File System

The CloudShark OVA uses a specific file system layout to organize application files, configuration, and user data. Understanding this structure is important for maintenance and disaster recovery.

Overview

CloudShark organizes its files across several key directories:

  • /usr/cloudshark - Main application directory containing code and libraries
  • /storage - External data disk containing all persistent data and configuration
  • Symlinks in /etc, /var/lib and /usr/cloudshark/share that point the Suricata, Zeek and MariaDB/MySQL services at configuration and database directories under /usr/cloudshark/etc and /usr/cloudshark/db

Directory Structure

The complete file system layout is organized as follows:

/
├── etc/suricata → /usr/cloudshark/etc/suricata/config     # Symlink for Suricata config
├── storage/                                               # Data disk containing all persistent data
│   ├── data/                                              # Capture files
│   ├── db/                                                # MySQL/MariaDB database files
│   └── etc/                                               # Configuration and other persistent data
├── usr/cloudshark/                                        # CloudShark application directory
│   ├── app/                                               # Application code
│   ├── bin/                                               # CloudShark-specific binaries
│   ├── data → /storage/data                               # Symlink to capture files on the data disk
│   ├── db → /storage/db                                   # Symlink to database files on the data disk
│   ├── etc → /storage/etc                                 # Symlink to configuration on the data disk
│   ├── include/                                           # Header files
│   ├── lib/                                               # Shared libraries
│   ├── lib64/                                             # 64-bit shared libraries
│   ├── log/                                               # Log files
│   ├── repo/                                              # Repository files
│   ├── ruby/                                              # Ruby dependencies
│   ├── share/zeek/site → /usr/cloudshark/etc/zeek         # Symlink for Zeek site config
│   └── var/lib/zkg/                                       # Zeek package manager data files
└── var/lib/                                               # System state and persistent application data
    ├── suricata → /usr/cloudshark/etc/suricata/rules      # Symlink for Suricata rules
    └── mysql → /usr/cloudshark/db                         # Symlink for MariaDB/MySQL database

Data Disk

The /storage directory contains all persistent data needed to run CloudShark:

/storage/
├── data/  # Capture files
├── db/    # MariaDB/MySQL database files
└── etc/   # Configuration and other persistent data

CloudShark uses symlinks so that the system services it depends on (Suricata, Zeek and MariaDB/MySQL) read their configuration and data from directories under the CloudShark application directory, /usr/cloudshark, rather than from their default locations.

The symlinks created when CloudShark is installed are:

  • /usr/cloudshark/share/zeek/site → /usr/cloudshark/etc/zeek
  • /etc/suricata → /usr/cloudshark/etc/suricata/config
  • /var/lib/suricata → /usr/cloudshark/etc/suricata/rules
  • /var/lib/mysql → /usr/cloudshark/db

The following directories contain the configuration, capture files, and database that CloudShark uses. On the OVA these are stored on a separate disk mounted as /storage with these symlinks:

  • /usr/cloudshark/data → /storage/data
  • /usr/cloudshark/db → /storage/db
  • /usr/cloudshark/etc → /storage/etc

These symlinks allow CloudShark to keep a consistent directory structure while all persistent data lives on the separate data disk, so on the OVA backing up or snapshotting the /storage disk covers the captures, database and configuration together. If you are not deploying CloudShark using the OVA, or are not using a separate data disk, the three directories /usr/cloudshark/data, /usr/cloudshark/db and /usr/cloudshark/etc should be backed up so that they can be restored to a new system.
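The two checks a practitioner wants from this page are "do the symlinks still point where the layout says?" and "does my backup actually contain the data behind /usr/cloudshark/data, db and etc rather than three symlink entries?". The script below is an added example written for this page, not CloudShark's own tooling. The `root` prefix argument is an assumption so the functions can be exercised against a staged copy of the tree; on a real OVA call them with an empty root so paths resolve against /. The expected link/target pairs are the seven listed in the two symlink lists above.

```shell
#!/bin/sh
# Added example, not part of CloudShark. Verifies the documented symlink
# layout and archives the three persistent directories.
# "root" is an assumed prefix for testing against a staged tree; pass ""
# (or nothing) on a real installation.

# check_cloudshark_links [root]
# Prints OK / WRONG / NOTLINK / MISSING for each documented symlink and
# returns 0 only when every link exists and points at the documented target.
check_cloudshark_links() {
    root="${1:-}"
    bad=0
    # One "link target" pair per line, taken from the layout on this page.
    # The here-document (not a pipe) keeps the loop in the current shell so
    # the $bad counter survives the loop.
    while read -r link target; do
        path="$root$link"
        if [ -L "$path" ]; then
            actual=$(readlink "$path")
            if [ "$actual" = "$target" ]; then
                echo "OK      $link -> $target"
            else
                echo "WRONG   $link -> $actual (expected $target)"
                bad=$((bad + 1))
            fi
        elif [ -e "$path" ]; then
            # A real directory here means the service is writing to the root
            # disk, and a backup of /storage will silently miss that data.
            echo "NOTLINK $link is a regular path, expected link to $target"
            bad=$((bad + 1))
        else
            echo "MISSING $link (expected link to $target)"
            bad=$((bad + 1))
        fi
    done <<'EOF'
/etc/suricata /usr/cloudshark/etc/suricata/config
/var/lib/suricata /usr/cloudshark/etc/suricata/rules
/var/lib/mysql /usr/cloudshark/db
/usr/cloudshark/share/zeek/site /usr/cloudshark/etc/zeek
/usr/cloudshark/data /storage/data
/usr/cloudshark/db /storage/db
/usr/cloudshark/etc /storage/etc
EOF
    [ "$bad" -eq 0 ]
}

# backup_cloudshark_data [root] outfile
# Archives /usr/cloudshark/data, db and etc. Each is followed through its
# symlink by hand: tar stores a symlink as a symlink unless told to
# dereference, so a naive "tar -cf x /usr/cloudshark/data" on the OVA
# would capture a link entry and none of the capture files.
backup_cloudshark_data() {
    root="${1:-}"
    out="$2"
    set --
    for d in /usr/cloudshark/data /usr/cloudshark/db /usr/cloudshark/etc; do
        p="$root$d"
        if [ -L "$p" ]; then
            # All documented targets are absolute, so re-prefix with root.
            p="$root$(readlink "$p")"
        fi
        if [ ! -d "$p" ]; then
            echo "backup: $p is not a directory" >&2
            return 1
        fi
        # Store members relative to root so the archive restores with
        # "tar -xf backup.tar -C /".
        set -- "$@" "${p#"$root"/}"
    done
    # Caveat not stated on the page: copy the db directory only while
    # MariaDB/MySQL is stopped (or take a logical dump instead), otherwise
    # the InnoDB files in the archive may be inconsistent.
    tar -cf "$out" -C "${root:-/}" "$@"
}
```

On an installed system, source the file and run `check_cloudshark_links` with no argument after any disk or package change; a non-zero exit with a NOTLINK line is the case to chase first, because it means data is accumulating on the root disk. `backup_cloudshark_data "" /mnt/backup/cloudshark.tar` produces an archive with `storage/...` members on the OVA and `usr/cloudshark/...` members on a deployment without a data disk, in both cases restorable with `tar -xf ... -C /`.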