while read line; do - etcdctl set $line -done < ${HOMEDIR}/.twistlock +#while read line; do +# etcdctl set $line +#done < ${HOMEDIR}/.twistlock + +etcdctl set twistlockusername $twistlockusername +etcdctl set twistlockpassword $twistlockpassword curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh From f97b83efab397b28a2f4c885e8923863335e2d5b Mon Sep 17 00:00:00 2001 
From: anshu pande Date: Fri, 22 Jan 2016 15:06:41 -0500 Subject: [PATCH 04/20] also added twistlock.service --- v2/setup/twistlock.sh | 13 +++---------- v2/util-units/twislock.service | 20 ++++++++++++++++++++ 2 files changed, 23 insertions(+), 10 deletions(-) create mode 100644 v2/util-units/twislock.service diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index 535a214..d49cc17 100644 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh @@ -9,14 +9,7 @@ sudo docker run --rm \ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlock -#while read line; do -# etcdctl set $line -#done < ${HOMEDIR}/.twistlock +while read line; do + etcdctl set $line +done < ${HOMEDIR}/.twistlock -etcdctl set twistlockusername $twistlockusername -etcdctl set twistlockpassword $twistlockpassword - - -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh - -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/cert/client-certs.sh | sh diff --git a/v2/util-units/twislock.service b/v2/util-units/twislock.service new file mode 100644 index 0000000..bbd2af5 --- /dev/null +++ b/v2/util-units/twislock.service 
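Review bot: The restored `while read line; do etcdctl set $line` loop relies on unquoted word-splitting to turn each line of `.twistlock` into a key and a value, so a password containing spaces, `*` or a leading `-` is mangled or parsed as an etcdctl option, and `read` without `-r` also strips backslashes. Use `while IFS=' ' read -r key value; do etcdctl set "$key" "$value"; done < "${HOMEDIR}/.twistlock"`. The console credentials also end up twice on disk/in the cluster: as a file in the home directory that the script never removes, and as plaintext etcd keys that presumably any etcd client on the cluster network can `etcdctl get`; at minimum `chmod 600` the file before the loop and delete it afterwards, and consider whether etcd is an acceptable store for this secret at all.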
@@ -0,0 +1,20 @@
+[Unit]
+Description=adds twislock defender and client certs
+
+[Service]
+EnvironmentFile=/etc/environment
+Environment="twistlockusername=etcdctl get /twistlockusername"
+Environment="twistlockpassword=etcdctl get /twistlock..password"
+User=core
+Type=oneshot
+RemainAfterExit=false
+
+ExecStartPre=curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh
+
+ExecStart=curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/cert/client-certs.sh | sh
+
+[Install]
+WantedBy=multi-user.target
+
+[X-Fleet]
+Global=true
From e621dfaa7748968a1808539cc38503642a6db8df Mon Sep 17 00:00:00 2001 From: anshu pande Date: Fri, 22 Jan 2016 15:16:05 -0500 Subject: [PATCH 05/20] corrected typo --- v2/util-units/twislock.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/util-units/twislock.service b/v2/util-units/twislock.service
index bbd2af5..78073ca 100644
--- a/v2/util-units/twislock.service
+++ b/v2/util-units/twislock.service
@@ -4,7 +4,7 @@ Description=adds twislock defender and client certs
 [Service]
 EnvironmentFile=/etc/environment
 Environment="twistlockusername=etcdctl get /twistlockusername"
-Environment="twistlockpassword=etcdctl get /twistlock..password"
+Environment="twistlockpassword=etcdctl get /twistlock.password"
 User=core
 Type=oneshot
 RemainAfterExit=false
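Review bot: `Environment="twistlockusername=etcdctl get /twistlockusername"` assigns the literal string `etcdctl get /twistlockusername` — systemd does not execute commands inside `Environment=` — and the `ExecStartPre=`/`ExecStart=` lines are not run through a shell either, so `$(...)`, `&&`, `|` and `sudo` are handed to curl as plain arguments and the unit cannot authenticate at all. Move the etcdctl lookups and the curl pipeline into a script (the repository already has `v2/setup/twistlock.sh`) and use `ExecStart=/usr/bin/bash /absolute/path/to/twistlock.sh`, or at least `ExecStart=/usr/bin/bash -c '...'`. `User=core` combined with `sudo ./defender.sh` is a roundabout way of running as root; if root is required, drop `User=` and the `sudo`. `-k` also disables certificate verification for a script that is then executed as root, so it should be replaced by `--cacert` against the console's CA.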
From 90958e400c49699bac7e1538dee1d78f72bc17c3 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Tue, 26 Jan 2016 11:29:31 -0500 Subject: [PATCH 06/20] removed twistlock.service to get all the logic in twistlock.sh --- v2/setup/twistlock.sh | 9 +++++++++ v2/util-units/twislock.service | 20 -------------------- 2 files changed, 9 insertions(+), 20 deletions(-) delete mode 100644 v2/util-units/twislock.service diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index d49cc17..6e429c9 100644 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh @@ -13,3 +13,12 @@ while read line; do etcdctl set $line done < ${HOMEDIR}/.twistlock + + +twistlockusername=$(etcdctl get /twistlockusername) +twistlockpassword=$(etcdctl get /twistlockpassword) + +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/cert/client-certs.sh | sh + + +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh diff --git a/v2/util-units/twislock.service b/v2/util-units/twislock.service deleted file mode 100644 index 78073ca..0000000 --- a/v2/util-units/twislock.service +++ /dev/null 
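Review bot: `$(eval echo $twistlockusername)` and `$(eval echo $twistlockpassword)` run `eval` on values read back from etcd, so a value containing `$(...)`, backticks or `;` is executed as shell on this host, and a value containing `"` breaks the hand-built JSON; the outer `$(eval echo $(echo $(curl ...) | sed ...))` does the same to the token string returned by the console. Neither `eval` is needed — `etcdctl get` and `sed` already return plain strings — so use the variables directly and build the body with printf, e.g. `printf '{"username":"%s","password":"%s"}' "$twistlockusername" "$twistlockpassword" | curl -sS -H "Content-Type: application/json" -d @- ...`, which also keeps the password off curl's argv. If values may contain quotes or backslashes they need real JSON escaping (e.g. `jq -n --arg u "$twistlockusername" --arg p "$twistlockpassword" '{username:$u,password:$p}'`), assuming jq is available on these hosts.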
@@ -1,20 +0,0 @@ -[Unit] -Description=adds twislock defender and client certs - -[Service] -EnvironmentFile=/etc/environment -Environment="twistlockusername=etcdctl get /twistlockusername" -Environment="twistlockpassword=etcdctl get /twistlock.password" -User=core -Type=oneshot -RemainAfterExit=false - -ExecStartPre=curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh - -ExecStart=curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"$twistlockusername", "password":"$twistlockpassword"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/cert/client-certs.sh | sh - -[Install] -WantedBy=multi-user.target - -[X-Fleet] -Global=true From f4a97f07245d50b685a2f0443af4d39c295a07a6 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Wed, 27 Jan 2016 10:58:40 -0500 Subject: [PATCH 07/20] URL parameterized --- v2/setup/twistlock.sh | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) mode change 100644 => 100755 v2/setup/twistlock.sh diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh old mode 100644 new mode 100755 index 6e429c9..21e2f38 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh 
@@ -8,17 +8,25 @@ sudo docker run --rm \ -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \ us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlock - while read line; do etcdctl set $line done < ${HOMEDIR}/.twistlock +sudo docker run --rm \ + -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \ + us-east-1 $CONTROL_TIER_S3SECURE_BUCKET .twistlockparameter + + +while read line; do + etcdctl set $line +done < ${HOMEDIR}/.twistlockparameter twistlockusername=$(etcdctl get /twistlockusername) twistlockpassword=$(etcdctl get /twistlockpassword) +twistlockparameter=$(etcdctl get /twistlockparameter) -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/cert/client-certs.sh | sh +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"anshu", "password":"anshu"}' https://'$(eval echo $twistlockparameter)':443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://'$(eval echo $twistlockparameter)'/api/v1/cert/client-certs.sh | sh -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://adobe.console.twistlock.com:443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://adobe.console.twistlock.com/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' 
https://'$(eval echo $twistlockparameter)':443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://'$(eval echo $twistlockparameter)'/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh From 614f229baa9c1125ae67775a75b195b0c4564ec5 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Wed, 27 Jan 2016 11:02:20 -0500 Subject: [PATCH 08/20] parameterized URL --- v2/setup/twistlock.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index 21e2f38..f8c41a4 100755 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh 
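Review bot: The first curl in the hunk now sends `"username":"anshu", "password":"anshu"`, a real-looking console credential committed to the repository in place of the etcd-sourced values the second curl still uses. Even once the literal is replaced in a later commit it remains in git history, so that console account should be rotated or disabled rather than relied on, and a pre-commit secret scan would stop this recurring. The defender line below it is the intended pattern — credentials come from `$twistlockusername`/`$twistlockpassword` — and the client-certs line should match it.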
@@ -26,7 +26,7 @@ twistlockusername=$(etcdctl get /twistlockusername) twistlockpassword=$(etcdctl get /twistlockpassword) twistlockparameter=$(etcdctl get /twistlockparameter) -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"anshu", "password":"anshu"}' https://'$(eval echo $twistlockparameter)':443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://'$(eval echo $twistlockparameter)'/api/v1/cert/client-certs.sh | sh +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"anshu", "password":"anshu"}' https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://'$(eval echo $twistlockparameter)':443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://'$(eval echo $twistlockparameter)'/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh From 9472e2148f94defaccb8c0456312088cc14b7af7 Mon Sep 17 00:00:00 2001 
From: anshu pande Date: Wed, 27 Jan 2016 11:09:12 -0500 Subject: [PATCH 09/20] hiding password --- v2/setup/twistlock.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index f8c41a4..0f53deb 100755 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh @@ -26,7 +26,7 @@ twistlockusername=$(etcdctl get /twistlockusername) twistlockpassword=$(etcdctl get /twistlockpassword) twistlockparameter=$(etcdctl get /twistlockparameter) -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"anshu", "password":"anshu"}' https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh +curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh From 1362a9b24c34066db98a010e91c210f1637bfa81 Mon Sep 17 00:00:00 2001 
From: anshu pande Date: Wed, 27 Jan 2016 11:25:07 -0500 Subject: [PATCH 10/20] split out separate sections of the command using \ to make it readable(multiline) --- v2/setup/twistlock.sh | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index 0f53deb..b1ad937 100755 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh 
@@ -26,7 +26,16 @@ twistlockusername=$(etcdctl get /twistlockusername) twistlockpassword=$(etcdctl get /twistlockpassword) twistlockparameter=$(etcdctl get /twistlockparameter) -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh - - -curl -sSL -k --header "authorization:Bearer $(eval echo $(echo $(curl -s -H "Content-Type: application/json" -d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh -o defender.sh && chmod a+x defender.sh && sudo ./defender.sh +curl -sSL -k --header "authorization:Bearer \ +$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ +-d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \ +https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \ +https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh + + +curl -sSL -k --header "authorization:Bearer \ +$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ +-d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \ +https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \ +https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh \ +-o defender.sh && chmod a+x defender.sh && sudo ./defender.sh 
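Review bot: Both curl invocations in the hunk embed a three-deep command substitution (`$(eval echo $(echo $(curl ...) | sed ...))`) just to obtain a bearer token, so the authenticate request — with the password on the command line — is sent twice and the continuation lines are hard to read even after the `\` split. Authenticate once into a variable and reuse it; that also removes the `eval` applied to etcd values and to the token returned by the console, neither of which is needed since `etcdctl get` and `sed` already return plain strings. The rewrite below leaves `-k` out deliberately; the console CA should be supplied with `--cacert` rather than verification being disabled for scripts that run as root.

```bash
# Authenticate once; the console answers {"token":"..."} and sed extracts the token.
token=$(printf '{"username":"%s","password":"%s"}' "${twistlockusername}" "${twistlockpassword}" \
  | curl -sS -H "Content-Type: application/json" -d @- \
      "https://${twistlockparameter}:443/api/v1/authenticate" \
  | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p')
[[ -n "${token}" ]] || { echo "twistlock: authentication failed" >&2; exit 1; }

curl -sSL --header "authorization:Bearer ${token}" \
  "https://${twistlockparameter}/api/v1/cert/client-certs.sh" | sh

curl -sSL --header "authorization:Bearer ${token}" \
  "https://${twistlockparameter}/api/v1/scripts/defender.sh" -o defender.sh \
  && chmod a+x defender.sh && sudo ./defender.sh
```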
From 58964dfa13c1890fa94cc7bf3dfaa486b6615c8a Mon Sep 17 00:00:00 2001 From: anshu pande Date: Wed, 27 Jan 2016 14:09:36 -0500 Subject: [PATCH 11/20] moved logic to install client certs in separate file so that each users gets unique permisssions --- v2/setup/twistlock.sh | 6 ------ v2/setup/twistlockclientcert.sh | 25 +++++++++++++++++++++++++ 2 files changed, 25 insertions(+), 6 deletions(-) create mode 100644 v2/setup/twistlockclientcert.sh diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index b1ad937..5194a51 100755 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh @@ -26,12 +26,6 @@ twistlockusername=$(etcdctl get /twistlockusername) twistlockpassword=$(etcdctl get /twistlockpassword) twistlockparameter=$(etcdctl get /twistlockparameter) -curl -sSL -k --header "authorization:Bearer \ -$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ --d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \ -https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \ -https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh - curl -sSL -k --header "authorization:Bearer \ $(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ diff --git a/v2/setup/twistlockclientcert.sh b/v2/setup/twistlockclientcert.sh new file mode 100644 index 0000000..44c837f --- /dev/null +++ b/v2/setup/twistlockclientcert.sh 
@@ -0,0 +1,25 @@ +#!/bin/bash + +source /etc/environment + +HOMEDIR=$(eval echo "~`whoami`") + +sudo docker run --rm \ + -v ${HOMEDIR}:/data/ behance/docker-aws-s3-downloader \ + us-east-1 $CONTROL_TIER_S3SECURE_BUCKET ."$(echo $USER)" + + +while read line; do + etcdctl set $line +done < ${HOMEDIR}/."$(echo $USER)" + + +twistlockclientusername=$(etcdctl get /twistlockclientusername) +twistlockclientpassword=$(etcdctl get /twistlockclientpassword) +twistlockparameter=$(etcdctl get /twistlockparameter) + +curl -sSL -k --header "authorization:Bearer \ +$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ +-d '{"username":"'$(eval echo $twistlockclientusername)'", "password":"'$(eval echo $twistlockclientpassword)'"}' \ +https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \ +https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh From de10aa0f6cc0a282026b0b2e34f53d579388b9f0 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Fri, 29 Jan 2016 11:23:46 -0500 Subject: [PATCH 12/20] updated logic to run twistlock as proxy server --- v2/setup/twistlockclientcert.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) mode change 100644 => 100755 v2/setup/twistlockclientcert.sh diff --git a/v2/setup/twistlockclientcert.sh b/v2/setup/twistlockclientcert.sh old mode 100644 new mode 100755 index 44c837f..70cb068 --- a/v2/setup/twistlockclientcert.sh +++ b/v2/setup/twistlockclientcert.sh 
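Review bot: The file downloaded as `."$(echo $USER)"` is per user, but its lines are written with `etcdctl set` to the fixed keys `/twistlockclientusername` and `/twistlockclientpassword`, which are cluster-global — every user's run overwrites the same two keys and any etcd client can read them, so the "unique permissions per user" this file was split out for do not survive the round trip through etcd. Read the credentials from the downloaded file straight into shell variables (e.g. `while IFS=' ' read -r key value; do case "$key" in twistlockclientusername) twistlockclientusername=$value;; twistlockclientpassword) twistlockclientpassword=$value;; esac; done < "${HOMEDIR}/.${USER}"`) and skip etcd for them entirely. Note also that `$USER` and `whoami` identify the invoking user only when the script is not run through `sudo`; with sudo's default environment reset both presumably resolve to root, so `HOMEDIR` becomes `/root` and the client certs land there rather than in the user's home — worth confirming against how the script is invoked.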
@@ -18,8 +18,24 @@ twistlockclientusername=$(etcdctl get /twistlockclientusername) twistlockclientpassword=$(etcdctl get /twistlockclientpassword) twistlockparameter=$(etcdctl get /twistlockparameter) +#steps to generate private cert for each ssh user in HOMEDIR/.docker + curl -sSL -k --header "authorization:Bearer \ $(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ -d '{"username":"'$(eval echo $twistlockclientusername)'", "password":"'$(eval echo $twistlockclientpassword)'"}' \ https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \ https://"$(eval echo $twistlockparameter)"/api/v1/cert/client-certs.sh | sh + +#steps to run twistlock as proxy server + +etcdctl set DOCKER_HOST tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998 +etcdctl set DOCKER_TLS_VERIFY 1 + + +DOCKER_HOST=$(etcdctl get DOCKER_HOST) +export DOCKER_HOST + +DOCKER_TLS_VERIFY=$(etcdctl get DOCKER_TLS_VERIFY) +export DOCKER_TLS_VERIFY + + From 6fffd01e86faf53535dd91a6c341fc6d6e377139 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Thu, 4 Feb 2016 13:57:40 -0500 Subject: [PATCH 13/20] add twistlock clientcerts for each user --- v2/util/add_users.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/v2/util/add_users.sh b/v2/util/add_users.sh index cf9b771..7ee4e1f 100755 --- a/v2/util/add_users.sh +++ b/v2/util/add_users.sh @@ -1,5 +1,7 @@ #!/bin/bash +SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + USERS_DIRECTORY=$1 USAGE_MESSAGE="Please provide a directory of users to add." @@ -19,6 +21,7 @@ if [[ -d "$USERS_DIRECTORY" ]]; then sudo useradd -p "*" -U -m $username -G sudo,docker sudo update-ssh-keys -u $username -a $username $user + sudo /bin/bash ${SCRIPTDIR}/v2/setup/twistlockclientcert.sh done exit 0; From fe0c3b00077bc7dec6f7b398ee00efa8bee8c0c2 Mon Sep 17 00:00:00 2001 
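Review bot: `etcdctl set DOCKER_HOST tcp://$(eval echo $COREOS_PRIVATE_IPV4):9998` writes this host's private IP into a cluster-wide etcd key, so each host that runs the script overwrites the previous one's value and the `etcdctl get DOCKER_HOST` two lines later returns whichever host wrote last, not the local address. The trailing `export DOCKER_HOST` / `export DOCKER_TLS_VERIFY` also have no lasting effect, because the script is executed rather than sourced and its environment dies with it. If the intent is to point each user's docker client at the local Twistlock proxy, write the two settings to a per-host profile file instead — `DOCKER_HOST=tcp://${COREOS_PRIVATE_IPV4}:9998` and `DOCKER_TLS_VERIFY=1`, e.g. under `/etc/profile.d/` — and drop the etcd round trip and the unnecessary `eval echo`.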
From: anshu pande Date: Thu, 4 Feb 2016 17:30:54 -0500 Subject: [PATCH 14/20] created a fleet unit for twistlock --- v2/fleet/twistlock-defender.service | 18 ++++++++++++++++++ v2/setup/twistlock.sh | 7 +------ 2 files changed, 19 insertions(+), 6 deletions(-) create mode 100644 v2/fleet/twistlock-defender.service diff --git a/v2/fleet/twistlock-defender.service b/v2/fleet/twistlock-defender.service new file mode 100644 index 0000000..43285cd --- /dev/null +++ b/v2/fleet/twistlock-defender.service @@ -0,0 +1,18 @@ +[Unit] +Description=Install Twistlock Defender +After=docker.service bootstrap.service +Requires=docker.service + +[Service] +User=core +TimeoutStartSec=0 +ExecStart=curl -sSL -k --header "authorization:Bearer \ +$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ +-d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \ +https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \ +https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh \ +-o defender.sh && chmod a+x defender.sh && sudo ./defender.sh + +[X-Fleet] +Global=true + diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index 5194a51..639dd51 100755 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh @@ -27,9 +27,4 @@ twistlockpassword=$(etcdctl get /twistlockpassword) twistlockparameter=$(etcdctl get /twistlockparameter) -curl -sSL -k --header "authorization:Bearer \ -$(eval echo $(echo $(curl -s -H "Content-Type: application/json" \ --d '{"username":"'$(eval echo $twistlockusername)'", "password":"'$(eval echo $twistlockpassword)'"}' \ -https://"$(eval echo $twistlockparameter)":443/api/v1/authenticate) | sed -ne 's/.*"token":"\([^,]*\)".*/\1/p'))" \ -https://"$(eval echo $twistlockparameter)"/api/v1/scripts/defender.sh \ --o defender.sh && chmod a+x defender.sh && sudo ./defender.sh + 
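Review bot: `ExecStart=` in the new unit is a multi-line curl pipeline using `$(...)`, `&&`, `|` and `sudo`, but systemd (and fleet, which hands the unit to systemd) executes `ExecStart=` directly rather than through a shell, so those are passed to curl as literal arguments and the unit fails at start; `$twistlockusername`, `$twistlockpassword` and `$twistlockparameter` are also not defined anywhere in the unit's environment. The second hunk removes exactly this pipeline from `v2/setup/twistlock.sh`; the simpler fix is to keep it there and point the unit at the script with `ExecStart=/usr/bin/bash <absolute path of twistlock.sh on the host>`, letting the script do the `etcdctl get` lookups. `-k` should also not survive into a unit that fetches and runs a script as root on every host (`Global=true`).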
From 1d2be008f0895a54cf8c2a7a323ecfe468e67989 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Sat, 6 Feb 2016 16:37:33 -0500 Subject: [PATCH 15/20] created fleet unit to install client certs for each ssh hosts --- v2/util-units/twistlock-client.service | 12 ++++++++++++ v2/util/twistlock-user.sh | 10 ++++++++++ v2/{setup => util}/twistlockclientcert.sh | 2 -- 3 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 v2/util-units/twistlock-client.service create mode 100755 v2/util/twistlock-user.sh rename v2/{setup => util}/twistlockclientcert.sh (99%) diff --git a/v2/util-units/twistlock-client.service b/v2/util-units/twistlock-client.service new file mode 100644 index 0000000..1b45860 --- /dev/null +++ b/v2/util-units/twistlock-client.service @@ -0,0 +1,12 @@ +[Unit] +Description=Install Twistlock Client keys +After=docker.service bootstrap.service cretae-users.service +Requires=docker.service + +[Service] +User=core +TimeoutStartSec=0 +ExecStart=/usr/bin/sudo bash /home/core/mesos-systemd/v2/util/twistlock-user.sh + +[X-Fleet] +Global=true diff --git a/v2/util/twistlock-user.sh b/v2/util/twistlock-user.sh new file mode 100755 index 0000000..c81d401 --- /dev/null +++ b/v2/util/twistlock-user.sh @@ -0,0 +1,10 @@ +#!/bin/bash +source /etc/environment +/usr/bin/bash /home/core/mesos-systemd/v2/util/twistlockclientcert.sh + +for i in `ls /home`; + + do sudo cp -rf /home/core/.docker /home/$i + + +done diff --git a/v2/setup/twistlockclientcert.sh b/v2/util/twistlockclientcert.sh similarity index 99% rename from v2/setup/twistlockclientcert.sh rename to v2/util/twistlockclientcert.sh index 70cb068..5fee4b7 100755 --- a/v2/setup/twistlockclientcert.sh +++ b/v2/util/twistlockclientcert.sh @@ -37,5 +37,3 @@ export DOCKER_HOST DOCKER_TLS_VERIFY=$(etcdctl get DOCKER_TLS_VERIFY) export DOCKER_TLS_VERIFY - - From 71df700645852f19407004f66c27b8aefbf2b834 Mon Sep 17 00:00:00 2001 
From: anshu pande Date: Sat, 6 Feb 2016 16:43:40 -0500 Subject: [PATCH 16/20] reverted changes to add_users.sh --- v2/util/add_users.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/v2/util/add_users.sh b/v2/util/add_users.sh index 7ee4e1f..2c9c999 100755 --- a/v2/util/add_users.sh +++ b/v2/util/add_users.sh @@ -21,7 +21,6 @@ if [[ -d "$USERS_DIRECTORY" ]]; then sudo useradd -p "*" -U -m $username -G sudo,docker sudo update-ssh-keys -u $username -a $username $user - sudo /bin/bash ${SCRIPTDIR}/v2/setup/twistlockclientcert.sh done exit 0; From b26db38f52c79e4bac6749cb9ee61d367ccc2801 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Sat, 6 Feb 2016 16:46:09 -0500 Subject: [PATCH 17/20] reverted changes to add_users.sh --- v2/util/add_users.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/v2/util/add_users.sh b/v2/util/add_users.sh index 2c9c999..cf9b771 100755 --- a/v2/util/add_users.sh +++ b/v2/util/add_users.sh @@ -1,7 +1,5 @@ #!/bin/bash -SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - USERS_DIRECTORY=$1 USAGE_MESSAGE="Please provide a directory of users to add." From 18ce3ec35fe6e4e1ddea4eb3a498e664f5369dde Mon Sep 17 00:00:00 2001 From: anshu pande Date: Tue, 9 Feb 2016 12:06:35 -0500 Subject: [PATCH 18/20] update twistlock defender --- v2/fleet/twistlock-defender.service | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/v2/fleet/twistlock-defender.service b/v2/fleet/twistlock-defender.service index 43285cd..61a02ae 100644 --- a/v2/fleet/twistlock-defender.service +++ b/v2/fleet/twistlock-defender.service @@ -3,7 +3,11 @@ Description=Install Twistlock Defender After=docker.service bootstrap.service Requires=docker.service + [Service] +Environment="twistlockusername=$(etcdctl get /twistlockusername)" +Environment="twistlockpassword=$(etcdctl get /twistlockpassword)" +Environment="twistlockparameter=$(etcdctl get /twistlockparameter)" User=core TimeoutStartSec=0 ExecStart=curl -sSL -k --header "authorization:Bearer \ 
From 993180b47947f4a8cdf8b1b29d89ce5fcd0bda49 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Tue, 9 Feb 2016 12:08:45 -0500 Subject: [PATCH 19/20] made chage to twistlock.sh --- v2/setup/twistlock.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/v2/setup/twistlock.sh b/v2/setup/twistlock.sh index 639dd51..0c11275 100755 --- a/v2/setup/twistlock.sh +++ b/v2/setup/twistlock.sh @@ -22,9 +22,6 @@ while read line; do done < ${HOMEDIR}/.twistlockparameter -twistlockusername=$(etcdctl get /twistlockusername) -twistlockpassword=$(etcdctl get /twistlockpassword) -twistlockparameter=$(etcdctl get /twistlockparameter) From ae48936f7a99c0a5465c06fa0c977221349aa587 Mon Sep 17 00:00:00 2001 From: anshu pande Date: Tue, 9 Feb 2016 14:15:36 -0500 Subject: [PATCH 20/20] updated environment for fleet --- v2/fleet/twistlock-defender.service | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/v2/fleet/twistlock-defender.service b/v2/fleet/twistlock-defender.service index 61a02ae..35c10f3 100644 --- a/v2/fleet/twistlock-defender.service +++ b/v2/fleet/twistlock-defender.service @@ -5,9 +5,9 @@ Requires=docker.service [Service] -Environment="twistlockusername=$(etcdctl get /twistlockusername)" -Environment="twistlockpassword=$(etcdctl get /twistlockpassword)" -Environment="twistlockparameter=$(etcdctl get /twistlockparameter)" +Environment="twistlockusername=etcdctl get /twistlockusername" +Environment="twistlockpassword=etcdctl get /twistlockpassword" +Environment="twistlockparameter=etcdctl get /twistlockparameter" User=core TimeoutStartSec=0 ExecStart=curl -sSL -k --header "authorization:Bearer \
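Review bot: After this change `Environment="twistlockusername=etcdctl get /twistlockusername"` sets the variable to the literal text `etcdctl get /twistlockusername`, and the `$(etcdctl get ...)` form it replaces was never expanded either — `Environment=` accepts only static strings and `%` specifiers, so the console will be sent that literal text as the username. Fetch the values at start time instead: have an `ExecStartPre=` helper script write `twistlockusername=...`, `twistlockpassword=...` and `twistlockparameter=...` from `etcdctl get` into a root-only file such as `/run/twistlock.env` (mode 0600, it holds a password) and load it with `EnvironmentFile=-/run/twistlock.env`, or simply do the lookups inside a script invoked by `ExecStart=`. The `ExecStart=` line that closes the hunk is still the shell pipeline (its continuation lines are outside the hunk) and needs a shell just as much, since systemd will not evaluate `$(...)`, `&&` or `|`.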