Chapter 5. CO-RE, BTF, and Libbpf

In the previous chapter you encountered BTF (BPF Type Format) for the first time. This chapter discusses why it exists and how it’s used to make eBPF programs portable across different versions of the kernel. BTF is a key part of BPF’s compile once, run everywhere (CO-RE) approach to that portability problem.

Many eBPF programs access kernel data structures, and an eBPF programmer would need to include relevant Linux header files so that their eBPF code can correctly locate fields within those data structures. However, the Linux kernel is under continuous development, which means internal data structures can change between different kernel versions. If you were to take an eBPF object file compiled on one machine and load it onto a machine with a different kernel version, there would be no guarantee that the data structures would be the same.

The CO-RE approach is a huge step forward in addressing this portability issue in an efficient way. It allows eBPF programs to include information about the data structure layouts they were compiled with, and it provides a mechanism for adjusting how fields are accessed if the data structure layout is different on the target machine where they run. Provided the program doesn’t want to access a field or data structure that simply doesn’t exist in the target machine’s kernel, the program is portable across different kernel versions.
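The adjustment described above can be modeled in plain userspace C. This is an added example, not code from the book or from libbpf: the `task` layouts, the memory image, and the `find_off`/`relocate` helpers are constructed for illustration. It shows a stale build-time offset reading the wrong field, the same access after it is patched by field name, and the failure case where the field does not exist on the target.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for BTF: one struct's field names and byte offsets. */
struct field  { const char *name; size_t off; };
struct layout { const char *type; const struct field *f; size_t n; };
/* One recorded access: the field by name, plus the build-time offset. */
struct reloc  { const char *type, *field; size_t off; };

/* Build-machine layout (constructed). */
static const struct field build_f[] = { {"pid", 0}, {"comm", 4} };
static const struct layout build_l = { "task", build_f, 2 };
/* Target layout: "flags" was inserted, so "comm" moved from 4 to 8. */
static const struct field target_f[] = { {"pid", 0}, {"flags", 4}, {"comm", 8} };
static const struct layout target_l = { "task", target_f, 3 };
/* Target memory for one "task": pid=1234, flags=1, comm="sshd". */
static const unsigned char target_mem[24] =
    { 0xd2, 0x04, 0, 0,  0x01, 0, 0, 0,  's', 's', 'h', 'd', 0 };

/* Look a field up by name; returns 0 and sets *off, or -1 if absent. */
static int find_off(const struct layout *l, const char *type,
                    const char *field, size_t *off)
{
    if (strcmp(l->type, type) != 0)
        return -1;
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->f[i].name, field) == 0) { *off = l->f[i].off; return 0; }
    return -1;
}

/* Load-time step: patch the recorded offset to the target's layout.
 * On failure the access is left untouched and the load must be refused. */
int relocate(struct reloc *r, const struct layout *target)
{
    return find_off(target, r->type, r->field, &r->off);
}

int main(void)
{
    struct reloc comm = { "task", "comm", 0 }, gone = { "task", "exit_code", 0 };
    find_off(&build_l, "task", "comm", &comm.off);   /* compile time: 4 */
    printf("stale read : \"%s\"\n", (const char *)target_mem + comm.off);
    if (relocate(&comm, &target_l) == 0)
        printf("relocated  : \"%s\" at offset %zu\n",
               (const char *)target_mem + comm.off, comm.off);
    if (relocate(&gone, &target_l) != 0)
        printf("exit_code  : not in target layout, refuse to load\n");
    return 0;
}
```

Without the relocation step the stale offset silently returns the bytes of `flags` rather than `comm`, which is the failure mode that makes unrelocated object files unsafe to trust across kernels.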

But before we ...
