Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Adrian Hains
10/08/2019, 9:27 PMI am investigating running osquery in a kubernetes daemonset as a privileged container. I see references to folks changing the hard coded paths like /proc to e.g. /host/proc, and mounting these from the host machine down into the container filesystem. Does anyone have an osquery fork they can point me to with these paths updated throughout the codebase?
I tried a basic search and replace to update all hard coded /proc references to /host/proc. I then deployed this build as a kubernetes daemonset with the host /proc mounted to this location. The osquery agent fails to start because it calls getpid() to get the current process pid, and then looks for info on that pid under /host/proc. The getpid() returns the pid from the process namespace of the container, so of course this isn’t found in the list of processes under /host/proc. The Linux docs (http://man7.org/linux/man-pages/man7/pid_namespaces.7.html) mention that getpid() will be scoped to the current process namespace. I’m not clear on if I can use ioctl (http://man7.org/linux/man-pages/man2/ioctl_ns.2.html) to get the current pid from the context of the parent namespace, or if I need to add code to evaluate /host/proc to find the current osquery process.