Workaround - Gremlin attacks fail when pause container is dropped [OpenShift 4.9 / CRI-O 1.22]

Description:

• 
  

  OpenShift uses the CRI-O container runtime. OpenShift 4.9 uses CRI-O 1.22

  
  


• 
  

  For containerd-runc and crio-runc container drivers, Gremlin relies on the presence of a “sandbox” container to resolve container namespaces (e.g. the network namespace shared by all containers of a pod)

  
  


• 
  

  In CRI-O 1.22, this sandbox container (referred to as “infra” container in CRI-O documentation) is dropped after the pod is created. This is controlled by an option: drop_infra_ctr (which is true by default)

  
  

Expected: attack runs successfully

Actual: attack fails with following message

Problem: The absence of a sandbox container prevents Gremlin from running attacks. They fail like this:

Workaround

The problem occurs when drop_infra_ctr = true defined in the CRI-O run config. Changing this to false gets attacks working again. The attached file is an example of a machine config that will set drop_infra_ctr = false.

To apply this workaround, install the machine config attached to this article:

Wait (as seen in the wait.PNG screenshot) for the apply to go through by monitoring the machine config pool