 
Monitor Linux file system events with inotify
Efficient and effective file system event-monitoring in the 2.6 kernel
Skill Level: Introductory
Ian Shields (ishields@us.ibm.com), Senior Programmer, IBM
06 Apr 2010
Use inotify when you need efficient, fine-grained, asynchronous monitoring of Linux® file system events. Use it for user-space monitoring for security, performance, or other purposes.
I am indebted to Eli Dow of IBM who wrote an earlier version of this article, prior to the final integration of inotify in the Linux kernel. In particular, the sample code available in the Download section is still based heavily on Eli's original sample code.
Introducing inotify
File system event monitoring is essential for many types of programs ranging from file managers to security tools. Since the Linux 2.6.13 kernel, Linux has included inotify, which allows a monitoring program to open a single file descriptor and watch one or more files or directories for a specified set of events, such as open, close, move/rename, delete, create or change attributes. Some enhancements have been made in later kernels, so check your kernel level before depending on those features.
Monitor Linux file system events with inotify. Trademarks. © Copyright IBM Corporation 2010. All rights reserved. Page 1 of 18
 
In this article, you will learn how to use inotify functions for a simple monitoring application. Download the sample code and compile it on your system to explore further.
A little history
Before inotify there was dnotify. Unfortunately, dnotify had limitations that left users hoping for something better. Some of the advantages of inotify are:

- Inotify uses a single file descriptor, while dnotify requires opening one file descriptor for each directory that you intend to watch for changes. This can be very costly when you are monitoring several directories at once, and you may even reach a per-process file descriptor limit.
- The file descriptor used by inotify is obtained using a system call and does not have an associated device or file. With dnotify, the file descriptor pins the directory, preventing the backing device from being unmounted, a particular problem with removable media. With inotify, a watched file or directory on a file system that is unmounted generates an event, and the watch is automatically removed.
- Inotify can watch files or directories. Dnotify monitors directories, and so programmers had to keep stat structures or an equivalent data structure reflecting the files in the directories being watched, then compare those with the current state after an event occurred in order to know what happened to the entry in the directory.
- As noted above, inotify uses a file descriptor, allowing programmers to use standard select or poll functions to watch for events. This allows for efficient multiplexed I/O or integration with Glib's mainloop. In contrast, dnotify uses signals, which programmers often find more difficult or less than elegant. Signal-driven I/O notification was also added to inotify in kernel 2.6.25.
The API for inotify
Inotify provides a simple API that uses minimal file descriptors and allows fine granularity of monitoring. Communication with inotify is established through a system call. The available functions are as follows:

inotify_init
    is the system call that creates an inotify instance and returns a file descriptor referring to the instance.

inotify_init1
 
    is similar to inotify_init with additional flags. If no flags are specified, it behaves the same as inotify_init.

inotify_add_watch
    adds a watch for a file or directory and specifies which events are to be watched. Flags control whether events should be added to an existing watch, whether the watch should be done only if the path represents a directory, whether symbolic links should be followed or not, and whether the watch is a one-shot watch that should be stopped after the first event.

inotify_rm_watch
    removes a watched item from a watch list.

read
    reads a buffer containing information about one or more events.

close
    closes the file descriptor, and removes any watches still remaining on that descriptor. When all file descriptors for an instance are closed, the resources and underlying object are freed so the kernel can reuse them.

So, a typical monitoring program will do the following:
1. Use inotify_init to open a file descriptor
2. Add one or more watches
3. Wait for events
4. Process events, then return to wait for more
5. When no more watches are active or upon some signal, close the file descriptor, clean up, and exit.

In the next section, you'll see the events you can watch, and how they work in our sample program. Finally, you'll see how the event monitoring works.
Notifications
When your application reads a notification, a sequence of one or more events is read into a buffer you provide. Events are returned in a variable length structure as shown in Listing 1. If the amount of data fills your buffer, you may need to handle the case of partial event information or a partial name for the last entry.
Listing 1. The event structure for inotify
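The following is an added example, not the article's Listing 1 and not the downloadable sample code it describes. It puts the five-step flow from the API section into practice (inotify_init1, inotify_add_watch, wait with poll as the history section suggests, read, process, inotify_rm_watch and close) and, for the buffer layout discussed in this section, walks the variable-length events one read() returns, stopping cleanly at a truncated trailing event instead of reading past the data. The walker and the mask decoder are plain functions; put_event is a helper of my own that lays events out the way the kernel does so the walker can be exercised on a constructed buffer. The watch mask and the 5-second poll timeout are my choices.

```c
/* Added example (not the article's sample code): a small inotify monitor whose
 * buffer walker can also be exercised on a constructed buffer. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Room for several maximal events (header + NAME_MAX+1 bytes of name each). */
#define EVENT_BUF_LEN (16 * (sizeof(struct inotify_event) + NAME_MAX + 1))

typedef void (*event_cb)(int wd, uint32_t mask, uint32_t cookie,
                         const char *name, void *ctx);

/* Walk one read() result. Each event is a struct inotify_event header followed by
 * hdr.len bytes of NUL-padded name, so the stride varies; headers are copied out
 * with memcpy so no alignment is assumed. Returns the number of complete events;
 * a truncated trailing header or name is not counted. */
size_t walk_events(const char *buf, size_t len, event_cb cb, void *ctx)
{
    size_t off = 0, n = 0;
    while (off + sizeof(struct inotify_event) <= len) {
        struct inotify_event hdr;
        memcpy(&hdr, buf + off, sizeof hdr);
        if (off + sizeof hdr + hdr.len > len)
            break;                               /* partial event: stop here */
        if (cb)
            cb(hdr.wd, hdr.mask, hdr.cookie, hdr.len ? buf + off + sizeof hdr : NULL, ctx);
        n++;
        off += sizeof hdr + hdr.len;
    }
    return n;
}

/* Render mask bits as e.g. "CREATE|ISDIR" into out (returns out). */
const char *describe_mask(uint32_t mask, char *out, size_t outlen)
{
    static const struct { uint32_t bit; const char *name; } bits[] = {
        { IN_ACCESS, "ACCESS" }, { IN_MODIFY, "MODIFY" }, { IN_ATTRIB, "ATTRIB" },
        { IN_CLOSE_WRITE, "CLOSE_WRITE" }, { IN_OPEN, "OPEN" }, { IN_MOVED_FROM, "MOVED_FROM" },
        { IN_MOVED_TO, "MOVED_TO" }, { IN_CREATE, "CREATE" }, { IN_DELETE, "DELETE" },
        { IN_DELETE_SELF, "DELETE_SELF" }, { IN_UNMOUNT, "UNMOUNT" },
        { IN_Q_OVERFLOW, "Q_OVERFLOW" }, { IN_IGNORED, "IGNORED" }, { IN_ISDIR, "ISDIR" },
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (!(mask & bits[i].bit)) continue;
        if (out[0]) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, bits[i].name, outlen - strlen(out) - 1);
    }
    return out;
}

/* Lay out one event at buf+off the way the kernel does (name NUL-padded to a
 * multiple of the header size). Helper of this example, used to construct input. */
size_t put_event(char *buf, size_t off, int wd, uint32_t mask, const char *name)
{
    struct inotify_event hdr = { .wd = wd, .mask = mask, .cookie = 0, .len = 0 };
    size_t nlen = name ? strlen(name) + 1 : 0;
    if (nlen)
        hdr.len = (uint32_t)((nlen + sizeof hdr - 1) / sizeof hdr * sizeof hdr);
    memcpy(buf + off, &hdr, sizeof hdr);
    off += sizeof hdr;
    if (hdr.len) {
        memset(buf + off, 0, hdr.len);
        memcpy(buf + off, name, nlen);
        off += hdr.len;
    }
    return off;
}

/* Print one event; Q_OVERFLOW shows up in the mask string and means the kernel
 * dropped events, so any cached view of the directory is stale. */
static void print_event(int wd, uint32_t mask, uint32_t cookie, const char *name, void *ctx)
{
    char desc[256];
    printf("wd=%d mask=%s cookie=%u name=%s\n", wd,
           describe_mask(mask, desc, sizeof desc), cookie, name ? name : "");
    if (mask & IN_IGNORED)          /* watch gone: target deleted or unmounted */
        *(int *)ctx = 1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    int fd = inotify_init1(IN_CLOEXEC);
    if (fd < 0) { perror("inotify_init1"); return 1; }
    int wd = inotify_add_watch(fd, path, IN_CREATE | IN_DELETE | IN_MODIFY |
                               IN_MOVED_FROM | IN_MOVED_TO | IN_DELETE_SELF);
    if (wd < 0) { perror("inotify_add_watch"); return 1; }
    char buf[EVENT_BUF_LEN];
    int done = 0;
    while (!done) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int r = poll(&pfd, 1, 5000);         /* multiplex with a 5 s timeout */
        if (r < 0) { if (errno == EINTR) continue; perror("poll"); break; }
        if (r == 0) { puts("no events in the last 5 s"); continue; }
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) { if (errno == EINTR) continue; perror("read"); break; }
        walk_events(buf, (size_t)n, print_event, &done);
    }
    inotify_rm_watch(fd, wd);
    close(fd);
    return 0;
}
```

Build with `cc -o monitor monitor.c` and run `./monitor /some/dir`; creating, deleting or renaming entries in that directory prints one line per event, and deleting the directory itself ends the loop via IN_IGNORED. The walker stops at a truncated trailing event rather than reading past the buffer; on current kernels read() on an inotify descriptor never actually splits an event and instead fails with EINVAL when the buffer cannot hold the next one, which is why the buffer is sized for whole maximal events.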