Running Bitdefender Security Containers on AWS ECS

To run a Bitdefender Security Container instance on AWS ECS, you need to:

  1. Create an Amazon ECS task definition

  2. Run the previously created task

Prerequisites

  • You must have an ECS cluster already created in the Amazon Elastic Container Service console. In the Infrastructure section of the Clusters > Create cluster page:

    • Select Fargate and Self-managed instances.

      Important

      Bitdefender Security Container cannot be deployed on an ECS cluster that uses Fargate only.

    • Select an EC2 instance type that provides at least 2 vCPUs and 6 GiB of memory.

  • Retrieve the required values for the BSC_SERVER, BSC_CSRTOKEN, and BSC_COMPANY variables by following these steps:

    1. In GravityZone Control Center, go to Network > Installation packages.

    2. Select a package with the Container Protection module enabled.

    3. Click Download and select Security Container.

      This opens the Download Security Container screen.

    4. Note the values of the --server, --company, and --csrtoken parameters from the scripts provided. These are the values of the BSC_SERVER, BSC_COMPANY, and BSC_CSRTOKEN variables, which you will need later.

Create an Amazon ECS task definition

To create the required Amazon ECS task definition, follow these steps:

  1. In the Amazon Elastic Container Service console, select Task definitions from the menu on the left.

  2. From the Create new task definition drop-down menu, select Create new task definition with JSON.

    You will be redirected to the Create new task definition page.

  3. In the JSON editor box, delete the default JSON.

  4. Copy the JSON below and paste it into the JSON editor box.

    {
        "containerDefinitions": [{
                "environment": [{
                        "name": "BSC_LOGLEVEL",
                        "value": "<log_level>"
                    }, {
                        "name": "BSC_COMPANY",
                        "value": "<customer_company>"
                    }, {
                        "name": "BSC_SERVER",
                        "value": "<customer_ecs>"
                    }, {
                        "name": "BSC_CSRTOKEN",
                        "value": "<customer_cst_token>"
                    }, {
                        "name": "BSC_GID",
                        "value": "<gid>"
                    }
                ],
                "essential": true,
                "image": "docker.io/bdfbusiness/bitdefender-security-container:7.0",
                "memory": 4096,
                "mountPoints": [{
                        "containerPath": "/mnt/host-proc",
                        "readOnly": false,
                        "sourceVolume": "proc"
                    }, {
                        "containerPath": "/mnt/host-sys",
                        "readOnly": false,
                        "sourceVolume": "sys"
                    }, {
                        "containerPath": "/mnt/host-os-release",
                        "readOnly": false,
                        "sourceVolume": "os-release"
                    }, {
                        "containerPath": "/mnt/host",
                        "readOnly": false,
                        "sourceVolume": "root"
                    }, {
                        "containerPath": "/data",
                        "readOnly": false,
                        "sourceVolume": "data"
                    }
                ],
                "name": "bitdefender-security-container",
                "portMappings": [],
                "privileged": true,
                "systemControls": [],
                "volumesFrom": []
            }
        ],
        "enableFaultInjection": false,
        "executionRoleArn": "arn:aws:iam::<ACCOUNT_ID>:role/ecsTaskExecutionRole",
        "family": "<customer_bsc_task_definition>",
        "networkMode": "host",
        "pidMode": "host",
        "placementConstraints": [],
        "requiresCompatibilities": [
            "EC2"
        ],
        "taskRoleArn": "arn:aws:iam::<ACCOUNT_ID>:role/ecsTaskExecutionRole",
        "volumes": [{
                "host": {
                    "sourcePath": "/proc"
                },
                "name": "proc"
            }, {
                "host": {
                    "sourcePath": "/sys"
                },
                "name": "sys"
            }, {
                "host": {
                    "sourcePath": "/etc/os-release"
                },
                "name": "os-release"
            }, {
                "host": {
                    "sourcePath": "/"
                },
                "name": "root"
            }, {
                "host": {
                    "sourcePath": "/mnt/data"
                },
                "name": "data"
            }
        ]
    }

  5. Replace the <log_level> placeholder from the JSON with the desired log level, which will be configured in /log/level/bdsecd.json.

    Important

    • The log level can take only the following values: info, debug, and trace.

    • This parameter is optional. If you prefer not to use it, delete the full name–value entry from the JSON.

  6. Replace the <customer_company>, <customer_cst_token>, and <customer_ecs> placeholders from the JSON with the previously retrieved values of the BSC_COMPANY, BSC_CSRTOKEN, and BSC_SERVER variables, respectively.

  7. Replace the <gid> placeholder from the JSON with the group ID under which the product services will run.

    Important

    • This parameter is optional. If you prefer not to use it, delete the full name–value entry from the JSON.

    • The group ID must be previously unused, greater than 999, and no larger than 60000.

  8. Replace the <ACCOUNT_ID> placeholder from the JSON with your Account ID from the top-right corner of the Amazon Elastic Container Service console.

  9. Replace the <customer_bsc_task_definition> placeholder from the JSON with a descriptive name for the task definition.

  10. This task definition JSON uses the latest version of Bitdefender Security Container. If you need to run an older version, change the version number in the image field.

  11. Click Create.

    If the JSON successfully passes validation, the new task definition will be displayed on the Task definitions page.
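The constraints from steps 5 to 9 can be checked before the JSON is pasted into the console. The script below is an added example, not Bitdefender or AWS code: it looks for unreplaced placeholders, the three required BSC_ variables, the allowed log levels, and the group ID range. The function names, the trimmed-down sample definitions, and every value in them are constructed for illustration.

```python
import json
import re

ALLOWED_LOG_LEVELS = {"info", "debug", "trace"}                # step 5
REQUIRED_ENV = ("BSC_COMPANY", "BSC_SERVER", "BSC_CSRTOKEN")   # from the prerequisites
PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")                      # <gid>, <ACCOUNT_ID>, ...


def check_task_definition(text):
    """Return a list of problems found in a filled-in task definition (JSON text)."""
    problems = []
    leftover = sorted(set(PLACEHOLDER.findall(text)))
    if leftover:
        problems.append("unreplaced placeholders: " + ", ".join(leftover))
    task = json.loads(text)
    if "EC2" not in task.get("requiresCompatibilities", []):
        problems.append("requiresCompatibilities does not list EC2")
    for container in task.get("containerDefinitions", []):
        env = {e["name"]: e["value"] for e in container.get("environment", [])}
        for name in REQUIRED_ENV:
            if not env.get(name):
                problems.append(name + " is missing or empty")
        level = env.get("BSC_LOGLEVEL")          # optional entry
        if level is not None and level not in ALLOWED_LOG_LEVELS:
            problems.append("BSC_LOGLEVEL must be info, debug or trace")
        gid = env.get("BSC_GID")                 # optional entry
        if gid is not None and not (re.fullmatch(r"[0-9]+", gid) and 999 < int(gid) <= 60000):
            problems.append("BSC_GID must be greater than 999 and at most 60000")
    return problems


def sample_definition(**env):
    """Constructed, trimmed-down task definition; all values are made up."""
    return json.dumps({
        "family": "bsc-demo",
        "requiresCompatibilities": ["EC2"],
        "executionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
        "containerDefinitions": [{
            "name": "bitdefender-security-container",
            "environment": [{"name": k, "value": v} for k, v in env.items()],
        }],
    })


GOOD = sample_definition(BSC_COMPANY="example-company-id", BSC_SERVER="gz.example.invalid",
                         BSC_CSRTOKEN="example-token", BSC_LOGLEVEL="debug", BSC_GID="1500")
BAD = sample_definition(BSC_COMPANY="<customer_company>", BSC_SERVER="gz.example.invalid",
                        BSC_CSRTOKEN="", BSC_LOGLEVEL="warning", BSC_GID="999")

if __name__ == "__main__":
    print("good:", check_task_definition(GOOD))
    for problem in check_task_definition(BAD):
        print("bad: ", problem)
```

To check a real file, pass its contents to check_task_definition; an empty list means none of these checks failed.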

Run the Amazon ECS task

To run the previously created task:

  1. In the Amazon Elastic Container Service console, select Clusters from the menu on the left.

  2. Click the name of the previously created cluster.

  3. Select the Tasks tab.

  4. Click Run new task.

  5. In the Task details section, under Task definition family, select the previously created task definition.

  6. In the Environment section, under Compute configuration > Compute options, select Launch type.

  7. Select the EC2 launch type.

  8. Click Create.

The Bitdefender Security Container will run on the ECS cluster.