Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
w
wennan.he
11/28/2022, 6:43 PMHi osquery team, does osquery generate any processes in any case?
j
Jason
11/28/2022, 6:45 PMAFAIK osquery runs entirely in a single process and doesn't spawn new ones.
s
Stefano Bonicatti
11/28/2022, 7:16 PMIt depends; in daemon mode osquery starts as the watchdog process, then forks and proceeds as the worker process.
Then the worker might fork again, on Linux only, if you’re querying tables that support the
pid_with_namespaceBut otherwise osquery never executes other binaries; if that happens is a bug and should be fixed.
w
wennan.he
11/28/2022, 7:27 PMcould u explain "Then the worker might fork again, on Linux only"? when it would fork?
s
Stefano Bonicatti
11/28/2022, 7:28 PMas I mentioned “if you’re querying tables that support the
pid_with_namespacenamely, the file table supports this, so when doing a query like
select * from file where path = <path> AND pid_with_namespace = <pid in container>a fork will be created, because for osquery to be able to switch namespace and access the container filesystem, it has to be a process with only 1 thread and the main worker potentially has multiple threads.
w
wennan.he
11/28/2022, 7:31 PMa fork means one independent process?
and for each run of query would spawn one process?
s
Stefano Bonicatti
11/28/2022, 7:32 PMIt’s a new process but it’s a child of the osquery worker, so the process of the binary is always osqueryd
w
wennan.he
11/28/2022, 7:33 PMok, there might be multiple processes with "osqueryd" running simultaneously?
s
Stefano Bonicatti
11/28/2022, 7:33 PMtechnically it’s every time the table logic is hit.. unfortunately.. so a JOIN might cause a fork being executed and terminated at every row of the first table being joined
“there might be multiple processes with “osqueryd” running simultaneously” correct. There are always at least 2 when you run osquery as a daemon, provided you keep the watchdog enabled, otherwise if you run with
--disable_watchdog=truew
wennan.he
11/28/2022, 7:40 PMbut whatever how many processes it would spawns, they are all restricted with mem by watch dog settings, right?
s
Stefano Bonicatti
11/28/2022, 7:43 PMI forgot another case, which actually enters in the “osquery runs a different binary than itself”, I was totally forgetting extensions!
That been said, the watchdog monitors the worker and the extensions (if instructed).
But there’s a shortcoming currently with the forked process created by the container support I was talking about; that is not tracked by the watchdog, because there’s currently no way of letting the watchdog know of that process existence.
w
wennan.he
11/28/2022, 7:45 PMbut the spawn process is for running queries, right? if there is no way to control the resource it consume, will it cause potential problem?
s
Stefano Bonicatti
11/28/2022, 7:46 PMYes the spawned process is to execute the table logic that is triggered by the query.
And yes, it can.
w
wennan.he
11/28/2022, 7:49 PMok, do you have plan in the future, osquery could change this situation and fix it?
s
Stefano Bonicatti
11/28/2022, 8:24 PMThere’s no current plan I’m aware of. There has been talk in the past about adding communication between the watchdog and the worker, but it’s not an easy task, also because there are other interests around it, so it can’t be a one off.