Amazon ECS

Upgrade Prisma Cloud running on Amazon ECS.

Upgrading Console (Amazon ECS)

To upgrade Console, update the service with a new task definition that points to the latest image.
This procedure assumes you’re using images from Prisma Cloud’s registry. If you’re using your own private registry, push the latest Console image there first.

Copy the Prisma Cloud config file into place

  1. Go to the Releases page and download the latest release to your local machine.
    $ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE_LINK>
  2. Unpack the Prisma Cloud release tarball.
    $ mkdir twistlock
    $ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
  3. Upload the twistlock.cfg file to the host that runs Console.
    $ scp twistlock.cfg <ECS_INFRA_NODE>:/twistlock_console/var/lib/twistlock-config

Create a new revision of the task definition

Create a new revision of the task definition.
  1. Log into the Amazon ECS console.
  2. In the left menu, click Task Definitions.
  3. Check the box for the Prisma Cloud Console task definition, and click Create new revision.
  4. Scroll to the bottom of the page and click Configure via JSON.
    1. Update the image field to point to the latest Console image.
      For example, if you were upgrading from Prisma Cloud version 2.4.88 to 2.4.95, simply change the version string in the image tag.
      "image": "registry-auth.twistlock.com/tw_<accesstoken>/twistlock/console:console_2_4_95"
    2. Click Save.
  5. Click Create.

Update the Console service

Update the Console service.
  1. In the left menu of the Amazon ECS console, click Clusters.
  2. Click on your cluster.
  3. Select the Services tab.
  4. Check the box next to the Console service, and click Update.
  5. In Task Definition, select the version of the task definition that points to the latest Console image.
  6. Validate that Cluster, Service name, and Number of tasks are correct. These values are set based on the values for the currently running task, so the defaults should be correct. The number of tasks must be 1.
  7. Set Minimum healthy percent to 0.
    This lets ECS safely stop the single Console container so that it can start an updated Console container.
  8. Set Maximum percent to 100.
  9. Click Next.
  10. In the Configure network page, accept the defaults, and click Next.
  11. In the Set Auto Scaling page, accept the defaults, and click Next.
  12. Click Update Service.
    It takes a few moments for the old Console service to be stopped, and for the new service to be started. Open Console, and validate that the UI shows the new version number in the bottom left corner.
    You can now upgrade all your Defenders from the Console UI.
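
The two console procedures above (new task definition revision, then service update) can also be prepared as JSON input for the AWS CLI. The following Python sketch is an added example, not part of the Prisma Cloud documentation: it changes only the Console image tag and refuses anything else. The function names, the sample family, cluster and token values, and the console_X_Y_Z tag pattern are assumptions based on the example image string on this page.

```python
import copy
import re

# Fields returned by `aws ecs describe-task-definition` that
# `register-task-definition` does not accept as input.
READ_ONLY = ("taskDefinitionArn", "revision", "status", "requiresAttributes",
             "compatibilities", "registeredAt", "registeredBy")
TAG_RE = re.compile(r"^console_\d+_\d+_\d+$")  # assumed from the tag shown on this page


def new_revision(task_def, new_tag):
    """Return register-task-definition input with only the Console tag changed."""
    if not TAG_RE.match(new_tag):
        raise ValueError(f"unexpected Console tag: {new_tag!r}")
    revised = copy.deepcopy(task_def)
    for field in READ_ONLY:
        revised.pop(field, None)
    changed = 0
    for container in revised["containerDefinitions"]:
        repo, sep, old_tag = container["image"].rpartition(":")
        if sep and repo.endswith("/twistlock/console") and TAG_RE.match(old_tag):
            container["image"] = f"{repo}:{new_tag}"  # registry and repository untouched
            changed += 1
    if changed != 1:
        raise ValueError(f"expected exactly one Console container, found {changed}")
    return revised


def service_update(cluster, service, task_definition):
    """Return update-service input matching steps 6 to 8 of the procedure."""
    return {
        "cluster": cluster,
        "service": service,
        "taskDefinition": task_definition,  # family name selects the latest ACTIVE revision
        "desiredCount": 1,  # the number of tasks must be 1
        "deploymentConfiguration": {"minimumHealthyPercent": 0, "maximumPercent": 100},
    }


# Constructed sample of describe-task-definition output (hypothetical values).
SAMPLE = {
    "family": "pc-console", "revision": 3, "status": "ACTIVE",
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:111122223333:task-definition/pc-console:3",
    "containerDefinitions": [{
        "name": "twistlock-console",
        "image": "registry-auth.twistlock.com/tw_EXAMPLETOKEN/twistlock/console:console_2_4_88",
    }],
}
```

Each returned dictionary, written out as JSON, can be passed to aws ecs register-task-definition or aws ecs update-service with --cli-input-json.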

Upgrade single Container Defenders

The Console user interface lets you upgrade all Defenders in a single shot. This method minimizes the effort required to upgrade all your deployed Defenders.
Alternatively, you can select which Defenders to upgrade. Use this method when you have different maintenance windows for different deployments. For example, you might have an open window on Tuesday to upgrade thirty Defenders in your development environment, but no available window until Saturday to upgrade the remaining twenty Defenders in your production environment. In order to give you sufficient time to upgrade your environment, older versions of Defender can coexist with the latest version of Defender and the latest version of Console.
Prerequisites:
You have already upgraded Console.
  1. Open Console.
  2. On the left menu bar, go to Manage > Defender > Manage and click Defenders to see a list of all your deployed stand-alone Container Defenders.
  3. Upgrade your stand-alone Defenders. You can either:
    • Upgrade all Defenders at the same time by clicking Upgrade all.
    • Upgrade a subset of your Defenders by clicking the individual Actions > Upgrade button in the row that corresponds to the Defender you want to upgrade.
      The Restart and Decommission buttons are not available for DaemonSet Defenders. They are only available for stand-alone Defenders.
