
Reading File System Events from Linux Kernel without Inotify

In Linux, to read file system events, most of us use inotify, which is really a good one. But it has its limitations. I have to keep track of all the directories I have to watch and get an inotify descriptor for each and every directory. Let's say I want to monitor my whole system and it has about 10 million directories. Listing and queuing them for the inotify API itself would take hours. It would eat a lot of memory also. And I certainly can't watch more directories than specified in max_user_watches in /etc/sysctl.conf or /proc/sys/fs/inotify/max_user_watches.

But we know that each and every file system event is monitored by the kernel, and we use the inotify API to register for modifications of a certain directory. But how do I read fs events directly from the kernel without the API? [In Mac OS X, I can read from /dev/fsevents; likewise, if I can read from /proc or something like that, it would be great.] I'm ready to write a kernel module too, but please shed some light on this.

Manikandaraj Srinivasan Avatar asked May 05 '13 08:05



1 Answer

Did you look at the virus scanner stuff? I.e., fanotify, also fsnotify, hooked to dnotify and inotify. This depends on the kernel version; present in some form since approximately 2.6.36 (early 2011).

Some kernel files,

  • proc documentation
  • fsnotify.h
  • fsnotify_backend.h
  • fanotify.h

Lwn.net links,

  • API overview
  • Main Commit notice
  • Various commits
artless noise Avatar answered Oct 19 '22 01:10

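To make the answer's pointer concrete, here is an added example (not code from the question, the answer, or the kernel sources) of the fanotify approach it suggests: instead of one inotify watch per directory, a single fanotify mark with FAN_MARK_MOUNT covers an entire mount point, which is what the question's "whole system" case needs. The program assumes a Linux kernel with CONFIG_FANOTIFY (2.6.37 or later), must run with CAP_SYS_ADMIN, and takes the mount point to watch as its first argument (default "/"). The event-walking and mask-decoding helpers are pure functions so they can be checked on a constructed event buffer without kernel access.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Render the set bits of a fanotify event mask as "A|B|C" into buf. */
char *mask_to_string(uint64_t mask, char *buf, size_t len)
{
    static const struct { uint64_t bit; const char *name; } names[] = {
        { FAN_ACCESS,        "ACCESS" },
        { FAN_MODIFY,        "MODIFY" },
        { FAN_CLOSE_WRITE,   "CLOSE_WRITE" },
        { FAN_CLOSE_NOWRITE, "CLOSE_NOWRITE" },
        { FAN_OPEN,          "OPEN" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (mask & names[i].bit) {
            if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
            strncat(buf, names[i].name, len - strlen(buf) - 1);
        }
    }
    if (!buf[0]) snprintf(buf, len, "0x%llx", (unsigned long long)mask);
    return buf;
}

typedef void (*event_cb)(const struct fanotify_event_metadata *m, const char *path);

/* Walk one read(2) buffer from a fanotify fd. For each event, resolve the
   path of the file the kernel opened for us, hand it to cb, and close that
   fd (forgetting to close it exhausts the fd table in seconds on a busy
   mount). Returns the number of events handled, or -1 on a version mismatch. */
int walk_events(char *buf, ssize_t len, event_cb cb)
{
    int n = 0;
    const struct fanotify_event_metadata *m =
        (const struct fanotify_event_metadata *)buf;
    for (; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
        if (m->vers != FANOTIFY_METADATA_VERSION) { errno = EPROTO; return -1; }
        char path[PATH_MAX] = "?";
        if (m->fd >= 0) {
            char link[64];
            snprintf(link, sizeof link, "/proc/self/fd/%d", m->fd);
            ssize_t r = readlink(link, path, sizeof path - 1);
            if (r >= 0) path[r] = '\0';
        }
        if (cb) cb(m, path);
        if (m->fd >= 0) close(m->fd);
        n++;
    }
    return n;
}

/* Constructed sample: two back-to-back events with no file descriptor
   (FAN_NOFD), as the kernel would deliver when it could not open the file.
   Lets the walker be exercised without CAP_SYS_ADMIN. */
int demo_walk_constructed(void)
{
    char buf[2 * sizeof(struct fanotify_event_metadata)];
    struct fanotify_event_metadata ev;
    memset(&ev, 0, sizeof ev);
    ev.event_len = sizeof ev;
    ev.vers = FANOTIFY_METADATA_VERSION;
    ev.metadata_len = sizeof ev;
    ev.fd = FAN_NOFD;
    ev.pid = 4242;                         /* constructed pid */
    ev.mask = FAN_OPEN;
    memcpy(buf, &ev, sizeof ev);
    ev.mask = FAN_CLOSE_WRITE;
    memcpy(buf + sizeof ev, &ev, sizeof ev);
    return walk_events(buf, sizeof buf, NULL);
}

static void print_event(const struct fanotify_event_metadata *m, const char *path)
{
    char mask[128];
    printf("pid %d %s %s\n", m->pid, mask_to_string(m->mask, mask, sizeof mask), path);
}

int main(int argc, char **argv)
{
    const char *mount = argc > 1 ? argv[1] : "/";
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    /* One mark on the mount replaces a watch per directory. */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT,
                      FAN_OPEN | FAN_MODIFY | FAN_CLOSE_WRITE, AT_FDCWD, mount) < 0) {
        perror("fanotify_mark"); return 1;
    }
    _Alignas(8) char buf[8192];            /* metadata structs are 8-byte aligned */
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len < 0) { if (errno == EINTR) continue; perror("read"); return 1; }
        if (walk_events(buf, len, print_event) < 0) { perror("walk_events"); return 1; }
    }
}
```

Two caveats matter for the question's use case. A mount mark reports open, modify and close events only; directory-entry changes (create, delete, rename) were not exposed by fanotify until FAN_REPORT_FID arrived in Linux 5.1, so on the kernels the answer mentions those still require inotify. And because each event carries an open descriptor to the file, a consumer that falls behind both holds files open and, with FAN_CLASS_CONTENT permission events, can stall every process touching the mount; the code above uses FAN_CLASS_NOTIF so it can only observe, never block.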