Preview Agent Process Collection

Gremlin can collect information about the running processes on the Linux machines in which the agent is installed. This process information will help inform Gremlin's service discovery features.

What is Collected?

For every process visible to the Gremlin agent, Gremlin will collect

process ID (PID)
parent process ID (PPID)
active UDP and TCP sockets (ipaddress:port)
path to process executable
command line argument to process

Requirements

Gremlin version 2.16.4+

Kubernetes Requirements

When running Gremlin on Kubernetes, there are some additional requirements

Gremlin must run within the PID namespace of the host; for Kubernetes this means hostPID=true
Gremlin needs the CAP_SYS_PTRACE capability
If AppArmor is running, Gremlin must run in the unconfined profile (See Known Issues)

Enable Process Collection

Gremlin 2.16.x disables process collection by default. Follow the relevant sections to enable process collection on your platform.

Existing Installation

shell

1sudo setcap cap_sys_ptrace+ep /usr/sbin/gremlind \
2  && echo GREMLIN_COLLECT_PROCESSES=true | sudo tee -a /etc/default/gremlind \
3  && sudo systemctl restart gremlind

APT

shell

1echo "deb https://deb.gremlin.com/ release non-free" | sudo tee /etc/apt/sources.list.d/gremlin.list \
2  && sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9CDB294B29A5B1E2E00C24C022E8EF3461A50EF6 \
3  && sudo apt update \ 
4  && GREMLIN_COLLECT_PROCESSES=true sudo -E apt install gremlin gremlind

YUM

shell

1sudo curl https://rpm.gremlin.com/gremlin.repo -o /etc/yum.repos.d/gremlin.repo \
2  && GREMLIN_COLLECT_PROCESSES=true sudo -E yum install gremlin gremlind

Kubernetes

shell

1helm repo add gremlin https://helm.gremlin.com
2helm repo update
3helm install gremlin gremlin/gremlin \
4  --namespace gremlin \
5  --set      gremlin.hostPID=true \
6  --set      gremlin.collect.processes=true \
7  --set      gremlin.apparmor=unconfined \
8  --set      gremlin.secret.managed=true \
9  --set      gremlin.secret.type=secret \
10  --set      gremlin.secret.clusterID=my-cluster \
11  --set      gremlin.secret.teamID=$GREMLIN_TEAM_ID \
12  --set      gremlin.secret.teamSecret=$GREMLIN_TEAM_SECRET

Docker

shell

1docker run -d \
2  --pid=host \
3  --cap-add=SYS_PTRACE \
4  -v /var/lib/gremlin:/var/lib/gremlin \
5  -v /var/log/gremlin:/var/log/gremlin \
6  -v /var/run/docker.sock:/var/run/docker.sock \
7  -e GREMLIN_TEAM_ID \
8  -e GREMLIN_TEAM_SECRET \
9  -e GREMLIN_IDENTIFIER \
10  -e GREMLIN_COLLECT_PROCESSES=true \
11  gremlin/gremlin daemon

Known Issues

Default AppArmor Profiles

Gremlin process collection will fail to collect some information about processes when run under default AppArmor profiles, because they prevent readlink syscalls on all /proc/*/ns/* that are not owned by Gremlin. If you have already installed Gremlin, the following steps will update Gremlin to run in the unconfined apparmor profile.

kubectl

shell

1kubectl patch daemonset -n gremlin gremlin -p "{
2  \"spec\":{
3    \"template\":{
4      \"metadata\":{
5        \"annotations\":{
6          \"container.apparmor.security.beta.kubernetes.io/gremlin\":\"unconfined\"}}}}}"