Add fanotify support

[purpleidea]

Would there be any objections if someone sent in patches to add support for fanotify?

[nathany]

That would be great.

The only thing is, how does someone using Linux choose between them? We may need something along the lines of #104 first.

[purpleidea]

Just wanted to get the approximate ACK, so that I can point people here if they're interested in fanotify benefits. Thanks!

[nathany]

@purpleidea I think it would be best to build fanotify Go wrapper out as a separate repo and then look at integrating after that.

[nathany]

@amir73il is working on a "super block watch" for Linux, providing "the ability to set a single (fanotify) watch on a root directory and get notified on all the legacy inotify events without the need to recursively add watches on all directories." https://lkml.org/lkml/2016/12/20/312

This could avoid the need for a user-space recursive watcher (#16) on modern Linux kernels.

[purpleidea]

@nathany Thanks for the info! Looking forward to @amir73il's patches!

Cheers

[amir73il]

Well the patches are out there already in my github (applied to kernel 4.9), but for those of you hoping for this functionality to get upstream, I suggest to be patient.

I have no doubt it is going to be some time before this feature can be
merged to an official kernel.
My bet is that I will have to maintain it out of tree for a while, and only
after real users show genuine interest in the feature, it will be seriously
considered for upstream.

This is were you guys can be of help.
So far I had only one guy rooting for my patches on LKML
and he has also tested them on his system.

When promoting a feature for upstream it is important to bring solid use cases that require the feature and argue that the same cannot be achieved by user library code and existing kernel functionality.

However, if you can't test my work on a distro kernel then it is going to be harder to claim that it is beneficial for your use cases.
To solve this chicken and egg problem I plan to provide install-able
kernel modules for commonly used Linux distros, so using fanotify super block
should be as easy as e.g.: apt-get install fsntotify-tools.

I cannot guaranty when I will get to providing this level of installation though, so if there are any of you out there not afraid of building a custom kernel, I will gladly assist you if you want to test my patches.

Cheers.

[nathany]

Thanks Amir.

Perhaps another option to make the patched kernel available would be to maintain a Vagrant box built with Packer. That way we could test fanotify super block using a VirtualBox VM from any operating system.

[amir73il]

Yes, that could work. And I promise to assist the person who volunteers to work on this setup.

[tiwaana]

Amir, which kernel version you would like to target ?

[purpleidea]

@amir73il I have pinged some kernel engineers at my company to look into your patch. In the meantime, if you have a moment, could you look into and recommend an algorithm or suggest an improvement to the recursive file watching which I've implemented for mgmt? The code is available here:
https://github.com/purpleidea/mgmt/blob/master/recwatch/recwatch.go#L134

Cheers!

[amir73il]

@tiwaana question is moot. I would like to target the earliest kernel version possible, but since this is not a bug fix nor a trivial improvement, some things have to happen first not all of them depend on me, not necessarily in that order:

1. Technical review of patches (I am working on getting that)
2. Design review of patched (ditto)
3. Review of the proposed kernel-user API
4. Demonstrate a cut and clear benefit to Linux users community
5. Demonstrate no performance regressions for users not using the feature

[amir73il]

@purpleidea thanks for the ping. If your company will show interest in the super block watch, that can be a game changer. wrt your recursive watcher, I am new to golang and have zero knowledge about fsnotify library, but it appears your code is not calling addSubFolders() recursively from Init() more than 1 level of depth, so if you never get events on the direct sub folders you will never add watchers for level 2 subdirs, but I may be missing something. Also I don't see any handling of Move events for dirs, unless it is handled in lib by generating Rename/Create event pair.

[purpleidea]

On Wed, Feb 1, 2017 at 3:26 AM, Amir Goldstein ***@***.***> wrote: @purpleidea thanks for the ping. If your company will show interest in the super block watch, that can be a game changer. wrt your recursive watcher, I am new to golang and have zero knowledge about fsnotify library, but it appears your code is not calling addSubFolders() recursively from Init() more than 1 level of depth, so if you never get events on the direct sub folders you will never add watchers for level 2 subdirs, but I may be missing something. Also I don't see any handling of Move events for dirs, unless it is handled in lib by generating Rename/Create event pair.

I think I am having an algorithmic mind block, as IIRC I think some cases didn't work all the time. In any case, golang is very similar to C if you get bored :)

[isage]

@amir73il is working on a "super block watch" for Linux, providing "the ability to set a single (fanotify) watch on a root directory and get notified on all the legacy inotify events without the need to recursively add watches on all directories." https://lkml.org/lkml/2016/12/20/312

You do know, that fanotify supports recursive watch on (any, even bind) mountpoint with FAN_MARK_MOUNT, right?

[amir73il]

@isage focus on the part 'all the legacy inotify event', namely, create/move/delete.
an fanotify mount watch does not provide those events.

[pabs3]

Linux fanotify added directory events (move/delete/etc) back in 2017:

https://lwn.net/Articles/717060/

[amir73il]

@pabs3 I was not aware of any distro that picked up the patch you mentioned,
but actually, Linux did get fanotify directory events back in May.

@nathany, sorry I forgot to update you when the feature got merged upstream:
https://kernelnewbies.org/Linux_5.1#Improved_fanotify_for_better_file_system_monitorization

Man pages were already updated:
http://man7.org/linux/man-pages/man7/fanotify.7.html

On my github, you can find demo conversion of inotifywait tool to use fanotify super block watch instead of a recursive inotify watch:
https://github.com/amir73il/inotify-tools/commits/fanotify_dirent

Please note that at this time, the feature enables user to listen on ALL directory events in the filesystem and any sort of filtering by subtree would have to be implemented in user space.
Implementing subtree filter in kernel is on my roadmap, but cannot promise anything yet.

Let me know if you are interested in using fanotify and if you have any questions.

[nathany]

Other than requiring a newer Linux kernel, is there any disadvantage to using fanotify? Could we detect support for fanotify and fallback to inotify if not available?

Would two or more people be interested in building out a stand-alone fanotify module/package, either in a separate repository or a subfolder of fsnotify? Then we could look at integrating it into fsnotify after that.

[amir73il]

To detect support just need to execute fanotify_init(FAN_REPORT_FID, 0).
If you do net get EINVAL you can use the feature.

The disadvatage compared to recursive inotify is that there is no subtree level filterting in the kernel.
When you set a watch by FAN_MARK_FILESYSTEM you get all events on filesystem and need to filter them by path prefix in userspace.

At the moment, directory modification events are NOT supported along with FAN_MARK_MOUNT due to Linux vfs implementation constrains.

[s3rj1k]

@amir73il any update on this issue?

[amir73il]

@s3rj1k which updates are you expecting?
There is no timeline or any guaranty that subtree filtering in-kernel will ever be available,
but that shouldn't matter - it's just an optimization.

The way I see it, the kernel code is ready and waiting for volunteers to implement the userspace recursive watcher. I even provided sample C code.

I forgot to mention in the answer to @nathany, that unlike inotify, fanotify requires SYS_CAP_ADMIN. Not sure if that is a problem for fsnotify.

[s3rj1k]

@amir73il Hi, basic support for fanotify in fsnotify.
I actually need only the FS_MOUNT watcher, as it can be used for recursive watcher.

[s3rj1k]

@amir73il I actually plan on using it for Directory backend.
If you are interested related issue in LXD https://github.com/lxc/lxd/issues/6304
So this is actually pretty usable but in C :)

[amir73il]

@s3rj1k Are you interested only in open/close events?
That is already available in fanotify for a long time regardless of my changes.

[s3rj1k]

@amir73il Open/Close recursively, for antivirus on demand scanner.
Can current code do this recursively? If so, I'll try this tomorrow and report back.
Thanks for your quick support.

[amir73il]

@s3rj1k I don't understand the question. Fanotify could always do that. If you are asking about fsnotify lib support the no, but you are talking to the wrong person

[s3rj1k]

I played a bit with fanotify and go, here is a working example
https://github.com/s3rj1k/go-fanotify

[s3rj1k]

@amir73il are there any examples with newer fanotify functionality?
FAN_MOVED_FROM, FAN_MOVED_TO, ... and friends

[amir73il]

@s3rj1k see link above to inotofy-tools global watch demo

[amir73il]

@s3rj1k see also https://github.com/amir73il/ltp/blob/master/testcases/kernel/syscalls/fanotify/fanotify15.c

[s3rj1k]

@amir73il The latter example actually helps a lot for none-C people.
Manual states that FAN_MARK_MOUNT can't be used FAN_REPORT_FID.
Is there a way to achieve similar functionality for FAN_REPORT_FID?

[amir73il]

@s3rj1k you will have to be more specific than "similar functionality".
What you have is FAN_MARK_FILESYSTEM.
If the example code I shared is not enough to understand what it can do, I'm afraid there is not much more that I can do to assist.

[s3rj1k]

@amir73il yes. I've set FAN_MARK_FILESYSTEM.
I was talking about some sort of recursive watch as FAN_MARK_MOUNT does.
I assume this should work similar.
Still have troubles with writing go code :)

[s3rj1k]

@nathany basic (pre 5.1 kernel) fanotify support can be added using golang.org/x/sys/unix
You can checkout https://github.com/s3rj1k/go-fanotify for example code.

[s3rj1k]

Would be nice to have someone with more knowledge of C to port those new fanotify structures to golang.
Sadly I can get them to work :(

[s3rj1k]

@amir73il You mentioned earlier

Another functionality you may find missing compared to inotify is the filenames on create/delete/rename events.
I have patches for this functionality, but there is push back from upstream kernel on
these patches, so again, needs kernel feature needs to be driven from userspace needs.

Can you make this patch public?
I assume this patch is for legacy fanotify interface that was discussed in https://lwn.net/Articles/717060/?

[amir73il]

@s3rj1k see amir73il/fsnotify-utils#1

[s3rj1k]

@nathany there is also https://github.com/ozeidan/gosearch/blob/master/internal/fanotify/fanotify.go

[amir73il]

For the record, the remaining bits of fanotify filesystem watch have been merged to kernel v5.9:
https://kernelnewbies.org/Linux_5.9#Core_.28various.29

Man pages were updated for using modes like FAN_REPORT_DFID_NAME, which most closely resembles the inotify event information:
https://www.man7.org/linux/man-pages/man2/fanotify_init.2.html