On Thu, 14 Mar 2019 08:27:48 -0400 Joel Fernandes <joel@joelfernandes.org> wrote:
> > But the eBPF is based on kprobe-events. What kind of usage would you expect? (with macros??)
>
> eBPF C programs are compiled with kernel headers. They can execute inline functions or refer to macros in the kernel headers. They are similar to kernel modules where you build a C program that then later is executed in kernel context. It goes through the whole compiler pipeline. This is slightly different usage from pure kprobe-events. Also eBPF kprobe programs need the LINUX_VERSION_CODE (or similarly named) macro which it provides to the bpf(2) syscall when loading kprobe programs. This is because the eBPF implementation in the kernel checks if the eBPF programs that use kprobes are being loaded against the right kernel.
Ah, I got it. It's similar to SystemTap. :)
Thank you,
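
The version check described in the quoted message, as an added example that is not part of the original thread and is not kernel code: it packs a version the way the KERNEL_VERSION(a, b, c) macro in <linux/version.h> does and compares it with the running kernel. The helper names (kver_pack, kver_from_release, kprobe_version_check) and the sample version 5.0.2 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <sys/utsname.h>

/* Same packing as KERNEL_VERSION(a, b, c): major<<16 | minor<<8 | sublevel.
 * Sublevels above 255 are clamped (as newer kernel headers do) so they
 * cannot spill into the minor field. */
static uint32_t kver_pack(unsigned a, unsigned b, unsigned c)
{
    if (c > 255)
        c = 255;
    return (a << 16) + (b << 8) + c;
}

/* Parse a `uname -r` style string such as "5.0.2-generic" or "5.1-rc1".
 * Returns 0 when no major.minor pair can be read.
 * Assumption: the release string reflects the headers the program was
 * built against; the headers' LINUX_VERSION_CODE is the authoritative value. */
static uint32_t kver_from_release(const char *release)
{
    unsigned a = 0, b = 0, c = 0;

    if (sscanf(release, "%u.%u.%u", &a, &b, &c) < 2)
        return 0;
    return kver_pack(a, b, c);
}

/* Model of the load-time check as described in the message: the version
 * the program supplies must equal the running kernel's. 0 = accept. */
static int kprobe_version_check(uint32_t prog_version, uint32_t running)
{
    return prog_version == running ? 0 : -1;
}

int main(void)
{
    struct utsname u;
    uint32_t built = kver_pack(5, 0, 2);  /* constructed sample value */

    if (uname(&u) != 0)
        return 1;
    uint32_t running = kver_from_release(u.release);
    printf("built for 0x%06x, running 0x%06x (%s): %s\n",
           (unsigned)built, (unsigned)running, u.release,
           kprobe_version_check(built, running) == 0 ? "match" : "mismatch");
    return 0;
}
```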