Open nascentcore-eng opened 1 year ago
ArthurChiao
commented
1 year ago 1 question is how can libbpf handles changes in the kernel data structure where new fields are added into the struct For example, let's say on kernel v0.10, int val was added to _kernel_structure
http://arthurchiao.art/blog/bpf-portability-and-co-re-zh/ , or the original blog:
https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html
oojimmy
commented
1 year ago https://github.com/aquasecurity/libbpfgo
Edit by @yaxiong-zhao 2023-02-20: This is a golang biding of libbpf
nascentcore-eng
commented
1 year ago @ArthurChiao Have done a thorough investigation on the format of clang-compiled bpf object file, and how to use cilium/ebpf to parse and operate the object file (open perf buffer, bpf map, load program, and attach probes etc.) The sample code is in experimental/cilium-ebpf
The result shows that:
Our next step, is to prototyping an API based on the sample code in https://github.com/tricorder-observability/starship/tree/main/experimental/cilium-ebpf @yaxiong-zhao @ArthurChiao will discuss about this later.
nascentcore-eng
commented
1 year ago
Right now starship only support BCC style C code. BCC style C code has one major limitations:
From the perspective of making portable BPF code, BCC and libbpf actually are two different approaches to this same problem, i.e.:
1 question is how can libbpf handles changes in the kernel data structure where new fields are added into the struct For example, let's say on kernel v0.10, int val was added to _kernel_structure
If we compile with libbpf against v0.10, what happens when we deploy the resultant ebpf binary code on v0.9 kernel?
The goal of this issue is to implement the support for libbpf-style bpf C code, or libbpf binary object file.