LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Kernel page

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Looking at inotify again

July 6, 2005

This article was contributed by Greg Kroah-Hartman.

In September, 2004, LWN.net took a look at the inotify patch. This patch has been reworked a number of times by its primary developers, and has been living in the -mm kernel tree for a few months. With the recent What to merge for 2.6.13? discussion, inotify was mentioned as something that might be considered for merging into the main kernel tree. One thing that few kernel developers had paid attention to in the inotify patch was the userspace interface to the feature. So, let's take a look at how a programmer is supposed to interact with inotify.

From the documentation included in the kernel patch, inotify communicates to userspace through a character device, /dev/inotify. This is a misc character device (it uses the misc_register() kernel interface to create its character device), and if you use udev to manage /dev, the device node is automatically created. If not, the character node needs to be created by hand: 

	mknod /dev/inotify c 10 63
Inotify works with something called "watches". A "watch" is an object and a mask that describe an event that the user wants to receive notification events from. The object is either a file or a directory, as represented by an open file descriptor, and the mask is a bitmask of events. The different types of events that can be monitored are: 
	IN_ACCESS		The file was accessed
	IN_MODIFY		The file was modified
	IN_ATTRIB		The metadata changed
	IN_CLOSE_WRITE		The writtable file was closed
	IN_CLOSE_NOWRITE	The unwrittable file closed
	IN_OPEN			The file was opened
	IN_MOVED_FROM		The file was moved from location X
	IN_MOVED_TO		The file was moved to location Y
	IN_CREATE		A subfile was created
	IN_DELETE		A subfile was deleted
	IN_DELETE_SELF		self was deleted
If the user wants to monitor all events, a handy IN_ALL_EVENTS macro is defined which includes all of the above event flags combined together. To create a watch and register it with the kernel, an ioctl is called on the /dev/inotify node: 

	struct inotify_request request = { fd, mask };
	int watch_desc = ioctl(dev_fd, INOTIFY_WATCH, &request);
where fd is the open file descriptor of the file or directory you wish to watch, and mask is the type of event to monitor. To remove a watch that is already in place, another ioctl should be sent: 

	ioctl(dev_fd, INOTIFY_IGNORE, watch_desc);

Once a watch has been registered with the kernel, a simple read() call to the device node is used to retrieve events based on that watch (and all other watches that have been registered for this process.) The structure of the data that read from the kernel is described in the following C struct: 


struct inotify_event {
	__s32	wd;		/* watch descriptor */
	__u32	mask;		/* watch mask */
	__u32	cookie;		/* cookie to synchronize two events */
	__u32	len;		/* length (including nulls) of name */
	char	name[0];	/* stub for possible name */
};
All of the fields are pretty self explanatory, with the exception of "cookie". If this field is not set to 0, then it is used to tell userspace that multiple events happened at the same time on the same object. An example of this is renaming a file. If a directory is being watched and the following file rename happens in it: 

	mv foo baz
there would be 2 events generated, an IN_MOVE_FROM and an IN_MOVE_TO event. They would both have the same cookie value, which allows userspace to coordinate the events. The /dev/inotify node allows select() and poll() to be called on it, so a blocking read() is not necessary, which would tie up a program's thread.

The FIONREAD ioctl is also supported by inotify, and returns the size of the current pending event queue, if userspace wishes to do dynamic buffer allocation to place the events into. When the userspace program that had the /dev/inotify node open exits, or when the node is closed, all watches that were registered with the kernel are destroyed and cleaned up properly.

For a very simple example program that shows how to register for events, and read events as they happen, see the inotify-utils package that can be found here.

For more details on the kernel design decisions that the inotify developers went through in creating this system, please see the inotify documentation in the kernel patch. It describes why a character node was used instead of signals, and other details.

(Log in to post comments)

Looking at inotify again

Posted Jul 7, 2005 9:03 UTC (Thu) by dvrabel (guest, #9500) [Link]

Are filesystems what are being watched marked as 'busy' (therefore unmountable) until the watches are cleared? I've frequently (in the past) been unable to unmount CDs etc. because Gnome decided to have FAM watch it.

Looking at inotify again

Posted Jul 7, 2005 12:18 UTC (Thu) by bk (guest, #25617) [Link]

From what I understand, much of the motivation for writing inotify was to create a dnotify replacement that doesn't require open file descriptors on the watched object(s).

I don't know whether the fd thing is a typo here, but I can verify that using an inotify-enabled 2.6.12 with gamin doesn't result in the unmounting problems that famd and dnotify does.

Looking at inotify again

Posted Jul 7, 2005 13:14 UTC (Thu) by elanthis (guest, #6227) [Link]

No, it does not. In fact, any watched files/directories will receive a "filesystem unmounted" event if you unmount, so inotify not only allows the unmounting, but makes it dead easy for applications to intelligently handle it when it happens.

Looking at inotify again

Posted Jul 7, 2005 15:23 UTC (Thu) by balbir (guest, #19399) [Link]

I wonder how many notify interfaces we will need. Currently I think there is demand for the following

1. User level IRQ notification
2. RT netlink for socket level notification
3. Now File system notifications

May be we should work on combining them into one single interface so that it is easier to maintain and program

Looking at inotify again

Posted Jul 7, 2005 20:21 UTC (Thu) by gregkh (subscriber, #8) [Link]

Why do we need userlevel IRQ notification?

Anyway, you know that patches are always gladly accepted :)

Looking at inotify again

Posted Jul 8, 2005 4:08 UTC (Fri) by balbir (guest, #19399) [Link]

I was under the impression that the X11 folks wanted IRQ notifications for writing good X screen drivers. In addition, it would make it easier to move some drivers to user space with the capability to receive user level IRQ notifications and implement user level IRQ handlers.

Good point about the patch, assuming that people hardly disable networking, I was wondering if it is a good idea to write an extensible version of rtnetlink to provide user space events. What I liked about rtnetlink is that it imposes no format on the communication except for the rtattr.

Looking at inotify again

Posted Jul 19, 2005 6:58 UTC (Tue) by renox (subscriber, #23785) [Link]

I wonder if X's need of userspace driver is legitimate, I thought there was a push to let the kernel handle the driver to avoid duplication of effort.

IMHO, this is the best solution.

Looking at inotify again

Posted Jul 10, 2005 0:01 UTC (Sun) by jwb (guest, #15467) [Link]

Can the user program close the fd after registering the notification, or does every registered fd need to remain open?

Looking at inotify again

Posted Jul 11, 2005 12:43 UTC (Mon) by amh (guest, #1902) [Link]

Can the user program close the fd after registering the notification, or does every registered fd need to remain open?

Several questions in this thread can be answered by looking at the patch. For example, at http://www.kernel.org/pub/linux/kernel/people/rml/inotify/v2.6/0.23/inotify-0.23-rml-2.6.13-rc2-1.patch.

Indeed the user program can close the fd of the file/directory being watched. Closing the fd associated with the watch (which can be associated with many files/directories) will turn the watch off.

Watch All Files of a Disk?

Posted Jul 10, 2005 21:46 UTC (Sun) by miallen (guest, #10195) [Link]

Is there any way to watch all events for a particular disk? Sometimes my disk rocks periodically and I'd like to know what program is responsible. Can it be done?

Watch All Files of a Disk?

Posted Jul 13, 2005 15:46 UTC (Wed) by dw (subscriber, #12017) [Link]

I haven't used inotify at all, but IIRC this was one of the original "ooh!" points for me when I first saw it: the ability to register one watch and have it affect an entire filesystem subtree. This may or may not be correct. :)

Watch All Files of a Disk?

Posted Aug 10, 2005 22:26 UTC (Wed) by mepr (guest, #4819) [Link]

I think you're referring to IN_ALL_EVENTS, which is mentioned above.
If it is as described above, it is just used for watching for any possible operation on a particular file.

Watch All Files of a Disk?

Posted Sep 29, 2008 12:42 UTC (Mon) by qwe (guest, #54359) [Link]

How you have done this please help me?
I want to monitor the whole directory tree using inotify.
Please help me...

Looking at inotify again

Posted Jul 15, 2005 19:38 UTC (Fri) by dreadnought (subscriber, #27222) [Link]

So is this a replacement or an inclusion of the http://www.dazuko.org/ project and concept? And is there anything which currently does something similar to this for 2.6.11 kernels?

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds