Your BPF code must be relying on CO-RE. I can check if you can show me your BPF source code. The pinning and map definition itself doesn't rely on CO-RE and thus doesn't need kernel BTF.

Interestingly enough I am using clang version 10.0.0! Even with that creating a structure from the examples like so: struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1);

It doesn't require kernel BTF for that. Only BPF program's BTF generated by Clang. So you'll need something like Clang 10 (or maybe Clang 9 will do as well), but no requirements for kernel BTF. >

These examples are exactly what I am looking for but it appears that they either require BTF activated in the kernel or require a 5.8 kernel. Unfortunately I am targeting the new Ubuntu 20.04 system

Libbpf supports declarative pinning of maps, that's how you easily get "map re-use" from BPF side. See [0] for example. But there is also bpf_map__pin() and bpf_map__reuse_fd() API on user-space side

It was my understanding that bpf_obj_get was intended to be used as a user space API. I am looking to "open" or obtain a reference to a map in the actual eBPF program that is loaded into the kernel

You can use bpf_obj_get() API to get a reference to the pinned map. BPF_ANNOTATE_KV_PAIR is old way to provide map key/value types, mostly for pretty print. bcc still uses it. libbpf can use more

Hello BPF Community! Hope you are all doing well. I am trying to have a user space program create a BPF Hash map with a single element containing its PID. This map could then be read by all the BPF

No perf buffer is just fine to pass data from the BPF program in the kernel to the user-space part for post-processing. It's hard to give you any definitive answer, it all depends. But think about

Unfortunately my project is currently targeting Ubuntu 20.04 which ships with linux kernel version 5.4. It is a shame because the new ring buffer interface looks excellent! That said, would you still

I don't think golang can interrupt thread while it's being executed in the kernel. So from the golang perspective I wouldn't worry, the kernel will execute both kprobe and corresponding kretprobe

If you have the luxury of using Linux kernel 5.8 or newer, you can try a new BPF ring buffer map, that provides MPSC queue (so you can queue from multiple CPUs simultaneously, while BPF perf buffer

The project I am working on generically loads BPF object files, pins their respective maps, and then proceeds to use perf_buffer__poll from libbpf to poll the maps. I currently am polling the multiple

Thanks for reply. It seems fexit it a new feature and I'm using linux v4.15, so fexit can't help here. kretprobe with kprobe is an option and I've found a lot examples in bbc, but I am also wondering

You can't do it reliably with kretprobe. kretprobe is executed right before the function is exiting, by that time all the registers that contained input parameters could have been used for something

When using kprobe in bcc, I can get param directly like `int kprobe__tcp_set_state(struct pt_regs *ctx, struct sock *sk, int state)` But it seems not to work in kretprobe, I've found that I can get

The BPF UAPI header file <linux/bpf.h> includes <linux/types.h>, which gives BPF-programs access to types e.g. __u32, __u64, __u8, etc. On Ubuntu/Debian when compiling with clang option[1] "-target

Hi, I am trying to attach the same TC eBPF program instance to both host and container interfaces. So some of the maps need to be qualified with the netns id. I was wondering if there is a way to

Hello Tristan! That is the same path I found when debugging with strace! I think I also saw a missing comm string during my tests (with printk from BCC), but I would have to reproduce it again to be

Alessandro, I figured out that it's non-deterministic. So sometimes certain commands (git, awk, rm, uname, etc.) will have an openat with no filename, but other times they will. I ran these commands