feat: zero-config gadget validation (OCI loading + --quick + auto-size runtime maps) #39
Merged
--artifact now accepts an OCI image in addition to a local .bpf.o ELF: a registry reference (e.g. ghcr.io/inspektor-gadget/gadget/trace_open:latest), an OCI layout directory, or an OCI/docker image archive. bpfcompat extracts the eBPF object layer — preferring Inspektor Gadget's application/vnd.gadget.ebpf.program.v1+binary media type, with an ELF-magic fallback for gadgets packaged by other tooling — and validates it through the existing flow. internal/artifact/oci.go adds IsOCISource + ExtractEBPFFromOCI (via go-containerregistry: registry pull, OCI layout, tarball, with zip-slip-safe extraction); runner resolves an OCI source to a temp ELF before Inspect. Tests cover detection, media-type and ELF-magic selection, name derivation, and path-escape rejection; verified end-to-end pulling a real IG gadget. Requested by Inspektor Gadget maintainer Alban Crequy as a way for gadget authors to validate published gadgets across kernels without standing up CI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add --quick, which runs a small built-in kernel set (matrix.Quick: old LTS → recent) instead of requiring a --matrix file. Aimed at the local dev loop a gadget/eBPF author hits before any CI exists — pair with OCI loading for a one-liner: `bpfcompat test --artifact ghcr.io/org/gadget:tag --quick`. Config.Validate now accepts --quick in place of --matrix; runner uses matrix.Quick() when no matrix path is given. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Many real loaders (Inspektor Gadget, KubeArmor, Falco libpman) compile maps with max_entries=0 and set the size at load time from a userspace param. A generic load can't, so map creation fails with EINVAL on every kernel — a loader contract, not a compatibility result. The validator now gives such maps a default max_entries (4096), but only for types where 0 is invalid AND the real loader supplies a size (hash/array/percpu/LRU/stack-trace/LPM/prog-array). Types where 0 is meaningful are never touched: perf-event-array (nr_cpus), ring/user ringbuf (byte size), and the *_STORAGE local-storage maps (which require 0). Manifest max_entries fixups run first and win; auto-sizing only fills remaining zeros. Each auto-sized map is reported in the run notes for transparency. This makes zero-config gadget validation work: e.g. `bpfcompat test --artifact ghcr.io/inspektor-gadget/gadget/trace_open:latest --quick` loads with no manifest (ig_build_id auto-sized) and correctly fails only on Ubuntu 5.4, where the events ring buffer needs >= 5.8. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…al or CI) Add docs/case-study-inspektor-gadget.md — zero-config validation of published gadgets pulled from OCI (trace_open/trace_exec clean matrices; the trace_dns socket1 program-type loader-contract finding), with the AlmaLinux 8 / 4.18 backported-ringbuf "kernel version != feature support" highlight. Reposition the README and demo banner from "CI-first" to "test your eBPF across real kernels — locally or in CI", lead with the one-command OCI gadget example, and list the reference matrices in the docs map. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
# Conflicts: # CHANGELOG.md
Range OCI index descriptors by index (they are ~136-byte structs), and rename safeJoin's parameter so it no longer shadows the imported go-containerregistry `name` package. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
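A sketch of the two OCI-side checks the commits above describe: layer selection (gadget media type first, ELF-magic fallback) and path-escape rejection during extraction. This is an added example, not bpfcompat's code; the `layer` type, `pickEBPFLayer` and `safeJoinSketch` are hypothetical names, and the entry names are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Media type the PR names for Inspektor Gadget's eBPF program layer.
const gadgetEBPF = "application/vnd.gadget.ebpf.program.v1+binary"

// layer is a hypothetical stand-in for an OCI layer descriptor plus its blob.
type layer struct {
	MediaType string
	Data      []byte
}

// pickEBPFLayer prefers the gadget media type, else the first layer starting with ELF magic.
func pickEBPFLayer(layers []layer) (int, error) {
	fallback := -1
	for i := range layers { // by index: no per-iteration struct copy
		if layers[i].MediaType == gadgetEBPF {
			return i, nil
		}
		if fallback < 0 && bytes.HasPrefix(layers[i].Data, []byte("\x7fELF")) {
			fallback = i
		}
	}
	if fallback < 0 {
		return -1, errors.New("no eBPF object layer in image")
	}
	return fallback, nil
}

// safeJoinSketch rejects absolute entry names and any cleaned path outside root (zip-slip).
func safeJoinSketch(root, entry string) (string, error) {
	dst := filepath.Join(root, entry)
	rel, err := filepath.Rel(root, dst)
	if err != nil || filepath.IsAbs(entry) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", entry, root)
	}
	return dst, nil
}

func main() {
	fmt.Println(safeJoinSketch("/tmp/out", "../outside.o")) // constructed entry name
}
```

The join check is lexical only; an extractor that also materialises symlinks from the archive has to resolve them before trusting the joined path.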
What
Make bpfcompat validate a published eBPF gadget across kernels locally, with zero config — the workflow an Inspektor Gadget maintainer asked for. Three pieces:
- `--artifact` accepts an OCI image, not just a local `.bpf.o`: a registry reference (`ghcr.io/inspektor-gadget/gadget/trace_open:latest`), an OCI layout dir, or an OCI/docker archive. Extracts the eBPF layer (IG's `application/vnd.gadget.ebpf.program.v1+binary` media type, ELF-magic fallback) via `go-containerregistry`.
- `--quick` — a built-in kernel set (old LTS → recent), no `--matrix` file needed.
- `max_entries=0` (which the real loader sizes at runtime) get a default size so they load, but only for types where 0 is invalid; perf-event-array, ringbuf, and `*_STORAGE` local-storage maps (where 0 is meaningful) are never touched, and manifest fixups take precedence. Reported per map.

Together:
Why
Discovery thread with Alban Crequy (Inspektor Gadget / Microsoft): IG's official-gadget CI (vimto + ci-kernels) isn't exhaustive, and third-party gadget authors can't easily test their eBPF across kernels without standing up similar CI. His ask: let the bpfcompat CLI load a gadget straight from an OCI registry/tarball and test it locally.
Verification — real IG gadget, zero config
`bpfcompat test --artifact ghcr.io/inspektor-gadget/gadget/trace_open:latest --quick` (no manifest, no matrix file):

- `events` ring buffer needs ≥5.8 — auto-size correctly left the ringbuf alone
- `ig_build_id` auto-sized to 4096
- `ig_build_id` auto-sized to 4096

A true "kernel version ≠ feature support" result, produced with no configuration. (With the full 5-kernel matrix it also passes on AlmaLinux 8 / 4.18 — RHEL backported the ring buffer into 4.18.)
- `matrix.Quick` validation.
- `go build`, `go vet`, `gofmt`, `go test ./...` all clean.
- `go-containerregistry` added + vendored.

🤖 Generated with Claude Code
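The sizing rule from this description (manifest fixups first, then a 4096 default only for an allowlist of map types), written out as an added Go example that is not bpfcompat's implementation. `mapSpec`, `sizeMaps`, the exact enum members in the allowlist and the sample map types are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

const defaultMaxEntries = 4096 // default the PR gives zero-sized maps

// Allowlist: types where max_entries=0 is invalid and a loader supplies the size.
// The enum members are this example's reading of the PR's list (assumption).
var autoSizable = map[string]bool{
	"BPF_MAP_TYPE_HASH": true, "BPF_MAP_TYPE_ARRAY": true,
	"BPF_MAP_TYPE_PERCPU_HASH": true, "BPF_MAP_TYPE_PERCPU_ARRAY": true,
	"BPF_MAP_TYPE_LRU_HASH": true, "BPF_MAP_TYPE_LRU_PERCPU_HASH": true,
	"BPF_MAP_TYPE_STACK_TRACE": true, "BPF_MAP_TYPE_LPM_TRIE": true,
	"BPF_MAP_TYPE_PROG_ARRAY": true,
}

// mapSpec is a hypothetical, minimal map description (not a library type).
type mapSpec struct {
	Type       string
	MaxEntries uint32
}

// sizeMaps applies manifest fixups first, then fills remaining zeros for
// allowlisted types only, and returns one note per auto-sized map.
func sizeMaps(maps map[string]*mapSpec, fixups map[string]uint32) []string {
	for name, n := range fixups {
		if m, ok := maps[name]; ok {
			m.MaxEntries = n
		}
	}
	var notes []string
	for name, m := range maps {
		if m.MaxEntries == 0 && autoSizable[m.Type] {
			m.MaxEntries = defaultMaxEntries
			notes = append(notes, fmt.Sprintf("%s auto-sized to %d", name, defaultMaxEntries))
		}
	}
	sort.Strings(notes) // map iteration order is random; keep notes stable
	return notes
}

func main() { // constructed sample, not read from a real gadget
	maps := map[string]*mapSpec{"ig_build_id": {Type: "BPF_MAP_TYPE_HASH"}, "events": {Type: "BPF_MAP_TYPE_RINGBUF"}}
	fmt.Println(sizeMaps(maps, nil))
}
```

Because the rule is an allowlist, a map type the table does not know about is left at 0 and fails visibly instead of being resized on a guess.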