Description
This Gremlin Time Travel Experiment Pack shares how you can utilize the Gremlin Time Travel attack to change the clock time of cloud infrastructure instances. This attack is cloud-agnostic and will work across AWS, GCP, Azure, DigitalOcean, Linode and more. There are many reasons to regularly use the Time Travel attack. One important reason is to ensure your systems can effectively handle certificate expiration.
What’s Included
- Ability to time travel cloud infrastructure hosts on AWS, Azure, GCP & more
- Ability to time travel with Gremlin installed directly on the instance
What we’ll break
With Gremlin, you have the ability to time travel any instance wherever it may reside.
This pack includes 3 x 5-minute experiments:
- Experiment 1: Time Travel a cloud infrastructure instance using Gremlin
- Experiment 2: Time Travel a cloud infrastructure instance using Gremlin in a Docker container
- Experiment 3: Time Travel a kubernetes node using Gremlin
What you’ll need
- A Gremlin account (sign up here)
- Your Gremlin daemon credentials
- Cloud Infrastructure hosts (e.g. an AWS EC2 instance)
- Cloud Infrastructure containers (e.g. A DigitalOcean Docker Droplet)
- A kubernetes cluster (e.g. Azure AKS)
Get ready to unleash chaos, get your credentials!
After you have created your Gremlin account (sign up here) you will need to get your Gremlin Daemon credentials. Time Travel requires a full account, contact our team to get an upgrade: sales@gremlin.com
Login to the Gremlin App using your Company name and sign-on credentials. These details were emailed to you when you signed up to start using Gremlin. Make a note of your Team ID and Secret.
Experiment 1: Time Travel a cloud infrastructure host using Gremlin
Step 1.0 - Installing the Gremlin Daemon and CLI
First, ssh into your server and add the Gremlin Debian repository:
echo "deb https://deb.gremlin.com/ release non-free" | sudo tee /etc/apt/sources.list.d/gremlin.listImport the repo’s GPG key:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C81FC2F43A48B25808F9583BDFF170F324D41134 9CDB294B29A5B1E2E00C24C022E8EF3461A50EF6Then install the Gremlin daemon and CLI:
sudo apt-get update && sudo apt-get install -y gremlind gremlinStep 1.1 - Register your server to the Gremlin control plane
Using your Gremlin login credentials (which were emailed to you when you created your account), log in to the Gremlin App. Open Settings and copy your Team ID and Secret.
Initialize Gremlin by running the following command and follow the prompts to enter your Gremlin Team ID and Secret
gremlin initNow you’re ready to run attacks using the Gremlin.
Step 1.2 - View the current clock time and disable NTP
Using the built in Linux date tool check the current system time:
$ dateYou will see a result similar to below:
Sat Mar 2 00:44:08 UTC 2019Disable NTP on the instance:
sudo timedatectl set-ntp falseStep 1.3 - Run a Time Travel Attack Using Gremlin
First click Create Attack.
First choose your target by selecting the host you registered with Gremlin.
Next we will use the Gremlin App to create a Time Travel Attack. Choose the State Category and Select the Time Travel Attack.
Click Unleash Gremlin and the Gremlin Time Travel Attack will time travel your host.
Step 1.4 - Check the new adjusted clock time
Using the built in Linux date tool check the adjusted system time:
$ dateExperiment 2 - Time Travel a cloud infrastructure instance using Gremlin in a Docker container
Step 2.0 – Install Docker
In this step, you’ll install Docker.
Add Docker’s official GPG key:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -Use the following command to set up the stable repository.
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"Update the apt package index:
sudo apt-get updateMake sure you are about to install from the Docker repo instead of the default Ubuntu 16.04 repo:
apt-cache policy docker-ceInstall the latest version of Docker CE:
sudo apt-get install docker-ceDocker should now be installed, the daemon started, and the process enabled to start on boot. Check that it’s running:
sudo systemctl status dockerMake sure you are in the Docker usergroup, replace $USER with your username:
sudo usermod -aG docker $USERLog out and back in for your permissions to take effect, or type the following:
su - ${USER}Step 2.1 View the current clock time
Use the built in Linux date tool check the current system time
$ dateYou will see a result similar to the following:
Sat Mar 2 00:44:08 UTC 2019Disable NTP on the instance:
sudo timedatectl set-ntp falseStep 2.2 – Set up your Gremlin client credentials
Using your Gremlin login credentials (which were emailed to you when you created your account), log in to the Gremlin App. Open Settings and copy your Team ID and Secret.
Set the following export variables:
export GREMLIN_TEAM_ID=your_team_idexport GREMLIN_TEAM_SECRET=your_team_secretStep 2.3 - Run the Gremlin Daemon in a Container
Use docker run to pull the official Gremlin Docker image and run the Gremlin daemon:
$ sudo docker run -d \ --net=host \ --pid=host \ --cap-add=NET_ADMIN \ --cap-add=SYS_BOOT \ --cap-add=SYS_TIME \ --cap-add=KILL \ -e GREMLIN_TEAM_ID="${GREMLIN_TEAM_ID}" \ -e GREMLIN_TEAM_SECRET="${GREMLIN_TEAM_SECRET}" \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /var/log/gremlin:/var/log/gremlin \ -v /var/lib/gremlin:/var/lib/gremlin \ gremlin/gremlin attack time_travelMake sure to pass in the three environment variables you set in Step 4. If you don’t, the Gremlin daemon cannot connect to the Gremlin backend.
Use docker ps to see all running Docker containers:
$ sudo docker psYou will see a result similar to the following:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES7167cacb2536 gremlin/gremlin "/entrypoint.sh daem…" 40 seconds ago Up 39 seconds practical_benzStep 2.4 - Check the new adjusted clock time
Using the built in Linux date tool check the adjusted system time:
$ dateExperiment 3 - Time Travel a kubernetes node using Gremlin
Kubernetes is a container management system which is built with reliability in mind. Architecture is commonly 1 primary and 2 or more nodes which are replicated from the master. When the primary dies the nodes are ready to replace it. When one node dies another will be ready to replace it.
To create a Kubernetes cluster follow our guide on "How to Use and Install Kubernetes with Weave Net". Alternatively you can use a managed Kubernetes service such as GKE, EKS and AKS.
Step 3.0 - Downloading your Gremlin client certificates
After you have created your Gremlin account (sign up here) you will need to find your Gremlin Daemon credentials. Login to the Gremlin App using your Company name and sign-on credentials. These were emailed to you when you signed up to start using Gremlin.
Navigate to Team Settings and click on your Team. Click the blue Download button to save your certificates to your local computer. The downloaded certificate.zip contains both a public-key certificate and a matching private key.
Step 3.1 – Set up your Gremlin credentials
Unzip the certificate.zip and save it to your gremlin folder on your desktop. Rename your certificate and key files to gremlin.cert and gremlin.key.
Next create your secret as follows:
kubectl create secret generic gremlin-team-cert --from-file=./gremlin.cert --from-file=./gremlin.keyInstallation with Helm
The simplest way to install the Gremlin client on your Kubernetes cluster is to use Helm. If you do not already have Helm installed, go here to get started. Once Helm is installed and configured, the next steps are to add the Gremlin repo and install the client.
To run the Helm install, you will need your Gremlin Team ID. It can be found in the Gremlin app on the Team Settings page, where you downloaded your certs earlier. Click on the name of your team in the list. The ID you’re looking for is found under Configuration as Team ID.
Export your Team ID as an environment variable:
export GREMLIN_TEAM_ID="YOUR_TEAM_ID"Replace YOUR_TEAM_ID with the Team ID you obtained from the Gremlin UI.
Next, export your cluster ID, which is just a friendly name for your Kubernetes cluster. It can be whatever you want.
export GREMLIN_CLUSTER_ID="Your cluster id"Now add the Gremlin Helm repo, and install Gremlin:
helm repo add gremlin https://helm.gremlin.comhelm install gremlin/gremlin \
\--namespace gremlin \
\--name gremlin \
\--set gremlin.teamID=$GREMLIN_TEAM_ID \
\--set gremlin.clusterID=$GREMLIN_CLUSTER_IDFor more information on the Gremlin Helm chart, including more configuration options, check out the chart on Github.
Step 3.2 View the current clock time and disable NTP
Use the built in Linux date tool check the current system time
$ dateYou will see a result similar to the following:
Sat Mar 2 00:44:08 UTC 2019Disable NTP on the instance:
sudo timedatectl set-ntp falseStep 3.3 - Creating attacks using the Gremlin App
Example: Creating a Time Travel Attack against a Kubernetes node using the Gremlin App
You can use the Gremlin App or the Gremlin API to trigger Gremlin attacks. You can view the available range of Gremlin Attacks in Gremlin Help.
To create a Time Travel Attack, click Attacks in the left Navigation bar and New Attack.
Host targeting should be selected by default. Click on “local-hostname” to expand the list of available hosts, and select one of them. You’ll see the Blast Radius for the attack is limited to 1 host.
Click “Choose a Gremlin,” and then select State and Time Travel.
Leave the Length set to 60 seconds. Leave the radio button for NTP set to “No,” as we’ve already disabled NTP on the host. Leave the offset set to 86400 second. That’s the amount of clock drift that will be introduced. Then hit the green Unleash Gremlin button.
When your attack is finished it will move to Completed Attacks in the Gremlin App. To view the logs of the Attack, click on the Attack in Completed Attacks then click to the arrow to view the logs.
Step 3.4 - Check the new adjusted clock time
Using the built in Linux date tool check the adjusted system time:
$ dateFurther Attacks
Gremlin free unlocks the ability to perform Shutdown and CPU attacks. To unlock Time Travel upgrade your Gremlin account by contacting our team sales@gremlin.com.
