How to Install and Use Gremlin in a Docker Container

How to Install and Use Gremlin in a Docker Container

Introduction

Gremlin is a simple, safe and secure way to use Chaos Engineering to improve system resilience. You can use Gremlin with Docker in a variety of ways. It is possible to attack Docker containers and it is also possible to run Gremlin in a container to create attacks against the host or other containers.

To run Gremlin on a host to attack Docker containers, view the guide on How to Install and Use Gremlin with Docker on Ubuntu 16.04.

This tutorial will provide a walkthrough of the following:

  • How to install Docker
  • How to create an Nginx Docker container to attack using Gremlin
  • How to install Gremlin in a Docker container
  • How to create a CPU Attack from a Gremlin Container against the host
  • How to create a CPU Attack from a Gremlin Container against a Nginx Docker container

Prerequisites

Before you begin this tutorial, you’ll need the following:

Step 1 - Installing Docker

In this step, you’ll install Docker.

Add official Docker GPG key:

bash
1curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

Use the following command to set up the stable repository.

bash
1sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

Update the apt package index:

bash
1sudo apt-get update

Make sure you are about to install from the Docker repo instead of the default Ubuntu 16.04 repo:

bash
1apt-cache policy docker-ce

Install the latest version of Docker CE:

bash
1sudo apt-get install docker-ce

Docker should now be installed, the daemon started, and the process enabled to start on boot. Check that it is running:

bash
1sudo systemctl status docker

Make sure you are in the Docker usergroup, replace tammy with your username:

bash
1sudo usermod -aG docker tammy

Step 2 - Create an htop container for monitoring

htop is an interactive process viewer for unix.

First create the Dockerfile for your htop container:

bash
1vim Dockerfile

Add the following to the Dockerfile:

docker
1FROM alpine:latest
2RUN apk add --update htop && rm -rf /var/cache/apk/*
3ENTRYPOINT ["htop"]

Build the Dockerfile and tag the image:

bash
1sudo docker build -t htop .

Run htop inside a container, this will monitor the host:

bash
1sudo docker run -it --rm --pid=host htop

To exit htop, use the q key.

Next we will create an nginx container and monitor the new container directly by joining the container pid namespace.

Step 3: Create an nginx Docker container to be used for Gremlin Attacks

First we will create a directory for the html page we will serve using nginx:

bash
1mkdir -p ~/docker-nginx/html
2cd ~/docker-nginx/html

Create a simple html page:

bash
1vim index.html

Paste in the content shown below:

html
1<html>
2 <head>
3 <title>Docker nginx tutorial</title>
4 <link
5 rel="stylesheet"
6 href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"
7 integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm"
8 crossorigin="anonymous"
9 />
10 </head>
11 <body>
12 <div class="container">
13 <h1>Hello it is your container speaking</h1>
14 <p>This nginx page was created by your Docker container.</p>
15 <p>Now it's time to create a Gremlin attack.</p>
16 </div>
17 </body>
18</html>

Create a container using the nginx Docker image:

bash
1sudo docker run -l service=nginx --name docker-nginx -p 80:80 -d -v ~/docker-nginx/html:/usr/share/nginx/html nginx

View the docker-nginx container

bash
1sudo docker ps -a

You will see the following:

bash
1CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2352609a67e95 nginx "nginx -g 'daemon off..." 33 seconds ago Up 32 seconds 0.0.0.0:80->80/tcp docker-nginx

Step 4 - Installing Gremlin in a Docker container

After you have created your Gremlin account (sign up here) you will need to find your Gremlin Daemon credentials. Login to the Gremlin App using your Company name and sign-on credentials. These were emailed to you when you signed up to start using Gremlin.

Navigate to Team Settings and click on your Team.

Store your Gremlin client credentials as environment variables, for example:

bash
1export GREMLIN_TEAM_ID=3f242793-018a-5ad5-9211-fb958f8dc084
bash
1export GREMLIN_TEAM_SECRET=eac3a31b-4a6f-6778-1bdb813a6fdc

By default, Gremlin launches sidecars with no user namespace. However, when Docker is configured to remap container users to the host, Gremlin sidecars must be launched in the host’s user namespace to successfully execute attacks. To see if your Docker instance is configured to remap users, check the following:

bash
1/etc/docker/daemon.json

To tell Gremlin to launch sidecars with the host’s user namespace, pass the following environment variable to the Gremlin daemon:

bash
1export GREMLIN_BYPASS_USERNS_REMAP=1

Next run the Gremlin Daemon in a Container.

Use docker run to pull the official Gremlin Docker image and run the Gremlin daemon:

bash
1$ docker run -d --net=host \
2 --cap-add=NET_ADMIN --cap-add=SYS_BOOT --cap-add=SYS_TIME \
3 --cap-add=KILL \
4 -v $PWD/var/lib/gremlin:/var/lib/gremlin \
5 -v $PWD/var/log/gremlin:/var/log/gremlin \
6 -v /var/run/docker.sock:/var/run/docker.sock \
7 -e GREMLIN_TEAM_ID="$GREMLIN_TEAM_ID" \
8 -e GREMLIN_TEAM_SECRET="$GREMLIN_TEAM_SECRET" \
9 gremlin/gremlin daemon

If you have set GREMLIN_BYPASS_USERNS_REMAP environment variable above, you need to run the Gremlin daemon by setting that environment variable like so:

bash
1$ docker run -d --net=host \
2 --cap-add=NET_ADMIN --cap-add=SYS_BOOT --cap-add=SYS_TIME \
3 --cap-add=KILL \
4 -v $PWD/var/lib/gremlin:/var/lib/gremlin \
5 -v $PWD/var/log/gremlin:/var/log/gremlin \
6 -v /var/run/docker.sock:/var/run/docker.sock \
7 -e GREMLIN_TEAM_ID="$GREMLIN_TEAM_ID" \
8 -e GREMLIN_TEAM_SECRET="$GREMLIN_TEAM_SECRET" \
9 -e GREMLIN_BYPASS_USERNS_REMAP="$GREMLIN_BYPASS_USERNS_REMAP" \
10 gremlin/gremlin daemon

Use docker ps to see all running Docker containers:

bash
1$ sudo docker ps
1CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2b281e749ac33 gremlin/gremlin "/entrypoint.sh daem…" 5 seconds ago Up 4 seconds relaxed_heisenberg

Jump into your Gremlin container with an interactive shell (replace b281e749ac33 with the real ID of your Gremlin container):

bash
1$ sudo docker exec -it b281e749ac33 /bin/bash

From within the container, check out the available attack types:

bash
1$ gremlin help attack-container
1Usage: gremlin attack-container CONTAINER TYPE [type-specific-options]Type "gremlin help attack-container TYPE" for more details: blackhole # An attack which drops all matching network traffic cpu # An attack which consumes CPU resources io # An attack which consumes IO resources latency # An attack which adds latency to all matching network traffic memory # An attack which consumes memory packet_loss # An attack which introduces packet loss to all matching network traffic shutdown # An attack which forces the target to shutdown dns # An attack which blocks access to DNS servers time_travel # An attack which changes the system time. disk # An attack which consumes disk resources process_killer # An attack which kills the specified process

Exit the container:

bash
1exit

Step 5 - How to create a CPU Attack from a Gremlin Container against the host using the Gremlin CLI

We will use the Gremlin CLI attack command to create a CPU attack. This attack will consume CPU using the default settings of 1 core for 60 seconds.

Run the following to create the CPU attack:

bash
1sudo docker run -d \
2 --net=host \
3 --pid=host \
4 --cap-add=NET_ADMIN \
5 --cap-add=SYS_BOOT \
6 --cap-add=SYS_TIME \
7 --cap-add=KILL \
8 -e GREMLIN_TEAM_ID="${GREMLIN_TEAM_ID}" \
9 -e GREMLIN_TEAM_SECRET="${GREMLIN_TEAM_SECRET}" \
10 -v /var/run/docker.sock:/var/run/docker.sock \
11 -v /var/log/gremlin:/var/log/gremlin \
12 -v /var/lib/gremlin:/var/lib/gremlin \
13 gremlin/gremlin attack cpu

View the progress of the attack using the htop container you created earlier:

bash
1sudo docker run -it --rm --pid=host htop

If you have setup the Gremlin Slackbot it will also notify your team via Slack:

slackcpu

Step 6 - How to create a CPU Attack from a Gremlin Container against the Nginx Docker container using the Gremlin CLI

Gremlin has an attack-container argument that can be used to attack containers by their container ID or name. We will use the Gremlin CLI attack-container argument to create a CPU attack. This attack will consume CPU using the default settings of 1 core for 60 seconds.

Before the attack use htop to monitor the docker-nginx container, replace f291a040a6aa with your container ID:

bash
1sudo docker run -it --rm --pid=container:f291a040a6aa htop

You will see the following:

bash
11 [ 0.0%] Tasks: 3, 0 thr; 1 running
2 2 [| 0.7%] Load average: 0.72 0.41 0.21
3 Mem[||||||||||||||||||||||||| 141M/3.86G] Uptime: 00:30:34
4 Swp[ 0K/0K]
5
6 PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command
7 47 root 20 0 4488 2236 932 R 0.0 0.1 0:00.07 htop
8 1 root 20 0 32428 5180 4504 S 0.0 0.1 0:00.03 nginx: master process nginx -g daemon off;
9 8 101 20 0 32900 2476 1448 S 0.0 0.1 0:00.00 nginx: worker process

Run the following to create the CPU container attack against a container, replacef291a040a6aa with your container ID:

bash
1sudo docker run -d -it \
2 --cap-add=NET_ADMIN \
3 -e GREMLIN_TEAM_ID="${GREMLIN_TEAM_ID}" \
4 -e GREMLIN_TEAM_SECRET="${GREMLIN_TEAM_SECRET}" \
5 -v /var/run/docker.sock:/var/run/docker.sock \
6 gremlin/gremlin attack-container f291a040a6aa cpu

View the progress of the attack using the htop container you created earlier:

bash
1sudo docker run -it --rm --pid=container:f291a040a6aa htop

You will see the following result:

bash
11 [| 0.7%] Tasks: 4, 1 thr; 2 running
2 2 [||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| 100.0%] Load average: 0.30 0.33 0.19
3 Mem[||||||||||||||||||||||||| 163M/3.86G] Uptime: 00:32:09
4 Swp[ 0K/0K]
5
6 PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command
7 51 root 20 0 15456 13696 4112 S 99.0 0.3 0:11.25 gremlin attack cpu
8 70 root 20 0 4488 1988 948 R 0.0 0.0 0:00.04 htop
9 1 root 20 0 32428 5180 4504 S 0.0 0.1 0:00.03 nginx: master process nginx -g daemon off;
10 8 101 20 0 32900 2476 1448 S 0.0 0.1 0:00.00 nginx: worker process

Example: Create a blackhole attack on an Nginx Docker container

bash
1sudo docker run -it \
2 --cap-add=NET_ADMIN \
3 -e GREMLIN_TEAM_ID="${GREMLIN_TEAM_ID}" \
4 -e GREMLIN_TEAM_SECRET="${GREMLIN_TEAM_SECRET}" \
5 -v /var/run/docker.sock:/var/run/docker.sock \
6 gremlin/gremlin attack-container f291a040a6aa blackhole -h google.com

View the progress of the attack using the htop container you created earlier:

bash
1sudo docker run -d -it --rm --pid=container:f291a040a6aa htop

You will see the following result:

bash
1Attacking container 'f291a040a6aa' with command ["attack", "blackhole", "-h", "google.com"] ...
2Spawning sidecar container 'gremlin-f291a040a6aa' based on 'gremlin/gremlin:latest' for attack ...
3Setting up blackhole gremlin with guid '0df1ccf5-0801-11e8-9acf-0242fe3ba0bc' for 60 seconds
4Setup successfully completed
5Running blackhole gremlin with guid '0df1ccf5-0801-11e8-9acf-0242fe3ba0bc' for 60 seconds
6Dropping all egress traffic to 172.217.12.174
7Dropping all ingress traffic from 172.217.12.174
8Dropping all ingress traffic from 172.217.11.46
9Dropping all egress traffic to 172.217.11.46
10Dropping all egress traffic to 172.217.10.110
11Dropping all ingress traffic from 172.217.10.110
12Reverting impact!

Conclusion

You’ve installed Gremlin in a Docker container and validated that Gremlin works by running the hello World of Chaos Engineering for Docker Containers, the CPU Resource attack. You have run a CPU resource attack from the Gremlin Docker container against the host. You have also run a CPU resource attack and blackhole attack from the Gremlin Docker container against an nginx Docker container. You now possess tools that make it possible for you to explore additional Gremlin Attacks including attacks that impact State and Network.

Gremlin’s Developer Guide is a great resource and reference for using Gremlin to do Chaos Engineering. You can also explore the Gremlin Community for more information on how to use Chaos Engineering with your application infrastructure.

Related

Avoid downtime. Use Gremlin to turn failure into resilience.

Gremlin empowers you to proactively root out failure before it causes downtime. See how you can harness chaos to build resilient systems by requesting a demo of Gremlin.

Request a demo