Prisma Cloud Compute : How to update the CPU and Memory of Defenders

Created On 02/02/23 03:36 AM - Last Modified 08/21/23 02:09 AM


Objective


  • Daemonset Defenders or Container Defenders are used for registry image scanning.
  • The Defender uses cgroups to cap resource usage at 512MB of RAM and 900 CPU shares.
  • If Defenders provide registry scanning they require the following resources:
    • 2GB of RAM
    • 20GB of storage
    • 2 CPU cores
  • Defenders that are part of CI integrations (Jenkins, twistcli) require storage space depending on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space: 500MB x 1.5 x 2.
  • This article shows how to update the CPU and Memory of Defenders from the default values. 


Environment


  • Prisma Cloud Compute
    • SaaS
    • Self-Hosted


Procedure


Daemonset Defenders:

  • Download the Daemonset YAML used to install the Defender from the Console under Manage > Defenders > Deploy.
  • The YAML file has the default values of 512MB of RAM and 900 CPU shares.
          limits:
            memory: "512Mi"
            cpu: "900m"
  • Change these values to match your requirements, for example 2 GB of RAM and 2 CPU shares:
          limits:
            memory: "2Gi"
            cpu: "2"

Single Container Defender:

  • Updating the CPU and memory limits through YAML or Helm is not available for the single Container Defender.
  • However, the docker update command can be used to update single Defender containers.
  • Check the current limits using docker inspect or docker stats:
# docker inspect <DEFENDER CONTAINER ID>
            .
            .
            "CpuShares": 900,
            "Memory": 536870912,
            .
            .
# docker stats <DEFENDER CONTAINER ID>

CONTAINER ID   NAME                           CPU %     MEM USAGE / LIMIT   MEM %     NET I/O   BLOCK I/O       PIDS
8bee1b89606e   twistlock_defender_22_12_415   0.32%     132.5MiB / 512MiB   25.87%    0B / 0B   111MB / 2.9MB   13
  • Use docker update to change the CPU shares and memory:
# docker update --cpu-shares 2 --memory 2Gi <DEFENDER CONTAINER ID>
  • Now, check the stats and confirm the changes.
# docker inspect <DEFENDER CONTAINER ID>
            .
            .
            "CpuShares": 2,
            "Memory": 2147483648,
            .
            .
# docker stats <DEFENDER CONTAINER ID>
CONTAINER ID   NAME                           CPU %     MEM USAGE / LIMIT   MEM %     NET I/O   BLOCK I/O      PIDS
8bee1b89606e   twistlock_defender_22_12_415   0.29%     130.9MiB / 2GiB     6.39%     0B / 0B   219MB / 10MB   13
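
A small check to run after the docker update step, added here as an example and not part of the original article: it compares the Memory and CpuShares values reported by docker inspect with the 2GB registry-scanning requirement and the 900-share default stated above. The function names and the pass/fail rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function and variable names
# are assumptions. Feed it the two values shown by docker inspect, e.g.:
#   check_defender_limits $(docker inspect \
#       --format '{{.HostConfig.Memory}} {{.HostConfig.CpuShares}}' <DEFENDER CONTAINER ID>)

REQUIRED_MEM_BYTES=$((2 * 1024 * 1024 * 1024))  # 2GB of RAM for registry scanning
DEFAULT_CPU_SHARES=900                          # Defender default from the article

# True only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_defender_limits <Memory in bytes> <CpuShares>
# Returns 0 if memory meets the minimum, 1 if it is below it, 2 on bad input.
check_defender_limits() {
    mem=$1 shares=$2
    if ! is_uint "$mem" || ! is_uint "$shares"; then
        echo "usage: check_defender_limits <memory-bytes> <cpu-shares>" >&2
        return 2
    fi
    result=0
    if [ "$mem" -eq 0 ]; then
        echo "memory: no limit set (Docker reports 0)"
    elif [ "$mem" -lt "$REQUIRED_MEM_BYTES" ]; then
        echo "memory: $((mem / 1048576)) MiB is below the 2048 MiB registry-scanning minimum"
        result=1
    else
        echo "memory: $((mem / 1048576)) MiB meets the registry-scanning minimum"
    fi
    if [ "$shares" -eq 0 ]; then
        # CpuShares 0 means the value is unset and Docker's default weight applies.
        echo "cpu-shares: unset, Docker default weight applies"
    elif [ "$shares" -lt "$DEFAULT_CPU_SHARES" ]; then
        # --cpu-shares is a relative weight, not a core count.
        echo "cpu-shares: $shares is a lower relative weight than the default $DEFAULT_CPU_SHARES"
    else
        echo "cpu-shares: $shares is at or above the default $DEFAULT_CPU_SHARES"
    fi
    return "$result"
}

# Values copied from the docker inspect output above (before and after the update).
check_defender_limits 536870912 900 || true
check_defender_limits 2147483648 2 || true
```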

