topic Re: container defenre inside google's distroless container in Prisma Cloud Discussions

container defenre inside google's distroless container

giulianoz — Wed, 02 Sep 2020 18:04:08 GMT

Hello,

I'm trying to run defender in fargate/sidecar mode. It works fin if I use alpine/ubuntu images as base, but It fails when I try to use google's distroless static/base images

The only log I get is

tandard_init_linux.go:190: exec user process caused "no such file or directory"

The container works fine if I don't run the defender, so it seems not to be related to my binary

Any hint on how to fix this , if possible at all ?

thanks

update: it seems that the fargate_defender.sh is the issue. I changed the entrypoint to use the defender command directly and it seems to work. However this way I will not have the sleeping loop, so I might end adding some workaround...

Re: container defenre inside google's distroless container

kiwi — Tue, 21 Jan 2020 15:54:03 GMT

Thank you for the update !

Cheers !

-Kiwi.

Re: container defenre inside google's distroless container

Zulkarnain — Fri, 19 Mar 2021 18:32:14 GMT

I am having problems deploying the defender in a sidecar pattern using aws fargate eks. I get the /var/lib/twistlock/fargate/fargate_defender.sh logs Waiting for defender..., but the pod never gets registered to the console.

the setup I have is as below:

image: registry-auth.twistlock.com/tw_qbwexdrqucvju1oewzidiwvg1tjqybuk/twistlock/defender:defender_20_12_541
name: twistlockdefender
workingDir: /var/lib/twistlock/fargate/policy
command: ["/bin/sh", "-c"]
args: ["/var/lib/twistlock/fargate/fargate_defender.sh fargate & /usr/local/bin/defender "]
volumeMounts:
- name: twpolicy
mountPath: /var/lib/twistlock/fargate/policy

- name: DEFENDER_TYPE
value: fargate

would appreciate an example of a deploy file which deploys an app and defender as a sidecar in same pod.

Thanks

Zul

Re: container defenre inside google's distroless container

AKing9 — Tue, 16 Aug 2022 20:47:22 GMT

Greetings Zulkarnain,

I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.

Kind Regards,

J. Avery King

Re: container defenre inside google's distroless container

giulianoz — Wed, 17 Aug 2022 23:16:38 GMT

Hello,
we are in the process of moving to a different solution before the license
expires, as it is not acceptable for us to introduce additional software
(sh and sleep) in our containers

Re: container defenre inside google's distroless container

MDavis29 — Wed, 17 Aug 2022 23:28:34 GMT

Giulianoz,

Thanks for reaching out, can you share more details on you use case? also we offer app embedded defenders for situations a container defender cannot be used.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_defender/install_app_embedded_defender