diff --git a/admin_guide/install/attachments/amazon-ecs-task-pc-defender-saas.json b/admin_guide/install/attachments/amazon-ecs-compute-defender.json
similarity index 95%
rename from admin_guide/install/attachments/amazon-ecs-task-pc-defender-saas.json
rename to admin_guide/install/attachments/amazon-ecs-compute-defender.json
index 47b04393..3efa4bdf 100644
--- a/admin_guide/install/attachments/amazon-ecs-task-pc-defender-saas.json
+++ b/admin_guide/install/attachments/amazon-ecs-compute-defender.json
@@ -16,7 +16,7 @@
 },
 {
 "name": "DEFENDER_TYPE",
- "value": "docker"
+ "value": "daemonset"
 },
 {
 "name": "DOCKER_CLIENT_ADDRESS",
@@ -44,11 +44,15 @@
 },
 {
 "name": "WS_ADDRESS",
- "value": "wss://"
+ "value": "wss://:8084"
 },
 {
 "name": "INSTALL_BUNDLE",
 "value": ""
+ },
+ {
+ "name": "SERVICE_PARAMETER",
+ "value": ""
 }
 ],
 "ulimits": null,
diff --git a/admin_guide/install/attachments/amazon-ecs-task-pc-defender.json b/admin_guide/install/attachments/amazon-ecs-task-pc-defender.json
deleted file mode 100644
index aa52be81..00000000
--- a/admin_guide/install/attachments/amazon-ecs-task-pc-defender.json
+++ /dev/null
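Review bot: The new `SERVICE_PARAMETER` entry (and the existing `INSTALL_BUNDLE` beside it) is a plain `environment` value, so the material that the install steps removed elsewhere in this commit used to keep in a root-owned, mode-600 file under `/twistlock_certificates` will now be stored in clear text in the registered task definition, readable by any principal allowed `ecs:DescribeTaskDefinition` and retained in every task-definition revision (and, presumably, in the CloudTrail record of the registration). Consider delivering it through the container definition's `secrets` list instead, e.g. `{ "name": "SERVICE_PARAMETER", "valueFrom": "<secret-or-parameter ARN placeholder>" }` backed by Secrets Manager or SSM Parameter Store, or at minimum state the exposure in the guide next to the placeholder. The `WS_ADDRESS` host looks stripped in this rendering (`wss://:8084`); if the shipped file really has an empty host, the placeholder text should be restored so the value is not copied verbatim. The enclosing container definition continues outside the hunk.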
@@ -1,172 +0,0 @@
-{
- "executionRoleArn": null,
- "containerDefinitions": [
- {
- "dnsSearchDomains": null,
- "logConfiguration": null,
- "entryPoint": null,
- "portMappings": [],
- "command": null,
- "linuxParameters": null,
- "cpu": 0,
- "environment": [
- {
- "name": "DEFENDER_LISTENER_TYPE",
- "value": "none"
- },
- {
- "name": "DEFENDER_TYPE",
- "value": "daemonset"
- },
- {
- "name": "DOCKER_CLIENT_ADDRESS",
- "value": "/var/run/docker.sock"
- },
- {
- "name": "HTTP_PROXY",
- "value": ""
- },
- {
- "name": "LOCAL_DOCKER_AUDIT_ENABLED",
- "value": "true"
- },
- {
- "name": "LOG_PROD",
- "value": "true"
- },
- {
- "name": "NO_PROXY",
- "value": ""
- },
- {
- "name": "SYTEMD_ENABLED",
- "value": "false"
- },
- {
- "name": "WS_ADDRESS",
- "value": "wss://:8084"
- }
- ],
- "ulimits": null,
- "dnsServers": null,
- "mountPoints": [
- {
- "readOnly": null,
- "containerPath": "/var/lib/twistlock/certificates",
- "sourceVolume": "certificates"
- },
- {
- "readOnly": null,
- "containerPath": "/var/lib/twistlock",
- "sourceVolume": "data-folder"
- },
- {
- "readOnly": null,
- "containerPath": "/var/run",
- "sourceVolume": "docker-sock-folder"
- },
- {
- "readOnly": true,
- "containerPath": "/var/run/docker/netns",
- "sourceVolume": "docker-netns"
- },
- {
- "readOnly": true,
- "containerPath": "/etc/passwd",
- "sourceVolume": "passwd"
- },
- {
- "readOnly": null,
- "containerPath": "/dev/log",
- "sourceVolume": "syslog-socket"
- },
- {
- "readOnly": null,
- "containerPath": "/var/log/audit",
- "sourceVolume": "auditd-log"
- },
- {
- "readOnly": null,
- "containerPath": "/run",
- "sourceVolume": "iptables-lock"
- }
- ],
- "workingDirectory": null,
- "dockerSecurityOptions": null,
- "memory": 512,
- "memoryReservation": null,
- "volumesFrom": [],
- "image": "registry-auth.twistlock.com/tw_/twistlock/defender:defender_",
- "disableNetworking": null,
- "healthCheck": null,
- "essential": true,
- "links": null,
- "hostname": null,
- "extraHosts": null,
- "user": null,
- "readonlyRootFilesystem": true,
- "dockerLabels": null,
- "privileged": true,
- "name": "twistlock_defender"
- }
- ],
- "placementConstraints": [],
- "memory": "512",
- "family": "pc-defender",
- "requiresCompatibilities": [
- "EC2"
- ],
- "networkMode": "host",
- "pidMode": "host",
- "cpu": "256",
- "volumes": [
- {
- "name": "certificates",
- "host": {
- "sourcePath": "/twistlock_certificates"
- }
- },
- {
- "name": "data-folder",
- "host": {
- "sourcePath": "/var/lib/twistlock"
- }
- },
- {
- "name": "docker-sock-folder",
- "host": {
- "sourcePath": "/var/run"
- }
- },
- {
- "name": "syslog-socket",
- "host": {
- "sourcePath": "/dev/log"
- }
- },
- {
- "name": "docker-netns",
- "host": {
- "sourcePath": "/var/run/docker/netns"
- }
- },
- {
- "name": "passwd",
- "host": {
- "sourcePath": "/etc/passwd"
- }
- },
- {
- "name": "auditd-log",
- "host": {
- "sourcePath": "/var/log/audit"
- }
- },
- {
- "name": "iptables-lock",
- "host": {
- "sourcePath": "/run"
- }
- }
- ]
-}
diff --git a/admin_guide/install/install_amazon_ecs.adoc b/admin_guide/install/install_amazon_ecs.adoc
index 5afdb51b..66335106 100644
--- a/admin_guide/install/install_amazon_ecs.adoc
+++ b/admin_guide/install/install_amazon_ecs.adoc
@@ -279,36 +279,6 @@ NOTE: The EFS file system and ECS cluster must be in the same VPC and security g
 +
 You will use this mount command to configure your launch configuration for the Console.
-endif::compute_edition[]
-
-[.task]
-=== Create EFS file system for Defender
-
-Create the Defender EFS file system, then capture the mount command that will be used to mount the file system on every worker node.
-
-NOTE: The EFS file system and ECS cluster must be in the same VPC and security group.
-
-[.procedure]
-. Log into the AWS Management Console.
-
-. Go to *Services > Storage > EFS*.
-
-. Click *Create File System*.
-
-. Select a VPC, select the *pc-security-group* for each mount target, then click *Next Step*.
-
-. Enter a value for Name, such as *pc-efs-defender*, then click *Next Step*.
-
-. For *Configure client access*, keep the default settings and click *Next Step*.
-
-. Review your settings and select *Create file system*.
-
-. Click on the *Amazon EC2 mount instructions (from local VPC)* link and copy the mount command (Using the NFS client) and set it aside as the Defender mount command.
-+
-You will use this mount command to configure your launch configuration for the Defenders.
-
-ifdef::compute_edition[]
-
 === Set up a classic load balancer
 Set up an AWS Classic Load Balancer, and capture the Load Balancer DNS name.
@@ -391,10 +361,6 @@ mkdir -p /twistlock_console/var/lib/twistlock
 mkdir -p /twistlock_console/var/lib/twistlock-backup
 mkdir -p /twistlock_console/var/lib/twistlock-config
-mkdir /twistlock_certificates
-chown root:root /twistlock_certificates
-chmod 700 /twistlock_certificates
- /twistlock_certificates
 ----
 +
@@ -403,9 +369,7 @@ If you've named your cluster something other than *pc-ecs-cluster*, then modify
 +
 __ is the Console mount command you copied from the AWS Management Console after creating your console EFS file system.
 The mount target must be _/twistlock_console_, not the _efs_ mount target provided in the sample command.
-+
-__ is the defender mount command you copied from the AWS Management Console after creating your defender EFS file system.
-The mount target must be _/twistlock_certificates_, not the _efs_ mount target provided in the sample command.
+
 +
 .. (Optional) Under *IP Address Type*, select *Assign a public IP address to every instance*.
@@ -719,31 +683,13 @@ ifdef::compute_edition[]
 -H 'Authorization: Bearer ' \
 -X GET \
 "https:///api/v1/defenders/install-bundle?consoleaddr=&defenderType=appEmbedded" | jq -r '.installBundle'
-+
-
- * Replace with the retrieve API token.
- * Replace with the Console address URL.
-
-. Copy the service-parameter file to the Defender EFS file system under /twistlock_certificates.
-
-. Set the ownership and permissions for the service-parameter file under twistlock_certificates:
- $ sudo chown root:root service-parameter
- $ sudo chmod 600 ca.pem service-parameter
+ * Replace with the retrieve API token.
+ * Replace with the Console address URL.
 endif::compute_edition[]
-ifdef::prisma_cloud[]
-+
-
-. Copy the service-parameter file to the Defender EFS file system under /twistlock_certificates.
-. Set the ownership and permissions for the service-parameter file under twistlock_certificates:
-
- $ sudo chown root:root service-parameter
- $ sudo chmod 600 ca.pem service-parameter
-
-endif::prisma_cloud[]
 [.task]
 ==== Create a launch configuration for worker nodes
@@ -783,30 +729,14 @@ Create a launch configuration named _pc-worker-node_ that: .. Select *Enable CloudWatch detailed monitoring*. -.. Expand *Advanced Details*, -.. In *User Data*, enter the following text: -+ -[source,sh] ---- -#!/bin/bash -echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config - -yum install -y nfs-utils -mkdir /twistlock_certificates -chown root:root /twistlock_certificates -chmod 700 /twistlock_certificates - /twistlock_certificates ---- + Where: + * _ECS_CLUSTER_ must match your cluster name. If you've named your cluster something other than _pc_ecs_cluster_, then modify your User Data script accordingly. -* __ is the mount command you copied from the AWS Management Console after creating your Defender EFS file system. -The mount target must be _/twistlock_certificates_, replacing the _efs_ mount target provided in the sample mount command. - ++ .. (Optional) Under *IP Address Type*, select *Assign a public IP address to every instance*. + With this option, you can easily SSH to any worker nodes instances and troubleshoot issues.
@@ -911,13 +841,8 @@ Finally, load the task definition in ECS.
 [.procedure]
-ifdef::compute_edition[]
 . Download the https://cdn.twistlock.com/docs/attachments/amazon-ecs-compute-defender.json[Prisma Cloud Defender task definition], and open it for editing.
-endif::compute_edition[]
-ifdef::prisma_cloud[]
-. Download the https://cdn.twistlock.com/docs/attachments/amazon-ecs-compute-defender.json[Prisma Cloud Defender task definition],
-endif::prisma_cloud[]
 . Update the value for `image` to point to Prisma Cloud's cloud registry:
 +
@@ -951,6 +876,8 @@ Use just "us-west1.cloud.twistlock.com" for the wss address - wss://us-west1.clo
 * `` — Output from the installBundle endpoint.
+* `` — Output from the service-parameter endpoint.
+
 endif::prisma_cloud[]
 . Go to *Services > Containers > Elastic Container Service*.