1. Upgrading Console (Amazon ECS)

To upgrade Console, update the service with a new task definition that points to the latest image.

This procedure assumes you’re using images from Twistlock’s registry. If you’re using your own private registry, push the latest Console image there first.

1.1. Copy the Twistlock config file into place

Procedure

  1. Go to the Releases page and download the latest release to your local machine.

    $ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE_LINK>

  2. Unpack the Twistlock release tarball.

    $ mkdir twistlock
    $ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/

  3. Upload the twistlock.cfg file to the host that runs Console.

    $ scp twistlock.cfg <ECS_INFRA_NODE>:/twistlock_console/var/lib/twistlock-config

1.2. Create a new revision of the task definition

Procedure

  1. Log into the Amazon ECS console.

  2. In the left menu, click Task Definitions.

  3. Check the box for the Twistlock Console task definition, and click Create new revision.

  4. Scroll to the bottom of the page and click Configure via JSON.

    1. Update the image field to point to the latest Console image.

      For example, if you were upgrading from Twistlock version 2.4.88 to 2.4.95, simply change the version string in the image tag.

      "image": "registry-auth.twistlock.com/tw_<accesstoken>/twistlock/console:console_2_4_95"

    2. Click Save.

  5. Click Create.

1.3. Update the Console service

Procedure

  1. In the left menu of the Amazon ECS console, click Clusters.

  2. Click on your cluster.

  3. Select the Services tab.

  4. Check the box next to the Console service, and click Update.

  5. In Task Definition, select the version of the task definition that points to the latest Console image.

  6. Validate that Cluster, Service name, and Number of tasks are correct. These values are set based on the values for the currently running task, so the defaults should be correct. The number of tasks must be 1.

  7. Set Minimum healthy percent to 0.

    This lets ECS safely stop the single Console container so that it can start an updated Console container.

  8. Set Maximum percent to 100.

  9. Click Next.

  10. In the Configure network page, accept the defaults, and click Next.

  11. In the Set Auto Scaling page, accept the defaults, and click Next.

  12. Click Update Service.

    It takes a few moments for the old Console service to be stopped and for the new service to be started. Open Console, and validate that the UI shows the new version number in the bottom left corner.

You can now upgrade all your Defenders from the Console UI.
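
The steps in sections 1.2 and 1.3 can also be scripted with the AWS CLI. The following is an added example, not part of the original Twistlock documentation. It assumes the aws CLI and jq are installed, that Console is the first container in the task definition, and that you supply your own cluster, service and task family names.

```shell
#!/bin/sh
# Added example (not Twistlock's own code). Requires the aws CLI and jq.

# 2.4.95 -> console_2_4_95 (tag format taken from the page's image example).
console_tag() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) echo "invalid version: $1" >&2; return 1 ;;
  esac
  printf 'console_%s\n' "$(printf '%s' "$1" | tr . _)"
}

# Replace only the tag; the registry host and access-token path stay untouched.
# The reference embeds the registry access token, so it is never echoed.
retag_image() {  # $1 = current image reference, $2 = new version
  repo=${1%:*}
  case "$repo" in
    */twistlock/console) ;;
    *) echo "not a tagged twistlock/console image" >&2; return 1 ;;
  esac
  tag=$(console_tag "$2") || return 1
  printf '%s:%s\n' "$repo" "$tag"
}

# Sections 1.2 and 1.3 in one pass.
# Assumption: Console is the first container in the task definition.
upgrade_console() {  # $1 = cluster, $2 = service, $3 = task family, $4 = new version
  td=$(aws ecs describe-task-definition --task-definition "$3" \
        --query taskDefinition --output json) || return 1
  old=$(printf '%s' "$td" | jq -r '.containerDefinitions[0].image') || return 1
  new=$(retag_image "$old" "$4") || return 1
  # Drop the read-only fields that register-task-definition rejects.
  td=$(printf '%s' "$td" | jq --arg img "$new" '
        del(.taskDefinitionArn, .revision, .status, .requiresAttributes,
            .compatibilities, .registeredAt, .registeredBy)
        | .containerDefinitions[0].image = $img') || return 1
  arn=$(aws ecs register-task-definition --cli-input-json "$td" \
        --query taskDefinition.taskDefinitionArn --output text) || return 1
  # One task, minimum healthy percent 0, maximum percent 100: ECS stops the
  # old Console container before it starts the updated one.
  aws ecs update-service --cluster "$1" --service "$2" \
      --task-definition "$arn" --desired-count 1 \
      --deployment-configuration "minimumHealthyPercent=0,maximumPercent=100" \
      >/dev/null || return 1
  aws ecs wait services-stable --cluster "$1" --services "$2"
}
```

Call it as `upgrade_console <cluster> <service> <task_family> 2.4.95`. It refuses to register a new revision if the current image is not a tagged twistlock/console reference or if the version string contains anything other than digits and dots.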

2. Upgrading Container Defenders

The Console user interface lets you upgrade all Defenders in a single shot. This method minimizes the effort required to upgrade all your deployed Defenders.

Alternatively, you can select which Defenders to upgrade. Use this method when you have different maintenance windows for different deployments. For example, you might have an open window on Tuesday to upgrade thirty Defenders in your development environment, but no available window until Saturday to upgrade the remaining twenty Defenders in your production environment. In order to give you sufficient time to upgrade your environment, older versions of Defender can coexist with the latest version of Defender and the latest version of Console.

Prerequisites

  • You have already upgraded Console.

Procedure

  1. Open Console.

  2. On the left menu bar, go to Manage > Defender > Manage and click Defenders to see a list of all your deployed stand-alone Container Defenders.

  3. Upgrade your stand-alone Defenders. You can either:

    • Upgrade all Defenders at the same time by clicking Upgrade all.

    • Upgrade a subset of your Defenders by clicking the individual Actions > Upgrade button in the row that corresponds to the Defender you want to upgrade.

      The Restart and Decommission buttons are not available for DaemonSet Defenders. They are only available for stand-alone Defenders.