These are Docker partitions which belong to specific containers.
Actually each container works on a jailed folder in the apphost's filesystem.
For instance, in this example I first discovered the QVI app ID and found the related mount paths for my app's container. I hope it helps.
[root@IBM-QRadar ~]# psql -U qradar -c "select id, name from installed_application" |grep 'QRadar Vulnerability Insights'
1057 | QRadar Vulnerability Insights
[root@IBM-QRadar ~]# ssh 10.10.2.11
Last login: Thu Jul 8 10:44:01 2021 from 10.10.2.10
This server has QRadar 7.4.3 (Build 20210517144015) installed on Fri Jun 18 03:08:58 EDT 2021.
[root@IBM-QRadarAppHost ~]# docker ps |grep 1057
fbdcfe674dc3 console.localdeployment:5000/qapp/1057:1.1.2-20210620135250 "sh /start_container…" 2 days ago Up 2 days 0.0.0.0:32813->5000/tcp qapp-1057-FBULMbUs
[root@IBM-QRadarAppHost ~]# df -h |grep fbdcfe674dc3
shm 64M 0 64M 0% /store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/mounts/shm
[root@IBM-QRadarAppHost ~]# ls /store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/
checkpoints config.v2.json hostconfig.json hostname hosts mounts resolv.conf resolv.conf.hash
[root@IBM-QRadarAppHost ~]# docker inspect fbdcfe674dc3 |grep docker-data
"ResolvConfPath": "/store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/resolv.conf",
"HostnamePath": "/store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/hostname",
"HostsPath": "/store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/hosts",
------------------------------
Ali Okan Yuksel
------------------------------
Original Message:
Sent: Wed July 07, 2021 12:33 PM
From: Muhammad Burhan Faruqi
Subject: /dev/dm-xx partitions in QRadar
Hi Expert,
For quite some time I have been observing some disk partitions in Linux when I run the command df -h. Previously the output of this command didn't show anything like this. But now I can see such partitions. Can anyone tell why these partition details are appearing in QRadar?
/dev/dm-11 10G 71M 10G 1% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/devicemapper/mnt/bef43ddc3c9d1051889gb7c09bg3db09b1279be7462058ce632ase1d8
shm 64M 0 64M 0% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/containers/fgw1235v3x42g3800m12f56ba327893401c87231g2h01123463g293h13mxfg0/mounts/shm
/dev/dm-15 10G 456M 9.6G 5% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/devicemapper/mnt/d6b52h62g0915h034ab657ca7dca50f0de0faa9592ef03bh21cbd75ghq1305d
shm 64M 0 64M 0% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/containers/810vg45h15x24hw09l1bd4n907e76631f065d435ge443f454gj9tyw/mounts/shm
/dev/dm-17 10G 598M 9.5G 6% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/devicemapper/mnt/vs84fjwkenf9859nmvwn2ndfniure9823948jfwe0943ytrht
shm 64M 0 64M 0% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/containers/0dvtdfkj65909efwlkjcq309eskclm045dskc09trjnds12354/mounts/shm
BR,
MFaruqi
------------------------------
Muhammad Burhan Faruqi
------------------------------
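The lookup walked through in the reply at the top of this thread can be scripted. The following is an added example, not part of either post and not IBM tooling: it pulls full container IDs out of the `/containers/<id>/mounts/` paths in `df` output and resolves them to QRadar app IDs through the container name. The function names, the second sample mount and the assumption that every app container is named `qapp-<app id>-<suffix>` (as in the one `docker ps` line above) are this example's own.

```sh
#!/bin/sh
# Constructed sample of `df -h` on the app host: the first line is from the
# session above, the second uses a made-up container ID with no running container.
sample_df() {
cat <<'EOF'
shm 64M 0 64M 0% /store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/mounts/shm
shm 64M 0 64M 0% /store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef/mounts/shm
EOF
}

# Constructed sample of: docker ps --no-trunc --format '{{.ID}} {{.Names}}'
sample_ps() {
cat <<'EOF'
fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc qapp-1057-FBULMbUs
EOF
}

# $1 = df output, $2 = "FULL_ID NAME" lines.
# Prints "<app id> <container name>" for each mounted app container,
# "other <name>" for containers that are not named qapp-*, and
# "unknown <id>" for mounts whose container is not in the listing.
map_mounts_to_apps() {
    printf '%s\n' "$1" |
        sed -n 's#.*/containers/\([0-9a-f]\{64\}\)/mounts/.*#\1#p' |
        sort -u |
        while read -r id; do
            name=$(printf '%s\n' "$2" | awk -v id="$id" '$1 == id { print $2 }')
            case $name in
                qapp-*)                       # assumed format: qapp-<app id>-<suffix>
                    app=${name#qapp-}
                    echo "${app%%-*} $name" ;;
                '') echo "unknown $id" ;;
                *)  echo "other $name" ;;
            esac
        done
}

# On a live app host:
#   map_mounts_to_apps "$(df -h)" "$(docker ps --no-trunc --format '{{.ID}} {{.Names}}')"
map_mounts_to_apps "$(sample_df)" "$(sample_ps)"
```

The app ID in the first column can then be matched against the `installed_application` query shown in the reply. An `unknown` line means the mount has no running container in the listing and is worth checking with `docker ps -a`.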