Workaround - Gremlin attacks fail when pause container is dropped [OpenShift 4.9 / CRI-O 1.22]

Modified on Tue, 18 Oct, 2022 at 4:49 PM

Description:




  • OpenShift uses the CRI-O container runtime. OpenShift 4.9 uses CRI-O 1.22




  • For containerd-runc and crio-runc container drivers, Gremlin relies on the presence of a “sandbox” container to resolve container namespaces (e.g. the network namespace shared by all containers of a pod)




  • In CRI-O 1.22, this sandbox container (referred to as “infra” container in CRI-O documentation) is dropped after the pod is created. This is controlled by an option: drop_infra_ctr (which is true by default)




Expected: attack runs successfully


Actual: attack fails with following message


Problem: The absence of a sandbox container prevents Gremlin from running attacks. They fail like this:


container details : time="2022-05-11T13:07:21Z" level=error msg="container \"2584cede1cf01e77d9d9ac8f864f99f1c155268ec1095af2bbde850e73d936a2\" does not exist"

 


Workaround


The problem occurs when drop_infra_ctr = true defined in the CRI-O run config. Changing this to false gets attacks working again. The attached file is an example of a machine config that will set drop_infra_ctr = false.


To apply this workaround, install the machine config attached to this article:


1 oc apply -f 95-gremlin-drop_infra_ctr.yaml

Wait (as seen in the wait.PNG screenshot) for the apply to go through by monitoring the machine config pool


 


 


 




Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article