feat(pkg): embeddable library mode (ValidateBeforeLoad) for pre-load gating #47
Merged
…gating

Add pkg/bpfcompat, an embeddable Go API for validating compiled eBPF objects against real kernels:

- ValidateBeforeLoad / ValidateBytes: real load of an object against the LOCAL running kernel — no VM, no network — for a pre-load gate (e.g. bpfman). The node it runs on is the node the program will load on, so the running kernel is the target; this is more accurate than static ELF/BTF inference and fast (~ms).
- Validate: thin facade over the existing matrix engine (N kernel profiles in disposable VMs), returning a mapped Report.

Host-kernel loading is gated behind the `hostload` build tag; default builds return ErrHostLoadNotEnabled, keeping the host-load freeze intact in the demo/server.

The static validator is embedded via go:embed (amd64/arm64, staged by `make pkg-embed-validator`, built by `make lib-hostload`) so the library has no external assets. An internal validatorProvider seam keeps the public API stable for a future in-process CGO validator.

arm64-build-smoke CI now builds + tests the hostload library and uploads the arm64 validator.

Pre-1.0 / experimental; see pkg/bpfcompat/README.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…erDefer)

Move the body into run() int so deferred cancel() runs before exit; main only calls os.Exit(run()).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What

Adds `pkg/bpfcompat`, an embeddable Go API for validating compiled eBPF objects against real kernels. Driven by the bpfman ask (Andy McDermott, Red Hat): call out to bpfcompat as a library to validate a program before loading it, with no QEMU and air-gap-safe.

Entry points

- `ValidateBeforeLoad` / `ValidateBytes`
- `Validate`

`ValidateBeforeLoad` is the pre-load gate: the node it runs on is the node the program will load on, so the running kernel is the target. It does a real `bpf()` load (the verifier), not static ELF/BTF inference — strictly more accurate, and fast (~ms).

Design decisions

- `hostload` build tag. Default builds (demo/server) return `ErrHostLoadNotEnabled`, so the existing host-load freeze stays intact everywhere it matters. The intentionally-fenced `RunnerHost` path is untouched.
- `go:embed` (amd64/arm64), extracted to a private temp dir per call — no external assets, air-gap-clean. Staged by `make pkg-embed-validator`, built by `make lib-hostload`.
- `validatorProvider` interface keeps the public API stable for a future in-process CGO validator (not a breaking change when added).

Verification

- `go vet` + `gofmt` clean.
- `Result`, matrix schema → `Report`) and the fenced-off default build; green with and without `-tags hostload`.
- `Validate` proven against a real ubuntu-24.04-6.8 VM boot (mapped `Report`, correct booted-kernel attribution). This surfaced and fixed two facade bugs (default `OutPath`/`WorkDir`).
- `arm64-build-smoke` CI now builds + tests the hostload library and uploads the arm64 validator.

Stability

Pre-1.0 / experimental — see `pkg/bpfcompat/README.md`. The embedded validator binary is git-ignored (a build artifact regenerated by `make pkg-embed-validator`).

🤖 Generated with Claude Code
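
The design notes above say the embedded validator is extracted to a private temp dir per call. One way to do that extraction in Go, as an added example that is not the project's own code: `extractValidator`, the `validators` map and its sample bytes are assumptions, with constructed byte slices standing in for the `go:embed`'ed amd64/arm64 binaries.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// Constructed stand-ins for the per-architecture go:embed'ed validator binaries.
var validators = map[string][]byte{
	"amd64": []byte("#!/bin/sh\nexit 0\n"),
	"arm64": []byte("#!/bin/sh\nexit 0\n"),
}

// extractValidator (hypothetical) extracts arch's validator into a fresh per-call directory.
func extractValidator(arch string) (dir, path string, cleanup func() error, err error) {
	blob, ok := validators[arch]
	if !ok {
		return "", "", nil, fmt.Errorf("no embedded validator for %s", arch)
	}
	// MkdirTemp picks an unpredictable name and creates the directory with mode 0700.
	if dir, err = os.MkdirTemp("", "validator-*"); err != nil {
		return "", "", nil, err
	}
	cleanup = func() error { return os.RemoveAll(dir) }
	path = filepath.Join(dir, "validator")
	// O_EXCL fails rather than reusing an existing file; 0500 is owner read+exec only.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o500)
	if err == nil {
		_, err = f.Write(blob)
		if cerr := f.Close(); err == nil {
			err = cerr
		}
	}
	if err != nil {
		cleanup()
		return "", "", nil, err
	}
	return dir, path, cleanup, nil
}

func main() {
	_, path, cleanup, err := extractValidator(runtime.GOARCH)
	if err != nil {
		panic(err)
	}
	defer cleanup()
	fmt.Println("extracted to", path)
}
```

The caller is expected to run `cleanup` once the validator process has exited, so no extracted binary outlives the call.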