Infrastructure Layer

Preview Agent Process Collection


Gremlin can collect information about the running processes on the Linux machines in which the agent is installed. This process information will help inform Gremlin's service discovery features.

What is Collected?

For every process visible to the Gremlin agent, Gremlin will collect

  • process ID (PID)
  • parent process ID (PPID)
  • active UDP and TCP sockets (ipaddress:port)
  • path to process executable
  • command line argument to process

Requirements

  • Gremlin version 2.16.4+

Kubernetes Requirements

When running Gremlin on Kubernetes, there are some additional requirements

Enable Process Collection

Gremlin 2.16.x disables process collection by default. Follow the relevant sections to enable process collection on your platform.

Existing Installation

shell
1sudo setcap cap_sys_ptrace+ep /usr/sbin/gremlind \
2 && echo GREMLIN_COLLECT_PROCESSES=true | sudo tee -a /etc/default/gremlind \
3 && sudo systemctl restart gremlind

APT

shell
1echo "deb https://deb.gremlin.com/ release non-free" | sudo tee /etc/apt/sources.list.d/gremlin.list \
2 && sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9CDB294B29A5B1E2E00C24C022E8EF3461A50EF6 \
3 && sudo apt update \
4 && GREMLIN_COLLECT_PROCESSES=true sudo -E apt install gremlin gremlind

YUM

shell
1sudo curl https://rpm.gremlin.com/gremlin.repo -o /etc/yum.repos.d/gremlin.repo \
2 && GREMLIN_COLLECT_PROCESSES=true sudo -E yum install gremlin gremlind

Kubernetes

shell
1helm repo add gremlin https://helm.gremlin.com
2helm repo update
3helm install gremlin gremlin/gremlin \
4 --namespace gremlin \
5 --set gremlin.hostPID=true \
6 --set gremlin.collect.processes=true \
7 --set gremlin.apparmor=unconfined \
8 --set gremlin.secret.managed=true \
9 --set gremlin.secret.type=secret \
10 --set gremlin.secret.clusterID=my-cluster \
11 --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \
12 --set gremlin.secret.teamSecret=$GREMLIN_TEAM_SECRET

Docker

shell
1docker run -d \
2 --pid=host \
3 --cap-add=SYS_PTRACE \
4 -v /var/lib/gremlin:/var/lib/gremlin \
5 -v /var/log/gremlin:/var/log/gremlin \
6 -v /var/run/docker.sock:/var/run/docker.sock \
7 -e GREMLIN_TEAM_ID \
8 -e GREMLIN_TEAM_SECRET \
9 -e GREMLIN_IDENTIFIER \
10 -e GREMLIN_COLLECT_PROCESSES=true \
11 gremlin/gremlin daemon

Known Issues

Default AppArmor Profiles

Gremlin process collection will fail to collect some information about processes when run under default AppArmor profiles, because they prevent readlink syscalls on all /proc/*/ns/* that are not owned by Gremlin. If you have already installed Gremlin, the following steps will update Gremlin to run in the unconfined apparmor profile.

kubectl
shell
1kubectl patch daemonset -n gremlin gremlin -p "{
2 \"spec\":{
3 \"template\":{
4 \"metadata\":{
5 \"annotations\":{
6 \"container.apparmor.security.beta.kubernetes.io/gremlin\":\"unconfined\"}}}}}"