bpfcompat

An open-source eBPF compatibility validator: it boots real Linux kernels in disposable VMs, loads your compiled BPF programs inside each one, and gates your CI on an artifact-by-kernel pass/fail matrix.

Go, eBPF, CI/CD, Apache-2.0

Case Study

Problem

eBPF teams often discover verifier, BTF, or CO-RE compatibility failures only after deploying to a customer kernel.

Architecture

A Go orchestrator boots disposable QEMU/KVM Linux guests, loads compiled BPF artifacts through a C/libbpf validator, and aggregates results by kernel profile.

Security Approach

Compatibility checks run in disposable overlays instead of production hosts. The kernel verifier is treated as the authority, and CI fails on regression evidence.

Outcome

The project turns kernel compatibility into a repeatable CI gate with an artifact-by-kernel pass/fail matrix.

Evidence

  • Kernel-by-artifact matrix
  • Disposable VM execution
  • CI regression exit code

Lessons Learned

  • Compatibility claims need live-kernel evidence, not only compile-time checks.
  • A small, deterministic failure code makes CI adoption easier.

Technical Overview

Written in Go with a C/libbpf validator that runs inside each guest. For every kernel profile, bpfcompat boots a disposable QEMU/KVM overlay VM from a cloud image (Ubuntu and Fedora, 5.x–6.x, x86_64 and ARM64), then actually loads and attaches each program — recording BTF status, CO-RE relocations, and capability checks. Results aggregate into a pass/fail matrix, and exit code 2 marks a compatibility regression for CI gating.
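The aggregation and CI gate described above, as an added Go example that is not bpfcompat's own code. `Result`, `Matrix`, `Aggregate`, `Gate` and the kernel and artifact names are hypothetical; it assumes a regression is a cell that passed in a stored baseline and now fails or is missing.

```go
package main

import (
	"fmt"
	"sort"
)

// Result is one guest-side load attempt (hypothetical shape, not bpfcompat's schema).
type Result struct {
	Kernel, Artifact string
	Loaded           bool
}

// Matrix maps artifact -> kernel profile -> pass/fail.
type Matrix map[string]map[string]bool

func Aggregate(results []Result) Matrix {
	m := Matrix{}
	for _, r := range results {
		if m[r.Artifact] == nil {
			m[r.Artifact] = map[string]bool{}
		}
		m[r.Artifact][r.Kernel] = r.Loaded
	}
	return m
}

// Gate lists cells that passed in baseline but now fail or are missing, and
// returns exit code 2 (the page's regression code) if any exist, else 0.
// Assumption: a missing cell fails closed, since a guest that never reported
// is not evidence of compatibility.
func Gate(baseline, current Matrix) ([]string, int) {
	var regs []string
	for art, kernels := range baseline {
		for k, passed := range kernels {
			if now, ok := current[art][k]; passed && (!ok || !now) {
				regs = append(regs, art+" @ "+k)
			}
		}
	}
	sort.Strings(regs)
	if len(regs) > 0 {
		return regs, 2
	}
	return regs, 0
}

func main() {
	base := Aggregate([]Result{{"ubuntu-5.15", "probe.o", true}}) // constructed sample
	cur := Aggregate([]Result{{"ubuntu-5.15", "probe.o", false}})
	fmt.Println(Gate(base, cur))
}
```

A cell that fails on a kernel profile absent from the baseline is not reported by this gate; whether new profiles should block CI is a policy choice the page does not specify.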

Value Proposition

Stop discovering kernel incompatibilities in production. bpfcompat proves your eBPF programs load on every kernel you ship to — in CI, before your users do — with verifiable evidence instead of guesswork.