query that'll actually work on 4.9? Like I think I want something like `select * from deb_packages where pid_with_namespace=???`, where ??? points to a container that's running something debian-flavored, but I'm not sure what that should be or the results I should expect.
`select * from deb_packages where pid_with_namespace=15934;`, where 15934 is the PID of a container process, did not work for me; no output at all.
`select * from deb_packages where pid_with_namespace=4026533189;`, where 4026533189 is the pid namespace id of said container, also doesn't work but in a far more interesting way.
osquery> select * from deb_packages where pid_with_namespace=4026533189;
E0924 18:03:15.583657 13777 linux_table_container_ipc.cpp:125] Container worker of table deb_packages exited with exit status: 1
E0924 18:03:15.583695 13777 linux_table_container_ipc.cpp:443] Table deb_packages failed to retrieve QueryData from the container: Pipe to the table deb_packages closed while reading
should indeed be compared against a pid that is running inside the container namespace
? Btw osquery should run as root, and to get a pid to test, if the container is Docker, you could use the
table and its
it shows the shell.
is another way to get the shell. So it's all the same binary that needs those permissions 🙂
, it's not going to try to talk to containers when I just do a normal query from one of these tables? I've looked at the code and I'd place money that that's correct, that it only talks into containers when
is given, but I'd love confirmation.
Ah, see, I assumed osqueryi was talking to the running osqueryd. This is a common assumption, but osquery is completely different. 🙂 Though it looks like a database, it's much closer to an API translation layer. Run `select * from x` and that's translated into some API call, and massaged into sqlite, and returned. In that light, osqueryi and osqueryd are totally separate, both launch that same translation layer.
to connect an osqueryi to a running osqueryd, but those are the special cases
, when it’s not present, and yes that’s correct. The column exists to say to the table to join the namespace of the container to permit the container querying, otherwise the table behaves as normal, querying the host.
in the table spec file; for instance for