Infrastructure Layer

Advanced Configuration


You can configure the Gremlin Agent with a configuration file or with environment variables. We recommend the configuration file whenever it is an option: the Gremlin software consists of two processes, gremlin and gremlind, and configuration via environment variables requires passing the variables to both processes.

Using the Configuration File

Gremlin's configuration values can be stored in config.yaml (on Linux, this file lives in /etc/gremlin). By default, Gremlin ships with a commented-out version of this file. Use the comments or the example below to set up your configuration.

NOTE: Any changes to config.yaml require a restart of the gremlind service.

```shell
# restart gremlind on Linux with systemd
sudo systemctl restart gremlind
```

Accepted Variables

| Variable | Description |
| --- | --- |
| identifier | a string that uniquely identifies a Gremlin installation (defaults to the host's IP address) |
| team_id | the ID of your Gremlin team |
| tags | key-value pairs that help you target this machine during attacks |
| team_secret | the secret value (used by secret authentication only) |
| team_certificate | the public portion of the certificate-pair (required for signature auth only) |
| team_private_key | the private portion of the certificate-pair (required for signature auth only) |
| https_proxy | the URL of a proxy in between Gremlin and api.gremlin.com |
| push_metrics | set to false if you would like to disable system metrics used for attack charting (defaults to true) |

Example: config.yaml

```yaml
## Gremlin Identifier; uniquely identifies this machine with Gremlin
## (can also set with GREMLIN_IDENTIFIER environment variable)
#identifier:

## Gremlin Team ID; you can find this value at https://app.gremlin.com/settings/teams
## (can also be set with GREMLIN_TEAM_ID environment variable)
team_id: 11111111-1111-1111-1111-111111111111

## Gremlin Client Tags; Tag your machine with key-value pairs that help you target this machine during attacks
## (can also set with GREMLIN_CLIENT_TAGS environment variable)
tags:
  service: pet-store
  interface: http

## Gremlin Team Secret, should not be set when using `team_certificate`+`team_private_key`
## (can also set with GREMLIN_TEAM_SECRET environment variable)
team_secret: 11111111-1111-1111-1111-111111111111
```

Using Environment Variables

The daemon supports the following environment variables:

| Environment Variable | Description |
| --- | --- |
| GREMLIN_TEAM_ID | Your Team ID (required for authentication) |
| GREMLIN_TEAM_SECRET | Your Team Secret (set either the secret or the PEM certificates, not both) |
| GREMLIN_TEAM_PRIVATE_KEY_OR_FILE | Your PEM-encoded private key or path to a file containing the private key (required for authentication). Paths should be prefixed with file:// (ex: file:///var/lib/gremlin/key.pem) |
| GREMLIN_TEAM_CERTIFICATE_OR_FILE | The PEM-encoded public-key certificate or path/filename to the file containing your PEM-encoded public-key certificate (required for authentication). Paths should be prefixed with file:// (ex: file:///var/lib/gremlin/cert.pem) |
| GREMLIN_IDENTIFIER | Custom name for this client (defaults to the host's IP address) |
| GREMLIN_CLIENT_TAGS | Comma-separated list of custom tags to assign to this client. For example: GREMLIN_CLIENT_TAGS="zone=us-east1,role=mysql,foo=bar" |

The following are optional environment variables that may be required in Docker containerized deployments:

| Environment Variable | Description |
| --- | --- |
| GREMLIN_BYPASS_USERNS_REMAP | Runs the Gremlin Daemon in the same Docker namespace as the host. By default, Gremlin does not launch with a namespace defined. To enable this, set the value to 1 |
| GREMLIN_DOCKER_IMAGE | Indicates the location and version of the Gremlin Docker image to use. This variable can be used to indicate an internal repository. For example: GREMLIN_DOCKER_IMAGE=registry.hub.docker.com/gremlin/gremlin:latest |
| net=host | Runs the Gremlin Daemon on the host network. By default, Gremlin network attacks will not affect the host network for containerized environments. |
| pid=host | Lets the Gremlin Daemon affect host processes. By default, the Gremlin process killer will not affect host processes for containerized environments. |

In addition, the following standard Linux environment variables allow proxy configuration:

| Environment Variable | Description |
| --- | --- |
| https_proxy | In the form http[s]://[username:password@]address:port |
| SSL_CERT_FILE | Indicates location of the proxy certificates used to authenticate traffic with the proxy. For example: SSL_CERT_FILE=/etc/ssl/certs/ca-example.crt |

Passing Environment Variables to Systemd or SysV

While configuring the daemon with config.yaml is recommended, process managers like systemd and sysvinit can pass environment variables directly to the daemon process from /etc/default/gremlind. Your installation comes with an example of this file at /etc/default/gremlind.example.

```shell
# Gremlin Identifier; uniquely identifies this machine with Gremlin
GREMLIN_IDENTIFIER=gremlin-01

# Gremlin Team ID; you can find this value at https://app.gremlin.com/settings/teams
GREMLIN_TEAM_ID=11111111-1111-1111-1111-111111111111

# `gremlin init` will run automatically when the gremlind service starts.
# Supply extra options to `gremlin init` via this variable
GREMLIN_INIT_OPTS="--tag service=pet-store --tag interface=http"

# Gremlin Team Secret, should not be set when using `team_certificate`+`team_private_key`
GREMLIN_TEAM_SECRET=11111111-1111-1111-1111-111111111111
```

You can set any of the environment variables listed in the previous section in the configuration file.
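An added example (not part of the Gremlin documentation or Gremlin's own code): a small Python audit of an environment file such as /etc/default/gremlind against the rules stated above, namely that a Team ID is required, that the team secret and the certificate pair are alternatives, and that key and certificate paths carry the file:// prefix. The function names and the check that credential-bearing files are not accessible to other users are assumptions of this example, not requirements stated by Gremlin.

```python
import os
import stat

CERT = "GREMLIN_TEAM_CERTIFICATE_OR_FILE"
KEY = "GREMLIN_TEAM_PRIVATE_KEY_OR_FILE"

def parse_env_file(text):
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            env[name.strip()] = value.strip().strip("\"'")
    return env

def audit_env(env):
    """Check the authentication rules this page states; return findings."""
    findings = []
    secret, cert, key = (env.get(k, "") for k in ("GREMLIN_TEAM_SECRET", CERT, KEY))
    if not env.get("GREMLIN_TEAM_ID"):
        findings.append("GREMLIN_TEAM_ID is not set")
    if secret and (cert or key):
        findings.append("team secret and certificate pair are both set")
    elif not secret and bool(cert) != bool(key):
        findings.append("certificate auth needs both certificate and private key")
    elif not (secret or cert):
        findings.append("no team secret or certificate pair is set")
    for name, value in ((CERT, cert), (KEY, key)):
        if value.startswith("/"):  # bare path: the page asks for file://
            findings.append(f"{name} path lacks the file:// prefix")
    return findings

def audit_file(path):
    """Audit an env file on disk; the permission check is this example's assumption."""
    with open(path, encoding="utf-8") as fh:
        env = parse_env_file(fh.read())
    findings = audit_env(env)
    sensitive = [path] if env.get("GREMLIN_TEAM_SECRET") else []
    if env.get(KEY, "").startswith("file://"):
        sensitive.append(env[KEY][len("file://"):])
    for item in sensitive:
        if not os.path.exists(item):
            findings.append(f"{item} does not exist")
        elif stat.S_IMODE(os.stat(item).st_mode) & 0o007:
            findings.append(f"{item} holds a credential but is accessible to other users")
    return findings

if __name__ == "__main__":
    sample = f"GREMLIN_TEAM_ID=1111\nGREMLIN_TEAM_SECRET=2222\n{KEY}=/var/lib/gremlin/key.pem"  # constructed
    print("\n".join(audit_env(parse_env_file(sample))))
```

Run `audit_file` against the real file as a user that can read it; an empty list means none of these checks fired.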