CO:RE Support: Add support for embedding and loading BTF for the running host #715
Comments
kakkoyun
added
enhancement
|
I think we should start with the 5.2 kernel requirement and add in the documentation that it's possible to support older kernels. We should only add this feature if we find the users that require it. |
I recently revisited what the supported features for the kernel version are. FWIW, BTF type format is supporter version 4.18, and above https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md I think we can have it since we claim to support 4.19 and above. |
|
While basic support for BTF indeed existed since 4.18, the more important thing to have the information about is when support for the BTF APIs we'll have in use with the stack unwinding feature landed in the kernel. And depending upon that we can decide if it's worth adding support for the CO-RE via BTF Hub(for the older versions) or not. For example, some stuff from older BTF things might already be outdated anyway. |
|
Let's see how it goes. As of now, all the things we need for unwinding are in the perf_event context, so we might not need this. |
kakkoyun
changed the title
kakkoyun
changed the title
kakkoyun
added
good first issue
Using https://github.com/aquasecurity/btfhub, we can download the specific BTF definitions for the major kernel versions and embed those BTF definitions into the binaries.
CONFIG_DEBUG_INFO_BTF=yis enabled in the Kernel config; it's easy to find BTF definitions for the kernel under/sys/kernel/btf/vmlinux. However, if it's not there, we need a way to provide them if we claim that we're truly CO:RE.BTF definitions for the major Kernel versions can be downloaded from the hub, embedded, and loaded with the correct definitions when initializing the libbpf loader.
Tracee does this, and this article explains the process in detail https://opensource.com/article/22/9/ebpf-monitor-traffic-tracee
The text was updated successfully, but these errors were encountered: