Inotify, FAM, Gamin

From Noah.org
Jump to navigationJump to search

Inotify, FAM, Gamin -- comparing filesystem event monitors

Basically, you want to use inotify on Linux. If you are looking for a filesystem event monitor for other operating systems then look for something else. Both FAM and Gamin are old, but still available. I don't know if anything newer or better is preferred these days. See my #Old notes.

inotify

There is a handy collection of inotify-tools available that let you easily use inotify from a the command-line and in shell scripts. On Ubuntu install the inotify-tools package.

Python developers will want to look at pyinotify. The Ubuntu package that provides this is called python-pyinotify (universe).

Examples: Monitor a directory for changes with inotify

This requires inotify-tools.

The following example will display filenames created or deleted in /dev. Note that only the specified events are shown. This examples shows what happens when I inserted a USB flash drive into a USB bus. Note that this only watches the top level of /dev. This example is not recursive, so it does not watch any subdirectories under /dev/. When I tested with the --recursive option I was notified of 136 events just from inserting a USB flash drive.

$ inotifywait --monitor --event CREATE --event DELETE /dev/
Setting up watches.  
Watches established.
/dev/ CREATE usbdev1.12_ep81
/dev/ CREATE usbdev1.12_ep01
/dev/ CREATE usbdev1.12_ep00
/dev/ CREATE sg6
/dev/ CREATE .tmp-block-8:80
/dev/ DELETE .tmp-block-8:80
/dev/ CREATE sdf
/dev/ CREATE .tmp-block-8:81
/dev/ DELETE .tmp-block-8:81
/dev/ CREATE sdf1

This example adds recursion and compares output with and without formatting. This does not specify specific events to watch, so all events are shown. This example shows an ssh agent temp directory and file being created and deleted when a user connects with SSH. This format seems more intuitive to me.

Note that in these examples the creation of the files, agent.28194 and agent.28279 is not shown, but DELETE is shown. This is because these files represent a local socket (the ls -l command would show s in the file type column). These are not a regular files or directories in the file system. The kernel provides the named socket so it is visible to other processes through the filesystem. You would see a similar thing for named pipes (FIFO). I am not sure why inotify picks up the DELETE on the named socket, but not the creation.

$ inotifywait --monitor --recursive --format "%e %w%f" /tmp/
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
CREATE,ISDIR /tmp/ssh-ENbYOyHHJn
OPEN,ISDIR /tmp/ssh-ENbYOyHHJn
ACCESS,ISDIR /tmp/ssh-ENbYOyHHJn
CLOSE_NOWRITE,CLOSE,ISDIR /tmp/ssh-ENbYOyHHJn
DELETE /tmp/ssh-ENbYOyHHJn/agent.28194
DELETE,ISDIR /tmp/ssh-ENbYOyHHJn
DELETE_SELF /tmp/ssh-ENbYOyHHJn/

$ inotifywait --monitor --recursive /tmp/
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
/tmp/ CREATE,ISDIR ssh-ty4tCJACgh
/tmp/ OPEN,ISDIR ssh-ty4tCJACgh
/tmp/ ACCESS,ISDIR ssh-ty4tCJACgh
/tmp/ CLOSE_NOWRITE,CLOSE,ISDIR ssh-ty4tCJACgh
/tmp/ssh-ty4tCJACgh/ DELETE agent.28279
/tmp/ DELETE,ISDIR ssh-ty4tCJACgh
/tmp/ssh-ty4tCJACgh/ DELETE_SELF

Example: Display a window manager notification when a mailbox changes

This requires inotify-tools and notify-send (libnotify-bin).

This example will display a notify popup when a file is updated in ~/Maildir.

inotifywait -mrq -e create -e modify -e delete -e attrib -e move ~/Maildir | while read file
do
  (notify-send "File updated in Maildir:" "$file"&)
done

also possibly of interest

The fsniper tool is an utility for watching a directory and processing event scripts based on the filetype of new files that appear in the directory.

The incron tool is a utility for triggering scripts based on filesystem events. It is similar in setup to cron.

Old

This briefly compares the pros and cons of various filesystem event monitoring tools. These tools monitor the filesystem for changes and alert an application when specified events have occurred. For example, this allows a GUI to automatically update a directory listing if files are added by a background process. Without event based systems like this an application would have to poll the filesystem for changes every few seconds which wastes CPU and is not very responsive -- there can be significant delay between the time a file is delete and the time it disappears from a directory browser window.

  • FAM stands for File Alteration Monitor. It is one of the oldest portable event monitors. It sends events to an application when changes are made to files or directories that an application has registered to me monitored. FAM is complicated and old -- it was last updated 5 years ago. Bad choice.
  • Gamin is newer and simpler than FAM. It tries to be compatible with FAM while not implementing many of the obscure feature. It is moderately maintained and widely available on many distros. It is portable, but the focus of development and testing is on Linux. It has BSD support and can be found in FreeBSD Ports. Decent choice
  • dnotify is ancient and crusty and should be ignored. Bad choice.
  • inotify is a replacement for `dnotify`. It's a Linux kernel module. It's fast and lightweight and should be available for every Linux distro flavor. The downside is that it is Linux-only, so no BSD or OS X portability. If portability is not your top priority then it's the best choice for Linux.

I wish Gamin were a little more polished and up to date. It would be my first choice since it is portable.