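[Ubuntu] [inotify-tools] Notes on inotify-tools [SW]

Notes on using inotify-tools

I wanted to detect files and directories being added or removed on a particular filesystem and run the equivalent of updatedb in response.
When I looked into how to do this, I found that there is apparently a system call called inotify, and that inotify-tools wraps it, so I used that.
In the end I decided not to adopt it (because the number of files to be watched was too large), but the following is my record from that time.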
 

 

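Where inotify-tools is released

Home · rvoicilas/inotify-tools Wiki · GitHub
Looking at the source code, it is written in C.
Thanks to the author for the painstaking implementation.
While I was at it, reading man inotify showed that there is apparently even a system call called fanotify for monitoring filesystems.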
 

Environment

  • Ubuntu 18.04

 

Installation

Basically, just follow https://github.com/rvoicilas/inotify-tools/wiki#getting-inotify-tools
 

% apt-get install inotify-tools

Alternatively, building with the steps below creates inotifywait and inotifywatch directly under ./src/.
Run make install if needed.

% wget http://github.com/downloads/rvoicilas/inotify-tools/inotify-tools-3.14.tar.gz
% tar xvfz inotify-tools-3.14.tar.gz
% cd inotify-tools-3.14
% ./configure
% make

 

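Usage

inotifywait handles notification, and inotifywatch handles reporting of results.

Notify when a file or directory is created or deleted under /tmp

  • Option -r = watch everything below the target directory (recursive)
  • Option -e = the event to watch for. Here, creation and deletion are watched.
  • Option -m = keep monitoring for events. Without the -m option, inotifywait exits after detecting one event.

% inotifywait  -m -r -e create -e delete /tmp

When a matching event occurs, a notification like the following is printed to the console.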

/tmp/ CREATE,ISDIR a
/tmp/ DELETE,ISDIR a
/tmp/ CREATE aaa
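
An added example, not part of the original notes: the default output shown above is space-separated and file names are not escaped, so this script uses --format '%e %w%f' and validates each line before acting on it. The function names, WATCH_ROOT and the sample invocation are assumptions of this example.

```sh
#!/bin/sh
# Added example: consume inotifywait events in a script without being confused
# by spaces or hostile names. Constructed for illustration.
#
# Producer (assumed invocation; all options are in the man page):
#   inotifywait -m -r -q -e create -e delete --format '%e %w%f' "$WATCH_ROOT"
# %e contains no spaces (e.g. CREATE,ISDIR), so everything after the first
# space is the path, even if the path itself contains spaces.

WATCH_ROOT=${WATCH_ROOT:-/tmp}

# parse_event LINE: sets EV_NAMES and EV_PATH, returns 1 for lines to ignore.
parse_event() {
    case $1 in
        *" "*) ;;
        *) return 1 ;;                    # no separator at all
    esac
    EV_NAMES=${1%% *}
    EV_PATH=${1#* }
    case $EV_NAMES in
        ''|*[!A-Z_,]*) return 1 ;;        # not a list of event names
    esac
    case $EV_PATH in
        */../*|*/..) return 1 ;;          # no traversal out of the root
    esac
    case $EV_PATH in
        "${WATCH_ROOT%/}"/*) return 0 ;;  # must live under the watched root
    esac
    return 1
}

# handle_stream: read event lines on stdin, print "add|del dir|file PATH".
# A file name containing a newline arrives as two lines, the second being
# text chosen by whoever created the file, so malformed lines are dropped
# and counted, and accepted lines are best used as a hint to rescan PATH
# rather than as proof of what happened.
handle_stream() {
    rejected=0
    while IFS= read -r line; do
        if ! parse_event "$line"; then
            rejected=$((rejected + 1))
            continue
        fi
        kind=file
        case ",$EV_NAMES," in *,ISDIR,*) kind=dir ;; esac
        case ",$EV_NAMES," in
            *,CREATE,*) printf 'add %s %s\n' "$kind" "$EV_PATH" ;;
            *,DELETE,*) printf 'del %s %s\n' "$kind" "$EV_PATH" ;;
        esac
    done
    [ "$rejected" -eq 0 ] || echo "ignored $rejected malformed line(s)" >&2
}

# Run as: sh watch_events.sh --watch
if [ "${1:-}" = "--watch" ]; then
    inotifywait -m -r -q -e create -e delete --format '%e %w%f' "$WATCH_ROOT" |
        handle_stream
fi
```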

 

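Report the watch results for directories under /tmp

  • Option -v = verbose output
  • Option -r = watch everything below the target directory (recursive)
  • Option -e = the event to watch for. Here, creation and deletion are watched.
  • Option -t = set the monitoring time (in seconds). Here, 1 hour.

Unlike inotifywait, inotifywatch does not notify immediately after an event occurs; it reports once the specified monitoring period has passed.
The report was also produced when it was forcibly stopped with Ctrl-C or similar.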

% inotifywatch -v -r -e create -e delete -t 3600 /tmp
Establishing watches...
Setting up watch(es) on /tmp
OK, /tmp is now being watched.
Total of 792 watches.
Finished establishing watches, now collecting statistics.
Will listen for events for 3600 seconds.

 

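Number of files that can be watched

  • 8192 in the default state
  • It is unclear how far this can be increased
  • In this case, for my personal use, I could not establish a clear upper limit, so I decided against adopting inotify.

/proc/sys/fs/inotify/max_user_watches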

8192
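
An added example, not part of the original notes: a pre-flight check that compares the number of directories under a tree with the per-user watch limit before starting a recursive watch. It assumes one watch per directory, as the -r warning in the man page below describes; the function names and the fdinfo-based count of watches already in use are this example's own.

```sh
#!/bin/sh
# Added example: estimate whether `inotifywait -m -r DIR` fits the per-user
# watch limit. Assumption (from the -r warning in the man page): one watch per
# directory in the tree; files inside a watched directory need no watch.

LIMIT_FILE=/proc/sys/fs/inotify/max_user_watches

# Number of directories under $1, including $1 itself. Symlinks are not
# followed (find's default), matching inotifywait -r. NUL-terminated names are
# counted so a directory name containing a newline is not counted twice.
count_dirs() {
    find "$1" -type d -print0 2>/dev/null | tr -dc '\000' | wc -c | tr -d ' '
}

# Watches already held by processes whose fdinfo we may read (normally our
# own user's). Each watch is one "inotify wd:..." line in /proc/PID/fdinfo/FD.
watches_in_use() {
    cat /proc/[0-9]*/fdinfo/* 2>/dev/null | grep -c '^inotify' || true
}

# check_watch_budget DIR [LIMIT] [IN_USE]
# Prints "<verdict> needed=N free=F limit=L"; returns 0 if the tree fits,
# 1 if it does not, 2 if the limit cannot be determined.
check_watch_budget() {
    dir=$1
    limit=${2:-}
    if [ -z "$limit" ]; then
        [ -r "$LIMIT_FILE" ] || { echo "cannot read $LIMIT_FILE" >&2; return 2; }
        limit=$(cat "$LIMIT_FILE")
    fi
    in_use=${3:-$(watches_in_use)}
    needed=$(count_dirs "$dir")
    free=$((limit - in_use))
    if [ "$needed" -le "$free" ]; then
        echo "ok needed=$needed free=$free limit=$limit"
        return 0
    fi
    echo "exceeds needed=$needed free=$free limit=$limit"
    return 1
}

# Run as: sh watch_budget.sh /tmp
if [ "$#" -gt 0 ]; then
    check_watch_budget "$@"
fi
```

If the tree does not fit, an unprivileged watcher fails part-way through setup and silently covers only part of the tree, so run the check before relying on the events.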

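Event receive queue size

  • The size of the queue that holds detected events
  • If the configuration also detects accesses to files and directories, the queue gets consumed
  • Events that overflow the queue are discarded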

/proc/sys/fs/inotify/max_queued_events

16384

 
Usage examples are listed at the link below, but the options are not explained there, so check them with the man command.
https://github.com/rvoicilas/inotify-tools/wiki#inotifywait
 

man

inotifywatch

Dump of man inotifywatch

inotifywatch(1)                                                                                    General Commands Manual                                                                                   inotifywatch(1)

NAME
       inotifywatch - gather filesystem access statistics using inotify

SYNOPSIS
       inotifywatch [-hvzrqf] [-e <event> ] [-t <seconds> ] [-a <event> ] [-d <event> ] <file> [ ... ]

DESCRIPTION
       inotifywatch listens for filesystem events using Linux's inotify(7) interface, then outputs a summary count of the events received on each file or directory.

OUTPUT
       inotifywatch will output a table on standard out with one column for each type of event and one row for each watched file or directory.  The table will show the amount of times each event occurred for each watched
       file or directory.  Output can be sorted by a particular event using the -a or -d options.

       Some diagnostic information will be output on standard error.

OPTIONS
       -h, --help
              Output some helpful usage information.

       -v, --verbose
              Output some extra information on standard error during execution.

       @<file>
              When watching a directory tree recursively, exclude the specified file from being watched.  The file must be specified with a relative or absolute path according to whether a relative or  absolute  path  is
              given for watched directories.  If a specific path is explicitly both included and excluded, it will always be watched.

              Note: If you need to watch a directory or file whose name starts with @, give the absolute path.

       --fromfile <file>
              Read  filenames  to watch or exclude from a file, one filename per line.  If filenames begin with @ they are excluded as described above.  If <file> is `-', filenames are read from standard input.  Use this
              option if you need to watch too many files to pass in as command line arguments.

       -z, --zero
              Output table rows and columns even if all elements are zero.  By default, rows and columns are only output if they contain non-zero elements.  Using this option when watching for every event  on  a  lot  of
              files can result in a lot of output!

       --exclude <pattern>
              Do not process any events whose filename matches the specified POSIX extended regular expression, case sensitive.

       --excludei <pattern>
              Do not process any events whose filename matches the specified POSIX extended regular expression, case insensitive.

       -r, --recursive
              Watch  all subdirectories of any directories passed as arguments.  Watches will be set up recursively to an unlimited depth.  Symbolic links are not traversed.  If new directories are created within watched
              directories they will automatically be watched.

              Warning: If you use this option while watching the root directory of a large tree, it may take quite a while until all inotify watches are established, and events will not be received in this  time.   Also,
              since one inotify watch will be established per subdirectory, it is possible that the maximum amount of inotify watches per user will be reached.  The default maximum is 8192; it can be increased by writing
              to /proc/sys/fs/inotify/max_user_watches.

       -t <seconds>, --timeout <seconds>
              Listen only for the specified amount of seconds.  If not specified, inotifywatch will gather statistics until receiving an interrupt signal by (for example) pressing CONTROL-C at the console.

       -e <event>, --event <event>
              Listen for specific event(s) only.  The events which can be listened for are listed in the EVENTS section.  This option can be specified more than once.  If omitted, all events are listened for.

       -a <event>, --ascending <event>
              Sort output ascending by event counts for the specified event.  Sortable events include `total' and all the events listed in  the  EVENTS  section  except  `move'  and  `close'  (you  must  use  `moved_to',
              `moved_from', `close_write' or `close_nowrite' instead).  The default is to sort descending by `total'.

       -d <event>, --descending <event>
              Sort  output  descending  by  event  counts  for  the  specified  event.   Sortable events include `total' and all the events listed in the EVENTS section except `move' and `close' (you must use `moved_to',
              `moved_from', `close_write' or `close_nowrite' instead).  The default is to sort descending by `total'.

EXIT STATUS
       0      The program executed successfully.

       1      An error occurred in execution of the program.

EVENTS
       The following events are valid for use with the -e option:

       access A watched file or a file within a watched directory was read from.

       modify A watched file or a file within a watched directory was written to.

       attrib The metadata of a watched file or a file within a watched directory was modified.  This includes timestamps, file permissions, extended attributes etc.

       close_write
              A watched file or a file within a watched directory was closed, after being opened in writeable mode.  This does not necessarily imply the file was written to.

       close_nowrite
              A watched file or a file within a watched directory was closed, after being opened in read-only mode.

       close  A watched file or a file within a watched directory was closed, regardless of how it was opened.  Note that this is actually implemented simply by listening for both close_write and close_nowrite, hence all
              close events received will be output as one of these, not CLOSE.

       open   A watched file or a file within a watched directory was opened.

       moved_to
              A file or directory was moved into a watched directory.  This event occurs even if the file is simply moved from and to the same directory.

       moved_from
              A file or directory was moved from a watched directory.  This event occurs even if the file is simply moved from and to the same directory.

       move   A  file or directory was moved from or to a watched directory.  Note that this is actually implemented simply by listening for both moved_to and moved_from, hence all close events received will be output as
              one or both of these, not MOVE.

       move_self
              A watched file or directory was moved. After this event, the file or directory is no longer being watched.

       create A file or directory was created within a watched directory.

       delete A file or directory within a watched directory was deleted.

       delete_self
              A watched file or directory was deleted.  After this event the file or directory is no longer being watched.  Note that this event can occur even if it is not explicitly being listened for.

       unmount
              The filesystem on which a watched file or directory resides was unmounted.  After this event the file or directory is no longer being watched.  Note that this event can occur even if it  is  not  explicitly
              being listened to.

EXAMPLE
       Watching the `~/.beagle' directory for 60 seconds:

       % inotifywatch -v -e access -e modify -t 60 -r ~/.beagle
       Establishing watches...
       Setting up watch(es) on /home/rohan/.beagle
       OK, /home/rohan/.beagle is now being watched.
       Total of 302 watches.
       Finished establishing watches, now collecting statistics.
       Will listen for events for 60 seconds.
       total  access  modify  filename
       1436   1074    362     /home/rohan/.beagle/Indexes/FileSystemIndex/PrimaryIndex/
       1323   1053    270     /home/rohan/.beagle/Indexes/FileSystemIndex/SecondaryIndex/
       303    116     187     /home/rohan/.beagle/Indexes/KMailIndex/PrimaryIndex/
       261    74      187     /home/rohan/.beagle/TextCache/
       206    0       206     /home/rohan/.beagle/Log/
       42     0       42      /home/rohan/.beagle/Indexes/FileSystemIndex/Locks/
       18     6       12      /home/rohan/.beagle/Indexes/FileSystemIndex/
       12     0       12      /home/rohan/.beagle/Indexes/KMailIndex/Locks/
       3      0       3       /home/rohan/.beagle/TextCache/54/
       3      0       3       /home/rohan/.beagle/TextCache/bc/
       3      0       3       /home/rohan/.beagle/TextCache/20/
       3      0       3       /home/rohan/.beagle/TextCache/62/
       2      2       0       /home/rohan/.beagle/Indexes/KMailIndex/SecondaryIndex/

CAVEATS
       When using inotifywatch, the filename that is outputted is not guaranteed to be up to date after a move because it is the inode that is being monitored. Additionally, none of the observed operations are guaranteed
       to have been performed on the filename inotifywatch was instructed to monitor in cases when the file is known by several names in the filesystem.

BUGS
       There are race conditions in the recursive directory watching code which can cause events to be missed if they occur in a directory immediately after that directory is created.  This is probably not fixable.

       It is assumed the inotify event queue will never overflow.

AUTHORS
       inotifywatch is written by Rohan McGovern <rohan@mcgovern.id.au>.

       inotifywatch is part of inotify-tools.  The inotify-tools website is located at: http://inotify-tools.sourceforge.net/

SEE ALSO
       inotifywait(1), inotify(7)

inotifywatch 3.14                                                                                      March 14, 2010                                                                                        inotifywatch(1)

 

inotifywait

Dump of man inotifywait

inotifywait(1)                                                                                     General Commands Manual                                                                                    inotifywait(1)

NAME
       inotifywait - wait for changes to files using inotify

SYNOPSIS
       inotifywait [-hcmrq] [-e <event> ] [-t <seconds> ] [--format <fmt> ] [--timefmt <fmt> ] <file> [ ... ]

DESCRIPTION
       inotifywait  efficiently waits for changes to files using Linux's inotify(7) interface.  It is suitable for waiting for changes to files from shell scripts.  It can either exit once an event occurs, or continually
       execute and output events as they occur.

OUTPUT
       inotifywait will output diagnostic information on standard error and event information on standard output.  The event output can be configured, but by default it consists of lines of the following form:

       watched_filename EVENT_NAMES event_filename

       watched_filename
              is the name of the file on which the event occurred.  If the file is a directory, a trailing slash is output.

       EVENT_NAMES
              are the names of the inotify events which occurred, separated by commas.

       event_filename
              is output only when the event occurred on a directory, and in this case the name of the file within the directory which caused this event is output.

              By default, any special characters in filenames are not escaped in any way.  This can make the output of inotifywait difficult to parse in awk scripts or similar.  The --csv and  --format  options  will  be
              helpful in this case.

OPTIONS
       -h, --help
              Output some helpful usage information.

       @<file>
              When  watching  a  directory tree recursively, exclude the specified file from being watched.  The file must be specified with a relative or absolute path according to whether a relative or absolute path is
              given for watched directories.  If a specific path is explicitly both included and excluded, it will always be watched.

              Note: If you need to watch a directory or file whose name starts with @, give the absolute path.

       --fromfile <file>
              Read filenames to watch or exclude from a file, one filename per line.  If filenames begin with @ they are excluded as described above.  If <file> is `-', filenames are read from standard input.   Use  this
              option if you need to watch too many files to pass in as command line arguments.

       -m, --monitor
              Instead of exiting after receiving a single event, execute indefinitely.  The default behaviour is to exit after the first event occurs.

       -d, --daemon
              Same as --monitor, except run in the background logging events to a file that must be specified by --outfile. Implies --syslog.

       -o, --outfile <file>
              Output events to <file> rather than stdout.

       -s, --syslog
              Output errors to syslog(3) system log module rather than stderr.

       -r, --recursive
              Watch  all  subdirectories  of  any  directories passed as arguments.  Watches will be set up recursively to an unlimited depth.  Symbolic links are not traversed.  Newly created subdirectories will also be
              watched.

              Warning: If you use this option while watching the root directory of a large tree, it may take quite a while until all inotify watches are established, and events will not be received in this  time.   Also,
              since one inotify watch will be established per subdirectory, it is possible that the maximum amount of inotify watches per user will be reached.  The default maximum is 8192; it can be increased by writing
              to /proc/sys/fs/inotify/max_user_watches.

       -q, --quiet
              If specified once, the program will be less verbose.  Specifically, it will not state when it has completed establishing all inotify watches.

              If specified twice, the program will output nothing at all, except in the case of fatal errors.

       --exclude <pattern>
              Do not process any events whose filename matches the specified POSIX extended regular expression, case sensitive.

       --excludei <pattern>
              Do not process any events whose filename matches the specified POSIX extended regular expression, case insensitive.

       -t <seconds>, --timeout <seconds>
              Exit if an appropriate event has not occurred within <seconds> seconds. If <seconds> is zero (the default), wait indefinitely for an event.

       -e <event>, --event <event>
              Listen for specific event(s) only.  The events which can be listened for are listed in the EVENTS section.  This option can be specified more than once.  If omitted, all events are listened for.

       -c, --csv
              Output in CSV (comma-separated values) format.  This is useful when filenames may contain spaces, since in this case it is not safe to simply split the output at each space character.

       --timefmt <fmt>
              Set a time format string as accepted by strftime(3) for use with the `%T' conversion in the --format option.

       --format <fmt>
              Output in a user-specified format, using printf-like syntax.  The event strings output are limited to around 4000 characters and will be truncated to this length.  The following conversions are supported:

       %w     This will be replaced with the name of the Watched file on which an event occurred.

       %f     When an event occurs within a directory, this will be replaced with the name of the File which caused the event to occur.  Otherwise, this will be replaced with an empty string.

       %e     Replaced with the Event(s) which occurred, comma-separated.

       %Xe    Replaced with the Event(s) which occurred, separated by whichever character is in the place of `X'.

       %T     Replaced with the current Time in the format specified by the --timefmt option, which should be a format string suitable for passing to strftime(3).

EXIT STATUS
       0      The program executed successfully, and an event occurred which was being listened for.

       1      An error occurred in execution of the program, or an event occurred which was not being listened for.  The latter generally occurs if something happens which forcibly removes the inotify watch,  such  as  a
              watched file being deleted or the filesystem containing a watched file being unmounted.

       2      The -t option was used and an event did not occur in the specified interval of time.

EVENTS
       The following events are valid for use with the -e option:

       access A watched file or a file within a watched directory was read from.

       modify A watched file or a file within a watched directory was written to.

       attrib The metadata of a watched file or a file within a watched directory was modified.  This includes timestamps, file permissions, extended attributes etc.

       close_write
              A watched file or a file within a watched directory was closed, after being opened in writeable mode.  This does not necessarily imply the file was written to.

       close_nowrite
              A watched file or a file within a watched directory was closed, after being opened in read-only mode.

       close  A watched file or a file within a watched directory was closed, regardless of how it was opened.  Note that this is actually implemented simply by listening for both close_write and close_nowrite, hence all
              close events received will be output as one of these, not CLOSE.

       open   A watched file or a file within a watched directory was opened.

       moved_to
              A file or directory was moved into a watched directory.  This event occurs even if the file is simply moved from and to the same directory.

       moved_from
              A file or directory was moved from a watched directory.  This event occurs even if the file is simply moved from and to the same directory.

       move   A file or directory was moved from or to a watched directory.  Note that this is actually implemented simply by listening for both moved_to and moved_from, hence all close events received will be output  as
              one or both of these, not MOVE.

       move_self
              A watched file or directory was moved. After this event, the file or directory is no longer being watched.

       create A file or directory was created within a watched directory.

       delete A file or directory within a watched directory was deleted.

       delete_self
              A watched file or directory was deleted.  After this event the file or directory is no longer being watched.  Note that this event can occur even if it is not explicitly being listened for.

       unmount
              The  filesystem  on  which a watched file or directory resides was unmounted.  After this event the file or directory is no longer being watched.  Note that this event can occur even if it is not explicitly
              being listened to.

EXAMPLES
   Example 1
       Running inotifywait at the command-line to wait for any file in the `test' directory to be accessed.  After running inotifywait, `cat test/foo' is run in a separate console.

       % inotifywait test
       Setting up watches.
       Watches established.
       test/ ACCESS foo

   Example 2
       A short shell script to efficiently wait for httpd-related log messages and do something appropriate.

       #!/bin/sh
       while inotifywait -e modify /var/log/messages; do
         if tail -n1 /var/log/messages | grep httpd; then
           kdialog --msgbox "Apache needs love!"
         fi
       done

   Example 3
       A custom output format is used to watch `~/test'.  Meanwhile, someone runs `touch ~/test/badfile; touch ~/test/goodfile; rm ~/test/badfile' in another console.

       % inotifywait -m -r --format '%:e %f' ~/test
       Setting up watches.  Beware: since -r was given, this may take a while!
       Watches established.
       CREATE badfile
       OPEN badfile
       ATTRIB badfile
       CLOSE_WRITE:CLOSE badfile
       CREATE goodfile
       OPEN goodfile
       ATTRIB goodfile
       CLOSE_WRITE:CLOSE goodfile
       DELETE badfile

CAVEATS
       When using inotifywait, the filename that is outputted is not guaranteed to be up to date after a move because it is the inode that is being monitored. Additionally, none of the observed operations are  guaranteed
       to have been performed on the filename inotifywait was instructed to monitor in cases when the file is known by several names in the filesystem.

BUGS
       There are race conditions in the recursive directory watching code which can cause events to be missed if they occur in a directory immediately after that directory is created.  This is probably not fixable.

       It is assumed the inotify event queue will never overflow.

AUTHORS
       inotifywait is written and maintained by Rohan McGovern <rohan@mcgovern.id.au>.

       inotifywait is part of inotify-tools.  The inotify-tools website is located at: http://inotify-tools.sourceforge.net/

SEE ALSO
       inotifywatch(1), strftime(3), inotify(7)

inotifywait 3.14                                                                                       March 14, 2010                                                                                         inotifywait(1)