Skip to content

ROX-33199: unlink inode tracking #429

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ovalenti merged 10 commits into from
Apr 9, 2026
Merged

ROX-33199: unlink inode tracking #429

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
2fcd9a3
Unwatch inode of deleted files
ovalenti Mar 25, 2026
a8a3bef
Dismiss inode entry on unlink
ovalenti Mar 25, 2026
807b2a9
Verify inode deletion in probe
ovalenti Mar 25, 2026
fb7d100
Split the test in 2 phases for reliability
ovalenti Mar 27, 2026
910954b
Enhance comments
ovalenti Mar 30, 2026
9796c04
Count files deleted
ovalenti Mar 30, 2026
11244a9
Restore integration test to have only one wait_events()
ovalenti Apr 7, 2026
c0b761a
Disable scanner when scan_interval==0
ovalenti Apr 7, 2026
90cb3b7
Disable periodic scanner in tests
ovalenti Apr 7, 2026
ca0ef71
Remove the test
ovalenti Apr 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions fact-ebpf/src/bpf/main.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,9 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
return 0;
}

// We only support files with one link for now
inode_remove(&inode_key);

submit_unlink_event(&m->path_unlink,
path->path,
inode_to_submit,
Expand Down
5 changes: 3 additions & 2 deletions fact/src/config/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,13 +209,14 @@ impl TryFrom<Vec<Yaml>> for FactConfig {
config.hotreload = Some(hotreload);
}
"scan_interval" => {
// scan_internal == 0 disables the scanner
if let Some(scan_interval) = v.as_f64() {
if scan_interval <= 0.0 {
if scan_interval < 0.0 {
bail!("invalid scan_interval: {scan_interval}");
}
config.scan_interval = Some(Duration::from_secs_f64(scan_interval));
} else if let Some(scan_interval) = v.as_i64() {
if scan_interval <= 0 {
if scan_interval < 0 {
bail!("invalid scan_interval: {scan_interval}");
}
config.scan_interval = Some(Duration::from_secs(scan_interval as u64))
Expand Down
2 changes: 0 additions & 2 deletions fact/src/config/tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -465,8 +465,6 @@ paths:
"scan_interval: true",
"scan_interval field has incorrect type: Boolean(true)",
),
("scan_interval: 0", "invalid scan_interval: 0"),
("scan_interval: 0.0", "invalid scan_interval: 0"),
("scan_interval: -128", "invalid scan_interval: -128"),
("scan_interval: -128.5", "invalid scan_interval: -128.5"),
("unknown:", "Invalid field 'unknown' with value: Null"),
Expand Down
4 changes: 4 additions & 0 deletions fact/src/event/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,10 @@ impl Event {
matches!(self.file, FileData::Creation(_))
}

pub fn is_unlink(&self) -> bool {
matches!(self.file, FileData::Unlink(_))
}

/// Unwrap the inner FileData and return the inode that triggered
/// the event.
///
Expand Down
26 changes: 25 additions & 1 deletion fact/src/host_scanner.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,19 @@ impl HostScanner {
Ok(())
}

/// Handle unlink events by removing the inode from the inode->path map.
///
/// The probe already cleared the kernel inode map.
fn handle_unlink_event(&self, event: &Event) {
let inode = event.get_inode();

if self.inode_map.borrow_mut().remove(inode).is_some() {
self.metrics.scan_inc(ScanLabels::InodeRemoved);
}
Comment thread
Molter73 marked this conversation as resolved.

self.metrics.scan_inc(ScanLabels::FileRemoved);
}

/// Periodically notify the host scanner main task that a scan needs
/// to happen.
///
Expand All @@ -246,8 +259,14 @@ impl HostScanner {
}

pub fn start(mut self) -> JoinHandle<anyhow::Result<()>> {
let scan_interval_value = *self.scan_interval.borrow();
let scan_trigger = Arc::new(Notify::new());
self.start_scan_notifier(scan_trigger.clone());

if scan_interval_value.is_zero() {
warn!("Host scanner periodic scans permanently disabled (scan_interval is 0)");
} else {
self.start_scan_notifier(scan_trigger.clone());
}

tokio::spawn(async move {
info!("Starting host scanner...");
Expand Down Expand Up @@ -277,6 +296,11 @@ impl HostScanner {
event.set_old_host_path(host_path);
}

// Remove inode from the map
if event.is_unlink() {
self.handle_unlink_event(&event);
}

let event = Arc::new(event);
if let Err(e) = self.tx.send(event) {
self.metrics.events.dropped();
Expand Down
1 change: 1 addition & 0 deletions tests/conftest.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ def fact_config(request, monitored_dir, logs_dir):
'health_check': True,
},
'json': True,
'scan_interval': 0,
}
config_file = NamedTemporaryFile(
prefix='fact-config-', suffix='.yml', dir=cwd, mode='w')
Expand Down
Loading