This Steadybit extension provides a host discovery and various actions for host targets.
Learn about the capabilities of this extension in our Reliability Hub.
| Environment Variable | Helm value | Meaning | Required | Default |
|---|---|---|---|---|
STEADYBIT_LABEL_<key>=<value> |
Environment variables starting with STEADYBIT_LABEL_ will be added to discovered targets' attributes. Example: STEADYBIT_LABEL_TEAM=Fullfillment adds to each discovered target the attribute team=Fullfillment |
no | ||
STEADYBIT_DISCOVERY_ENV_LIST |
List of environment variables to be evaluated and added to discovered targets' attributes. Example: STEADYBIT_DISCOVERY_ENV_LIST=STAGE adds to each target the attribute stage=<value of $STAGE> |
no | ||
STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES_HOST |
discovery.attributes.excludes.host | List of Target Attributes which will be excluded during discovery. Checked by key equality and supporting trailing "*" | false |
The extension supports all environment variables provided by steadybit/extension-kit.
When installed as linux package this configuration is in/etc/steadybit/extension-host.
The capabilities needed by this extension are: (which are provided by the helm chart)
SYS_ADMINSYS_RESOURCESYS_BOOTNET_RAWSYS_TIMESYS_PTRACEKILLNET_ADMINDAC_OVERRIDESETUIDSETGIDAUDIT_WRITE
Detailed information about agent and extension installation in kubernetes can also be found in our documentation.
All extensions provide a helm chart that is also integrated in the helm-chart of the agent.
The extension is installed by default when you install the agent.
You can provide additional values to configure this extension.
Additional configuration options can be found in the helm-chart of the extension.
If you need more control, you can install the extension via its dedicated helm-chart.
helm repo add steadybit-extension-host https://steadybit.github.io/extension-host
helm repo update
helm upgrade steadybit-extension-host \
--install \
--wait \
--timeout 5m0s \
--create-namespace \
--namespace steadybit-agent \
steadybit-extension-host/steadybit-extension-hostPlease use our agent-linux.sh script to install the extension on your Linux machine. The script will download the latest version of the extension and install it using the package manager.
After installing, configure the extension by editing /etc/steadybit/extension-host and then restart the service.
Make sure that the extension is registered with the agent. In most cases this is done automatically. Please refer to the documentation for more information about extension registration and how to verify.
We try to limit the access needed for the extension to the absolute minimum. So the extension itself can run as a non-root user on a read-only root file-system and will, by default, if deployed using the provided helm chart.
In order to execute certain actions the extension needs extended capabilities, see details below.
The resource attacks are starting processes in the target containers cgroup/namespaces using runc (APL2.0) for this the following capabilities are needed: CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_BIND_SERVICE, CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID, CAP_AUDIT_WRITE, CAP_KILL.
These processes are executed with the root user, but are short-lived and terminated after the attack is finished.
The resource attacks optionally need CAP_SYS_RESOURCE. We'd recommend it to be used, otherwise the resource attacks are more likely to be oom-killed by the kernel and fail to carry out the attack.
Under the hood stress-ng (GPL2.0) is used to perform the stress attacks.
For the fill disk dd or fallocate and nsmount (MIT) is used.
For the fill memory memfill (MIT) is used.
All needed binaries are included in the extension container image.
The network attacks are starting processes in the target containers network namespaces using runc (APL2.0) for this the following capabilities are needed: CAP_NET_ADMIN, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_BIND_SERVICE, CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID, CAP_AUDIT_WRITE, CAP_KILL.
These processes are executed with the root user, but are short-lived and terminated after the attack is finished.
Under the hood start ip or tc is used to reconfigure the network stack and dig is used in case the hostnames need to be resolved.
All needed binaries are included in the extension container image.
Using cgroups v2 on the host and nsdelegate to mount the cgroup filesystem will prevent
the action from running processes in other cgroups (e.g. stress cpu/memory, disk fill).
In that case you need to remount the cgroup filesystem without the nsdelegate option.
sudo mount -o remount,rw,nosuid,nodev,noexec,relatime -t cgroup2 none /sys/fs/cgroup