How do you know when a file has been changed on a filesystem? Developer tools that need to hot-reload programs or kick off compilation or deploy loops on code changes need a reliable source of information (at Google, I built this for Kubernetes development).
You can periodically poll for changes – that's potentially slow and intensive for large file subtrees.
There's also a inotify, a kernel subsystem that monitors changes to the filesystem (kqueue on FreeBSD/macOS). Some issues with inotify,
- Doesn't support recursive directory watches
- Can drop changes when a large number of filesystem events occur (fixed-sized buffer)
- No native debouncing support when a large number of events occur
- Race conditions (rename events and between different instances of
inotify) - API issues (no event information about the process that changed the file, path names as the event data)
What if you could use eBPF to run more granular filesystem notification programs? It's a natural fit: a tough problem to generically solve in the kernel that can only be solved in the kernel. It could open up more advanced file watching to a host of applications – everything from developer tools like git, webpack, and skaffold to more critical file-watching applications that solve observability or security issues. Development could happen much faster outside the kernel, and programs could be adapted to specific needs. And filtering filesystem events is not a far throw from BPF's original purpose as a generic network packet filter.