Blog
Thoughts on engineering, design, and building great products.
libbpf and CO-RE: Writing an eBPF Tool Yourself
bpftrace is good for quick questions. When you need a real tool — packaged, distributed, long-running — you write the eBPF program in C with libbpf and CO-RE. This post builds execsnoop from scratch: a kernel program pushing exec events through a ring buffer, bpftool generating the skeleton, and a C loader using libbpf to load and read events. Build the full chain clang → skeleton → libbpf, then watch every exec on the cluster appear with pid, ppid, filename — plus a real buffer trap.
BTF and CO-RE: Compile Once, Run on Every Kernel
Kernel data structures like task_struct have different layouts across kernel versions — a field sits at a different offset per build. So how does a pre-compiled eBPF program read the right field on every kernel? BTF and CO-RE. This final Part I post generates vmlinux.h from the kernel's BTF, writes a program that reads ppid by walking task->real_parent->tgid, compiles once and runs — libbpf finds the right offset from the running kernel's BTF. The foundation for Part III.