Chaos Monkey Alternatives

Docker

  • 2 min read
  • Last Updated October 17, 2018

Pumba

Pumba is a powerful Chaos testing tool for injecting Chaos in Docker. It can kill, pause, stop, and remove Docker containers with highly-configurable selection rules. It can also perform network emulation through delays, packet loss, rate limiting, and more.

Get started by downloading the latest binary release and setting its permissions.

bash
1sudo curl -L https://github.com/alexei-led/pumba/releases/download/0.5.2/pumba_linux_amd64 -o /usr/bin/pumba &&
2sudo chmod +x /usr/bin/pumba
bash
1docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock gaiaadm/pumba \ | <PUMBA_COMMAND> |

Killing a Random Container

  • Create a Docker container.

    bash
    1docker run -l service=nginx --name nginx -p 80:80 -d nginx
    2docker container ls
    bash
    1# OUTPUT
    2CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    3b9df13525a13 nginx "nginx -g 'daemon ofโ€ฆ" 4 minutes ago Up 4 minutes 0.0.0.0:80->80/tcp nginx
  • This command attempts to kill a random container every 30 seconds. The --dry-run flag simulates the result, so remove it to perform actual killings.

    bash
    1pumba -l info --random --dry-run --interval 30s kill
    2INFO[0000] killing container app=pumba dryrun=true function=github.com/alexei-led/pumba/pkg/container.dockerClient.KillContainer id=b9df13525a139d9a4a55a249b9cff37ba4656b72b4971fbc1f85d93058f2770d name=/nginx signal=SIGKILL source=container/client.go:115

Network Emulation

Pumba uses the tc utility for performing network emulation, which is typically installed with the iproute2 tool set. We'll be creating containers using Alpine Linux distributions in these samples, but make sure your own container images contain a copy of the tc utility when performing network emulations.

Causing Delays

  • Issue the following command to create a container named networker. This ensures iproute2 is up to date and performs a ping on google.com for testing.

    bash
    1docker run --rm --name networker -it alpine sh -c "apk add --update iproute2 && ping google.com"
    bash
    1# OUTPUT
    2fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
    3fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
    4(1/6) Installing libelf (0.8.13-r3)
    5(2/6) Installing libmnl (1.0.4-r0)
    6(3/6) Installing jansson (2.11-r0)
    7(4/6) Installing libnftnl-libs (1.1.1-r0)
    8(5/6) Installing iptables (1.6.2-r0)
    9(6/6) Installing iproute2 (4.13.0-r0)
    10Executing iproute2-4.13.0-r0.post-install
    11Executing busybox-1.28.4-r1.trigger
    12OK: 8 MiB in 19 packages
    13PING google.com (172.217.3.174): 56 data bytes
    1464 bytes from 172.217.3.174: seq=0 ttl=127 time=8.992 ms
    1564 bytes from 172.217.3.174: seq=1 ttl=127 time=9.965 ms
    1664 bytes from 172.217.3.174: seq=2 ttl=127 time=10.332 ms
  • Open a second terminal and issue the following command to cause a 5000 millisecond delay over a total of 15 seconds.

    bash
    1pumba -l info netem --duration 15s delay --time 5000 networker
    bash
    1# TERMINAL 2: OUTPUT
    2INFO[0000] Running netem command '[delay 5000ms 10ms 20.00]' on container 2a4066e2865ed24464fa458982374795d62df11b0368e0886f77fc62cdc47664 for 15s app=pumba function=github.com/alexei-led/pumba/pkg/container.dockerClient.NetemContainer source=container/client.go:220
    3INFO[0000] start netem for container app=pumba dryrun=false function=github.com/alexei-led/pumba/pkg/container.dockerClient.startNetemContainer id=2a4066e2865ed24464fa458982374795d62df11b0368e0886f77fc62cdc47664 iface=eth0 name=/networker netem=delay 5000ms 10ms 20.00 source=container/client.go:276 tcimage=
    4INFO[0015] stopping netem on container IPs=[] app=pumba dryrun=false function=github.com/alexei-led/pumba/pkg/container.dockerClient.StopNetemContainer id=2a4066e2865ed24464fa458982374795d62df11b0368e0886f77fc62cdc47664 iface=eth0 name=/networker source=container/client.go:240 tc-image=
    5INFO[0015] stop netem for container IPs=[] app=pumba dryrun=false function=github.com/alexei-led/pumba/pkg/container.dockerClient.stopNetemContainer id=2a4066e2865ed24464fa458982374795d62df11b0368e0886f77fc62cdc47664 iface=eth0 name=/networker source=container/client.go:298 tcimage=
    bash
    1# TERMINAL 1: OUTPUT
    264 bytes from 172.217.3.174: seq=509 ttl=127 time=9.638 ms
    364 bytes from 172.217.3.174: seq=512 ttl=127 time=5013.608 ms
    464 bytes from 172.217.3.174: seq=514 ttl=127 time=5011.516 ms
    564 bytes from 172.217.3.174: seq=510 ttl=127 time=9299.192 ms
    664 bytes from 172.217.3.174: seq=511 ttl=127 time=9297.367 ms
    764 bytes from 172.217.3.174: seq=516 ttl=127 time=5011.184 ms
    864 bytes from 172.217.3.174: seq=513 ttl=127 time=9301.741 ms
    964 bytes from 172.217.3.174: seq=518 ttl=127 time=5016.096 ms
    1064 bytes from 172.217.3.174: seq=519 ttl=127 time=5014.941 ms
    1164 bytes from 172.217.3.174: seq=515 ttl=127 time=9304.069 ms
    1264 bytes from 172.217.3.174: seq=527 ttl=127 time=10.468 ms

Dropping Packets

  • Issue the following command to create a container named networker and have it start downloading a fairly large file via curl.

    bash
    1docker run --rm --name networker -it alpine sh -c "apk add --update iproute2 && apk add --update curl && curl -O http://ubuntu-releases.eecs.wsu.edu/18.04.1/ubuntu-18.04.1-desktop-amd64.iso"
    bash
    1# TERMINAL 1: OUTPUT
    2% Total % Received % Xferd Average Speed Time Time Time Current
    3 Dload Upload Total Spent Left Speed
    48 1862M 8 155M 0 0 9698k 0 0:03:16 0:00:16 0:03:00 11.4M
  • Open a second terminal and issue the loss command, which will drop 25% of all packets for the next 2 minutes.

    bash
    1pumba netem --duration 2m loss --percent 10 networker

    You should notice the packet loss affecting the curl download -- in this case, roughly halving download speeds.

    bash
    1# TERMINAL 1: OUTPUT
    2 % Total % Received % Xferd Average Speed Time Time Time Current
    3 Dload Upload Total Spent Left Speed
    413 1862M 13 259M 0 0 7403k 0 0:04:17 0:00:35 0:03:42 5807k

Injecting Failure Into Docker with Gremlin

Gremlin makes it easy to run Chaos Experiments on Docker containers. You can start running experiments in just a few minutes after installing Docker. Once installed, Gremlin is intelligent enough to recognize each of your unique Docker containers and will accurately apply smart identifier tags, so you can target exactly the right services and systems. Use Gremlin to perform shutdown and CPU experiments against Docker containers.

Check out this tutorial to learn how to install Gremlin on Ubuntu and attack Docker containers. Alternatively, this guide shows how to install Gremlin within a Docker container for use against other containers.

Docker Chaos Monkey

Docker Chaos Monkey is a simple shell script that terminates Docker Swarm services. Targetable services are specified by applying the role=disposable label.

bash
1docker service create -l role=disposable --name nginx nginx:stable

The script kills off the first Docker image with the role=disposable label that also meets the following criteria:

  • Must have more than 1 replica.
  • Actual and desired replica counts must be equivalent.

Here it is in action.

bash
1./chaos.sh
bash
1# OUTPUT
2----------------------------------------------------------------------------
3| Running this script will kill off 1 docker image with label: role=disposable
4| You have 5 seconds to change your mind and CTRL+C out of this.
5----------------------------------------------------------------------------
6hsn3ezlkqow7 nginx replicated 2/2 nginx:stable
7jam29chanegg nginx2 replicated 1/1 nginx:stable
8----------------------------------------------------------------------------
9
10hsn3ezlkqow7 nginx: swarm1
11removing a container
12> nginx.2.zecjcxha6zbr0bpfqb017v8vb
13
14jam29chanegg nginx2: service has only one running container - skipping

Docker Simian Army

The Docker Simian Army is a Docker image of the Simian Army Java toolset. It doesn't provide any additional features on its own, but it's a useful alternative to installing the Simian Army locally. You can test it out in dry mode with the following command.

bash
1docker run -d \
2 -e SIMIANARMY_CLIENT_AWS_ACCOUNTKEY=$AWS_ACCESS_KEY_ID \
3 -e SIMIANARMY_CLIENT_AWS_SECRETKEY=$AWS_SECRET_ACCESS_KEY \
4 -e SIMIANARMY_CLIENT_AWS_REGION=$AWS_REGION \
5 -e SIMIANARMY_CALENDAR_ISMONKEYTIME=true \
6 -e SIMIANARMY_CHAOS_ASG_ENABLED=true \
7 mlafeldt/simianarmy

Add the -d -p 8080:8080 flag to forward port 8080 and connect to the Simian Army REST API.

ยฉ 2024 Gremlin Inc.All rights reserved.Privacy Policy
Download PDF