[derobert]

Here you probably want fanotify, not inotify. The later would require setting up a lot of inotify entries, recursing through the filesystem.

https://man7.org/linux/man-pages/man7/fanotify.7.html

I think fanotify does xattrs, but I haven't tested.

[patrakov]

I would still think that eBPF is a better suited approach. With fanotify, you would need to manage the mount points for which notifications need to be received. This works semi-OK for a static use case, but not for dynamically-created mounts and, worse, mount namespaces. In other words, fanotify is not suitable at all, without a lot of glue, for monitoring events happening in containers. And, for example, clamonacc (on-access file checking for ClamAV) does not work with removable storage, temporary network mounts, and containers for this very reason.

[javierhonduco]

Exactly this. I should have mentioned it in the post. Might amend it.

Would be interesting to compare the chances of race conditions with inotify vs BPF for this contrived use-case.

[ec109685]

Just curious why you wouldn’t amend it?

Doesn’t take away from the original point that bpf is cool.

[OJFord]

Because it's from 2020/21, not even like it's a factual error, and OP may not have the interest to revisit it?