Prisma Cloud Compute: How to disable "DISABLE_CONSOLE_CGROUP_LIMITS" setting under twistlock.cfg file on Console

Created On 12/23/23 05:50 AM - Last Modified 02/21/25 17:25 PM


Objective


  • The Prisma Cloud Console uses cgroups to cap resource usage and supports cgroups v1 and cgroups v2. When more than 1,000 Defenders are connected, one should disable this cap using the DISABLE_CONSOLE_CGROUP_LIMITS flag in the twistlock.cfg configuration file under /var/lib/twistlock/scripts/. Refer to System Requirements for more details.
  • Behaviour is the same for the Prisma Cloud Console regardless of the environment it runs in.
  • Looking at the twistlock.sh file on the Console shows a memory limit of 4 GB for the container and a CPU share of 900 when DISABLE_CONSOLE_CGROUP_LIMITS=false, and no cap at all when it is set to true:
$ cat twistlock.sh
...
        console_cgroup_limits="--cpu-shares 900 --memory 4096m"
        if [[ ${DISABLE_CONSOLE_CGROUP_LIMITS} == "true" ]]; then
                console_cgroup_limits=""
        fi
  • By default, the configured value is DISABLE_CONSOLE_CGROUP_LIMITS=false:
$ cat /var/lib/twistlock/scripts/twistlock.cfg
---omitted---
#### Console cgroup limits ####
# Controls console container's resource constraints. Set to "true" to run without limits.
# See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources
DISABLE_CONSOLE_CGROUP_LIMITS=false
---omitted---


Environment


  • Prisma Cloud Compute


Procedure


Scenario 1: Configuring the Console for the first time and disabling the limits:
Please note that this is required if the number of Defenders is more than 1000. Also make sure that the host has the memory and CPU required by the System Requirements:

1. Change into the image folder that was downloaded as part of the Console installation:

/twistlock_31_03_103# ls -l
total 741180
-rw-r--r-- 1 root root    243884 Nov  6 22:47 eula_red_hat_universal_base_image.pdf
drwxr-xr-x 3 root root      4096 Nov  6 22:47 linux
-r--r--r-- 1 root root   1181272 Nov  6 22:47 openapi.json
drwxr-xr-x 3 root root      4096 Nov  6 22:47 osx
-rw-r--r-- 1 root root  52406640 Nov  6 22:47 prisma-cloud-jenkins-plugin.hpi
-rw-r--r-- 1 root root    749579 Nov  6 22:47 prisma-oss-licenses.txt
-rw-r--r-- 1 root root      4211 Nov 27 14:04 twistlock.cfg
-rw-r--r-- 1 root root 616751780 Nov  6 22:39 twistlock_console.tar.gz
-rw-r--r-- 1 root root  87502572 Nov  6 22:34 twistlock_defender.tar.gz
-rw-r--r-- 1 root root      1876 Nov 27 14:07 twistlock-install.log
-rw-r--r-- 1 root root     34341 Nov  6 22:47 twistlock-license.pdf
-rwxr-xr-x 1 root root     51278 Nov  6 22:47 twistlock.sh
drwxr-xr-x 2 root root      4096 Nov  6 22:47 windows

2. Edit the twistlock.cfg file and set DISABLE_CONSOLE_CGROUP_LIMITS=true:

3. Confirm that the change is present in the file, then execute twistlock.sh. Use onebox instead of console if it is a onebox deployment:

/twistlock_31_03_103# ./twistlock.sh -syj console

  _____          _     _   _            _
 |_   _|_      _(_)___| |_| | ___   ___| | __
   | | \ \ /\ / / / __| __| |/ _ \ / __| |/ /
   | |  \ V  V /| \__ \ |_| | (_) | (__|   <
   |_|   \_/\_/ |_|___/\__|_|\___/ \___|_|\_\


  • The change should now be visible in the /var/lib/twistlock/scripts/twistlock.cfg file.
  • Inspecting the pod/container also shows the change:
root@ubuntu20-04:/home/user1# docker ps
CONTAINER ID   IMAGE                                 COMMAND         CREATED      STATUS                PORTS                                                                     NAMES
1b39b5a7bb79   twistlock/private:console_31_03_103   "/app/server"   5 days ago   Up 5 days (healthy)   8081/tcp, 0.0.0.0:8083-8084->8083-8084/tcp, :::8083-8084->8083-8084/tcp   twistlock_console
  • This indicates that the limit is now removed:
root@ubuntu20-04:/home/user1# docker inspect 1b39b5a7bb79
---omitted---
            "CpuShares": 0,
            "Memory": 0,


Scenario 2: Changing an existing configuration:

1. Copy the existing twistlock.cfg and twistlock.sh files from /var/lib/twistlock/scripts/ to a new directory.

2. Modify twistlock.cfg at the new location and execute twistlock.sh:

root@ubuntu20-04:/home/TAC# ls -l
total 85532
-rwx------ 1 root  root      4231 Dec 18 02:16 twistlock.cfg
-rwx------ 1 root  root     51278 Dec 18 01:55 twistlock.sh
root@ubuntu20-04:/home/TAC# ./twistlock.sh -sy console

  _____          _     _   _            _
 |_   _|_      _(_)___| |_| | ___   ___| | __
   | | \ \ /\ / / / __| __| |/ _ \ / __| |/ /
   | |  \ V  V /| \__ \ |_| | (_) | (__|   <
   |_|   \_/\_/ |_|___/\__|_|\___/ \___|_|\_\


Using previously user-defined settings in /var/lib/twistlock/scripts/twistlock.cfg.
Performing system checks for console mode...
Loading console images.
Image twistlock/private:console_31_03_103 already loaded.
WARNING: No swap limit support
Previous Twistlock configuration detected, preserving configuration under: /var/lib/twistlock/scripts/twistlock.cfg.old.
Initializing Twistlock environment.
Installing Twistlock Console (ubuntu20-04).
WARNING: No swap limit support

Twistlock Console installed successfully.
root@ubuntu20-04:/home/TAC# ls -l /var/lib/twistlock/scripts/
total 85536
-rwx------ 1 2674 root     4230 Dec 23 05:38 twistlock.cfg
-rwx------ 1 2674 root     4231 Dec 23 05:38 twistlock.cfg.old
-rwx------ 1 2674 root      366 Nov  6 22:38 twistlock-console.service
-rwx------ 1 2674 root      365 Dec 18 02:50 twistlock-defender-server.service
-rwx------ 1 2674 root 87502572 Nov  6 22:34 twistlock_defender.tar.gz
-rwx------ 1 2674 root     2284 Dec 18 02:50 twistlock-install.log
-rwx------ 1 2674 root    51278 Dec 23 05:38 twistlock.sh

Before Change:

root@ubuntu20-04:/home/user1# docker inspect 62d2bb7f6b2a
---omitted---
            "CpuShares": 900,
            "Memory": 4294967296,

After Change:
This indicates that the limit is now removed:

root@ubuntu20-04:/home/user1# docker inspect 62d2bb7f6b2a
---omitted---
            "CpuShares": 0,
            "Memory": 0,
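The verification shown in both scenarios above (docker inspect reporting CpuShares/Memory of 900 and 4294967296 while capped, 0 and 0 once the limits are removed) can be scripted. The following is an added example, not part of this article or of Prisma Cloud's own scripts: it reads the flag from a twistlock.cfg-style file, reproduces the twistlock.sh branch quoted in the Objective, and compares docker inspect output against the limits that flag should produce. It assumes the Console container is named twistlock_console, as in the docker ps output above, and that the inspect JSON is pretty-printed with one field per line.

```shell
#!/usr/bin/env bash
# Added example, not part of the article or of Prisma Cloud's own scripts.
# Mirrors the twistlock.sh decision quoted above and checks that the running
# Console container's cgroup settings agree with twistlock.cfg.

CGROUP_LIMITS_DEFAULT="--cpu-shares 900 --memory 4096m"   # value from twistlock.sh
MEMORY_4096M=4294967296                                    # 4096m expressed in bytes

# Print the effective DISABLE_CONSOLE_CGROUP_LIMITS value ("true"/"false")
# from a twistlock.cfg-style file. Comment lines are ignored, the last
# assignment wins (as when the file is sourced), and a missing key falls
# back to the shipped default, false.
cfg_cgroup_flag() {
    v=$(sed -n 's/^[[:space:]]*DISABLE_CONSOLE_CGROUP_LIMITS=//p' "$1" |
        tail -n 1 | tr -d '" \r')
    printf '%s\n' "${v:-false}"
}

# Same branch as twistlock.sh: an empty limit string when the flag is "true".
expected_cgroup_limits() {
    if [ "$1" = "true" ]; then printf '\n'; else printf '%s\n' "$CGROUP_LIMITS_DEFAULT"; fi
}

# Extract a numeric field ("CpuShares" or "Memory") from saved docker inspect output.
inspect_field() {
    sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 when the inspect output matches what the flag should produce:
#   flag true  -> CpuShares 0 and Memory 0 (uncapped)
#   flag false -> CpuShares 900 and Memory 4294967296 (4096m)
inspect_matches_flag() {
    cpu=$(inspect_field "$1" CpuShares); mem=$(inspect_field "$1" Memory)
    if [ "$2" = "true" ]; then
        [ "$cpu" = 0 ] && [ "$mem" = 0 ]
    else
        [ "$cpu" = 900 ] && [ "$mem" = "$MEMORY_4096M" ]
    fi
}

# Live check against the Console container (container name and cfg path as in
# the article). Prints OK or MISMATCH; returns 2 when docker is unavailable.
check_live_console() {
    cfg=${1:-/var/lib/twistlock/scripts/twistlock.cfg}
    command -v docker >/dev/null 2>&1 || { echo "docker not found"; return 2; }
    tmp=$(mktemp); docker inspect twistlock_console >"$tmp" || return 2
    flag=$(cfg_cgroup_flag "$cfg")
    if inspect_matches_flag "$tmp" "$flag"; then echo "OK: limits match DISABLE_CONSOLE_CGROUP_LIMITS=$flag"
    else echo "MISMATCH: re-run twistlock.sh console after editing $cfg"; fi
    rm -f "$tmp"
}
```

Run `check_live_console` on the Console host after twistlock.sh has finished; a MISMATCH means the new twistlock.cfg was edited but the Console container was not re-created with it.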


Additional Information


Console on Onebox
Deploy Console

