Preview Agent Process Collection
Gremlin can collect information about the processes running on the Linux machines on which the agent is installed. This process information feeds Gremlin's service discovery features.
What is Collected?
For every process visible to the Gremlin agent, Gremlin collects:
- process ID (PID)
- parent process ID (PPID)
- active UDP and TCP sockets (ipaddress:port)
- path to the process executable
- command line arguments of the process
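The inventory above is exactly what the kernel exposes under /proc, and reading it is where the privilege requirements in the next section come from. The script below is an added example, not Gremlin's code: it walks /proc and prints PID, PPID, executable path, command line and the TCP/UDP sockets of each process, decoding the little-endian hex addresses of /proc/PID/net/tcp and /proc/PID/net/udp (per-PID so that processes in other network namespaces are reported correctly). Function names and the `--run` switch are this example's own; IPv6 tables (tcp6/udp6) are deliberately left out.

```bash
#!/bin/sh
# Added example, not Gremlin's code: reproduce the per-process inventory the
# page lists by reading /proc directly. For processes owned by other users,
# /proc/PID/exe and /proc/PID/fd are readable only with CAP_SYS_PTRACE (or as
# root); entries that cannot be read are skipped rather than fabricated.

# Convert a /proc/net/{tcp,udp} address field such as "0100007F:1F90" into
# dotted-quad ip:port. The kernel prints the IPv4 address as little-endian hex.
hex_to_ipport() {
  hexip=${1%%:*}
  hexport=${1##*:}
  b1=$(printf '%s' "$hexip" | cut -c7-8)
  b2=$(printf '%s' "$hexip" | cut -c5-6)
  b3=$(printf '%s' "$hexip" | cut -c3-4)
  b4=$(printf '%s' "$hexip" | cut -c1-2)
  printf '%d.%d.%d.%d:%d\n' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))" "$((0x$hexport))"
}

# Socket inode numbers held open by a PID: /proc/PID/fd/N -> "socket:[12345]".
socket_inodes() {
  for fd in /proc/"$1"/fd/*; do
    link=$(readlink "$fd" 2>/dev/null) || continue
    case $link in
      socket:*) inode=${link#socket:?}; printf '%s\n' "${inode%?}" ;;
    esac
  done
}

# Print "proto ip:port" for every row of a /proc/net/{tcp,udp}-format table
# (column 2 = local address, column 10 = inode) whose inode appears in the
# space-separated list passed as the remaining arguments.
sockets_from_table() {
  proto=$1
  table=$2
  shift 2
  [ $# -gt 0 ] || return 0
  awk -v want="$*" 'BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
                     NR > 1 && ($10 in w) { print $2 }' "$table" |
  while read -r addr; do
    printf '%s %s\n' "$proto" "$(hex_to_ipport "$addr")"
  done
}

# One line per process (pid ppid exe cmdline), followed by its sockets.
inventory() {
  for dir in /proc/[0-9]*; do
    pid=${dir#/proc/}
    ppid=$(awk '/^PPid:/ { print $2 }' "$dir/status" 2>/dev/null) || continue
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe='(exe unreadable: no CAP_SYS_PTRACE?)'
    cmdline=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline")
    printf '%s %s %s %s\n' "$pid" "$ppid" "$exe" "$cmdline"
    inodes=$(socket_inodes "$pid" | tr '\n' ' ')
    # /proc/PID/net/* reflects PID's own network namespace, not the agent's.
    # shellcheck disable=SC2086  # word-splitting of $inodes is intended
    sockets_from_table tcp "$dir/net/tcp" $inodes
    sockets_from_table udp "$dir/net/udp" $inodes
  done
}

# Run the live inventory only when invoked as "sh process_inventory.sh --run".
case ${1-} in --run) inventory ;; esac
```

Run it once as an unprivileged user and once with `sudo` (or after `setcap cap_sys_ptrace+ep` on the shell binary) and compare: the unprivileged run shows PID, PPID and command line for everything but reports the executable and sockets only for its own processes, which is the gap the agent's CAP_SYS_PTRACE requirement closes.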
Requirements
- Gremlin version 2.16.4+
Kubernetes Requirements
When running Gremlin on Kubernetes, there are some additional requirements:
- Gremlin must run within the PID namespace of the host; for Kubernetes this means hostPID=true
- Gremlin needs the CAP_SYS_PTRACE capability; without it the kernel denies reads of /proc/PID/exe, /proc/PID/fd and /proc/PID/ns/* for processes owned by other users
- If AppArmor is running, Gremlin must run in the unconfined profile (see Known Issues)
Note that a process with host PID visibility, CAP_SYS_PTRACE and no AppArmor confinement can inspect every process on the node, so treat the agent as a privileged component and scope who can modify its DaemonSet accordingly.
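The three requirements above can all be checked from inside the agent's container before flipping the switch. The following preflight script is an added example, not Gremlin's tooling: it reads the effective capability mask from /proc/self/status, the AppArmor label from /proc/self/attr/current, the name of PID 1 (a heuristic for hostPID), and attempts the readlink on /proc/1/ns/net that the AppArmor known issue below concerns. The function names, the `--run` switch and the PID 1 heuristic are assumptions of this example.

```bash
#!/bin/sh
# Added preflight check, not Gremlin's tooling: confirm the conditions the page
# lists for process collection from the agent's own point of view.

# CAP_SYS_PTRACE is capability bit 19. $1 is the hex CapEff value from
# /proc/<pid>/status, e.g. 00000000a80425fb (Docker's default set, which lacks
# it) or 00000000a80c25fb (the same set plus SYS_PTRACE).
has_cap_sys_ptrace() {
  [ $(( (0x$1 >> 19) & 1 )) -eq 1 ]
}

# /proc/<pid>/attr/current reads "unconfined" when no profile applies and
# "<profile> (enforce|complain)" otherwise. The file is absent (empty here)
# when AppArmor is not loaded, which also means no confinement.
apparmor_is_unconfined() {
  case $1 in
    ""|unconfined|"unconfined "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Heuristic for hostPID (assumption of this example): in the host PID
# namespace PID 1 is the host's init (systemd or init); in a container's own
# namespace it is the container entrypoint.
pid1_is_host_init() {
  case $1 in
    systemd|init) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check: one line per condition, non-zero exit status on any failure.
preflight() {
  rc=0
  capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
  if has_cap_sys_ptrace "$capeff"; then echo "ok   CAP_SYS_PTRACE in CapEff ($capeff)"
  else echo "FAIL CAP_SYS_PTRACE missing from CapEff ($capeff)"; rc=1; fi

  profile=$(cat /proc/self/attr/current 2>/dev/null || true)
  if apparmor_is_unconfined "$profile"; then echo "ok   AppArmor: ${profile:-not loaded}"
  else echo "FAIL AppArmor profile is '$profile', expected unconfined"; rc=1; fi

  comm=$(cat /proc/1/comm 2>/dev/null || true)
  if pid1_is_host_init "$comm"; then echo "ok   PID 1 is '$comm' (host PID namespace)"
  else echo "FAIL PID 1 is '${comm:-unreadable}'; hostPID=true is probably not set"; rc=1; fi

  # The readlink from Known Issues: it must resolve for a process we do not own.
  if ns=$(readlink /proc/1/ns/net 2>/dev/null); then echo "ok   readlink /proc/1/ns/net -> $ns"
  else echo "FAIL readlink /proc/1/ns/net denied (AppArmor profile or missing CAP_SYS_PTRACE)"; rc=1; fi
  return $rc
}

# Run the live check only when invoked as "sh preflight.sh --run".
case ${1-} in --run) preflight ;; esac
```

On Kubernetes, `kubectl exec` into the gremlin pod and run the script with `--run`; a pod started without hostPID, CAP_SYS_PTRACE or the unconfined annotation fails the corresponding line, which maps directly onto the Helm values in the next section.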
Enable Process Collection
Gremlin 2.16.x disables process collection by default. Follow the relevant sections to enable process collection on your platform.
Existing Installation
```bash
sudo setcap cap_sys_ptrace+ep /usr/sbin/gremlind \
  && echo GREMLIN_COLLECT_PROCESSES=true | sudo tee -a /etc/default/gremlind \
  && sudo systemctl restart gremlind
```
APT
```bash
echo "deb https://deb.gremlin.com/ release non-free" | sudo tee /etc/apt/sources.list.d/gremlin.list \
  && sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9CDB294B29A5B1E2E00C24C022E8EF3461A50EF6 \
  && sudo apt update \
  && GREMLIN_COLLECT_PROCESSES=true sudo -E apt install gremlin gremlind
```
YUM
```bash
sudo curl https://rpm.gremlin.com/gremlin.repo -o /etc/yum.repos.d/gremlin.repo \
  && GREMLIN_COLLECT_PROCESSES=true sudo -E yum install gremlin gremlind
```
Kubernetes
```bash
helm repo add gremlin https://helm.gremlin.com
helm repo update
helm install gremlin gremlin/gremlin \
  --namespace gremlin \
  --set gremlin.hostPID=true \
  --set gremlin.collect.processes=true \
  --set gremlin.apparmor=unconfined \
  --set gremlin.secret.managed=true \
  --set gremlin.secret.type=secret \
  --set gremlin.secret.clusterID=my-cluster \
  --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \
  --set gremlin.secret.teamSecret=$GREMLIN_TEAM_SECRET
```
Docker
```bash
docker run -d \
  --pid=host \
  --cap-add=SYS_PTRACE \
  -v /var/lib/gremlin:/var/lib/gremlin \
  -v /var/log/gremlin:/var/log/gremlin \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e GREMLIN_TEAM_ID \
  -e GREMLIN_TEAM_SECRET \
  -e GREMLIN_IDENTIFIER \
  -e GREMLIN_COLLECT_PROCESSES=true \
  gremlin/gremlin daemon
```
Known Issues
Default AppArmor Profiles
Gremlin process collection fails to collect some information about processes when run under the default AppArmor profiles, because those profiles deny readlink on /proc/*/ns/* for any process not owned by Gremlin.
If you have already installed Gremlin on Kubernetes, the following command updates the Gremlin DaemonSet to run in the unconfined AppArmor profile.
kubectl
```bash
kubectl patch daemonset -n gremlin gremlin -p "{
  \"spec\":{
    \"template\":{
      \"metadata\":{
        \"annotations\":{
          \"container.apparmor.security.beta.kubernetes.io/gremlin\":\"unconfined\"}}}}}"
```