
Mounts table for linux #316

Merged
merged 3 commits into from
Nov 2, 2014

Conversation

polachok
Contributor

@polachok polachok commented Nov 1, 2014

mount + df
Issue #255

@theopolis
Member

Nice, this is looking good. What do you think of the column names?

table_name("mounts")
schema([
    Column(name="fsname", type="std::string"),
    Column(name="fsname_real", type="std::string"),
    Column(name="dir", type="std::string"),
    Column(name="type", type="std::string"),
    Column(name="opts", type="std::string"),
    Column(name="freq", type="int"),
    Column(name="passno", type="int"),
    Column(name="block_size", type="long long int"),
    Column(name="blocks", type="long long int"),
    Column(name="blocks_free", type="long long int"),
    Column(name="blocks_avail", type="long long int"),
    Column(name="inodes", type="long long int"),
    Column(name="inodes_free", type="long long int"),
])
implementation("mounts@genMounts")

My only nit-picks are (1) clang-format should move the cpp code to using a 2-space indent, and (2) the column name dir; path is used often in other column specs. Do you think subbing dir for path works? If I wanted to query for the NFS or SMB mounts would I: SELECT * FROM mounts WHERE type = 'NFS';? Or how about everything mounted in /mnt/ can I: SELECT * from mounts WHERE path LIKE '/mnt/%'? What are fsname, fsname_real?

Could you paste in an example output?

@theopolis
Member

Feel free to swap "in progress" to "ready for review" when you think it's solid. I'd just ask for:

clang-format -i osquery/tables/system/linux/mounts.cpp

And I know the TravisCI build is failing on some boost build here.

@polachok
Contributor Author

polachok commented Nov 1, 2014

Nice, this is looking good. What do you think of the column names?

I've not thought much about them, just copied field names of struct mntent.

the column name dir; path is used often in other column specs. Do you think subbing dir for path works?

sounds good

If I wanted to query for the NFS or SMB mounts would I: SELECT * FROM mounts WHERE type = 'NFS';?

That's right

osquery> select * from mounts where type = 'ext4';

+--------------------------------------------------------+-------------+-----+------+------------------------------------------------------------------------------+------+--------+------------+---------+-------------+--------------+---------+-------------+
| fsname                                                 | fsname_real | dir | type | opts                                                                         | freq | passno | block_size | blocks  | blocks_free | blocks_avail | inodes  | inodes_free |
+--------------------------------------------------------+-------------+-----+------+------------------------------------------------------------------------------+------+--------+------------+---------+-------------+--------------+---------+-------------+
| /dev/disk/by-uuid/e9d1be20-80ec-43f5-83b6-90d8f10f93f5 | /dev/vda1   | /   | ext4 | rw,noatime,nodiratime,quota,usrquota,grpquota,errors=remount-ro,data=ordered | 0    | 0      | 4096       | 5127327 | 453998      | 187784       | 1310720 | 752204      |
+--------------------------------------------------------+-------------+-----+------+------------------------------------------------------------------------------+------+--------+------------+---------+-------------+--------------+---------+-------------+

Or how about everything mounted in /mnt/ can I: SELECT * from mounts WHERE path LIKE '/mnt/%'?

osquery> select * from mounts where dir like '/sys/fs/cgroup%';

+--------+-------------+---------------------------+--------+---------------------------------------+------+--------+------------+--------+-------------+--------------+--------+-------------+
| fsname | fsname_real | dir                       | type   | opts                                  | freq | passno | block_size | blocks | blocks_free | blocks_avail | inodes | inodes_free |
+--------+-------------+---------------------------+--------+---------------------------------------+------+--------+------------+--------+-------------+--------------+--------+-------------+
| cgroup | cgroup      | /sys/fs/cgroup            | tmpfs  | rw,relatime,mode=755                  | 0    | 0      | 4096       | 505933 | 505933      | 505933       | 505933 | 505922      |
| cgroup | cgroup      | /sys/fs/cgroup/cpuset     | cgroup | rw,relatime,cpuset,clone_children     | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/cpu        | cgroup | rw,relatime,cpu,clone_children        | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/cpuacct    | cgroup | rw,relatime,cpuacct,clone_children    | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/memory     | cgroup | rw,relatime,memory,clone_children     | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/devices    | cgroup | rw,relatime,devices,clone_children    | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/freezer    | cgroup | rw,relatime,freezer,clone_children    | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/net_cls    | cgroup | rw,relatime,net_cls,clone_children    | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/blkio      | cgroup | rw,relatime,blkio,clone_children      | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/perf_event | cgroup | rw,relatime,perf_event,clone_children | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
| cgroup | cgroup      | /sys/fs/cgroup/hugetlb    | cgroup | rw,relatime,hugetlb,clone_children    | 0    | 0      | 4096       | 0      | 0           | 0            | 0      | 0           |
+--------+-------------+---------------------------+--------+---------------------------------------+------+--------+------------+--------+-------------+--------------+--------+-------------+

What are fsname, fsname_real?

These are actually device names. fsname comes from struct mntent, and fsname_real is a "canonicalized" version. You can see the difference in the ext4 example above. I added fsname_real because I'm working on another table (for block devices), which uses canonicalized names, and it's nice to do joins.
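An added example, not code from this pull request or from osquery, showing where the columns discussed above come from: the fsname/dir/type/opts/freq/passno columns are the fields of struct mntent as returned by getmntent(3), fsname_real is the device path with symlinks resolved (realpath(3)), and the df-style columns come from statfs(2) on the mount point. The sample mtab text, the fallback to the raw fsname when a device does not exist on the host, and the helper names are constructed for this example; the two count functions mirror the WHERE type = '...' and WHERE dir LIKE '...%' queries shown in the comment.

```c
/* Added example (not osquery's own code): build rows shaped like the proposed
 * mounts table from mtab-format text using getmntent(3), canonicalize the
 * device with realpath(3), and fill the df-style columns with statfs(2). */
#define _GNU_SOURCE
#include <limits.h>
#include <mntent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/statfs.h>

/* One row; the fields mirror the column names in the table spec. */
struct mount_row {
    char fsname[256], fsname_real[PATH_MAX], dir[PATH_MAX], type[64], opts[512];
    int freq, passno;
    long long block_size, blocks, blocks_free, blocks_avail, inodes, inodes_free;
};

/* fsname_real: the device path with symlinks resolved (a /dev/disk/by-uuid/
 * link becoming /dev/vda1). If the device does not exist on this host, as with
 * constructed input, fall back to the raw fsname; that fallback is an
 * assumption of this example, not osquery's rule. */
static void canonicalize(const char *fsname, char *out, size_t outlen) {
    char buf[PATH_MAX];
    snprintf(out, outlen, "%s", realpath(fsname, buf) ? buf : fsname);
}

/* Copy the struct mntent fields into a row. */
static void row_from_mntent(const struct mntent *ent, struct mount_row *r) {
    memset(r, 0, sizeof *r);
    snprintf(r->fsname, sizeof r->fsname, "%s", ent->mnt_fsname);
    canonicalize(ent->mnt_fsname, r->fsname_real, sizeof r->fsname_real);
    snprintf(r->dir, sizeof r->dir, "%s", ent->mnt_dir);
    snprintf(r->type, sizeof r->type, "%s", ent->mnt_type);
    snprintf(r->opts, sizeof r->opts, "%s", ent->mnt_opts);
    r->freq = ent->mnt_freq;
    r->passno = ent->mnt_passno;
}

/* Fill the df-style columns from statfs(2) on the mount point.
 * Returns 0 on success, -1 if statfs fails (e.g. a constructed mount point). */
int fill_space(struct mount_row *r) {
    struct statfs st;
    if (statfs(r->dir, &st) != 0) return -1;
    r->block_size = st.f_bsize;
    r->blocks = st.f_blocks;
    r->blocks_free = st.f_bfree;
    r->blocks_avail = st.f_bavail;
    r->inodes = st.f_files;
    r->inodes_free = st.f_ffree;
    return 0;
}

/* Parse mtab-format text ("fsname dir type opts freq passno" per line) into
 * rows via getmntent(3), which also decodes the \040-style octal escapes the
 * kernel uses for spaces in paths. Returns the row count, or -1 on error. */
int parse_mtab_text(const char *text, struct mount_row *rows, int max_rows) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs(text, fp);
    rewind(fp);
    int n = 0;
    struct mntent *ent;
    while (n < max_rows && (ent = getmntent(fp)) != NULL)
        row_from_mntent(ent, &rows[n++]);
    fclose(fp);
    return n;
}

/* Equivalent of  WHERE type = '<type>'  over parsed rows. */
int count_by_type(const struct mount_row *rows, int n, const char *type) {
    int c = 0;
    for (int i = 0; i < n; i++) c += strcmp(rows[i].type, type) == 0;
    return c;
}

/* Equivalent of  WHERE dir LIKE '<prefix>%'  over parsed rows. */
int count_under(const struct mount_row *rows, int n, const char *prefix) {
    int c = 0;
    for (int i = 0; i < n; i++) c += strncmp(rows[i].dir, prefix, strlen(prefix)) == 0;
    return c;
}

/* Constructed sample input, modelled on the output shown in the PR; the
 * cifs line is invented to show a mount point containing a space (\040). */
const char *SAMPLE_MTAB =
    "/dev/disk/by-uuid/e9d1be20-80ec-43f5-83b6-90d8f10f93f5 / ext4 rw,noatime,errors=remount-ro 0 0\n"
    "cgroup /sys/fs/cgroup tmpfs rw,relatime,mode=755 0 0\n"
    "cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0\n"
    "//fileserver/share /mnt/my\\040share cifs rw,relatime 0 0\n";

int main(void) {
    /* Live read of this host's mounts, the way the table would populate. */
    struct mount_row rows[64];
    struct mntent *ent;
    int n = 0;
    FILE *fp = setmntent("/proc/self/mounts", "r");
    while (fp && n < 64 && (ent = getmntent(fp)) != NULL) {
        row_from_mntent(ent, &rows[n]);
        fill_space(&rows[n]);
        n++;
    }
    if (fp) endmntent(fp);
    for (int i = 0; i < n; i++)
        printf("%-30s %-24s %-8s %lld blocks of %lld bytes\n", rows[i].fsname_real,
               rows[i].dir, rows[i].type, rows[i].blocks, rows[i].block_size);
    return 0;
}
```

Run as-is it lists the host's live mounts from /proc/self/mounts; parse_mtab_text lets the same row-building code be exercised on captured text, and the escape decoding is why a LIKE '/mnt/%' filter still matches mount points whose names contain spaces.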

@theopolis
Member

Checked out locally, looks solid! Going to merge and assume Travis is still broken on boost compiles.

theopolis pushed a commit that referenced this pull request Nov 2, 2014
@theopolis theopolis merged commit 287bbc0 into osquery:master Nov 2, 2014