Infrastructure Layer

Targets


Gremlin can inject fault into targets running on any infrastructure environment whether it be an EC2 instance on Amazon Web Services, a droplet in DigitalOcean, or a bare metal server in your own data center.

With your hosts registered to the Gremlin Control Plane, users can create attacks targeting either hosts or containers in your environment.

Hosts

Clients (hosts or cluster nodes) registered to the Gremlin Control Plane will show as active targets available for attacks. In the Web UI, users can filter selected hosts based on their tags, and select individual hosts by their Identifier, in order to run attacks and inject fault into targeted hosts.

In a container environment, when users select hosts as targets to run attacks, the resulting attack is scoped at the host level with the potential to affect anything (processes, containers, etc.) on the host. Users are encouraged to minimize the blast radius of their attacks via attack parameters (network device, port, etc.).

Host States

When host clients first authenticate, they will appear on the hosts page in the Active state. So long as they continue to phone home to the Gremlin Control Plane, they will remain in this state. If for any reason the host stops polling the Gremlin Control Plane our system will wait five (5) minutes before putting the host into the Idle state. If the host does not resume polling in the next twelve (12) hours the host will be automatically deleted from our systems.

Users also have the option to manually revoke access to the Gremlin Control Plane for a host client. In this case the host will be put into a Revoked state and will not be allowed any access to the Gremlin Control Plane regardless of whether or not it continue to actively poll. This action can be reversed by the user should they to regrant the host access to the Gremlin Control Plane.

Cloud Tagging

As of version 2.11.6 the Gremlin client supports automatic tagging of all hosts running in the three major cloud providers. If the Gremlin client is able to detect and parse cloud metadata it will automatically append specific attributes to the host in the form of tags. This allows users to easily utilize cloud metadata to target particular sections of their infrastructure out of the box.

AWS

The following AWS metadata attributes are supported for automatic tagging.

  • azid
  • image-id
  • instance-id
  • instance-type
  • local-hostname
  • local-ip
  • public-hostname
  • public-ip
  • region
  • zone

To include AWS tags, attach the DescribeTags policy to your EC2 instances. Some details are available here and here.

NOTE: Update Gremlin to at least Linux 2.15.9 / Windows 1.0.11 to use azid or AWS tags.

Azure

The following Azure metadata attributes are supported for automatic tagging.

  • azEnvironment
  • location
  • name
  • osType
  • privateIpAddress
  • publicIpAddress
  • sku
  • vmId
  • vmScaleSetName
  • zone
GCP

The following GCP metadata attributes are supported for automatic tagging.

  • hostname
  • id
  • image
  • local-ip
  • name
  • public-ip
  • zone

Containers

Container and pod labels are exposed in the Web UI. Users can individually select the container they wish to attack. By definition, containers of a Kubernetes Pod all share a namespace and cgroup. This means when Gremlin applies a network impact to one container within a Kubernetes pod, the impact will be observed for all containers in the Pod. Note that this does not apply to containers in Pod replicas. If you attack a specific Pod replica, the effect applies to containers within that replica only, and does not apply to the rest of the replicas.

It is always recommended to target only a single container of a Pod. If you wish to exclude some containers from the network impact, reduce your blast radius by specifying ports relevant to the containers you wish to see impact.

Containers and Resource Attacks

What are Cgroups?

Control Groups (cgroups) are used by the Linux kernel to limit access to a host's hardware resources among a group of processes. Container run times like Docker use cgroups to establish Memory, CPU, Disk, and IOPS limits.

Gremlin and Cgroups

With Cgroup integration, Gremlin resource consumption is designed to behave as if it were running inside the containers it targets. Gremlin accomplishes this by running under the cgroup of its target container so that any limits enforced on the target, are also enforced on Gremlin. Kernel protections like Out-of-Memory killers (OOMKillers) can terminate container processes when they compete for all of the resources available to them, including Gremlin.

Kubernetes Pod Eviction and Failed Attacks

On Gremlin versions 2.13 and later, Kubernetes may evict pods targeted by Gremlin resource attacks when they exhaust their resource limits. When this happens, the Kubernetes scheduler deletes Gremlin and all targeted pod resources. Sometimes Gremlin displays this as a Failed attack. Gremlin will show some warning messages when targets are potential candidates for eviction.

Updates to the Gremlin Agent regularly improve the observability around pod eviction, and the effect Gremlin made on the Kubernetes targets.

Supported Cgroup Drivers

Container runtimes generally provide support for two cgroup drivers: cgroupfs, and systemd. If your system is running the systemd cgroup driver, and you are running Gremlin's legacy docker container driver, you may observe the following:

  • Attacks against Kubernetes pods will abide by the resource limits of the pods targeted in the attack, but the resulting resource usage Gremlin generates will not be reflected in cAdvisor metrics (like from metrics-server) and may not impact autoscaling group triggers
  • Attacks against Docker containers (not running within Kubernetes) may not abide by container limits and instead abide by the system.slice root cgroup of the host machine

Container Attack Examples

Here are some examples of infrastructure layer attack options you can try that may be better suited to your intended experiment:

  • Use a CPU, Memory, Disk, or IOPS attack on the target container to test how your orchetrator handles the corresponding resource pressure
  • Use a shutdown attack to find out what happens when a container disappears, becomes uncommunicative, or is otherwise unusable.
  • Use a blackhole attack to find out what happens when communication between a container and the rest of your system is disrupted; make sure you target a single container within a pod here if that is what you are looking to test. If you target a pod it will impact all containers in the pod.
  • Use a process killer attack to kill specific processes on the underlying host machine to find out what happens as you simulate dependency crashes, for example. If you do, remember that it has the potential to impact all containers on that host.

Exact vs Random

There are two ways to select targets when you create an attack, choosing the exact targets, or to randomly select some, or all, of the targets by the supplied tags. Exact target selection uses the host or container's Identifier as the selection method, while Random target selection takes advantage of tags on that host or container. For automated scheduling of attacks in a dynamic environment where hosts and containers are spun up and down, Random selection is preferred.

Exact

Exact selection offers deterministic behavior. It impacts exactly the target hosts or containers that are selected. To select the specific hosts or containers you would like to attack, narrow your search by a tag, and select your targets. All hosts or containers selected will be attacked.

Random

Random selection helps introduce entropy, and produces a more realistic scenario of partial and probabilistic failure on some targets. Hosts and containers that are impacted as a result of an attack are selected using a combination of tags to select them, and the impact field to narrow the blast radius.

To select targets using the Random method, select 1 or more tags per tag category. Tags in the same category select targets using the OR operation. Tags in different categories use the AND operation.

For example, if there are 5 tags in a category named Services and 3 tags API, Events, Caching are selected, Gremlin will Target API or Events or Caching. Then, if you select a tag in a category Zone, Gremlin will target any of the 3 services API, Events, or Caching but only in zone us-west-1a.

To further narrow your attack beyond the tags selected, random targets can be selected by a specific count of targets to impact (M of N targets), or by percentage of targets to impact (X percent of total applicable targets). For example, Gremlin can impact 5 of 37 targets, or 50% of 37 targets.

In the case of a Kubernetes attack, after selecting the deployments to test, you can indicate a percentage or a number of pods to be selected at random to run the attack on. For example, Gremlin can impact a randomly selected 5 of 37 pods, or 50% of 37 pods.