
bpfcompat

An open-source eBPF compatibility validator: it boots real Linux kernels in disposable VMs, loads your compiled BPF programs inside each one, and gates your CI on an artifact-by-kernel pass/fail matrix.

Go · eBPF · CI/CD · Apache-2.0

Case Study

Problem

eBPF teams often discover verifier, BTF, or CO-RE compatibility failures only after deploying to a customer kernel.

Architecture

A Go orchestrator boots disposable QEMU/KVM Linux guests, loads compiled BPF artifacts through a C/libbpf validator, and aggregates results by kernel profile.

Security Approach

Compatibility checks run in disposable overlays instead of production hosts. The kernel verifier is treated as the authority, and CI fails on regression evidence.

Result

The project turns kernel compatibility into a repeatable CI gate with an artifact-by-kernel pass/fail matrix.

Evidence

  • Kernel-by-artifact matrix
  • Disposable VM execution
  • CI regression exit code

Lessons

  • Compatibility claims need live-kernel evidence, not only compile-time checks.
  • A small, deterministic failure code makes CI adoption easier.

Technical Overview

Written in Go with a C/libbpf validator that runs inside each guest. For every kernel profile, bpfcompat boots a disposable QEMU/KVM overlay VM from a cloud image (Ubuntu and Fedora, 5.x–6.x, x86_64 and ARM64), then actually loads and attaches each program — recording BTF status, CO-RE relocations, and capability checks. Results aggregate into a pass/fail matrix, and exit code 2 marks a compatibility regression for CI gating.

Value Proposition

Stop discovering kernel incompatibilities in production. bpfcompat proves your eBPF programs load on every kernel you ship to — in CI, before your users do — with verifiable evidence instead of guesswork.