1. Hardware

Metal: Twistlock has the following hardware requirements:

  • Console — 

    • When fewer than 100 Defenders are connected, Console requires 1GB of RAM and 10GB of persistent storage.

    • When more than 100 Defenders are connected, Console requires 3GB of RAM and 50GB of persistent storage.

  • Defender — 256MB of RAM and 8GB of host storage.

    Defender uses cgroups to cap its own resource usage at 512MB of RAM and 900 CPU shares. Typical load is about 1-2% CPU and 20-40MB of RAM.

    Defender stores its data in /var. When allocating disk space for Defender, be sure the required space is available in /var.

    Defenders are designed to be portable containers that collect data. Any data that must be persisted is sent to Console for storage. Defenders themselves do not require persistent storage. Do not deploy persistent storage for Defenders because it can corrupt Defender files.

  • Registry scanning — 2GB of RAM, 20GB of storage, and 2 CPU cores.

  • CI integration (Jenkins, twistcli) — Required storage space depends on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space (500MB * 1.5 * 2).

VMs: Twistlock has been tested on the following hypervisors:

  • Microsoft Hyper-V

  • VirtualBox

  • VMware

Cloud: Twistlock can run on nearly any cloud IaaS platform. Twistlock has been tested on the following services:

  • Amazon Web Services

  • Google Compute Engine

  • IBM Cloud

  • Microsoft Azure

  • Oracle Cloud

2. Host operating systems

Twistlock is supported on the following host operating systems:

Distro           Version
Amazon Linux v1  2017.09
Amazon Linux 2   Latest LTS release
CentOS           CentOS 7
CoreOS           CoreOS latest stable channel
                 Host Defender isn’t supported on CoreOS. CoreOS is specifically designed for running containers. Install Container Defender instead.
Debian           Debian 9 (Stretch), Debian 8 (Jessie)
EulerOS          V2.0SP3
GCOOS            Container-Optimized OS on Google Cloud, latest
Red Hat          Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
Ubuntu           Ubuntu Server 18.04 LTS, 16.04 LTS
                 Ubuntu 14.04 LTS does not support system call monitoring, because the required kernel option is not enabled in its default kernel. Host Defender isn’t supported on Ubuntu 14.04.
Windows          Windows Server 2016, Windows Server 2019

Console must be installed on a supported Linux operating system, either natively or through virtualization (such as Hyper-V). Defender is supported on Windows Server 2016 (vulnerability and compliance scanning), and Windows Server 2019 (vulnerability scanning, compliance scanning, runtime defense for containers, CNNF for containers).

3. Kernel

Twistlock Defender requires the following kernel capabilities. More information about each capability can be found on the Linux capabilities man page, capabilities(7). Note that these are among the most privileged capabilities Linux offers: CAP_SYS_ADMIN and CAP_SYS_PTRACE in particular give broad control over the host and its processes, so treat the Defender container as a privileged component and protect its image, its deployment manifest, and the host paths listed below accordingly.

  • CAP_NET_ADMIN

  • CAP_SYS_ADMIN

  • CAP_SYS_PTRACE

  • CAP_AUDIT_CONTROL

When running on a Docker host, Twistlock Defender uses the following files and directories on the host:

  • /var/run/docker.sock — Required for accessing Docker runtime.

  • /var/lib/twistlock — Required for storing Twistlock data.

  • /dev/log — Required for writing to syslog.

4. Docker

Since Twistlock often adds new features that take advantage of new capabilities in Docker, Twistlock provides commercial support only for the versions of Docker that Docker itself supports. This ensures that updates can be properly tested and supported throughout customers' environments. Twistlock follows the same support lifecycle policy as Docker Enterprise Edition. For more information, see Docker’s Maintenance Lifecycle.

New versions of Docker Engine are supported shortly after they are released. Twistlock supports the following and later versions. Only official mainstream Docker releases are supported.

  • CE 18.09

  • EE 18.09

For storage drivers, overlay2, overlay, and devicemapper are supported. For more information, please refer to Docker’s guide to selecting a storage driver.

The supported versions of Docker called out in this section are for versions independently installed on a host. These versions might not correspond to the versions shipped as a part of an orchestrator, such as RedHat OpenShift. In such cases, Twistlock supports the version of Docker shipped with any Twistlock-supported version of the orchestrator.

5. Orchestrators

Twistlock is supported on the following orchestrators. The listed versions, and later versions, of official mainstream vendor/project releases are supported.

Orchestrator                     Version
DC/OS                            1.11.4
Docker Swarm                     EE 18.03
Kubernetes                       1.14, 1.13 (GKE)
OpenShift                        4.1.2, 3.11
Pivotal Cloud Foundry - PCF PAS  v2.5

6. Container runtimes

Twistlock supports the following container runtimes:

Container runtime  Version
Docker             See the Docker section
cri-containerd     containerd 1.1.x (which is periodically updated with the cri plugin)
CRI-O              1.11.x (for Kubernetes 1.11), 1.10.x (for Kubernetes 1.10)

7. File systems

If you’re deploying Twistlock Console to AWS and you’re using the EFS file system, the following minimum performance characteristics are required:

  • Performance mode: General purpose

  • Throughput mode: Provisioned. Provision 0.1 MiB/s per deployed Defender. For example, if you plan to deploy 10 Defenders, provision 1 MiB/s of throughput.

8. Jenkins

Twistlock provides a Jenkins plugin that scans images for vulnerabilities after they are built.

The Twistlock plugin supports Jenkins 2.164 and 2.150.

Twistlock tests the latest (or near-latest) LTS releases of Jenkins. These versions are guaranteed to be compatible with Twistlock. Other recent LTS versions should also work. However, if you’re having issues with the Twistlock plugin, we recommend that you upgrade to the version of Jenkins that Twistlock has tested.

9. Shell

For Linux, Twistlock depends on the Bash shell. For Windows, Twistlock depends on PowerShell.

The shell environment variable DOCKER_CONTENT_TRUST should be set to 0 or unset before running any commands that interact with the Twistlock cloud registry, such as Console installs or upgrades.
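The host-side requirements in sections 1 (Defender and CI sizing), 3 (kernel capabilities and host paths), 4 (Docker version and storage driver) and 9 (DOCKER_CONTENT_TRUST) can be checked in one preflight script before a Defender rollout. The script below is an added example and is not Twistlock's own tooling: the thresholds are the ones stated on this page, while the function names, the `run` entry point and the capability bit arithmetic (bit numbers taken from linux/capability.h) are this example's own assumptions. The live checks use `docker version --format` and `docker info --format`, and the capability check reads the CapEff mask from /proc/<pid>/status; the pure functions run without Docker installed.

```shell
#!/bin/sh
# Defender host preflight (added example; not Twistlock tooling).
# Thresholds come from the requirements page; everything else is assumed.

# Return 0 when dotted version $1 is at least $2 (e.g. 18.09.7 >= 18.09).
# Non-numeric suffixes such as "1-ce" compare by their leading digits.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Section 4: Docker CE/EE 18.09 or later, storage driver overlay2/overlay/devicemapper.
docker_version_ok() { version_ge "$1" 18.09; }
storage_driver_ok() {
    case "$1" in overlay2|overlay|devicemapper) return 0 ;; *) return 1 ;; esac
}

# Section 9: DOCKER_CONTENT_TRUST must be unset or 0 before registry operations.
content_trust_ok() {
    [ -z "${DOCKER_CONTENT_TRUST:-}" ] || [ "$DOCKER_CONTENT_TRUST" = "0" ]
}

# Section 3: CAP_NET_ADMIN (bit 12), CAP_SYS_PTRACE (19), CAP_SYS_ADMIN (21),
# CAP_AUDIT_CONTROL (30). $1 is the hex CapEff mask from /proc/<pid>/status.
REQUIRED_CAPS=$(( (1 << 12) | (1 << 19) | (1 << 21) | (1 << 30) ))
defender_caps_ok() {
    [ -n "$1" ] || return 1
    have=$(( 0x$1 ))
    [ $(( have & REQUIRED_CAPS )) -eq "$REQUIRED_CAPS" ]
}

# Section 1: Console sizing by connected Defender count, printed as "RAM_GB DISK_GB".
console_sizing() { if [ "$1" -gt 100 ]; then echo "3 50"; else echo "1 10"; fi; }

# Section 1: CI scratch space in MB, 1.5 x largest image per executor (rounded up).
jenkins_space_mb() { echo $(( ( $1 * 3 + 1 ) / 2 * $2 )); }

# Section 1: Defender needs $2 GB under /var; $1 is the available space in KB.
space_ok() { [ "$1" -ge $(( $2 * 1024 * 1024 )) ]; }
var_space_ok() { space_ok "$(df -Pk /var | awk 'NR == 2 { print $4 }')" "$1"; }

report() { printf '%-5s %s\n' "$1" "$2"; }

# Live checks against the current host; prints one PASS/FAIL/WARN/SKIP line each.
run_preflight() {
    if command -v docker >/dev/null 2>&1; then
        ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
        drv=$(docker info --format '{{.Driver}}' 2>/dev/null)
        docker_version_ok "${ver:-0}" && report PASS "docker $ver" || report FAIL "docker ${ver:-?} (need 18.09+)"
        storage_driver_ok "$drv" && report PASS "storage driver $drv" || report FAIL "storage driver ${drv:-?} unsupported"
    else
        report SKIP "docker CLI not found"
    fi
    content_trust_ok && report PASS "DOCKER_CONTENT_TRUST unset or 0" || report FAIL "DOCKER_CONTENT_TRUST=${DOCKER_CONTENT_TRUST:-}"
    var_space_ok 8 && report PASS "/var has 8GB free" || report FAIL "/var has less than 8GB free"
    for p in /var/run/docker.sock /var/lib/twistlock /dev/log; do
        [ -e "$p" ] && report PASS "$p present" || report WARN "$p missing"
    done
    # Checks this shell's own mask; after install, read /proc/<defender-pid>/status instead.
    caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    defender_caps_ok "$caps" && report PASS "CapEff $caps has required caps" || report FAIL "CapEff $caps lacks a required cap"
}

case "${1:-}" in run) run_preflight ;; esac
```

Run it as `sh preflight.sh run` on the candidate host. The capability line only reports on the shell it runs in; after deployment, feed the Defender process's CapEff value to `defender_caps_ok` to confirm the container actually received the four capabilities. Docker's default capability set (CapEff 00000000a80425fb) contains none of them, so a Defender started without the extra grants fails this check.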

10. Browsers

Twistlock supports the latest versions of Chrome, Safari, and Edge.

11. Image base layers

Twistlock can protect containers built on nearly any base layer operating system. Comprehensive Common Vulnerabilities and Exposures (CVE) data is provided for the following base layers:

  • Alpine

  • Amazon Linux container image

  • Amazon Linux 2

  • BusyBox

  • CentOS

  • Debian

  • Red Hat Enterprise Linux

  • SUSE

  • Ubuntu (LTS releases only)

  • Windows Server