# Inotify



> This is a translation from
> [this article](http://atcomputing.nl/2009/december/04/index.php#e2009-12-04T10_00_31.txt) which
> is published in Dutch

During [our](http://www.atcomputing.nl) work at
[Octrooicentrum Nederland](http://www.octrooicentrum.nl/)
somebody came up with the following question. During the
night a file was created in a directory and he wanted to know
who (which process) was responsible for that. My first reaction
was: "Can't be done".

However, that evening I thought of `inotify` which could be of help.
With `inotify` you can watch your file system
and get notified when "something" (read, write, create, etc.)
happens. For (much) more detailed information look in inotify(7).

You can install the tools with:

    % apt-get install inotify-tools

And with that you get two tools
`inotifywatch` and `inotifywait`.

The inotify framework has a configurable limit on how many directories
can be watched at once. To increase this a bit you need to write
a value to a file under `/proc`, like so:

    % sudo -s
    # echo $((2 ** 16)) > /proc/sys/fs/inotify/max_user_watches

64K should be enough for everyone.

Using `inotifywait` works with:

    % inotifywait -m  -r --format '%:e %f' ~
    Setting up watches.  Beware: since -r was given, this may take a while!
    Watches established.

* `-m`: keep waiting;
* `--format '%:e %f'`: change the output (see inotifywait(1));
* `-r`: recursive.

Now, I'm going to create a file in my home directory:

    % touch bliep

And in my other terminal window I see output scrolling by, among
which:

    CREATE bliep
    OPEN bliep
    ATTRIB bliep
    CLOSE_WRITE:CLOSE bliep

As you can see, the file `~/bliep` has been created.

# Getting the process

> Note: the following creates a blatant race condition, so
> this is not bullet proof.

Lets start `inotifywait` and let it trigger for the creation of the
file `bliep`. If it is created try to get to the creating process (if
possible).

    % inotifywait -m  -r --format '%:e %f' ~ | grep -q 'CREATE bliep' && \
    lsof -t ~/bliep | xargs pstree -a -h

Which should be fairly obvious to the trained Unix eye. So
if I type the following in one terminal:

    % touch bliep && tail -f bliep

Then the `inotifywait` pipeline will output:

    tail -f bliep

Which says: the `tail -f` is still tailing the file `bliep`. Note:
that `touch` command is not seen. So we have the culprit -- well one
of them, at least.

With inotify you can probably imagine other uses. One idea may be that
of a *realtime* backup (this might even be already implemented by
someone).

Other usefull tools based on `inotify` are:

<dl>
<dt>incron</dt>
<dd>cron-like daemon with support for filesystem events</dd>
<dt>inotail</dt>
<dd>tail replacement with inotify, probably faster than GNU tail -f</dd>
</dl>

You can find more information in
[this article](http://www.linuxjournal.com/article/8478), which
is authored by the original author of inotify [Robert Love](http://rlove.org/).