derobert | 2 years ago

Here you probably want fanotify, not inotify. The latter would require setting up a lot of inotify entries, recursing through the filesystem.

https://man7.org/linux/man-pages/man7/fanotify.7.html

I think fanotify does xattrs, but I haven't tested.

patrakov|2 years ago

I would still think that eBPF is a better suited approach. With fanotify, you would need to manage the mount points for which notifications need to be received. This works semi-OK for a static use case, but not for dynamically-created mounts and, worse, mount namespaces. In other words, fanotify is not suitable at all, without a lot of glue, for monitoring events happening in containers. And, for example, clamonacc (on-access file checking for ClamAV) does not work with removable storage, temporary network mounts, and containers for this very reason.

javierhonduco|2 years ago

Exactly this. I should have mentioned it in the post. Might amend it.

Would be interesting to compare the chances of race conditions with inotify vs BPF for this contrived use-case.

ec109685|2 years ago

Just curious why you wouldn’t amend it?

Doesn’t take away from the original point that bpf is cool.
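
The mount-management point in patrakov's comment, as an added example that is not part of the thread: a `FAN_MARK_MOUNT` mark covers one mount, so a watcher has to enumerate mounts from its own namespace's `/proc/self/mountinfo`, mark each one, and re-check when mounts appear. The helper names (`parse_mount_points`, `unmarked_mounts`, `mark_mounts`) and the mountinfo text are constructed for illustration; `mark_mounts` expects a descriptor from `fanotify_init()`.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
typedef char mp_t[256];
/* Constructed samples in /proc/self/mountinfo format; field 5 is the mount point. */
#define BASE "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n" \
             "23 22 0:21 / /proc rw,nosuid - proc proc rw\n"
static const char BEFORE[] = BASE;
static const char AFTER[] = BASE "40 22 8:17 / /media/usb rw - vfat /dev/sdb1 rw\n";

/* Copy each line's mount point into out[]; returns the count. */
int parse_mount_points(const char *text, mp_t *out, int max) {
    int n = 0;
    while (*text && n < max) {
        if (sscanf(text, "%*s %*s %*s %*s %255s", out[n]) == 1) n++;
        text += strcspn(text, "\n");
        if (*text == '\n') text++;
    }
    return n;
}

/* Mounts in cur[] missing from marked[]: no events from them until a mark is added. */
int unmarked_mounts(mp_t *cur, int ncur, mp_t *marked, int nmarked, mp_t *out) {
    int n = 0;
    for (int i = 0; i < ncur; i++) {
        int j = 0;
        while (j < nmarked && strcmp(cur[i], marked[j]) != 0) j++;
        if (j == nmarked) strcpy(out[n++], cur[i]);
    }
    return n;
}

/* One FAN_MARK_MOUNT mark per path (needs CAP_SYS_ADMIN); returns marks added. */
int mark_mounts(int fan_fd, mp_t *mounts, int n) {
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
                            FAN_OPEN | FAN_CLOSE_WRITE, AT_FDCWD, mounts[i]) == 0;
    return ok;
}

int main(void) {  /* demo on the constructed samples only; places no marks */
    mp_t old[8], cur[8], fresh[8];
    int nold = parse_mount_points(BEFORE, old, 8), ncur = parse_mount_points(AFTER, cur, 8);
    for (int i = 0, n = unmarked_mounts(cur, ncur, old, nold, fresh); i < n; i++)
        printf("appeared after startup, needs a new mark: %s\n", fresh[i]);
}
```
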