Workaround - Gremlin attacks fail when pause container is dropped [OpenShift 4.9 / CRI-O 1.22]

Created by Jamie Martin, Modified on Tue, 18 Oct 2022 at 04:49 PM by Jamie Martin


  • OpenShift uses the CRI-O container runtime. OpenShift 4.9 uses CRI-O 1.22

  • For containerd-runc and crio-runc container drivers, Gremlin relies on the presence of a “sandbox” container to resolve container namespaces (e.g. the network namespace shared by all containers of a pod)

  • In CRI-O 1.22, this sandbox container (referred to as “infra” container in CRI-O documentation) is dropped after the pod is created. This is controlled by an option: drop_infra_ctr (which is true by default)

Expected: attack runs successfully

Actual: attack fails with following message

Problem: The absence of a sandbox container prevents Gremlin from running attacks. They fail like this:

container details : time="2022-05-11T13:07:21Z" level=error msg="container \"2584cede1cf01e77d9d9ac8f864f99f1c155268ec1095af2bbde850e73d936a2\" does not exist"



The problem occurs when drop_infra_ctr = true defined in the CRI-O run config. Changing this to false gets attacks working again. The attached file is an example of a machine config that will set drop_infra_ctr = false.

To apply this workaround, install the machine config attached to this article:

1 oc apply -f 95-gremlin-drop_infra_ctr.yaml

Wait (as seen in the wait.PNG screenshot) for the apply to go through by monitoring the machine config pool




Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article