mjhjmtu

I am using ubuntu (ubuntu 16.04.4 LTS with a 4.4.113 kernel) on an embedded device and i see only one entry in fstab

/dev/mmcblk0p7 / ext4 errors=remount-ro,noatime,nodiratime 0 1

when i check the partitions mounted using "mount" command, i see a lot of partitions mounted. Now the concerned partition that got auto mounted somehow is

/dev/mmcblk0p5 on /lib/modules type ext4 (ro,relatime,data=ordered)

I am unable to figure it out that how did it get mounted when there is no entry in /etc/fstab?

Ubuntu 16.04 uses systemd which can mount file systems for you. Ubuntu actually no longer uses /etc/fstab in the traditional way, when the system is booted systemd will check each line in /etc/fstab and create a mount systemd service for each entry.
You should be able to run systemctl status *.mount to view the status of each mount systemd is managing.

So you have Ubuntu, but with some custom boot script.

I would guess the mount is most likely started by some .service file in /etc/systemd/system/. (Based on other comments, it sounds like you do not have a .mount file for it - that is, you have no file lib-modules.mount).

But the mount might be started from a number of other places. It could also be in a .service file in /lib/systemd/system, which would have many files you would have to look through. They might run mount indirectly by running a separate script, so a quick grep mount *.service is not guaranteed to find what you're looking for.

Or maybe your vendor has documented their custom modifications to their embedded "Ubuntu" image.

If they did not, there is a set of methods to search for modified/created files which did not come from Ubuntu.

1. .deb packages installed without an apt source

To search for .deb packages which were installed directly without a source, run aptitude search ?obsolete. (This will also show if a package was installed from an apt source, but is not available from the apt source anymore. Those packages would be considered "obsolete").

-- https://raphaelhertzog.com/2011/02/07/debian-cleanup-tip-2-get-rid-of-obsolete-packages/

If you find some suspect package names, then you can list their files. E.g. for an installed package foo, run dpkg-query -L foo). Vice versa, if you found a suspect file and want to inestigate the package that owns it, run dpkg-query -s /path/to/file.

2. Packages installed from an apt source that does not call itself "Ubuntu"

To search for packages installed from an enabled apt source, which advertises itself as being something other than Ubuntu, you can run aptitude search '?narrow(?installed, !?origin(Ubuntu))!?obsolete'.

You can also check the caveat by looking through the list of your sources first, with apt-cache policy. The origin for a source is shown like o=Ubuntu.

-- https://raphaelhertzog.com/2011/02/14/debian-cleanup-tip-3-get-rid-of-third-party-packages/

For comparison, on 16.04, default official sources might look something like these:

```

deb http://uk.archive.ubuntu.com/ubuntu/ xenial main restricted universe multiverse

deb http://uk.archive.ubuntu.com/ubuntu/ xenial-security main restricted universe multiverse
deb http://uk.archive.ubuntu.com/ubuntu/ xenial-updates main restricted universe multiverse
```

(It's hard to find a good doc for these, so I took them from the popular utility, https://repogen.simplylinux.ch ).

Or the other way round: to search for the source(s) associated with a suspect package foo, run apt-cache policy foo

3. Installed package files which have been (improperly) modified

To check for modifications to files from installed packages (there are extremely good reasons not to modify these, but it's a possibility), install debsums and run debsums -c.

-- https://raphaelhertzog.com/2011/02/21/debian-cleanup-tip-4-find-broken-packages-and-reinstall-them/

4. Files which were not installed as part of a package

It is possible to script a search for files which were created by something other than the apt package managed. This will almost certainly show some false alarms. I looked up an example script for this purpose:

(
 export LC_ALL=C
 comm -23 <(find /etc /lib /bin /sbin /usr -type f | sort) 
 <(sort -u /var/lib/dpkg/info/*.list)
)

But if there's too much noise, maybe it's better to try the cruft command, which apparently does the same but knows some files which can be safely ignored. cruft -d "/etc /lib /bin /sbin /usr" --ignore "/usr/local".

-- https://raphaelhertzog.com/2011/02/28/debian-cleanup-tip-5-identify-cruft-that-can-be-removed-from-your-debian-system/

The list of directories searched here is a bit of a judgement call. Hopefully /etc, /usr, and /lib should cover boot scripts on most Ubuntu systems, e.g. any systemd configuration or sysvinit scripts. Note that in your case, you want to find a very early boot script, which rules out some possible locations. The mounting of /lib/modules needs to be done very early on, so kernel modules can be loaded from it. It needs to be mounted before udev is started.

(On the other hand, this raises the possibility that there is some horrible hack in the initrd. So I guess be on the look out for modifications or replacement of the initrd generator - I think it is called initramfs-tools).

Many thanks to Raphaël Hertzog, for writing the very useful series of blog posts which are linked in this answer.