15278217843680.html

<!doctype html>
<html class="no-js" lang="en">
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>
    
  Linux Filesystem Events with inotify - Junkman
  
  </title>
  
  
  <link href="atom.xml" rel="alternate" title="Junkman" type="application/atom+xml">
    <link rel="stylesheet" href="asset/css/foundation.min.css" />
    <link rel="stylesheet" href="asset/css/docs.css" />
    <script src="asset/js/vendor/modernizr.js"></script>
    <script src="asset/js/vendor/jquery.js"></script>
  <script src="asset/highlightjs/highlight.pack.js"></script>
  <link href="asset/highlightjs/styles/github.css" media="screen, projection" rel="stylesheet" type="text/css">
  <script>hljs.initHighlightingOnLoad();</script>
<script type="text/javascript">
  function before_search(){
    var searchVal = 'site:panlw.github.io ' + document.getElementById('search_input').value;
    document.getElementById('search_q').value = searchVal;
    return true;
  }
</script>
  </head>
  <body class="antialiased hide-extras">
    
    <div class="marketing off-canvas-wrap" data-offcanvas>
      <div class="inner-wrap">


<nav class="top-bar docs-bar hide-for-small" data-topbar>


  <section class="top-bar-section">
  <div class="row">
      <div style="position: relative;width:100%;"><div style="position: absolute; width:100%;">
        <ul id="main-menu" class="left">
        
        <li id=""><a target="self" href="index.html">Home</a></li>
        
        <li id=""><a target="_self" href="archives.html">Archives</a></li>
        
        </ul>

        <ul class="right" id="search-wrap">
          <li>
<form target="_blank" onsubmit="return before_search();" action="http://google.com/search" method="get">
    <input type="hidden" id="search_q" name="q" value="" />
    <input tabindex="1" type="search" id="search_input"  placeholder="Search"/>
</form>
</li>
          </ul>
      </div></div>
  </div>
  </section>

</nav>

        <nav class="tab-bar show-for-small">
  <a href="javascript:void(0)" class="left-off-canvas-toggle menu-icon">
    <span> &nbsp; Junkman</span>
  </a>
</nav>

<aside class="left-off-canvas-menu">
      <ul class="off-canvas-list">
       
       <li><a href="index.html">HOME</a></li>
    <li><a href="archives.html">Archives</a></li>
    <li><a href="about.html">ABOUT</a></li>

    <li><label>Categories</label></li>

        
            <li><a href="Infra.html">Infra</a></li>
        
            <li><a href="Coding.html">Coding</a></li>
        
            <li><a href="Modeling.html">Modeling</a></li>
        
            <li><a href="Archtecting.html">Archtecting</a></li>
         

      </ul>
    </aside>

<a class="exit-off-canvas" href="#"></a>


        <section id="main-content" role="main" class="scroll-container">
        
       

 <script type="text/javascript">
  $(function(){
    $('#menu_item_index').addClass('is_active');
  });
</script>
<div class="row">
  <div class="large-8 medium-8 columns">
      <div class="markdown-body article-wrap">
       <div class="article">
          
          <h1>Linux Filesystem Events with inotify</h1>
     
        <div class="read-more clearfix">
          <span class="date">2018/6/1</span>

          <span>posted in&nbsp;</span> 
          
              <span class="posted-in"><a href='Storage.html'>Storage</a></span>
           
         
          <span class="comments">
            

            
          </span>

        </div>
      </div><!-- article -->

      <div class="article-content">
      <blockquote>
<p>by Charles Fisher on January 8, 2018<br/>
<a href="https://www.linuxjournal.com/content/linux-filesystem-events-inotify">https://www.linuxjournal.com/content/linux-filesystem-events-inotify</a></p>
</blockquote>

<p><cite class="">Triggering scripts with incron and systemd.</cite></p>

<p>It is, at times, important to know when things change in the Linux OS. The uses to which systems are placed often include high-priority data that must be processed as soon as it is seen. The conventional method of finding and processing new file data is to poll for it, usually with cron. This is inefficient, and it can tax performance unreasonably if too many polling events are forked too often.</p>

<p>Linux has an efficient method for alerting user-space processes to changes impacting files of interest. The inotify Linux system calls were first discussed here in <u>Linux Journal</u> in a <a href="http://www.linuxjournal.com/article/8478">2005 article by Robert Love</a> who primarily addressed the behavior of the new features from the perspective of C.</p>

<p>However, there also are stable shell-level utilities and new classes of monitoring dæmons for registering filesystem watches and reporting events. Linux installations using systemd also can access basic inotify functionality with path units. The inotify interface does have limitations—it can&#39;t monitor remote, network-mounted filesystems (that is, NFS); it does not report the userid involved in the event; it does not work with /proc or other pseudo-filesystems; and mmap() operations do not trigger it, among other concerns. Even with these limitations, it is a tremendously useful feature.</p>

<p>This article completes the work begun by Love and gives everyone who can write a Bourne shell script or set a crontab the ability to react to filesystem changes.</p>

<h3 id="toc_0">The inotifywait Utility</h3>

<p>Working under Oracle Linux 7 (or similar versions of Red Hat/CentOS/Scientific Linux), the inotify shell tools are not installed by default, but you can load them with yum:</p>

<pre><code>
 # yum install inotify-tools
Loaded plugins: langpacks, ulninfo
ol7_UEKR4                                      | 1.2 kB   00:00
ol7_latest                                     | 1.4 kB   00:00
Resolving Dependencies
--&gt; Running transaction check
---&gt; Package inotify-tools.x86_64 0:3.14-8.el7 will be installed
--&gt; Finished Dependency Resolution

Dependencies Resolved

==============================================================
Package         Arch       Version        Repository     Size
==============================================================
Installing:
inotify-tools   x86_64     3.14-8.el7     ol7_latest     50 k

Transaction Summary
==============================================================
Install  1 Package

Total download size: 50 k
Installed size: 111 k
Is this ok [y/d/N]: y
Downloading packages:
inotify-tools-3.14-8.el7.x86_64.rpm               |  50 kB   00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : inotify-tools-3.14-8.el7.x86_64                 1/1
  Verifying  : inotify-tools-3.14-8.el7.x86_64                 1/1

Installed:
  inotify-tools.x86_64 0:3.14-8.el7

Complete!

</code></pre>

<p>The package will include two utilities (inotifywait and inotifywatch), documentation and a number of libraries. The inotifywait program is of primary interest.</p>

<p>Some derivatives of Red Hat 7 may not include inotify in their base repositories. If you find it missing, you can obtain it from <a href="https://fedoraproject.org/wiki/EPEL">Fedora&#39;s EPEL repository</a>, either by downloading the inotify RPM for manual installation or adding the EPEL repository to yum.</p>

<p>Any user on the system who can launch a shell may register watches—no special privileges are required to use the interface. This example watches the /tmp directory:</p>

<pre><code>
$ inotifywait -m /tmp
Setting up watches.
Watches established.

</code></pre>

<p>If another session on the system performs a few operations on the files in /tmp:</p>

<pre><code>
$ touch /tmp/hello
$ cp /etc/passwd /tmp
$ rm /tmp/passwd
$ touch /tmp/goodbye
$ rm /tmp/hello /tmp/goodbye

</code></pre>

<p>those changes are immediately visible to the user running inotifywait:</p>

<pre><code>
/tmp/ CREATE hello
/tmp/ OPEN hello
/tmp/ ATTRIB hello
/tmp/ CLOSE_WRITE,CLOSE hello
/tmp/ CREATE passwd
/tmp/ OPEN passwd
/tmp/ MODIFY passwd
/tmp/ CLOSE_WRITE,CLOSE passwd
/tmp/ DELETE passwd
/tmp/ CREATE goodbye
/tmp/ OPEN goodbye
/tmp/ ATTRIB goodbye
/tmp/ CLOSE_WRITE,CLOSE goodbye
/tmp/ DELETE hello
/tmp/ DELETE goodbye

</code></pre>

<p>A few relevant sections of the manual page explain what is happening:</p>

<pre><code>
$ man inotifywait | col -b | sed -n &#39;/diagnostic/,/helpful/p&#39;
  inotifywait will output diagnostic information on standard error and
  event information on standard output. The event output can be config-
  ured, but by default it consists of lines of the following form:

  watched_filename EVENT_NAMES event_filename

  watched_filename
    is the name of the file on which the event occurred. If the
    file is a directory, a trailing slash is output.

  EVENT_NAMES
    are the names of the inotify events which occurred, separated by
    commas.

  event_filename
    is output only when the event occurred on a directory, and in
    this case the name of the file within the directory which caused
    this event is output.

    By default, any special characters in filenames are not escaped
    in any way. This can make the output of inotifywait difficult
    to parse in awk scripts or similar. The --csv and --format
    options will be helpful in this case.

</code></pre>

<p>It also is possible to filter the output by registering particular events of interest with the <code>-e</code> option, the list of which is shown here:</p>

<p>| access | create | move_self |<br/>
| attrib | delete | moved_to |<br/>
| close_write | delete_self | moved_from |<br/>
| close_nowrite | modify | open |<br/>
| close | move | unmount |</p>

<p>A common application is testing for the arrival of new files. Since inotify must be given the name of an existing filesystem object to watch, the directory containing the new files is provided. A trigger of interest is also easy to provide—new files should be complete and ready for processing when the <code>close_write</code> trigger fires. Below is an example script to watch for these events:</p>

<pre><code>
#!/bin/sh
unset IFS                                 # default of space, tab and nl
                                          # Wait for filesystem events
inotifywait -m -e close_write \
   /tmp /var/tmp /home/oracle/arch-orcl/ |
while read dir op file
do [[ &quot;${dir}&quot; == &#39;/tmp/&#39; &amp;&amp; &quot;${file}&quot; == *.txt ]] &amp;&amp;
      echo &quot;Import job should start on $file ($dir $op).&quot;

   [[ &quot;${dir}&quot; == &#39;/var/tmp/&#39; &amp;&amp; &quot;${file}&quot; == CLOSE_WEEK*.txt ]] &amp;&amp;
      echo Weekly backup is ready.

   [[ &quot;${dir}&quot; == &#39;/home/oracle/arch-orcl/&#39; &amp;&amp; &quot;${file}&quot; == *.ARC ]]
&amp;&amp;
      su - oracle -c &#39;ORACLE_SID=orcl ~oracle/bin/log_shipper&#39; &amp;

   [[ &quot;${dir}&quot; == &#39;/tmp/&#39; &amp;&amp; &quot;${file}&quot; == SHUT ]] &amp;&amp; break

   ((step+=1))
done

echo We processed $step events.

</code></pre>

<p>There are a few problems with the script as presented—of all the available shells on Linux, only ksh93 (that is, the AT&amp;T Korn shell) will report the &quot;step&quot; variable correctly at the end of the script. All the other shells will report this variable as null.</p>

<p>The reason for this behavior can be found in a brief explanation on the manual page for Bash: &quot;Each command in a pipeline is executed as a separate process (i.e., in a subshell).&quot; The MirBSD clone of the Korn shell has a slightly longer explanation:</p>

<pre><code>
# man mksh | col -b | sed -n &#39;/The parts/,/do so/p&#39;
  The parts of a pipeline, like below, are executed in subshells. Thus,
  variable assignments inside them fail. Use co-processes instead.

  foo | bar | read baz          # will not change $baz
  foo | bar |&amp; read -p baz      # will, however, do so

</code></pre>

<p>And, the pdksh documentation in Oracle Linux 5 (from which MirBSD mksh emerged) has several more mentions of the subject:</p>

<pre><code>
General features of at&amp;t ksh88 that are not (yet) in pdksh:
  - the last command of a pipeline is not run in the parent shell
  - `echo foo | read bar; echo $bar&#39; prints foo in at&amp;t ksh, nothing
    in pdksh (ie, the read is done in a separate process in pdksh).
  - in pdksh, if the last command of a pipeline is a shell builtin, it
    is not executed in the parent shell, so &quot;echo a b | read foo bar&quot;
    does not set foo and bar in the parent shell (at&amp;t ksh will).
    This may get fixed in the future, but it may take a while.

$ man pdksh | col -b | sed -n &#39;/BTW, the/,/aware/p&#39;
  BTW, the most frequently reported bug is
    echo hi | read a; echo $a   # Does not print hi
  I&#39;m aware of this and there is no need to report it.

</code></pre>

<p>This behavior is easy enough to demonstrate—running the script above with the default bash shell and providing a sequence of example events:</p>

<pre><code>
$ cp /etc/passwd /tmp/newdata.txt
$ cp /etc/group /var/tmp/CLOSE_WEEK20170407.txt
$ cp /etc/passwd /tmp/SHUT

</code></pre>

<p>gives the following script output:</p>

<pre><code>
# ./inotify.sh
Setting up watches.
Watches established.
Import job should start on newdata.txt (/tmp/ CLOSE_WRITE,CLOSE).
Weekly backup is ready.
We processed events.

</code></pre>

<p>Examining the process list while the script is running, you&#39;ll also see two shells, one forked for the control structure:</p>

<pre><code>
$ function pps { typeset a IFS=\| ; ps ax | while read a
do case $a in *$1*|+([!0-9])) echo $a;; esac; done }

$ pps inot
  PID TTY      STAT   TIME COMMAND
 3394 pts/1    S+     0:00 /bin/sh ./inotify.sh
 3395 pts/1    S+     0:00 inotifywait -m -e close_write /tmp /var/tmp
 3396 pts/1    S+     0:00 /bin/sh ./inotify.sh

</code></pre>

<p>As it was manipulated in a subshell, the &quot;step&quot; variable above was null when control flow reached the echo. Switching this from #/bin/sh to #/bin/ksh93 will correct the problem, and only one shell process will be seen:</p>

<pre><code>
# ./inotify.ksh93
Setting up watches.
Watches established.
Import job should start on newdata.txt (/tmp/ CLOSE_WRITE,CLOSE).
Weekly backup is ready.
We processed 2 events.

$ pps inot
  PID TTY      STAT   TIME COMMAND
 3583 pts/1    S+     0:00 /bin/ksh93 ./inotify.sh
 3584 pts/1    S+     0:00 inotifywait -m -e close_write /tmp /var/tmp

</code></pre>

<p>Although ksh93 behaves properly and in general handles scripts far more gracefully than all of the other Linux shells, it is rather large:</p>

<pre><code>
$ ll /bin/[bkm]+([aksh93]) /etc/alternatives/ksh
-rwxr-xr-x. 1 root root  960456 Dec  6 11:11 /bin/bash
lrwxrwxrwx. 1 root root      21 Apr  3 21:01 /bin/ksh -&gt;
                                               /etc/alternatives/ksh
-rwxr-xr-x. 1 root root 1518944 Aug 31  2016 /bin/ksh93
-rwxr-xr-x. 1 root root  296208 May  3  2014 /bin/mksh
lrwxrwxrwx. 1 root root      10 Apr  3 21:01 /etc/alternatives/ksh -&gt;
                                                    /bin/ksh93

</code></pre>

<p>The mksh binary is the smallest of the Bourne implementations above (some of these shells may be missing on your system, but you can install them with yum). For a long-term monitoring process, mksh is likely the best choice for reducing both processing and memory footprint, and it does not launch multiple copies of itself when idle assuming that a coprocess is used. Converting the script to use a Korn coprocess that is friendly to mksh is not difficult:</p>

<pre><code>
#!/bin/mksh
unset IFS                              # default of space, tab and nl
                                       # Wait for filesystem events
inotifywait -m -e close_write \
   /tmp/ /var/tmp/ /home/oracle/arch-orcl/ \
   2&lt;/dev/null |&amp;                      # Launch as Korn coprocess

while read -p dir op file              # Read from Korn coprocess
do [[ &quot;${dir}&quot; == &#39;/tmp/&#39; &amp;&amp; &quot;${file}&quot; == *.txt ]] &amp;&amp;
      print &quot;Import job should start on $file ($dir $op).&quot;

   [[ &quot;${dir}&quot; == &#39;/var/tmp/&#39; &amp;&amp; &quot;${file}&quot; == CLOSE_WEEK*.txt ]] &amp;&amp;
      print Weekly backup is ready.

   [[ &quot;${dir}&quot; == &#39;/home/oracle/arch-orcl/&#39; &amp;&amp; &quot;${file}&quot; == *.ARC ]]
&amp;&amp;
      su - oracle -c &#39;ORACLE_SID=orcl ~oracle/bin/log_shipper&#39; &amp;

   [[ &quot;${dir}&quot; == &#39;/tmp/&#39; &amp;&amp; &quot;${file}&quot; == SHUT ]] &amp;&amp; break

   ((step+=1))
done

echo We processed $step events.

</code></pre>

<p>Note that <a></a>the Korn and Bolsky reference on the Korn shell outlines the following requirements in a program operating as a coprocess:</p>

<blockquote>
<p><strong>Caution:</strong> The co-process must:</p>

<ul>
<li><p>Send each output message to standard output.</p></li>
<li><p>Have a Newline at the end of each message.</p></li>
<li><p>Flush its standard output whenever it writes a message.</p></li>
</ul>
</blockquote>

<p>An <code>fflush(NULL)</code> is found in the main processing loop of the inotifywait source, and these requirements appear to be met.</p>

<p>The mksh version of the script is the most reasonable compromise for efficient use and correct behavior, and I have explained it at some length here to save readers trouble and frustration—it is important to avoid control structures executing in subshells in most of the Borne family. However, hopefully all of these ersatz shells someday fix this basic flaw and implement the Korn behavior correctly.</p>

<h3 id="toc_1">A Practical Application—Oracle Log Shipping</h3>

<p>Oracle databases that are configured for hot backups produce a stream of &quot;archived redo log files&quot; that are used for database recovery. These are the most critical backup files that are produced in an Oracle database.</p>

<p>These files are numbered sequentially and are written to a log directory configured by the DBA. An inotifywatch can trigger activities to compress, encrypt and/or distribute the archived logs to backup and disaster recovery servers for safekeeping. You can configure Oracle RMAN to do most of these functions, but the OS tools are more capable, flexible and simpler to use.</p>

<p>There are a number of important design parameters for a script handling archived logs:</p>

<ul>
<li><p>A &quot;critical section&quot; must be established that allows only a single process to manipulate the archived log files at a time. Oracle will sometimes write bursts of log files, and inotify might cause the handler script to be spawned repeatedly in a short amount of time. Only one instance of the handler script can be allowed to run—any others spawned during the handler&#39;s lifetime must immediately exit. This will be achieved with a textbook application of the flock program from the util-linux package.</p></li>
<li><p>The optimum compression available for production applications appears to be <a href="http://www.nongnu.org/lzip">lzip</a>. The author claims that the integrity of his archive format is <a href="http://www.nongnu.org/lzip/xz_inadequate.html">superior to many more well known utilities</a>, both in compression ability and also structural integrity. The lzip binary is not in the standard repository for Oracle Linux—it is available in EPEL and is easily compiled from source.</p></li>
<li><p>Note that <a href="http://www.7-zip.org">7-Zip</a> uses the same LZMA algorithm as lzip, and it also will perform AES encryption on the data after compression. Encryption is a desirable feature, as it will exempt a business from <a href="http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx">breach disclosure laws</a> in most US states if the backups are lost or stolen and they contain &quot;Protected Personal Information&quot; (PPI), such as birthdays or Social Security Numbers. The author of lzip does have harsh things to say regarding the quality of 7-Zip archives using LZMA2, and the <code>openssl enc</code> program can be used to apply AES encryption after compression to lzip archives or any other type of file, as I discussed in a <a href="http://www.linuxjournal.com/content/flat-file-encryption-openssl-and-gpg">previous article</a>. I&#39;m foregoing file encryption in the script below and using lzip for clarity.</p></li>
<li><p>The current log number will be recorded in a dot file in the Oracle user&#39;s home directory. If a log is skipped for some reason (a rare occurrence for an Oracle database), log shipping will stop. A missing log requires an immediate and full database backup (either cold or hot)—successful recoveries of Oracle databases cannot skip logs.</p></li>
<li><p>The <code>scp</code> program will be used to copy the log to a remote server, and it should be called repeatedly until it returns successfully.</p></li>
<li><p>I&#39;m calling the genuine &#39;93 Korn shell for this activity, as it is the most capable scripting shell and I don&#39;t want any surprises.</p></li>
</ul>

<p>Given these design parameters, this is an implementation:</p>

<pre><code>
# cat ~oracle/archutils/process_logs

#!/bin/ksh93

set -euo pipefail
IFS=$&#39;\n\t&#39;  # http://redsymbol.net/articles/unofficial-bash-strict-mode/

(
 flock -n 9 || exit 1          # Critical section-allow only one process.

 ARCHDIR=~oracle/arch-${ORACLE_SID}

 APREFIX=${ORACLE_SID}_1_

 ASUFFIX=.ARC

 CURLOG=$(&lt;~oracle/.curlog-$ORACLE_SID)

 File=&quot;${ARCHDIR}/${APREFIX}${CURLOG}${ASUFFIX}&quot;

 [[ ! -f &quot;$File&quot; ]] &amp;&amp; exit

 while [[ -f &quot;$File&quot; ]]
 do ((NEXTCURLOG=CURLOG+1))

    NextFile=&quot;${ARCHDIR}/${APREFIX}${NEXTCURLOG}${ASUFFIX}&quot;

    [[ ! -f &quot;$NextFile&quot; ]] &amp;&amp; sleep 60  # Ensure ARCH has finished

    nice /usr/local/bin/lzip -9q &quot;$File&quot;

    until scp &quot;${File}.lz&quot; &quot;yourcompany.com:~oracle/arch-$ORACLE_SID&quot;
    do sleep 5
    done

    CURLOG=$NEXTCURLOG

    File=&quot;$NextFile&quot;
 done

 echo $CURLOG &gt; ~oracle/.curlog-$ORACLE_SID

) 9&gt;~oracle/.processing_logs-$ORACLE_SID

</code></pre>

<p>The above script can be executed manually for testing even while the inotify handler is running, as the flock protects it.</p>

<p>A standby server, or a DataGuard server in primitive standby mode, can apply the archived logs at regular intervals. The script below forces a 12-hour delay in log application for the recovery of dropped or damaged objects, so inotify cannot be easily used in this case—cron is a more reasonable approach for delayed file processing, and a run every 20 minutes will keep the standby at the desired recovery point:</p>

<pre><code>
# cat ~oracle/archutils/delay-lock.sh

#!/bin/ksh93

(
 flock -n 9 || exit 1              # Critical section-only one process.

 WINDOW=43200                      # 12 hours

 LOG_DEST=~oracle/arch-$ORACLE_SID

 OLDLOG_DEST=$LOG_DEST-applied

 function fage { print $(( $(date +%s) - $(stat -c %Y &quot;$1&quot;) ))
  } # File age in seconds - Requires GNU extended date &amp; stat

 cd $LOG_DEST

 of=$(ls -t | tail -1)             # Oldest file in directory

 [[ -z &quot;$of&quot; || $(fage &quot;$of&quot;) -lt $WINDOW ]] &amp;&amp; exit

 for x in $(ls -rt)                    # Order by ascending file mtime
 do if [[ $(fage &quot;$x&quot;) -ge $WINDOW ]]
    then y=$(basename $x .lz)          # lzip compression is optional

         [[ &quot;$y&quot; != &quot;$x&quot; ]] &amp;&amp; /usr/local/bin/lzip -dkq &quot;$x&quot;

         $ORACLE_HOME/bin/sqlplus &#39;/ as sysdba&#39; &gt; /dev/null 2&gt;&amp;1 &lt;&lt;-EOF
                recover standby database;
                $LOG_DEST/$y
                cancel
                quit
                EOF

         [[ &quot;$y&quot; != &quot;$x&quot; ]] &amp;&amp; rm &quot;$y&quot;

         mv &quot;$x&quot; $OLDLOG_DEST
    fi

 done
) 9&gt; ~oracle/.recovering-$ORACLE_SID

</code></pre>

<p>I&#39;ve covered these specific examples here because they introduce tools to control concurrency, which is a common issue when using inotify, and they advance a few features that increase reliability and minimize storage requirements. Hopefully enthusiastic readers will introduce many improvements to these approaches.</p>

<h3 id="toc_2">The incron System</h3>

<p>Lukas Jelinek is the author of the incron package that allows users to specify tables of inotify events that are executed by the master incrond process. Despite the reference to &quot;cron&quot;, the package does not schedule events at regular intervals—it is a tool for filesystem events, and the cron reference is slightly misleading.</p>

<p>The incron package is available from EPEL. If you have installed the repository, you can load it with yum:</p>

<pre><code>
# yum install incron
Loaded plugins: langpacks, ulninfo
Resolving Dependencies
--&gt; Running transaction check
---&gt; Package incron.x86_64 0:0.5.10-8.el7 will be installed
--&gt; Finished Dependency Resolution

Dependencies Resolved

=================================================================
 Package       Arch       Version           Repository    Size
=================================================================
Installing:
 incron        x86_64     0.5.10-8.el7      epel          92 k

Transaction Summary
==================================================================
Install  1 Package

Total download size: 92 k
Installed size: 249 k
Is this ok [y/d/N]: y
Downloading packages:
incron-0.5.10-8.el7.x86_64.rpm                      |  92 kB   00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : incron-0.5.10-8.el7.x86_64                          1/1
  Verifying  : incron-0.5.10-8.el7.x86_64                          1/1

Installed:
  incron.x86_64 0:0.5.10-8.el7

Complete!

</code></pre>

<p>On a systemd distribution with the appropriate service units, you can start and enable incron at boot with the following commands:</p>

<pre><code>
# systemctl start incrond
# systemctl enable incrond
Created symlink from
   /etc/systemd/system/multi-user.target.wants/incrond.service
to /usr/lib/systemd/system/incrond.service.

</code></pre>

<p>In the default configuration, any user can establish incron schedules. The incrontab format uses three fields:</p>

<pre><code>
&lt;path&gt; &lt;mask&gt; &lt;command&gt;

</code></pre>

<p>Below is an example entry that was set with the <code>-e</code> option:</p>

<pre><code>
$ incrontab -e        #vi session follows

$ incrontab -l
/tmp/ IN_ALL_EVENTS /home/luser/myincron.sh $@ $% $#

</code></pre>

<p>You can record a simple script and mark it with execute permission:</p>

<pre><code>
$ cat myincron.sh
#!/bin/sh

echo -e &quot;path: $1 op: $2 \t file: $3&quot; &gt;&gt; ~/op

$ chmod 755 myincron.sh

</code></pre>

<p>Then, if you repeat the original /tmp file manipulations at the start of this article, the script will record the following output:</p>

<pre><code>
$ cat ~/op

path: /tmp/ op: IN_ATTRIB        file: hello
path: /tmp/ op: IN_CREATE        file: hello
path: /tmp/ op: IN_OPEN          file: hello
path: /tmp/ op: IN_CLOSE_WRITE   file: hello
path: /tmp/ op: IN_OPEN          file: passwd
path: /tmp/ op: IN_CLOSE_WRITE   file: passwd
path: /tmp/ op: IN_MODIFY        file: passwd
path: /tmp/ op: IN_CREATE        file: passwd
path: /tmp/ op: IN_DELETE        file: passwd
path: /tmp/ op: IN_CREATE        file: goodbye
path: /tmp/ op: IN_ATTRIB        file: goodbye
path: /tmp/ op: IN_OPEN          file: goodbye
path: /tmp/ op: IN_CLOSE_WRITE   file: goodbye
path: /tmp/ op: IN_DELETE        file: hello
path: /tmp/ op: IN_DELETE        file: goodbye

</code></pre>

<p>While the <code>IN_CLOSE_WRITE</code> event on a directory object is usually of greatest interest, most of the standard inotify events are available within incron, which also offers several unique amalgams:</p>

<pre><code>
$ man 5 incrontab | col -b | sed -n &#39;/EVENT SYMBOLS/,/child process/p&#39;

EVENT SYMBOLS

These basic event mask symbols are defined:

IN_ACCESS          File was accessed (read) (*)
IN_ATTRIB          Metadata changed (permissions, timestamps, extended
                   attributes, etc.) (*)
IN_CLOSE_WRITE     File opened for writing was closed (*)
IN_CLOSE_NOWRITE   File not opened for writing was closed (*)
IN_CREATE          File/directory created in watched directory (*)
IN_DELETE          File/directory deleted from watched directory (*)
IN_DELETE_SELF     Watched file/directory was itself deleted
IN_MODIFY          File was modified (*)
IN_MOVE_SELF       Watched file/directory was itself moved
IN_MOVED_FROM      File moved out of watched directory (*)
IN_MOVED_TO        File moved into watched directory (*)
IN_OPEN            File was opened (*)

When monitoring a directory, the events marked with an asterisk (*)
above can occur for files in the directory, in which case the name
field in the returned event data identifies the name of the file within
the directory.

The IN_ALL_EVENTS symbol is defined as a bit mask of all of the above
events. Two additional convenience symbols are IN_MOVE, which is a com-
bination of IN_MOVED_FROM and IN_MOVED_TO, and IN_CLOSE, which combines
IN_CLOSE_WRITE and IN_CLOSE_NOWRITE.

The following further symbols can be specified in the mask:

IN_DONT_FOLLOW     Don&#39;t dereference pathname if it is a symbolic link
IN_ONESHOT         Monitor pathname for only one event
IN_ONLYDIR         Only watch pathname if it is a directory

Additionally, there is a symbol which doesn&#39;t appear in the inotify sym-
bol set. It is IN_NO_LOOP. This symbol disables monitoring events until
the current one is completely handled (until its child process exits).

</code></pre>

<p>The incron system likely presents the most comprehensive interface to inotify of all the tools researched and listed here. Additional configuration options can be set in /etc/incron.conf to tweak incron&#39;s behavior for those that require a non-standard configuration.</p>

<h3 id="toc_3">Path Units under systemd</h3>

<p>When your Linux installation is running systemd as PID 1, limited inotify functionality is available through &quot;path units&quot; as is discussed in a lighthearted <a href="http://www.ocsmag.com/2015/09/02/monitoring-file-access-for-dummies">article by Paul Brown</a> at <u>OCS-Mag</u>.</p>

<p>The relevant manual page has useful information on the subject:</p>

<pre><code>
$ man systemd.path | col -b | sed -n &#39;/Internally,/,/systems./p&#39;

Internally, path units use the inotify(7) API to monitor file systems.
Due to that, it suffers by the same limitations as inotify, and for
example cannot be used to monitor files or directories changed by other
machines on remote NFS file systems.

</code></pre>

<p>Note that when a systemd path unit spawns a shell script, the <code>$HOME</code> and tilde (<code>~</code>) operator for the owner&#39;s home directory may not be defined. Using the tilde operator to reference another user&#39;s home directory (for example, ~nobody/) does work, even when applied to the self-same user running the script. The Oracle script above was explicit and did not reference ~ without specifying the target user, so I&#39;m using it as an example here.</p>

<p>Using inotify triggers with systemd path units requires two files. The first file specifies the filesystem location of interest:</p>

<pre><code>
$ cat /etc/systemd/system/oralog.path

[Unit]
Description=Oracle Archivelog Monitoring
Documentation=http://docs.yourserver.com

[Path]
PathChanged=/home/oracle/arch-orcl/

[Install]
WantedBy=multi-user.target

</code></pre>

<p>The <code>PathChanged</code> parameter above roughly corresponds to the <code>close-write</code> event used in my previous direct inotify calls. The full collection of inotify events is not (currently) supported by systemd—it is limited to <code>PathExists</code>, <code>PathChanged</code> and <code>PathModified</code>, which are described in <code>man systemd.path</code>.</p>

<p>The second file is a service unit describing a program to be executed. It must have the same name, but a different extension, as the path unit:</p>

<pre><code>
$ cat /etc/systemd/system/oralog.service

[Unit]
Description=Oracle Archivelog Monitoring
Documentation=http://docs.yourserver.com

[Service]
Type=oneshot
Environment=ORACLE_SID=orcl
ExecStart=/bin/sh -c &#39;/root/process_logs &gt;&gt; /tmp/plog.txt 2&gt;&amp;1&#39;

</code></pre>

<p>The <code>oneshot</code> parameter above alerts systemd that the program that it forks is expected to exit and should not be respawned automatically—the restarts are limited to triggers from the path unit. The above service configuration will provide the best options for logging—divert them to /dev/null if they are not needed.</p>

<p>Use <code>systemctl start</code> on the path unit to begin monitoring—a common error is using it on the service unit, which will directly run the handler only once. Enable the path unit if the monitoring should survive a reboot.</p>

<p>Although this limited functionality may be enough for some casual uses of inotify, it is a shame that the full functionality of inotifywait and incron are not represented here. Perhaps it will come in time.</p>

<h3 id="toc_4">Conclusion</h3>

<p>Although the inotify tools are powerful, they do have limitations. To repeat them, inotify cannot monitor remote (NFS) filesystems; it cannot report the userid involved in a triggering event; it does not work with /proc or other pseudo-filesystems; mmap() operations do not trigger it; and the inotify queue can overflow resulting in lost events, among other concerns.</p>

<p>Even with these weaknesses, the efficiency of inotify is superior to most other approaches for immediate notifications of filesystem activity. It also is quite flexible, and although the close-write directory trigger should suffice for most usage, it has ample tools for covering special use cases.</p>

<p>In any event, it is productive to replace polling activity with inotify watches, and system administrators should be liberal in educating the user community that the classic crontab is not an appropriate place to check for new files. Recalcitrant users should be confined to Ultrix on a VAX until they develop sufficient appreciation for modern tools and approaches, which should result in more efficient Linux systems and happier administrators.</p>

<h3 id="toc_5">Sidenote: Archiving /etc/passwd</h3>

<p>Tracking changes to the password file involves many different types of inotify triggering events. The <code>vipw</code> utility commonly will make changes to a temporary file, then clobber the original with it. This can be seen when the inode number changes:</p>

<pre><code>
# ll -i /etc/passwd
199720973 -rw-r--r-- 1 root root 3928 Jul  7 12:24 /etc/passwd

# vipw
[ make changes ]
You are using shadow passwords on this system.
Would you like to edit /etc/shadow now [y/n]? n

# ll -i /etc/passwd
203784208 -rw-r--r-- 1 root root 3956 Jul  7 12:24 /etc/passwd

</code></pre>

<p>The destruction and replacement of /etc/passwd even occurs with setuid binaries called by unprivileged users:</p>

<pre><code>
$ ll -i /etc/passwd
203784196 -rw-r--r-- 1 root root 3928 Jun 29 14:55 /etc/passwd

$ chsh
Changing shell for fishecj.
Password:
New shell [/bin/bash]: /bin/csh
Shell changed.

$ ll -i /etc/passwd
199720970 -rw-r--r-- 1 root root 3927 Jul  7 12:23 /etc/passwd

</code></pre>

<p>For this reason, all inotify triggering events should be considered when tracking this file. If there is concern with an inotify queue overflow (in which events are lost), then the <code>OPEN</code>, <code>ACCESS</code> and <code>CLOSE_NOWRITE,CLOSE</code> triggers likely can be immediately ignored.</p>

<p>All other inotify events on /etc/passwd might run the following script to version the changes into an RCS archive and mail them to an administrator:</p>

<pre><code>
#!/bin/sh

# This script tracks changes to the /etc/passwd file from inotify.
# Uses RCS for archiving. Watch for UID zero.

PWMAILS=Charlie.Root@openbsd.org

TPDIR=~/track_passwd

cd $TPDIR

if diff -q /etc/passwd $TPDIR/passwd
then exit                                         # they are the same
else sleep 5                                      # let passwd settle
     diff /etc/passwd $TPDIR/passwd 2&gt;&amp;1 |        # they are DIFFERENT
     mail -s &quot;/etc/passwd changes $(hostname -s)&quot; &quot;$PWMAILS&quot;
     cp -f /etc/passwd $TPDIR                     # copy for checkin

#    &quot;SCCS, the source motel! Programs check in and never check out!&quot;
#     -- Ken Thompson

     rcs -q -l passwd                            # lock the archive
     ci -q -m_ passwd                            # check in new ver
     co -q passwd                                # drop the new copy
fi &gt; /dev/null 2&gt;&amp;1

</code></pre>

<p>Here is an example email from the script for the above <code>chfn</code> operation:</p>

<pre><code>
-----Original Message-----
From: root [mailto:root@myhost.com]
Sent: Thursday, July 06, 2017 2:35 PM
To: Fisher, Charles J. &lt;Charles.Fisher@myhost.com&gt;;
Subject: /etc/passwd changes myhost

57c57
&lt; fishecj:x:123:456:Fisher, Charles J.:/home/fishecj:/bin/bash
---
&gt; fishecj:x:123:456:Fisher, Charles J.:/home/fishecj:/bin/csh

</code></pre>

<p>Further processing on the third column of /etc/passwd might detect UID zero (a root user) or other important user classes for emergency action. This might include a rollback of the file from RCS to /etc and/or SMS messages to security contacts.</p>


    

      </div>

      <div class="row">
        <div class="large-6 columns">
        <p class="text-left" style="padding:15px 0px;">
      
          <a href="15278220652161.html" 
          title="Previous Post: ZFS for Linux">&laquo; ZFS for Linux</a>
      
        </p>
        </div>
        <div class="large-6 columns">
      <p class="text-right" style="padding:15px 0px;">
      
          <a  href="15277861393795.html" 
          title="Next Post: 深入浅出Netty - EventLoop, EventLoopGroup">深入浅出Netty - EventLoop, EventLoopGroup &raquo;</a>
      
      </p>
        </div>
      </div>
      <div class="comments-wrap">
        <div class="share-comments">
          <script type="text/javascript" src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5ae58078c0d7b2ab"></script>

          

          
        </div>
      </div>
    </div><!-- article-wrap -->
  </div><!-- large 8 -->




 <div class="large-4 medium-4 columns">
  <div class="hide-for-small">
    <div id="sidebar" class="sidebar">
          <div id="site-info" class="site-info">
            
                <div class="site-a-logo"><img src="./asset/img/logo.jpg" /></div>
            
                <h1>Junkman</h1>
                <div class="site-des">“拾荒者”一词来自凯文・凯利的《失控》中关于机器学习的故事（“收集癖好机”如何完成他的收集工作）。</div>
                <div class="social">









<a target="_blank" class="github" target="_blank" href="https://github.com/panlw/" title="GitHub">GitHub</a>

  <a target="_blank" class="rss" href="atom.xml" title="RSS">RSS</a>
                
              	 </div>
          	</div>

             

              <div id="site-categories" class="side-item ">
                <div class="side-header">
                  <h2>Categories</h2>
                </div>
                <div class="side-content">

      	<p class="cat-list">
        
            <a href="Infra.html"><strong>Infra</strong></a>
        
            <a href="Coding.html"><strong>Coding</strong></a>
        
            <a href="Modeling.html"><strong>Modeling</strong></a>
        
            <a href="Archtecting.html"><strong>Archtecting</strong></a>
         
        </p>


                </div>
              </div>

              <div id="site-categories" class="side-item">
                <div class="side-header">
                  <h2>Recent Posts</h2>
                </div>
                <div class="side-content">
                <ul class="posts-list">
	      
		      
			      <li class="post">
			        <a href="15517999043443.html">The Art of Crafting Architectural Diagrams</a>
			      </li>
		     
		  
		      
			      <li class="post">
			        <a href="15517997955971.html">为什么说我们需要软件架构图？</a>
			      </li>
		     
		  
		      
			      <li class="post">
			        <a href="15516128677869.html">DNS Servers That Offer Privacy and Filtering</a>
			      </li>
		     
		  
		      
			      <li class="post">
			        <a href="15516123108194.html">Airbnb's Migration from Monolith to Services</a>
			      </li>
		     
		  
		      
			      <li class="post">
			        <a href="15516097487470.html">Events As First-Class Citizens</a>
			      </li>
		     
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		  
		      
		   
		  		</ul>
                </div>
              </div>
        </div><!-- sidebar -->
      </div><!-- hide for small -->
</div><!-- large 4 -->

</div><!-- row -->

 <div class="page-bottom clearfix">
  <div class="row">
   <p class="copyright">Copyright &copy; 2015
Powered by <a target="_blank" href="http://www.mweb.im">MWeb</a>,&nbsp; 
Theme used <a target="_blank" href="http://github.com">GitHub CSS</a>.</p>
  </div>
</div>

        </section>
      </div>
    </div>

  
    

    <script src="asset/js/foundation.min.js"></script>
    <script>
      $(document).foundation();
      function fixSidebarHeight(){
        var w1 = $('.markdown-body').height();
          var w2 = $('#sidebar').height();
          if (w1 > w2) { $('#sidebar').height(w1); };
      }
      $(function(){
        fixSidebarHeight();
      })
      $(window).load(function(){
          fixSidebarHeight();
      });
     
    </script>

    <script src="asset/chart/all-min.js"></script><script type="text/javascript">$(function(){    var mwebii=0;    var mwebChartEleId = 'mweb-chart-ele-';    $('pre>code').each(function(){        mwebii++;        var eleiid = mwebChartEleId+mwebii;        if($(this).hasClass('language-sequence')){            var ele = $(this).addClass('nohighlight').parent();            $('<div id="'+eleiid+'"></div>').insertAfter(ele);            ele.hide();            var diagram = Diagram.parse($(this).text());            diagram.drawSVG(eleiid,{theme: 'simple'});        }else if($(this).hasClass('language-flow')){            var ele = $(this).addClass('nohighlight').parent();            $('<div id="'+eleiid+'"></div>').insertAfter(ele);            ele.hide();            var diagram = flowchart.parse($(this).text());            diagram.drawSVG(eleiid);        }    });});</script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script><script type="text/x-mathjax-config">MathJax.Hub.Config({TeX: { equationNumbers: { autoNumber: "AMS" } }});</script>


  </body>
</html>