Did you considered adding inode number there?

I mean, linux namecache is very different from our, and while linux' dir + name is something that identifies their inode, our does not. Adding a field should be source-compatible.

How inotify fd behaves on fork?

What about mknod?

File or vnode? Also, if vnode, effective or real link count?

Anyway, doesn't the inotify object itself acquires the use/effective count?

Did you considered taking the vnode interlock around all three ifs() and use vn_irflag_set_locked()?

BTW why the flags are in irflags? From my reading, they are actually modified under the vnode lock, and perhaps should be moved to v_flag (VV_XXX). Modulo that there is no space in v_flag.

I still cannot accept the frivolous breakage of the specialfd design breakage that was done. The bug in ioctl type checking is an example of the consequences.

Should the file be passable over unix socket? (Follow-up to the fork question)

Might be this should be an assert instead of the check?

Might be use the exterr and provide some description for EINVAL, to start setting the example.

Could you please explain this memset?

Indeed a useful stat should be provided.

This is the number of allocated inotify fds, am I right? And watchcnt is the number of watches registered per user.

IMO this is not too useful design for resources. There is already a global and per-process file limit. What is needed there is the per-user limit for events. Then the overflow record should be placed on the user limit reach, instead of the per-queue. It is easier for admin to utilize the limit this way (instead of multiplying the number of descriptors by the queue length).

The fd is inherited, unlike our kqueue. This is what prevented me from enabling inotify watcher in devel/dbus - it first creates a notify fd and then forks to do the actual work.

Yes, I mean that this should be mentioned in the man page.

It's source-compatible, but it wouldn't be binary-compatible, and this is required to avoid spuriously breaking applications linked against libinotify.so.

Maybe we could add a new flag which requests an alternate layout for struct inotify_event. Fetching the inode number is a bit complex too, I believe we have to add a VOP_GETATTR for every single event to get the inode number, which is a bit expensive.

The file. (I would avoid referencing "vnodes" in user-facing documentation.)

When the link count of a file changes, we use VOP_GETATTR to check the va_nlinks value; the usecount reference on the vnode doesn't affect that.

My reasoning was that the flags are checked "frequently" (i.e., in many VOP *_post hooks) and this is the motivation for the v_irflag split.

The flags are set under the interlock (and maybe the vnode lock, but this is coincidental), so I don't think v_flag is correct.

Sorry, can you elaborate? What frivolous breakage are you referring to?

Yes, I believe it would be safe.

I used EXTERR_CAT_FILEDESC, I'm not sure if it's an abuse or not.

I added a comment.

Yes, this is the number of inotify fds, and then the total number of watches per user. These limits come directly from Linux, for better or worse.

Suppose I implement your suggestion. A user has two process, each one opens an inotify descriptor. The first process hangs due to some bug or because it is stopped by a debugger, so events accumulate until the limit is reached. Then the second application cannot receive any more events. I think this is too fragile.

this is required to avoid spuriously breaking applications linked against libinotify.so.

Do we really need this? It is nice to have if we don't need to make tradeoffs, but the problem will only be visible for CURRENT users. We can as well just ask everyone to rebuild their ports after updating the world to get rid of all applications linked to libinotify.so

It'll be visible to users when they upgrade to 15.0-RELEASE. I want to be sure that their libinotify-linked applications don't misbehave after upgrading the base system.

And since none of those applications will expect to see an ino field, IMO it is not really useful to add one by default. Only new code will be able to use it.

For the ports software we require all packages/ports to be reinstalled after major upgrades. Users following this procedure will get a FreeBSD 15 package set, for which we'll disable linking to libinotify with https://reviews.freebsd.org/D50736

Programs that are compiled by users themselves will still be linked to libinotify, but they should still work, because they were compiled against libinotify sys/inotify.h and they will still be calling the library, not the native implementation.

The only case that comes to my mind that will be broken is:

1. Application that is using native inotify calls inotify_init()
2. It then loads some legacy module that pulls in libinotify.
3. Consecutive calls to inotify_add_watch and others will go to the library.

But this is a pretty much rare case, I think.

Well, aside from the compatibility issue, it's still relatively expensive to fetch the inode number, and nothing uses it (because all code using inotify today is targeting Linux). How exactly would the new field be useful?

Indeed, the library normally should appear before libc in the order of DT_NEEDED objects, and library symbols would interpose the libc symbols. BTW, is libnotify versioned?

It might be that the symbols exported from libc should be changed to not clash with the symbols from libinotify, similar to how the iconv was handled (iconv_open/libiconv_open) but with reverse direction.

WRT how the inode number in inotify event would be useful, how the event is used? For instance, if I watch a specific file, how could I be sure that events are for it and there is no some race? Normally I would open the file, and whenever I get the event for my name, I want to be sure that the name is still a hardlink to my file. How do I do that? If ino is reported, I simply compare ino in event with the result of fstat().

v_irflags motivation was 'read often, set never'. Perhaps only VIRF_TEXT_REF is somewhat outlier there, even this is up for discussion. All other flags are set at the vnode creation time and then not changed.

The inotify flags are supposed to have the active life.

It is fine to provide the userspace glue later, of course.

The timerfd case.

The most natural way would be to allocate a dedicated category, since for non-bloated kernels, we report the line numbers of the place where the situation occured, but not the file name.
EXTERR_CAT_INOTIFY is fine, we do not have shortage of numbers so far.

Just break out of the loop, to have the free() in single place?

Then return if error != 0

Why cannot this call be vrefact()?

Again SET_ERROR() for the series of EINVALs would be useful.

Why do we need the special case of the existing watch? Is it only to decrement the limit?
Perhaps a comment would be useful.

How could fp be NULL there?

It is much easier (and IMO natural) to configure global or per-uid limits, then have to do math like num_of_inotify times max_queue_length, if we need to make something behave.

Also it handles the normal situations better, where you have one outlier that requires a lot of events queued, while other listeners are mostly dormant. If you have queue limit, then you must bump it and have global effect, which is hard to balance.

libinotify's symbols have no versions. I think you're right that the clash is probably not a problem in practice, unless applications are underlinked.

If you are watching a specific file, then all events for that watch are associated with the same inode/vnode, so there is no race.

If you are watching a directory, and you receive a notification for an name in that directory, then yes it's possible for the name to refer to something else by the time you open it. But, I'm not sure why it's a problem: the watcher can also receive notifications about renames or unlinks, so it can see that the name has changed.

VIRF_DOOMED is set after creation too. VIRF_MOUNTPOINT also can change during the vnode lifetime as well, as mounts are created and destroyed.

In general I expect inotify flags to be set somewhat rarely, certainly less often then they are checked. And v_irflag is specifically annotated as being synchronized by the vnode interlock, so I don't really understand the "write never" requirement.

BTW, it would be nice if SET_ERROR* was an expression, so would could write return (SET_ERROR0(EINVAL, ...));, like the SET_ERROR() macro in OpenZFS.

Yes, it's just a small hack to ensure that we handle the accounting correctly. I added a comment.

I agree that the current scheme is not ideal, but a global limit makes it very easy to starve the rest of the system, and IMHO this is worse.

Note that there is some event coalescing, so file I/O should not generate too many back-to-back events.

I've heard that the main problem in practice in Linux is the per-user limit on the number of watches: when watching some large directory hierarchy (e.g., a copy of the freebsd src tree), it's easy to run out of watches.

VIRF_DOOMED is extra special, it is in fact protected by both interlock and vnode lock, and this is actively utilized.

VIRF_MOUNTPOINT does not have the intensive modification traffic.

Since your code seems to read the flags lockless often e.g. all the vnode post vop hooks, it would be nice to be honest/race-less and put the flags into place which is protected naturally.

At least this is not part of the ABI.

From my experience with e.g. the swap, the per-object limit scheme is not adequate. You want a global reasonable limit (global as e.g. per uid). When I needed swap limits, this was only workable schema, the limits set to the per-process VA did not provided the required safety, and the cause was not the shadowing.

So I do think that the current approach is formal and does not provide effects that would allow users to put the working limitations on the mis-behaving inotify consumers.

I do not expect to see intensive modification traffic for VIRF_INOTIFY*. The most common use-case for the feature is some background indexing service which watches for new files in a hierarchy. Such a service creates watches only rarely.

And mountpoints can be created and destroyed quite frequently in some workloads, e.g., port builds in poudriere.

it would be nice to be honest/race-less

Well, suppose I use the vnode lock to synchronize the flags. What should I do for VOPs where the vnode lock is not held, e.g., VOP_READ_PGCACHE? Either I would check the flag racily, so the same situation as right now, or acquire the lock in the _post hook, which is slow and complex.

In the current patch, the raciness is intentional. If INOTIFY observes that VIRF_INOTIFY* is set, then it will acquire the pollinfo lock to check for watches in a race-free manner. I want this feature to have minimal overhead when not enabled.

But there is a global limit: inotify_max_queued_events * inotify_max_user_instances restricts the number of pending records (per user). The current scheme is simplistic: we should derive max_queued_events from the amount of RAM in the system, rather than hard-coding a default. I will work on that.

Yes, we could make the limit of queued events per-uid instead of per-inotify fd. But again, that allows one process to starve another, and I think that's worse than the current scheme.

Let me rehash the intent behind the flags fields in struct vnode:

• VV_ aka v_vflag represent the vnode state, and protected by the vnode lock, as well as all other living vnode state;
• VI_ aka v_iflag, is mostly internal to VFS vnode lifecycle management;
• VIRF_ aka v_irflag was added as a hack, with the promise that it is used only for the stable flags that do not change after the vnode creation, therefore there is no race in reading them unlocked.

Abusing v_irflag for the transient state is perhaps technically allowed, indeed.

Starving one process with another consuming a lot of resources is in fact how resources limits are supposed to work. It helps in the critical situation, and usually went unnoticed until things go wrong.

Compare with the virtual address limits: we have per-process VSS (RLIMIT_AS), and we have per-uid swap limit. Despite the fact that we can claim that total is limited by per-uid process limit times RLIMIT_AS, it does not work: fork() needs overcommit to be practical, but also for some situations the real swap limit is required.

Same holds for all other resources: admins want to set the total limit per user, but user should (or needs) be able to exhaust the limit in single process, otherwise it cannot be exercised fully.

The inotify event limit is just a seatbelt, not a resource that must be managed by the admin. An inotify queue cannot be allowed to grow indefinitely, there must be some limit on the amount of kernel memory committed to inotify events. So, the limit can be global or per-queue, but either way, applications must handle the possibility of drops.

Suppose the limit is global. Then yes, if there is one busy inotify application running on the system, the queue can be much deeper, but the possibility of drops is still there. The application must handle them, or else it is simply buggy. And, the admin cannot easily know which applications are using inotify, and how many inotify applications might be busy in a given workload.

If the limit is per-queue, then the queue size is fixed, and drops may occur more easily than with a global limit. But, applications have to handle drops anyway. In either scenario, inotify cannot be treated as a reliable file event notification mechanism. A per-queue limit is simpler and cheaper to implement, and one buggy application cannot starve others, so the system behaviour is more predictable. That's why I prefer this scheme.

Rather than comparing inotify queue limits with memory limits, IMO it makes more sense to compare with socket buffers. Applications cannot really control how much kernel memory is committed to a socket receive buffer, so there must be some per-buffer limit. Does it make sense to make this limit per-UID instead of per-socket? I do not really think so. Any kernel queue (inotify queue, socket buffer, etc.) should have some bounded size. When the size is per-queue, applications can be independently tuned for performance; when it is global, it is impossible to tune a single application since one has to account for unrelated resource utilization.

Same holds for all other resources: admins want to set the total limit per user, but user should (or needs) be able to exhaust the limit in single process, otherwise it cannot be exercised fully.

But sometimes "exercised fully" is not important. One (IMHO valid) use for per-process RLIMIT_AS that I have seen in production was to ensure that a memory leak in a daemon does not result in memory pressure in the kernel or other parts of the system (composed of several dozen daemons). In this situation, a global limit was in fact undesirable: a buggy daemon should not trigger mmap() failures in unrelated services, instead it should die quickly and automatically get restarted. So, setting RLIMIT_AS to 2GB in each daemon process worked fine in practice.