Check for and log information about stale osquery database lock files #2006
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RebeccaMahany
force-pushed
the
becca/rm-old-db-lock
branch
from
ebe2a4c to
a833edf
Compare
James-Pickett
previously approved these changes
Dec 17, 2024
James-Pickett
previously approved these changes
Dec 17, 2024
zackattack01
previously approved these changes
Dec 17, 2024
directionless
requested changes
Dec 18, 2024
RebeccaMahany
dismissed stale reviews from zackattack01 and James-Pickett
via
511dbb0
RebeccaMahany
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
James-Pickett
previously approved these changes
Dec 19, 2024
RebeccaMahany
force-pushed
the
becca/rm-old-db-lock
branch
from
07f0c5b to
32d9ed3
Compare
RebeccaMahany
force-pushed
the
becca/rm-old-db-lock
branch
from
d7a1d24 to
897aa0e
Compare
RebeccaMahany
force-pushed
the
becca/rm-old-db-lock
branch
from
897aa0e to
ea7ea44
Compare
James-Pickett
previously approved these changes
Dec 19, 2024
| @@ -80,3 +82,39 @@ func isExitOk(err error) bool { | |||
| } | |||
| return false | |||
| } | |||
|
|
|||
| func getProcessesHoldingFile(ctx context.Context, pathToFile string) ([]*process.Process, error) { | |||
There was a problem hiding this comment.
I think this is a fairly expensive call. Might be okay, given how infrequent it occurs. But we should know that it's not cheap
There was a problem hiding this comment.
It takes about 6 seconds in test, which is definitely not nothing. But we'll only hit this if the lock file exists -- and in that case, we'll never successfully start up osquery anyway, so the delay is a moot point. I figure we can remove this once we have more info from the logs to figure out how to detect/remediate.
zackattack01
previously approved these changes
Dec 20, 2024
RebeccaMahany
dismissed stale reviews from zackattack01 and James-Pickett
via
fc409fd
directionless
approved these changes
Dec 30, 2024
| @@ -33,3 +40,41 @@ func platformArgs() []string { | |||
| func isExitOk(_ error) bool { | |||
| return false | |||
| } | |||
|
|
|||
| func getProcessesHoldingFile(ctx context.Context, pathToFile string) ([]*process.Process, error) { | |||
| cmd, err := allowedcmd.Lsof(ctx, "-t", pathToFile) | |||
There was a problem hiding this comment.
I wish we had a better option, but I concur we do not.
| @@ -80,3 +82,39 @@ func isExitOk(err error) bool { | |||
| } | |||
| return false | |||
| } | |||
|
|
|||
| func getProcessesHoldingFile(ctx context.Context, pathToFile string) ([]*process.Process, error) { | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Relates to #2004.
launcher is currently completely unable to recover if the osquery lock file is left behind. However, we want to be cautious about removing this file. For now, we detect whether there's a stale lock file, and collect + log information about it if so.
Also adds a test for launching an instance, plus a test for detecting lock file presence.