feat(examples): ebpf-go validation recipe — loader example + cookbook#72
Merged
Conversation
ebpf-go (cilium/ebpf) is a separate loader implementation that trails
libbpf's feature set, so a libbpf load-pass does not guarantee an
ebpf-go load-pass on the same kernel. Projects that ship with ebpf-go
should validate through ebpf-go — command mode makes that a one-binary
recipe.
- examples/ebpf-go-loader: ~50-line static loader (CGO_ENABLED=0) that
loads a .bpf.o via ebpf.NewCollection, prints the verifier log on
rejection, exit code = verdict. Standalone Go module so cilium/ebpf
stays out of the main module's dependency surface.
- docs/ebpf-go-validation.md: cookbook (build static, test-command CLI
+ GitHub Action snippets, real-run matrix, extension notes).
- README: recipe linked from the command-mode section + doc map.
- ci.yml: compile the standalone example module (root go build ./...
does not see it).
VERIFIED with a real run (3 VMs, test-command, ringbuf_modern.bpf.o):
ubuntu-20.04-5.4 exit 1 ("map events: map create: invalid argument"),
almalinux-8-4.18 exit 0, ubuntu-22.04-5.15 exit 0 — the version-lies
contrast through the ebpf-go loader path, libbpf phase skipped.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Turns the "test ELFs against ebpf-go" caveat into a first-class recipe. ebpf-go is libbpf-compatible for the features it supports but is a separate loader implementation that trails libbpf — so a libbpf load-pass does not guarantee an ebpf-go load-pass. Projects shipping with ebpf-go should validate through ebpf-go; command mode makes that a one-binary recipe.
What's included
examples/ebpf-go-loader— ~50-line static loader (CGO_ENABLED=0): loads a.bpf.oviaebpf.NewCollection, prints the full verifier log on rejection, exit code = verdict. Standalone Go module, socilium/ebpfstays out of the main module's govulncheck/license surface.docs/ebpf-go-validation.md— cookbook: static build,test-commandCLI + GitHub Action snippets, real-run matrix, how to extend the loader with project invariants.go build ./...skips it).Verified with a real run
test-commandshipping this loader withringbuf_modern.bpf.oacross the version-lies trio (real QEMU/KVM):ubuntu-20.04-5.4map events: map create: invalid argumentalmalinux-8-4.18ubuntu-22.04-5.15libbpf load/attach reported
skippedon all three — the verdict is entirely ebpf-go's.🤖 Generated with Claude Code