containers-roadmap icon indicating copy to clipboard operation
containers-roadmap copied to clipboard

Published 20 hours ago verified publisher icon aws

[Fargate] [enhancement request]: elevated privileges for executing reliability tests

Open gremlinjed opened this issue 3 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request What do you want us to build?

The community needs to be able to exercise reliability tests within serverless environments. Many members of the community already use external tools for that and those tools need to be granted permissions to run the tests intended to simulate the failures critical to their businesses.

Which service(s) is this request for? Fargate

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? Trying to orchestrate and simulate faults and failures of my services and their underlying infrastructure which use containers running in Fargate.

Are you currently working around this issue? Currently unable to do this effectively and thus carrying additional risk and concern for the stability and reliability of the environment, which prevents confidence in running workloads.

Additional context Here are the requirements

network, file, umount, mount,

/entrypoint.sh rix, /var/lib/gremlin/** rwix, /var/log/gremlin/** rwix, /etc/gremlin/** rwix,

/dev/null

/dev rix, /dev/null rwlix,

Container runtime

/run/docker/runtime-runc/moby rwix, /var/run/docker.sock rwix, /run/crio/crio.sock rwix, /run/runc rwix, /run/containers/containers.sock rwix, /run/containerd/runc/k8s.io rwix,

We need access to Pid 1's real pid to resolve the container driver

we're just taking a read perm here to accomplish this

file r @{PROC}/1/ns/pid, ptrace read,

fault injection capabilities

/proc/sysrq-trigger w, /sys/fs/cgroup/** rw, /proc/** rl,

In order to join target container network space

/proc/[0-9]+/ns/net w,

In order to assume the root of the target container

pivot_root,

Needed for simulating faults

capability sys_boot, capability sys_time, capability sys_admin, # needed for setns capability net_admin, capability kill, capability setfcap, capability audit_write, capability mknod, capability net_bind_service, capability setuid, capability setgid, capability chown,

Needed for discovering services

capability dac_read_search, capability sys_ptrace,

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

gremlinjed avatar Feb 10 '22 17:02 gremlinjed

@gremlinjed, would you be willing to set a more specific title for this issue?

sftim avatar Feb 24 '22 14:02 sftim

@sftim oops! yeah, took care of that. thanks for the reminder. fixed.

gremlinjed avatar Feb 24 '22 14:02 gremlinjed

+1 would love to try out gremlin and keep our docker containers on fargate!

mlstubblefield avatar Jul 27 '22 18:07 mlstubblefield