{"id":25050662,"url":"https://github.com/steadybit/extension-container","last_synced_at":"2026-05-13T08:10:18.971Z","repository":{"id":157185571,"uuid":"630418801","full_name":"steadybit/extension-container","owner":"steadybit","description":"A Steadybit extension for container based actions (discovery / attacks)","archived":false,"fork":false,"pushed_at":"2026-04-27T21:03:49.000Z","size":2471,"stargazers_count":1,"open_issues_count":2,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-27T22:14:12.662Z","etag":null,"topics":["attack","chaos-engineering","container","fault","helm","kubernetes","network","process","stress"],"latest_commit_sha":null,"homepage":"https://hub.steadybit.com/extension/com.steadybit.extension_container","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/steadybit.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-04-20T10:40:55.000Z","updated_at":"2026-04-27T21:03:46.000Z","dependencies_parsed_at":"2026-04-15T10:02:42.623Z","dependency_job_id":null,"html_url":"https://github.com/steadybit/extension-container","commit_stats":null,"previous_names":[],"tags_count":208,"template":false,"template_full_name":null,"purl":"pkg:github/steadybit/extension-container","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-container","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s
teadybit%2Fextension-container/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-container/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-container/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/steadybit","download_url":"https://codeload.github.com/steadybit/extension-container/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-container/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32973423,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-13T06:31:55.726Z","status":"ssl_error","status_checked_at":"2026-05-13T06:31:51.336Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","chaos-engineering","container","fault","helm","kubernetes","network","process","stress"],"created_at":"2025-02-06T09:17:20.675Z","updated_at":"2026-05-13T08:10:18.964Z","avatar_url":"https://github.com/steadybit.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg src=\"./logo.svg\" height=\"130\" align=\"right\" alt=\"Container logo\"\u003e\n\n# Steadybit extension-container\n\nThis [Steadybit](https://www.steadybit.com/) extension provides a container discovery and the various actions for 
container targets.\n\nLearn about the capabilities of this extension in\nour [Reliability Hub](https://hub.steadybit.com/extension/com.steadybit.extension_container).\n\n## Configuration\n\n| Environment Variable                                | Helm value                                                   | Meaning                                                                                                                    | Required | Default |\n|-----------------------------------------------------|--------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------|---------|\n| `STEADYBIT_EXTENSION_CONTAINER_RUNTIME`             | `container.engine`                                           | The container runtime to use, either `docker`, `containerd` or `cri-o`. Will be automatically configured if not specified. | yes      | (auto)  |\n| `STEADYBIT_EXTENSION_CONTAINER_SOCKET`              | `containerEngines.(docker/containerd/cri-o).socket`          | The socket used to connect to the container runtime. Will be automatically configured if not specified.                    | yes      | (auto)  |\n| `STEADYBIT_EXTENSION_OCIRUNTIME_PATH`               | `containerEngines.(docker/containerd/cri-o).ociruntime.path` | The OCI runtime to use (`runc` or `crun`).                                                                                 | yes      | (auto)  |\n| `STEADYBIT_EXTENSION_OCIRUNTIME_ROOT`               | `containerEngines.(docker/containerd/cri-o).ociruntime.root` | The OCI runtime root to use.                                                                                               | yes      | (auto)  |\n| `STEADYBIT_EXTENSION_OCIRUNTIME_DEBUG`              |                                                              | Activate debug mode for OCI runtime.                                                           
                            | yes      | k8s.io  |\n| `STEADYBIT_EXTENSION_OCIRUNTIME_ROOTLESS`           |                                                              | Set value for OCI runtime --rootless parameter                                                                             | yes      | k8s.io  |\n| `STEADYBIT_EXTENSION_OCIRUNTIME_SYSTEMD_CGROUP`     |                                                              | Set value for OCI runtime --systemd-cgroup parameter                                                                       | yes      | k8s.io  |\n| `STEADYBIT_EXTENSION_CONTAINERD_NAMESPACE`          |                                                              | The containerd namespace to use.                                                                                           | yes      | k8s.io  |\n| `STEADYBIT_EXTENSION_DISCOVERY_CALL_INTERVAL`       |                                                              | Interval for container discovery                                                                                           | false    | `30s`   |\n| `STEADYBIT_EXTENSION_DISABLE_DISCOVERY_EXCLUDES`    | `discovery.disableExcludes`                                  | Ignore discovery excludes specified by `steadybit.com/discovery-disabled`                                                  | false    | `false` |\n| `STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES` | `discovery.attributes.excludes`                              | List of Target Attributes which will be excluded during discovery. Checked by key equality and supporting trailing \"*\"     | false    |         |\n| `STEADYBIT_EXTENSION_HOSTNAME`                      |                                                              | Optional hostname for the targets to be reported. 
If not given will be read from the UTS namespace of the init process     | false    |         |\n\nThe extension supports all environment variables provided\nby [steadybit/extension-kit](https://github.com/steadybit/extension-kit#environment-variables).\n\nWhen installed as a Linux package, this configuration is in `/etc/steadybit/extension-container`.\n\n## Needed capabilities\n\nThe capabilities needed by this extension (which are provided by the helm chart) are:\n\n- `SYS_ADMIN`\n- `SYS_CHROOT`\n- `SYS_PTRACE`\n- `NET_RAW`\n- `NET_ADMIN`\n- `NET_BIND_SERVICE`\n- `BPF`\n- `DAC_OVERRIDE`\n- `SETUID`\n- `SETGID`\n- `KILL`\n- `AUDIT_WRITE`\n- `SETPCAP`\n- `MKNOD`\n\nOptional:\n\n- `SYS_RESOURCE`\n\n## Installation\n\n### Kubernetes\n\nDetailed information about agent and extension installation in Kubernetes can also be found in\nour [documentation](https://docs.steadybit.com/install-and-configure/install-agent/install-on-kubernetes).\n\n#### Recommended (via agent helm chart)\n\nAll extensions provide a helm chart that is also integrated in the\n[helm-chart](https://github.com/steadybit/helm-charts/tree/main/charts/steadybit-agent) of the agent.\n\nThe extension is installed by default when you install the agent.\n\nYou can provide additional values to configure this extension.\n\n```\n--set extension-container.container.runtime=containerd \\\n```\n\nAdditional configuration options can be found in\nthe [helm-chart](https://github.com/steadybit/extension-container/blob/main/charts/steadybit-extension-container/values.yaml)\nof the\nextension.\n\n#### Alternative (via own helm chart)\n\nIf you need more control, you can install the extension via its\ndedicated [helm-chart](https://github.com/steadybit/extension-container/blob/main/charts/steadybit-extension-container).\n\n```bash\nhelm repo add steadybit-extension-container https://steadybit.github.io/extension-container\nhelm repo update\nhelm upgrade steadybit-extension-container \\\n    --install \\\n    --wait \\\n   
 --timeout 5m0s \\\n    --create-namespace \\\n    --namespace steadybit-agent \\\n    --set container.runtime=docker \\\n    steadybit-extension-container/steadybit-extension-container\n```\n\n### Linux Package\n\nPlease use\nour [agent-linux.sh script](https://docs.steadybit.com/install-and-configure/install-agent/install-on-linux-hosts)\nto install the extension on your Linux machine. The script will download the latest version of the extension and install\nit using the package manager.\n\nAfter installing, configure the extension by editing `/etc/steadybit/extension-container` and then restart the service.\n\n## Extension registration\n\nMake sure that the extension is registered with the agent. In most cases this is done automatically. Please refer to\nthe [documentation](https://docs.steadybit.com/install-and-configure/install-agent/extension-registration) for more\ninformation about extension registration and how to verify.\n\n## Security\n\nWe try to limit the access needed for the extension to the absolute minimum. 
So the extension itself can run as a\nnon-root user on a read-only root file-system and does so by default when deployed using the provided helm chart.\n\nIn order to execute certain actions, the extension needs extended capabilities; see details below.\n\n### Discovery / State attacks\n\nFor discovery and executing state attacks, such as stop or pause container, the extension needs access to the container\nruntime socket.\n\n### Resource Attacks\n\nThe resource attacks start processes in the target container's cgroup/namespaces using [runc (APL2.0)](https://github.com/opencontainers/runc). For this,\nthe following capabilities are needed: `CAP_SYS_CHROOT`, `CAP_SYS_ADMIN`, `CAP_SYS_PTRACE`, `CAP_NET_BIND_SERVICE`, `CAP_DAC_OVERRIDE`, `CAP_SETUID`,\n`CAP_SETGID`, `CAP_AUDIT_WRITE`, `CAP_KILL`.\nThese processes are executed as the root user, but are short-lived and terminated after the attack is finished.\n\nThe resource attacks optionally need `CAP_SYS_RESOURCE`. We recommend granting it; otherwise the resource attacks are more likely to be OOM-killed by the\nkernel and fail to carry out the attack.\n\nUnder the hood, [stress-ng (GPL2.0)](https://github.com/ColinIanKing/stress-ng) is used to perform the stress attacks.\nFor the fill disk attack, `dd` or `fallocate` and [nsmount (MIT)](https://github.com/steadybit/nsmount) are used.\nFor the fill memory attack, [memfill (MIT)](https://github.com/steadybit/memfill) is used.\n\nAll needed binaries are included in the extension container image.\n\n### Network Attacks\n\nThe network attacks start processes in the target container's network namespaces using [runc (APL2.0)](https://github.com/opencontainers/runc). For this,\nthe following capabilities are needed: `CAP_NET_ADMIN`, `CAP_NET_RAW`, `CAP_BPF`, `CAP_SYS_CHROOT`, `CAP_SYS_ADMIN`, `CAP_SYS_PTRACE`, `CAP_NET_BIND_SERVICE`, `CAP_DAC_OVERRIDE`,\n`CAP_SETUID`, `CAP_SETGID`, `CAP_AUDIT_WRITE`, `CAP_KILL`.\nThese processes are executed as the root user, but are short-lived and terminated after the attack is finished.\n\nUnder the hood, `ip` or `tc` is used to reconfigure the network stack, and `dig` is used in case hostnames need to be resolved.\n\nAll needed binaries are included in the extension container image.\n\n### Mark resources as \"do not discover\"\n\nTo exclude a container from discovery, you can add the label `LABEL \"steadybit.com.discovery-disabled\"=\"true\"` to the\ncontainer's Dockerfile.\n\n## Troubleshooting\n\nUsing cgroups v2 on the host and `nsdelegate` to mount the cgroup filesystem will prevent\nthe action from running processes in other cgroups (e.g. stress cpu/memory, disk fill).\nIn this case you need to remount the cgroup filesystem without the `nsdelegate` option.\n\n```sh\nsudo mount -o remount,rw,nosuid,nodev,noexec,relatime -t cgroup2 none /sys/fs/cgroup\n```\n\n## OpenShift \u003e= 4.18 (using crun)\n\nFor OpenShift \u003e= 4.18, the extension needs to be configured to use `crun` as the OCI runtime.\nDo this by setting the helm value `containerEngines.cri-o.ociRuntime.path=crun` or, for non-Kubernetes installations, the environment variable\n`STEADYBIT_EXTENSION_OCIRUNTIME_PATH=crun`.\n\n## Version and Revision\n\nThe version and revision of the extension:\n\n- are printed during the startup of the extension\n- are added as a Docker label to the image\n- are available via the `version.txt`/`revision.txt` files in the root of the image\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteadybit%2Fextension-container","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsteadybit%2Fextension-container","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteadybit%2Fextension-container/lists"}