Infrastructure Layer

Targets


Gremlin can inject fault into targets running on any infrastructure environment whether it be an EC2 instance on Amazon Web Services, a droplet in DigitalOcean, or a bare metal server in your own data center.

With your hosts registered to the Gremlin Control Plane, users can create attacks targeting either hosts or containers in your environment.

Hosts

Clients (hosts or cluster nodes) registered to the Gremlin Control Plane will show as active targets available for attacks. In the Web UI, users can filter selected hosts based on their tags, and select individual hosts by their Identifier, in order to run attacks and inject fault into targeted hosts.

In a container environment, when users select hosts as targets to run attacks, the resulting attack is scoped at the host level with the potential to affect anything (processes, containers, etc.) on the host. Users are encouraged to minimize the blast radius of their attacks via attack parameters (network device, port, etc.).

Cloud Tagging

As of version 2.11.6 the Gremlin client supports automatic tagging of all hosts running in the three major cloud providers. If the Gremlin client is able to detect and parse cloud metadata it will automatically append specific attributes to the host in the form of tags. This allows users to easily utilize cloud metadata to target particular sections of their infrastructure out of the box.

AWS

The following AWS metadata attributes are supported for automatic tagging.

  • image-id
  • instance-id
  • instance-type
  • local-hostname
  • local-ip
  • public-hostname
  • public-ip
  • region
  • zone
Azure

The following Azure metadata attributes are supported for automatic tagging.

  • azEnvironment
  • location
  • name
  • osType
  • privateIpAddress
  • publicIpAddress
  • sku
  • vmId
  • vmScaleSetName
  • zone
GCP

The following GCP metadata attributes are supported for automatic tagging.

  • hostname
  • id
  • image
  • local-ip
  • name
  • public-ip
  • zone

Containers

Container and pod labels are exposed in the Web UI. Users can individually select the container they wish to attack. By definition, containers of a Kubernetes Pod all share a namespace and cgroup. This means when Gremlin applies a network impact to one container within a Kubernetes pod, the impact will be observed for all containers in the Pod. Note that this does not apply to containers in Pod replicas. If you attack a specific Pod replica, the effect applies to containers within that replica only, and does not apply to the rest of the replicas.

It is always recommended to target only a single container of a Pod. If you wish to exclude some containers from the network impact, reduce your blast radius by specifying ports relevant to the containers you wish to see impact.

Containers and Resource Attacks

NOTE: Update Gremlin to at least 2.13 in order to use resource attacks against containers with proper integration with cgroups.

What are Cgroups?

Control Groups (cgroups) are used by the Linux kernel to limit access to a host’s hardware resources among a group of processes. Container run times like Docker use cgroups to establish Memory, CPU, Disk, and IOPS limits.

Gremlin and Cgroups

With Cgroup integration, Gremlin resource consumption is designed to behave as if it were running inside the containers it targets. Gremlin accomplishes this by running under the cgroup of its target container so that any limits enforced on the target, are also enforced on Gremlin. Kernel protections like Out-of-Memory killers (OOMKillers) can terminate container processes when they compete for all of the resources available to them, including Gremlin.

Kubernetes Pod Eviction and Failed Attacks

On Gremlin 2.13.0, Kubernetes may evict pods targeted by Gremlin resource attacks when they exhaust their resource limits. When this happens, Gremlin and all pod resources are deleted by the Kubernetes scheduler, and sometimes Gremlin displays this as a Failed attack. Gremlin will show some warning messages when targets are potential candidates for eviction.

In future versions of Gremlin, attacks that result in pod eviction will not show up as Failed, and the effect Gremlin made on the Kubernetes targets will be made more clear.

Supported Cgroup Drivers

Currently Gremlin only supports the cgroupfs cgroup driver. If your system is running the systemd cgroup driver, you may observe the following:

  • Attacks against Kubernetes pods will abide by the resource limits of the pods targeted in the attack, but the resulting resource usage Gremlin generates will not be reflected in cAdvisor metrics (like from metrics-server) and may not impact autoscaling group triggers
  • Attacks against Docker containers (not running within Kubernetes) may not abide by container limits and instead abide by the system.slice root cgroup of the host machine

Container Attack Examples

Here are some examples of infrastructure layer attack options you can try that may be better suited to your intended experiment:

  • Use a CPU, Memory, Disk, or IOPS attack on the target container to test how your orchetrator handles the corresponding resource pressure
  • Use a shutdown attack to find out what happens when a container disappears, becomes uncommunicative, or is otherwise unusable.
  • Use a blackhole attack to find out what happens when communication between a container and the rest of your system is disrupted; make sure you target a single container within a pod here if that is what you are looking to test. If you target a pod it will impact all containers in the pod.
  • Use a process killer attack to kill specific processes on the underlying host machine to find out what happens as you simulate dependency crashes, for example. If you do, remember that it has the potential to impact all containers on that host.

Exact vs Random

There are two ways to select targets when you create an attack, choosing the exact targets, or to randomly select some, or all, of the targets by the supplied tags. Exact target selection uses the host or container’s Identifier as the selection method, while Random target selection takes advantage of tags on that host or container. For automated scheduling of attacks in a dynamic environment where hosts and containers are spun up and down, Random selection is preferred.

Exact

Exact selection offers deterministic behavior. It impacts exactly the target hosts or containers that are selected. To select the specific hosts or containers you would like to attack, narrow your search by a tag, and select your targets. All hosts or containers selected will be attacked.

Random

Random selection helps introduce entropy, and produces a more realistic scenario of partial and probabilistic failure on some targets. Hosts and containers that are impacted as a result of an attack are selected using a combination of tags to select them, and the impact field to narrow the blast radius.

To select targets using the Random method, select 1 or more tags per tag category. Tags in the same category select targets using the OR operation. Tags in different categories use the AND operation.

For example, if there are 5 tags in a category named Services and 3 tags API, Events, Caching are selected, Gremlin will Target API or Events or Caching. Then, if you select a tag in a category Zone, Gremlin will target any of the 3 services API, Events, or Caching but only in zone us-west-1a.

To further narrow your attack beyond the tags selected, random targets can be selected by a specific count of targets to impact (M of N targets), or by percentage of targets to impact (X percent of total applicable targets). For example, Gremlin can impact 5 of 37 targets, or 50% of 37 targets.

In the case of a Kubernetes attack, after selecting the deployments to test, you can indicate a percentage or a number of pods to be selected at random to run the attack on. For example, Gremlin can impact a randomly selected 5 of 37 pods, or 50% of 37 pods.