This Gremlin Shutdown Experiment Pack shares how you can utilise the Gremlin Shutdown attack. Shutdown is available with your Gremlin account.
With Gremlin, you have the ability to shutdown any host or container wherever it may reside.
This pack includes 4 x 5 minute experiments:
After you have created your Gremlin account (request a trial here) you will need to get your Gremlin daemon credentials.
Login to the Gremlin App using your Company name and sign-on credentials. These details were emailed to you when you signed up to start using Gremlin. Make a note of your Team ID and Secret.
First, ssh into your server and add the Gremlin Debian repository:
1echo "deb https://deb.gremlin.com/ release non-free" | sudo tee /etc/apt/sources.list.d/gremlin.list
Import the repo’s GPG key:
1sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C81FC2F43A48B25808F9583BDFF170F324D41134 9CDB294B29A5B1E2E00C24C022E8EF3461A50EF6
Then install the Gremlin daemon and CLI:
1sudo apt-get update && sudo apt-get install -y gremlind gremlin
Using your Gremlin login credentials (which were emailed to you when you created your account), log in to the Gremlin App. Open Settings and copy your Team ID and Secret.
SSH into your server:
1ssh -i your-key.pem ubuntu@server-ip
Initialise Gremlin by running the following command and follow the prompts to enter your Gremlin Team ID and Secret
1gremlin init
Now you’re ready to run attacks using Gremlin.
First click Create Attack.
First choose your target by selecting the host you registered with Gremlin.
Next we will use the Gremlin App to create a Shutdown Attack. Choose the State Category and Select the Shutdown Attack. If you like, you can change the delay to 0 and turn reboot off to trigger an immediate full shutdown.
Click Unleash Gremlin and the Gremlin Shutdown Attack will shutdown your host.
In this step, you’ll install Docker.
Add Docker’s official GPG key:
1curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
Use the following command to set up the stable repository.
1sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
Update the apt package index:
1sudo apt-get update
Make sure you are about to install from the Docker repo instead of the default Ubuntu 16.04 repo:
1apt-cache policy docker-ce
Install the latest version of Docker CE:
1sudo apt-get install docker-ce
Docker should now be installed, the daemon started, and the process enabled to start on boot. Check that it’s running:
1sudo systemctl status docker
Make sure you are in the Docker usergroup, replace $USER with your username:
1sudo usermod -aG docker $USER
Log out and back in for your permissions to take effect, or type the following:
1su - ${USER}
Htop is an interactive process viewer for UNIX. We’ll use it to monitor the progress of our attacks.
First create the Dockerfile for your htop container:
1vim Dockerfile
Add the following to the Dockerfile:
1FROM alpine:latestRUN apk add --update htop && rm -rf /var/cache/apk/*ENTRYPOINT ["htop"]
Build the Dockerfile and tag the image:
1sudo docker build -t htop .
Run htop inside a container, this will monitor the host:
1sudo docker run -it --rm --pid=host htop
To exit htop, enter q.
Next we will create an NGINX container and monitor it directly by joining the container’s pid namespace.
First we will create a directory for the html page we will serve using nginx:
1mkdir -p ~/docker-nginx/html
1cd ~/docker-nginx/html
Create a simple HTML page:
1vim index.html
Paste in this content:
1<html> <head> <title>Docker nginx tutorial</title> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"> </head> <body> <div class="container"> <h1>Hello it is your container speaking</h1> <p>This nginx page was created by your Docker container.</p> <p>Now it’s time to create a Gremlin attack.</p> </div> </body></html>
Create a container using the nginx Docker image:
1sudo docker run -l service=nginx --name docker-nginx -p 80:80 -d -v ~/docker-nginx/html:/usr/share/nginx/html nginx
Make sure the docker-nginx container is running:
1sudo docker ps
1CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES352609a67e95 nginx "nginx -g 'daemon of…" 33 seconds ago Up 32 seconds 0.0.0.0:80->80/tcp docker-nginx
Using your Gremlin login credentials (which were emailed to you when you created your account), log in to the Gremlin App. Open Settings and copy your Team ID and Secret.
Set the following export variables:
1export GREMLIN_TEAM_ID=your_team_id
1export GREMLIN_TEAM_SECRET=your_team_secret
Use docker run to pull the official Gremlin Docker image and run the Gremlin daemon:
1sudo docker run -d \ --net=host \ --pid=host \ --cap-add=NET_ADMIN \ --cap-add=SYS_BOOT \ --cap-add=SYS_TIME \ --cap-add=KILL \ -e GREMLIN_TEAM_ID="${GREMLIN_TEAM_ID}" \ -e GREMLIN_TEAM_SECRET="${GREMLIN_TEAM_SECRET}" \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /var/log/gremlin:/var/log/gremlin \ -v /var/lib/gremlin:/var/lib/gremlin \ gremlin/gremlin daemon
Make sure to pass in the three environment variables you set in Step 4. If you don’t, the Gremlin daemon cannot connect to the Gremlin backend.
Use docker ps to see all running Docker containers:
1sudo docker ps
1CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES7167cacb2536 gremlin/gremlin "/entrypoint.sh daem…" 40 seconds ago Up 39 seconds practical_benzfb58b77e5ef8 nginx "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes 0.0.0.0:80->80/tcp docker-nginx
Jump into your Gremlin container with an interactive shell (replace 7167cacb2536 with the real ID of your Gremlin container):
1sudo docker exec -it 7167cacb2536 /bin/bash
From within the container, check out the available attack types:
1gremlin help attack-container
1Usage: gremlin attack-container CONTAINER TYPE [type-specific-options]Type "gremlin help attack-container TYPE" for more details: blackhole # An attack which drops all matching network traffic cpu # An attack which consumes CPU resources io # An attack which consumes IO resources latency # An attack which adds latency to all matching network traffic memory # An attack which consumes memory packet_loss # An attack which introduces packet loss to all matching network traffic shutdown # An attack which forces the target to shutdown dns # An attack which blocks access to DNS servers time_travel # An attack which changes the system time. disk # An attack which consumes disk resources process_killer # An attack which kills the specified process
Then exit the container.
In this step we will run gremlin attack-container to target the NGINX container by its ID and run a Shutdown Attack against it.
Before running the Shutdown attack, use htop to monitor the docker-nginx container (replace f291a040a6aa with your docker-nginx container ID):
1sudo docker run -it --rm --pid=container:f291a040a6aa htop
You will see the following:
11 [ 0.0%] Tasks: 3, 0 thr; 1 running 2 [| 0.7%] Load average: 0.72 0.41 0.21 Mem[||||||||||||||||||||||||| 141M/3.86G] Uptime: 00:30:34 Swp[ 0K/0K] PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command 47 root 20 0 4488 2236 932 R 0.0 0.1 0:00.07 htop 1 root 20 0 32428 5180 4504 S 0.0 0.1 0:00.03 nginx: master process nginx -g daemon off; 8 101 20 0 32900 2476 1448 S 0.0 0.1 0:00.00 nginx: worker process
Run the following to create the Shutdown container attack against the container (replace f291a040a6aa with your docker-nginx container ID):
1sudo docker run -d -it \ --cap-add=NET_ADMIN \ -e GREMLIN_TEAM_ID="${GREMLIN_TEAM_ID}" \ -e GREMLIN_TEAM_CERTIFICATE_OR_FILE="${GREMLIN_TEAM_CERTIFICATE_OR_FILE}" \ -e GREMLIN_TEAM_PRIVATE_KEY_OR_FILE="${GREMLIN_TEAM_PRIVATE_KEY_OR_FILE}" \ -v /var/run/docker.sock:/var/run/docker.sock \ gremlin/gremlin attack-container f291a040a6aa shutdown
Kubernetes is a container management system which is built with reliability in mind. Architecture is commonly 1 master and 2 or more nodes which are replicated from the master. When the master dies the nodes are ready to replace it. When one node dies another will be ready to replace it.
To create a Kubernetes cluster follow our guide on "How to Use and Install Kubernetes with Weave Net".
To install the Gremlin agent and Kubernetes agent, you will need your Gremlin Team ID and Secret Key. If you don’t know what your Team ID and Secret Key are, you can get them from the Gremlin web app.
Visit the Teams page in Gremlin, and then click on your team’s name in the list.
On the Teams screen click on Configuration.
Make a note of your Team ID.
If you don’t know your Secret Key, you will need to reset it. Click the Reset button. You’ll get a popup reminding you that any running agents using the current Secret Key will need to be configured with the new key. Hit Continue.
Next you’ll see a popup screen that will show you the new Secret Key. Make a note of it.
The simplest way to install the Gremlin agent on your Kubernetes cluster is to use Helm. If you do not already have Helm installed, go here to get started. Once Helm is installed and configured, the next steps are to add the Gremlin repo and install the agent.
Add the Gremlin Helm chart:
1helm repo add gremlin https://helm.gremlin.com
Create a namespace for the Gremlin Kubernetes agent:
1kubectl create namespace gremlin
Next you will run the helm
command to install the Gremlin agent. In this command there are three placeholder variables that you will need to replace with real data. Replace $GREMLIN_TEAM_ID
with your Team ID from step1, and replace $GREMLIN_TEAM_SECRET
with your Secret Key from step 1. Replace $GREMLIN_CLUSTER_ID
with a name for the cluster.
If you are using Helm v3, run this command:
1helm install gremlin gremlin/gremlin \2 --namespace gremlin \3 --set gremlin.secret.managed=true \4 --set gremlin.secret.type=secret \5 --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \6 --set gremlin.secret.clusterID=$GREMLIN_CLUSTER_ID \7 --set gremlin.secret.teamSecret=$GREMLIN_TEAM_SECRET
For older versions of Helm, use the --name option:
1helm install gremlin/gremlin \2 --name gremlin \3 --namespace gremlin \4 --set gremlin.secret.managed=true \5 --set gremlin.secret.type=secret \6 --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \7 --set gremlin.secret.clusterID=$GREMLIN_CLUSTER_ID \8 --set gremlin.secret.teamSecret=$GREMLIN_TEAM_SECRET
If you’re not sure which version of Helm you’re using, run this command:
1helm version
For more information on the Gremlin Helm chart, including more configuration options, check out the chart on Github.
You can use the Gremlin App or the Gremlin API to trigger Gremlin attacks. You can view the available range of Gremlin Attacks in Gremlin Help.
To create a Shutdown Attack click Attacks in the left Navigation bar and New Attack.
Host targeting should be selected by default. Click on the Exact button to expand the list of available hosts, and select one of them. You’ll see the Blast Radius for the attack is limited to 1 host.
Click “Choose a Gremlin,” and then select State and Shutdown.
Leave the Delay set to 1 minute. This is the delay before the attack begins. Leave the Reboot radio button set to On. This will start the host up again after the shutdown.
When your attack is finished it will move to Completed Attacks in the Gremlin App. To view the logs of the Attack, click on the Attack in Completed Attacks then click to the arrow to view the logs.
First you will need to install Docker For Mac if you do not yet have it on your local computer, follow the instructions provided by Docker.
The Gremlin daemon (gremlind) connects to the Gremlin backend and waits for attack orders from you. When it receives attack orders, it uses the CLI (gremlin) to run the attack.
1export GREMLIN_TEAM_ID=your_team_id
1export GREMLIN_TEAM_SECRET=your_team_secret
Use docker pull to pull the official Gremlin Docker image:
1docker pull gremlin/gremlin
First we will create a directory for the html page we will serve using nginx:
1mkdir -p ~/docker-nginx/html2cd ~/docker-nginx/html
Create a simple HTML page:
1vim index.html
Paste in this content:
1<html> <head> <title>Docker nginx tutorial</title> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"> </head> <body> <div class="container"> <h1>Hello it is your container speaking</h1> <p>This nginx page was created by your Docker container.</p> <p>Now it's time to create a Gremlin attack.</p> </div> </body></html>
Create a container using the nginx Docker image:
1sudo docker run -l service=nginx --name docker-nginx -p 80:80 -d -v ~/docker-nginx/html:/usr/share/nginx/html nginx
Make sure the docker-nginx container is running:
1sudo docker ps
1CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES7167cacb2536 gremlin/gremlin "/entrypoint.sh daem…" 40 seconds ago Up 39 seconds practical_benzfb58b77e5ef8 nginx "nginx -g 'daemon of…" 10 minutes ago Up 10 minutes 0.0.0.0:80->80/tcp docker-nginx
Now use the Gremlin CLI (gremlin) to run a Shutdown attack from within a Gremlin container:
1sudo docker run -i \ --cap-add=NET_ADMIN \ -e GREMLIN_TEAM_ID="${GREMLIN_TEAM_ID}" \ -e GREMLIN_TEAM_SECRET="${GREMLIN_TEAM_SECRET}" \ -v /var/run/docker.sock:/var/run/docker.sock \ gremlin/gremlin attack-container docker-nginx shutdown
This attack will shutdown your nginx container.
It is also possible to run attacks programmatically using the Gremlin API. We will run these attacks from a Mac OS laptop.
First, ssh into your server and add the Gremlin Debian repository:
1echo "deb https://deb.gremlin.com/ release non-free" | sudo tee /etc/apt/sources.list.d/gremlin.list
Import the repo’s GPG key:
1sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C81FC2F43A48B25808F9583BDFF170F324D41134 9CDB294B29A5B1E2E00C24C022E8EF3461A50EF6
Then install the Gremlin daemon and CLI:
1sudo apt-get update && sudo apt-get install -y gremlind gremlin
Using your Gremlin login credentials (which were emailed to you when you created your account), log in to the Gremlin App. Open Settings and copy your Team ID and Secret.
Initialise Gremlin by running the following command and follow the prompts to enter your Gremlin Team ID and Secret:
1gremlin init
Now you’re ready to obtain your Gremlin API token.
First access your Gremlin API token by providing your gremlin username and password to /users/auth, replacing your email, password and company name in the curl request below:
1curl -X POST --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'email=name@youremail.com' \ --data-urlencode 'password=changeit' \ --data-urlencode 'companyName=changeit' \ 'https://api.gremlin.com/v1/users/auth'
Your API token will be displayed on the screen. The example below shows "Bearer Y4MGE3MGMzOmdyZW1saW5AZ3JlbWxpbmluYy5jb206NWNhMWFiMWU" as the API token that will be used for interacting with the Gremlin API:
1[ { "expires_at": "2099-01-00T00:00:00.000Z", "header": "Bearer Y4MGE3MGMzOmdyZW1saW5AZ3JlbWxpbmluYy5jb206NWNhMWFiMWU", "identifier": "yourname@email.com", "org_id": "e7352a6b-a9a0-513c-8000-980f680a70c3", "org_name": "My Org (Production)", "renew_token": "5ca1ab1e-ffff-0000ffff0001", "role": "USER", "token": "5ca1ab1e-ffff-0000ffff0000" },]
On your local computer (Mac OS), store your Gremlin API token as an environment variable:
1export bearertoken="Bearer Y4MGE3MGMzOmdyZW1saW5AZ3JlbWxpbmluYy5jb206NWNhMWFiMWU"
Check to ensure you have set your token correctly:
1echo $bearertoken
Your API token will be displayed on your terminal screen:
1Bearer Y4MGE3MGMzOmdyZW1saW5AZ3JlbWxpbmluYy5jb206NWNhMWFiMWU
Now you’re ready to run attacks using the Gremlin API .
Now you’re ready to run a shutdown attack using the Gremlin API . Run the following command on your local computer (Mac OS):
1curl --header "Content-Type: application/json" \ --header "Authorization: $bearertoken" \ https://api.gremlin.com/v1/attacks/new \ --data ' { "command": { "type": "shutdown" }, "target": { "type": "Random" } }'
View the attack in progress using the Gremlin API:
1curl -X GET "https://api.gremlin.com/v1/attacks/active" -H "Authorization: $bearertoken" -H "accept: application/json"
Your current attack will be displayed in terminal:
1[ { "target_type": "Host", "targets": [ "docker-for-desktop" ], "org_id": "3f242793-018a-5ad5-8000-fb958f8dc084", "args": [ "shutdown" ], "created_at": "2019-03-07T18:56:24.232Z", "create_source": "Api", "stage": "Pending", "stage_lifecycle": "Active", "guid": "b452e2a6-410a-11e9-95a4-0242cbd04b28", "start_time": "2019-03-07T18:56:24.232Z", "create_user": "youremail@email.com", "updated_at": "2019-03-07T18:57:31.191Z", "kind": "Api" }
Gremlin empowers you to proactively root out failure before it causes downtime. See how you can harness chaos to build resilient systems by requesting a demo of Gremlin.
Get started