# general
a
Hi everyone! Could you help me with collecting information from LXC? I have a VM and a lot of LXC on this VM. I want to collect all information about deb packages from all LXC on this VM. How can I do this? For manual query, I used the following code:
sudo osqueryi -json "select name, version FROM deb_packages WHERE pid_with_namespace = 749147"
But I want to automate this because my system can delete and create LXC.
f
what exactly would you like to automate? running this query against your host on a schedule? are you using fleet? if just this one host, have you considered something like cron to run the example you have given? if you mean that you would like to dynamically run the query against any and all LXC you could achieve that with a sub-query to grab all pids that match your condition. I am not sure what that table is exactly but something like this would work:
sudo osqueryi -json "SELECT name, version FROM deb_packages WHERE pid_with_namespace IN (SELECT pid FROM processes WHERE <process_matches_your_condition>)"
a
I want to create a pack with scheduled queries. We have many different hosts (VMs and HW) and each has some LXC. I want to write packs with scheduled queries which will monitor deb-packages on LXC (not only deb but I want to solve this issue). I don't use fleet (we write our own small server). Yes, I can try to use something like this:
osqueryi --json "SELECT name, version FROM deb_packages WHERE pid_with_namespace IN (SELECT pid FROM processes WHERE name LIKE 'lxc%' OR name LIKE 'containerd%' AND cgroup_path LIKE 'lxc.payload%');"
But I hope that OSQuery has a more convenient table for lxc