Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
w
wennan.he
01/25/2023, 9:13 PMHi osquery team, could u indicate the code of osquery controlling the the live query / schedule query running serially?
r
Ryan Mack
01/25/2023, 10:54 PMDistributed query waits for jobs is in one thread. Scheduler runs in its own thread. Each thread runs only one query at a time but the two threads may run concurrently with each other. There is no control per se.
w
wennan.he
01/25/2023, 11:00 PMwell this is different from what i heard.
image.png
r
Ryan Mack
01/25/2023, 11:01 PMI believe that is what Stefano was trying to convey.
Out of curiosity, what are you trying to do that depends on this behavior?
w
wennan.he
01/25/2023, 11:02 PMso let me ask it in this way, can 2 live queries run simultaneously on host?
and can 2 scheduled queries run simultaneously on host?
r
Ryan Mack
01/25/2023, 11:02 PMI do not believe so. One distributed and one scheduled at a time.
w
wennan.he
01/25/2023, 11:03 PMso how does osquery implement this.
by running 2 independent threads to run live query and scheduled query respectively?
r
Ryan Mack
01/25/2023, 11:03 PMYes.
w
wennan.he
01/25/2023, 11:03 PMso could u show me the code for details?
the code osquery starts 2 threads.
r
Ryan Mack
01/25/2023, 11:06 PMosquery/dispatcher/distributed_runner.cpp: Dispatcher::addService(std::make_shared<DistributedRunner>());
osquery/dispatcher/scheduler.cpp: Dispatcher::addService(std::make_shared<SchedulerRunner>(