Constraints and Limitations

Server Protection Restrictions

HSS can protect Huawei Cloud servers, third-party cloud servers, and IDCs. The following types of servers can be protected:

Huawei Cloud
- Huawei Cloud Elastic Cloud Server (ECS)
- Huawei Cloud Bare Metal Server (BMS)
- Workspace
Third parties
- Third-party cloud servers
- On-premises IDCs

Container Protection Restrictions

HSS can protect Huawei Cloud cluster containers, third-party cloud cluster containers, and on-premises IDC cluster containers. For details about the supported container types, see Table 1.

**Table 1** Container protection restrictions
Category	Supported Container Type	Constraints and Limitations
Huawei Cloud	CCE cluster containers Independent containers	Supported container runtime: Docker and Containerd Supported cluster editions: CCE standard and Turbo editions Node resource requirements: at least 50 MiB memory and 200m CPU available Resource usage restriction: When an agent is installed in a cluster, HSS creates an HSS namespace in the cluster.
Third parties	Alibaba Cloud cluster containers Tencent Cloud cluster containers Microsoft Cloud cluster containers On-premises cluster containers IDC on-premises cluster containers Independent containers	Supported cluster orchestration platforms: Kubernetes 1.19 or later Supported node OS: Linux Node specifications: at least 2 vCPUs, 4 GiB memory, 40 GiB system disk, and 100 GiB data disk

Protection Quota Limit

A server or container node can be protected by HSS only after a quota is allocated to it. Each server or container needs a quota.

The restrictions on the quotas are as follows:

A protection quota can be bound to only one server or container node.
A maximum of 50,000 protection quotas can be purchased in a region.
After a protection quota is purchased, your server or container is not protected yet. You need to go to the HSS console and install an agent for the server or container and enable protection as prompted.

OS Restrictions

Currently, the HSS agent and system vulnerability scan functions are not supported in certain OSs.

For details about the OS restrictions of HSS, see:

HSS restrictions on Windows (x86)
HSS restrictions on Linux (x86)
HSS restrictions on Linux (Arm)

CentOS 6.x is no longer updated or maintained on the Linux official website, and HSS no longer supports CentOS 6.x or earlier.
The meanings of the symbols in the table are as follows:
- √: supported
- ×: not supported

**Table 2** HSS restrictions on Windows (x86)
OS	Agent	System Vulnerability Scan
Windows 10 (64-bit)	√ NOTE: Only Huawei Cloud Workspace can use this OS.	×
Windows 11 (64-bit)	√ NOTE: Only Huawei Cloud Workspace can use this OS.	×
Windows Server 2012 R2 Standard 64-bit English (40 GB)	√	√
Windows Server 2012 R2 Standard 64-bit Chinese (40 GB)	√	√
Windows Server 2012 R2 Datacenter 64-bit English (40 GB)	√	√
Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)	√	√
Windows Server 2016 Standard 64-bit English (40 GB)	√	√
Windows Server 2016 Standard 64-bit Chinese (40 GB)	√	√
Windows Server 2016 Datacenter 64-bit English (40 GB)	√	√
Windows Server 2016 Datacenter 64-bit Chinese (40 GB)	√	√
Windows Server 2019 Datacenter 64-bit English (40 GB)	√	√
Windows Server 2019 Datacenter 64-bit Chinese (40 GB)	√	√
Windows Server 2022 Datacenter 64-bit English (40 GB)	√	×
Windows Server 2022 Datacenter 64-bit Chinese (40 GB)	√	×

**Table 3** HSS restrictions on Linux (x86)
OS	Agent	System Vulnerability Scan
CentOS 7.4 (64-bit)	√	√
CentOS 7.5 (64-bit)	√	√
CentOS 7.6 (64-bit)	√	√
CentOS 7.7 (64-bit)	√	√
CentOS 7.8 (64-bit)	√	√
CentOS 7.9 (64-bit)	√	√
CentOS 8.1 (64-bit)	√	×
CentOS 8.2 (64-bit)	√	×
CentOS 8 (64-bit)	√	×
CentOS 9 (64-bit)	√	×
Debian 9 (64-bit)	√	√
Debian 10 (64-bit)	√	√
Debian 11.0.0 (64-bit)	√	√
Debian 11.1.0 (64-bit)	√	√
Debian 12.0.0 (64-bit)	√	×
EulerOS 2.2 (64-bit)	√	√
EulerOS 2.3 (64-bit)	√	√
EulerOS 2.5 (64-bit)	√	√
EulerOS 2.7 (64-bit)	√	×
EulerOS 2.9 (64-bit)	√	√
Fedora 28 (64-bit)	√	×
Fedora 31 (64-bit)	√	×
Fedora 32 (64-bit)	√	×
Fedora 33 (64-bit)	√	×
Fedora 34 (64-bit)	√	×
Ubuntu 16.04 (64-bit)	√	√
Ubuntu 18.04 (64-bit)	√	√
Ubuntu 20.04 (64-bit)	√	√
Ubuntu 22.04 (64-bit)	√	√
Ubuntu 24.04 (64-bit)	√ NOTE: Currently, brute-force attack detection is not supported.	×
Red Hat 7.4 (64-bit)	√	×
Red Hat 7.6 (64-bit)	√	×
Red Hat 8.0 (64-bit)	√	×
Red Hat 8.7 (64-bit)	√	×
OpenEuler 20.03 LTS (64-bit)	√	×
OpenEuler 22.03 SP3 (64-bit)	√	×
OpenEuler 22.03 (64-bit)	√	×
AlmaLinux 8.4 (64-bit)	√	√
AlmaLinux 9.0 (64-bit)	√	×
Rocky Linux 8.4 (64-bit)	√	×
Rocky Linux 8.5 (64-bit)	√	×
Rocky Linux 9.0 (64-bit)	√	×
HCE 1.1 (64-bit)	√	√
HCE 2.0 (64-bit)	√	√
SUSE 12 SP5 (64-bit)	√	√
SUSE 15 (64-bit)	√	×
SUSE 15 SP1 (64-bit)	√	√
SUSE 15 SP2 (64-bit)	√	√
SUSE 15 SP3 (64-bit)	√	×
SUSE 15.5 (64-bit)	√	×
SUSE 15 SP6 (64-bit)	√ NOTE: Currently, brute-force attack detection is not supported.	×
Kylin V10 (64-bit)	√	√
Kylin V10 SP3 (64-bit)	√	×
UnionTech OS 1050u2e	√ NOTE: Currently, file escape detection is not supported.	√

**Table 4** HSS restrictions on Linux (Arm)
OS	Agent	System Vulnerability Scan
CentOS 7.4 (64-bit)	√	√
CentOS 7.5 (64-bit)	√	√
CentOS 7.6 (64-bit)	√	√
CentOS 7.7 (64-bit)	√	√
CentOS 7.8 (64-bit)	√	√
CentOS 7.9 (64-bit)	√	√
CentOS 8.0 (64-bit)	√	×
CentOS 8.1 (64-bit)	√	×
CentOS 8.2 (64-bit)	√	×
CentOS 9 (64-bit)	√	×
EulerOS 2.8 (64-bit)	√	√
EulerOS 2.9 (64-bit)	√	√
Fedora 29 (64-bit)	√	×
Ubuntu 18.04 (64-bit)	√	×
Ubuntu 24.04 (64-bit)	√ NOTE: Currently, brute-force attack detection is not supported.	×
Kylin V7 (64-bit)	√	×
Kylin V10 (64-bit)	√	√
HCE 2.0 (64-bit)	√	√
UnionTech OS V20 (64-bit)	√	√ NOTE: Only UnionTech OS V20 server editions E and D support system vulnerability scan.

Agent Restrictions

If third-party security software, such as 360 Total Security, Tencent Manager, and McAfee, is installed on the server, uninstall the software before installing the HSS agent. If the third-party security software is incompatible with the HSS agent, the HSS protection functions will be affected.
After the agent is installed on the server or container node, the agent may modify the following system files or configurations:
- Linux system files:
  - /etc/hosts.deny
  - /etc/hosts.allow
  - /etc/rc.local
  - /etc/ssh/sshd_config
  - /etc/pam.d/sshd
  - /etc/docker/daemon.json
  - /etc/sysctl.conf
  - /sys/fs/cgroup/cpu/ (A subdirectory will be created for the HSS process in this directory.)
  - /sys/kernel/debug/tracing/instances (A CSA instance will be created in this directory.)
- Linux system configurations: iptables rules
- Windows system configurations:
  - Firewall rules
  - System login event audit policy
  - Windows Remote Management trusted server list

Restrictions on Brute-force Attack Defense

Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall while you use HSS.

If the Windows firewall is disabled, HSS cannot block the source IP addresses of brute-force attacks. This problem may persist even if the Windows firewall is enabled after being disabled.

Previous topic: HSS Permissions Management

Next topic: Related Services