github.com/imran-kn/cilium-fork@v1.6.9/Documentation/gettingstarted/mesos.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 http://docs.cilium.io 6 7 .. _gsg_mesos: 8 9 ************************** 10 Cilium with Mesos/Marathon 11 ************************** 12 13 This tutorial leverages Vagrant and VirtualBox to deploy Apache Mesos, Marathon 14 and Cilium. You will run Cilium to apply a simple policy between a simulated 15 web-service and clients. This tutorial can be run on any operating system 16 supported by Vagrant including Linux, macOS, and Windows. 17 18 For more information on Apache Mesos and Marathon orchestration, check out the 19 `Mesos <https://github.com/apache/mesos>`_ and `Marathon 20 <https://mesosphere.github.io/marathon/>`_ GitHub pages, respectively. 21 22 Step 0: Install Vagrant 23 ======================= 24 25 You need to run at least Vagrant version 1.8.3 or you will run into issues 26 booting the Ubuntu 17.04 base image. You can verify by running ``vagrant 27 --version``. 28 29 If you don't already have Vagrant installed, follow the 30 `Vagrant Install Instructions <https://www.vagrantup.com/docs/installation/>`_ 31 or see `Download Vagrant <https://www.vagrantup.com/downloads.html>`_ for newer versions. 32 33 34 Step 1: Download the Cilium Source Code 35 ======================================= 36 37 Download the latest Cilium `source code <https://github.com/cilium/cilium/archive/master.zip>`_ 38 and unzip the files. 39 40 Alternatively, if you are a developer, feel free to clone the repository: 41 42 :: 43 44 $ git clone https://github.com/cilium/cilium 45 46 Step 2: Starting a VM with Cilium 47 ================================= 48 49 Open a terminal and navigate into the top of the ``cilium`` source directory. 50 51 Then navigate into ``examples/mesos`` and run ``vagrant up``: 52 53 :: 54 55 $ cd examples/mesos 56 $ vagrant up 57 58 The script usually takes a few minutes depending on the speed of your internet 59 connection. Vagrant will set up a VM, install Mesos & Marathon, run Cilium with 60 the help of Docker compose, and start up the Mesos master and slave services. 61 When the script completes successfully, it will print: 62 63 :: 64 65 ==> default: Creating cilium-kvstore 66 Creating cilium-kvstore ... done 67 ==> default: Creating cilium ... 68 ==> default: Creating cilium 69 Creating cilium ... done 70 ==> default: Installing loopback driver... 71 ==> default: Installing cilium-cni to /host/opt/cni/bin/ ... 72 ==> default: Installing new /host/etc/cni/net.d/00-cilium.conf ... 73 ==> default: Deploying Vagrant VM + Cilium + Mesos...done 74 $ 75 76 If the script exits with an error message, do not attempt to proceed with the 77 tutorial, as later steps will not work properly. Instead, contact us on the 78 `Cilium Slack channel <https://cilium.herokuapp.com>`_. 79 80 Step 3: Accessing the VM 81 ======================== 82 83 After the script has successfully completed, you can log into the VM using 84 ``vagrant ssh``: 85 86 :: 87 88 $ vagrant ssh 89 90 91 All commands for the rest of the tutorial below should be run from inside this 92 Vagrant VM. If you end up disconnecting from this VM, you can always reconnect 93 by going to the ``examples/mesos`` directory and then running the command ``vagrant ssh``. 94 95 Step 4: Confirm that Cilium is Running 96 ====================================== 97 98 The Cilium agent is now running and you can interact with it using the 99 ``cilium`` CLI client. Check the status of the agent by running ``cilium 100 status``: 101 102 :: 103 104 $ cilium status 105 KVStore: Ok Consul: 172.18.0.2:8300 106 ContainerRuntime: Ok docker daemon: OK 107 Kubernetes: Disabled 108 Cilium: Ok OK 109 NodeMonitor: Disabled 110 Cilium health daemon: Ok 111 IPv4 address pool: 3/65535 allocated 112 IPv6 address pool: 2/65535 allocated 113 Controller Status: 10/10 healthy 114 Proxy Status: OK, ip 10.15.0.1, port-range 10000-20000 115 Cluster health: 1/1 reachable (2018-06-19T15:10:28Z) 116 117 The status indicates that all necessary components are operational. 118 119 Step 5: Run Script to Start Marathon 120 ==================================== 121 122 Start Marathon inside the Vagrant VM: 123 124 :: 125 126 $ ./start_marathon.sh 127 Starting marathon... 128 ... 129 ... 130 ... 131 ... 132 Done 133 134 Step 6: Simulate a Web-Server and Clients 135 ========================================= 136 137 Use ``curl`` to submit a task to Marathon for scheduling, with data to run the 138 simulated web-server provided by the ``web-server.json``. The web-server simply 139 responds to requests on a particular port. 140 141 :: 142 143 $ curl -i -H 'Content-Type: application/json' -d @web-server.json 127.0.0.1:8080/v2/apps 144 145 You should see output similar to the following: 146 147 :: 148 149 HTTP/1.1 201 Created 150 ... 151 Marathon-Deployment-Id: [UUID] 152 ... 153 154 Confirm that Cilium sees the new workload. The output should return the 155 endpoint with label ``mesos:id=web-server`` and the assigned IP: 156 157 :: 158 159 $ cilium endpoint list 160 ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS 161 ENFORCEMENT ENFORCEMENT 162 20928 Disabled Disabled 59281 mesos:id=web-server f00d::a0f:0:0:51c0 10.15.137.206 ready 163 23520 Disabled Disabled 4 reserved:health f00d::a0f:0:0:5be0 10.15.162.64 ready 164 165 Test the web-server provides OK output: 166 167 :: 168 169 $ export WEB_IP=`cilium endpoint list | grep web-server | awk '{print $7}'` 170 $ curl $WEB_IP:8181/api 171 OK 172 173 174 Run a script to create two client tasks ("good client" and "bad client") that 175 will attempt to access the web-server. The output of these tasks will be used 176 to validate the Cilium network policy enforcement later in the exercise. The 177 script will generate ``goodclient.json`` and ``badclient.json`` files for the 178 client tasks, respectively: 179 180 :: 181 182 $ ./generate_client_file.sh goodclient 183 $ ./generate_client_file.sh badclient 184 185 186 Then submit the client tasks to Marathon, which will generate ``GET /public`` and ``GET /private`` requests: 187 188 :: 189 190 $ curl -i -H 'Content-Type: application/json' -d @goodclient.json 127.0.0.1:8080/v2/apps 191 $ curl -i -H 'Content-Type: application/json' -d @badclient.json 127.0.0.1:8080/v2/apps 192 193 You can observe the newly created endpoints in Cilium, similar to the following output: 194 195 :: 196 197 $ cilium endpoint list 198 ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS 199 ENFORCEMENT ENFORCEMENT 200 20928 Disabled Disabled 59281 mesos:id=web-server f00d::a0f:0:0:51c0 10.15.137.206 ready 201 23520 Disabled Disabled 4 reserved:health f00d::a0f:0:0:5be0 10.15.162.64 ready 202 37835 Disabled Disabled 15197 mesos:id=goodclient f00d::a0f:0:0:93cb 10.15.152.208 ready 203 51053 Disabled Disabled 5113 mesos:id=badclient f00d::a0f:0:0:c76d 10.15.34.97 ready 204 205 Marathon runs the tasks as batch jobs with ``stdout`` logged to task-specific 206 files located in ``/var/lib/mesos``. To simplify the retrieval of the 207 ``stdout`` log, use the ``tail_client.sh`` script to output each of the client 208 logs. In a new terminal, go to ``examples/mesos``, start a new ssh session to 209 the Vagrant VM with ``vagrant ssh`` and tail the *goodclient* logs: 210 211 :: 212 213 $ ./tail_client.sh goodclient 214 215 and in a separate terminal, do the same thing with ``vagrant ssh`` and observe the *badclient* logs: 216 217 :: 218 219 $ ./tail_client.sh badclient 220 221 Make sure both tail logs continuously prints the result of the clients accessing the */public* and */private* API of the web-server: 222 223 :: 224 225 ... 226 ---------- Test #X ---------- 227 Request: GET /public 228 Reply: OK 229 230 Request: GET /private 231 Reply: OK 232 ------------------------------- 233 ... 234 235 Note that both clients are able to access the web-server and retrieve both URLs because no Cilium policy has been applied yet. 236 237 Step 7: Apply L3/L4 Policy with Cilium 238 ====================================== 239 240 Apply an L3/L4 policy only allowing the *goodclient* to access the *web-server*. The L3/L4 json policy looks like: 241 242 .. literalinclude:: ../../examples/policies/getting-started/l3-l4-policy.json 243 244 In your original terminal session, use ``cilium`` CLI to apply the L3/L4 policy above, saved in the ``l3-l4-policy.json`` file on the VM: 245 246 :: 247 248 $ cilium policy import l3-l4-policy.json 249 Revision: 1 250 251 **L3/L4 Policy with Cilium and Mesos** 252 253 .. image:: images/cilium_mesos_demo_l3-l4-policy-170817.png 254 255 You can observe that the policy is applied via ``cilium`` CLI as the *POLICY ENFORCEMENT* column changed from *Disabled* to *Enabled*: 256 257 :: 258 259 $ cilium endpoint list 260 ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS 261 ENFORCEMENT ENFORCEMENT 262 20928 Enabled Disabled 59281 mesos:id=web-server f00d::a0f:0:0:51c0 10.15.137.206 ready 263 23520 Disabled Disabled 4 reserved:health f00d::a0f:0:0:5be0 10.15.162.64 ready 264 37835 Disabled Disabled 15197 mesos:id=goodclient f00d::a0f:0:0:93cb 10.15.152.208 ready 265 51053 Disabled Disabled 5113 mesos:id=badclient f00d::a0f:0:0:c76d 10.15.34.97 ready 266 267 You should also observe that the *goodclient* logs continue to output the *web-server* responses, whereas the *badclient* request does not reach the *web-server* because of policy enforcement, and logging output similar to below. 268 269 :: 270 271 ... 272 ---------- Test #X ---------- 273 Request: GET /public 274 Reply: Timeout! 275 276 Request: GET /private 277 Reply: Timeout! 278 ------------------------------- 279 ... 280 281 Remove the L3/L4 policy in order to give *badclient* access to the *web-server* again. 282 283 :: 284 285 $ cilium policy delete --all 286 Revision: 2 287 288 The *badclient* logs should resume outputting the *web-server*'s response and Cilium is configured to no longer enforce policy: 289 290 :: 291 292 $ cilium endpoint list 293 ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS 294 ENFORCEMENT ENFORCEMENT 295 29898 Disabled Disabled 37948 reserved:health f00d::a0f:0:0:74ca 10.15.242.54 ready 296 33115 Disabled Disabled 38072 mesos:id=web-server f00d::a0f:0:0:815b 10.15.220.6 ready 297 38061 Disabled Disabled 46430 mesos:id=badclient f00d::a0f:0:0:94ad 10.15.0.173 ready 298 64189 Disabled Disabled 31645 mesos:id=goodclient f00d::a0f:0:0:fabd 10.15.152.27 ready 299 300 Step 8: Apply L7 Policy with Cilium 301 =================================== 302 303 Now, apply an L7 Policy that only allows access for the *goodclient* to the */public* API, included in the ``l7-policy.json`` file: 304 305 .. literalinclude:: ../../examples/policies/getting-started/l7-policy.json 306 307 Apply using ``cilium`` CLI: 308 309 :: 310 311 $ cilium policy import l7-policy.json 312 Revision: 3 313 314 **L7 Policy with Cilium and Mesos** 315 316 .. image:: images/cilium_mesos_demo_l7-policy-230817.png 317 318 In the terminal sessions tailing the *goodclient* and *badclient* logs, check the *goodclient*'s log to see that */private* is no longer accessible, and the *badclient*'s requests are the same results as the enforced policy in the previous step. 319 320 :: 321 322 ... 323 ---------- Test #X ---------- 324 Request: GET /public 325 Reply: OK 326 327 Request: GET /private 328 Reply: Access Denied 329 ------------------------------- 330 ... 331 332 (optional) Remove the policy and notice that the access to */private* is unrestricted again: 333 334 :: 335 336 $ cilium policy delete --all 337 Revision: 4 338 339 Step 9: Clean-Up 340 ================ 341 342 Exit the vagrant VM by typing ``exit`` in original terminal session. When you want to tear-down the Cilium + Mesos VM and destroy all local state (e.g., the VM disk image), ensure you are in the ``cilium/examples/mesos`` directory and type: 343 344 :: 345 346 $ vagrant destroy 347 348 You can always re-create the VM using the steps described above. 349 350 If instead you just want to shut down the VM but may use it later, 351 ``vagrant halt default`` will work, and you can start it again later. 352 353 Troubleshooting 354 =============== 355 356 For assistance on any of the Getting Started Guides, please reach out and ask a question on the `Cilium 357 Slack channel <https://cilium.herokuapp.com>`_.