From file managers to security tools, file system monitoring is essential for many programs. Linux introduced inotify in kernel 2.6.13. It lets a monitoring program open a single file descriptor and watch one or more files or directories for a set of events such as open, close, move/rename, delete, create, or attribute change. Later kernels added many enhancements, so check your kernel version before depending on these features.
In this article, you will learn how to use the inotify functions in a simple monitoring application. Download the sample code and compile it on your system for further exploration.
History
Before inotify there was dnotify. Unfortunately, dnotify had limitations that left users wanting something better. Compared with dnotify, inotify has the following advantages:
- Inotify uses a single file descriptor, while dnotify needs to open one file descriptor for each monitored directory. When you monitor several directories at once this becomes very costly, and you may also run into the per-process file descriptor limit.
- The file descriptor used by inotify is obtained through a system call and has no associated device or file. With dnotify, the file descriptor pins the directory and prevents the backing device from being unmounted, a typical problem with removable media. With inotify, a watched file or directory on a file system that is unmounted generates an event, and the watch is removed automatically.
- Inotify can monitor files or directories. Dnotify only monitors directories, so the programmer must maintain stat structures or an equivalent data structure reflecting the files in the monitored directory, and then, when an event occurs, compare it with the current state to see what happened to the entries in the directory.
- As mentioned above, inotify uses a file descriptor, which lets programmers monitor events using the standard select or poll functions. This allows efficient multiplexed I/O or integration with Glib's mainloop. In contrast, dnotify uses signals, which programmers often find difficult or awkward to work with. In kernel 2.6.25, inotify also gained signal-driven I/O notification.
Inotify APIs
Inotify provides a simple API that uses a minimal number of file descriptors and allows fine-grained monitoring. Communication with inotify is done through system calls. The available functions are as follows:
- inotify_init: a system call that creates an inotify instance and returns a file descriptor referring to the instance.
- inotify_init1: similar to inotify_init, with additional flags. If the flags are not specified, it behaves the same as inotify_init.
- inotify_add_watch: adds a watch on a file or directory and specifies the events to be monitored. Flags control whether to add the events to an existing watch, whether to watch the path only if it is a directory, whether to follow symbolic links, and whether the watch is one-shot, that is, removed after the first event occurs.
- inotify_rm_watch: removes a watched item from the watch list.
- read: reads a buffer that contains information about one or more events.
- close: closes the file descriptor and removes all watches remaining on it. When all file descriptors of an instance are closed, the resources and underlying objects are freed for the kernel to use again.
Therefore, a typical monitoring program needs to perform the following operations:
In the next section, you will see monitored events and how they run in simple programs. Finally, you will see how event monitoring works.
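The calls listed above, put together in a small C program (an added example, not the article's downloadable sample code): it watches a temporary directory, generates a create, write and delete itself, and parses the variable-length events returned by read. The directory template, the file name and the function name run_demo are choices made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Watch a fresh temp directory, create/write/delete one file in it
 * (constructed activity) and return the OR of the event masks read back. */
uint32_t run_demo(void)
{
    /* Aligned buffer: one read() can return several variable-length events. */
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    char dir[] = "/tmp/inotify-demo-XXXXXX", path[64];
    uint32_t seen = 0;
    ssize_t len;

    if (!mkdtemp(dir)) return 0;
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);  /* one fd per instance */
    int wd = fd < 0 ? -1 : inotify_add_watch(fd, dir,
                 IN_CREATE | IN_CLOSE_WRITE | IN_DELETE | IN_ONLYDIR);
    if (wd >= 0) {
        snprintf(path, sizeof path, "%s/sample.txt", dir);
        int f = open(path, O_CREAT | O_WRONLY, 0600);
        if (f >= 0) { if (write(f, "x", 1) != 1) perror("write"); close(f); }
        unlink(path);
        /* Events are already queued; drain until read() fails with EAGAIN. */
        while ((len = read(fd, buf, sizeof buf)) > 0) {
            for (char *p = buf; p < buf + len; ) {
                struct inotify_event *ev = (struct inotify_event *)p;
                if (ev->mask & IN_Q_OVERFLOW)  /* events were dropped */
                    fprintf(stderr, "queue overflow: rescan %s\n", dir);
                printf("wd=%d mask=0x%08x name=%s\n", ev->wd,
                       (unsigned)ev->mask, ev->len ? ev->name : "");
                seen |= ev->mask;
                p += sizeof *ev + ev->len;     /* name is padded to ev->len */
            }
        }
        inotify_rm_watch(fd, wd);
    }
    if (fd >= 0) close(fd);   /* close() also removes any remaining watches */
    rmdir(dir);
    return seen;
}

int main(void) { return run_demo() ? 0 : 1; }
```

A watch on a directory is not recursive, so a monitor that must cover a tree adds one watch per subdirectory. An IN_Q_OVERFLOW event means the kernel dropped events and the watched paths should be rescanned.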