Description:
OpenShift uses the CRI-O container runtime. OpenShift 4.9 uses CRI-O 1.22.
For the containerd-runc and crio-runc container drivers, Gremlin relies on the presence of a "sandbox" container to resolve container namespaces (e.g. the network namespace shared by all containers of a pod). In CRI-O 1.22, this sandbox container (referred to as the "infra" container in CRI-O documentation) is dropped after the pod is created. This is controlled by an option: drop_infra_ctr (which is true by default).
Expected: attack runs successfully
Actual: attack fails with the following message
Problem: The absence of a sandbox container prevents Gremlin from running attacks. They fail like this:
container details : time="2022-05-11T13:07:21Z" level=error msg="container \"2584cede1cf01e77d9d9ac8f864f99f1c155268ec1095af2bbde850e73d936a2\" does not exist"
Workaround
The problem occurs when drop_infra_ctr = true is defined in the CRI-O run config. Changing this to false gets attacks working again. The attached file is an example of a machine config that will set drop_infra_ctr = false.
To apply this workaround, install the machine config attached to this article:
oc apply -f 95-gremlin-drop_infra_ctr.yaml
Wait (as seen in the wait.PNG screenshot) for the apply to go through by monitoring the machine config pool.
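The attachment is not reproduced on this page. As an added example (not the file attached to the article and not Gremlin's own configuration), a machine config that sets drop_infra_ctr = false can look like the following; the object name, the worker role label and the drop-in path under /etc/crio/crio.conf.d/ are assumptions.

```yaml
# Added example: MachineConfig that writes a CRI-O drop-in file on worker nodes.
# Name, role label and file path are assumptions, not taken from the attachment.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  # Kubernetes object names cannot contain underscores, hence the hyphens.
  name: 95-gremlin-drop-infra-ctr
  labels:
    # Selects the pool this config is rendered into (assumed: worker).
    machineconfiguration.openshift.io/role: worker
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        # CRI-O reads drop-in files from this directory in lexical order,
        # so a high numeric prefix overrides earlier files.
        - path: /etc/crio/crio.conf.d/95-gremlin-drop-infra-ctr.conf
          mode: 420        # decimal for octal 0644
          overwrite: true
          contents:
            # URL-encoded file body, which decodes to:
            #   [crio.runtime]
            #   drop_infra_ctr = false
            source: data:,%5Bcrio.runtime%5D%0Adrop_infra_ctr%20%3D%20false%0A
```

The Machine Config Operator drains and reboots each node in the pool in turn while this applies, so schedule the change accordingly. Control-plane nodes need a separate object carrying the master role label.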