
feat(pkg): embeddable library mode (ValidateBeforeLoad) for pre-load gating#47

Merged
ErenAri merged 2 commits into
mainfrom
feat/library-mode
Jun 26, 2026

Conversation

@ErenAri

@ErenAri ErenAri commented Jun 26, 2026

Contributor

What

Adds pkg/bpfcompat, an embeddable Go API for validating compiled eBPF objects against real kernels. Driven by the bpfman ask (Andy McDermott, Red Hat): call out to bpfcompat as a library to validate a program before loading it, with no QEMU and air-gap-safe.

Entry points

| Function | What it does | Boots a VM? | Network? |
|---|---|---|---|
| ValidateBeforeLoad / ValidateBytes | Real load of an object against the local running kernel | No | No |
| Validate | Full matrix run across N kernel profiles in disposable VMs | Yes | Only for OCI artifacts |

ValidateBeforeLoad is the pre-load gate: the node it runs on is the node the program will load on, so the running kernel is the target. It does a real bpf() load (the verifier), not static ELF/BTF inference — strictly more accurate, and fast (~ms).

Design decisions

  • Host loading is gated behind the hostload build tag. Default builds (demo/server) return ErrHostLoadNotEnabled, so the existing host-load freeze stays intact everywhere it matters. The intentionally-fenced RunnerHost path is untouched.
  • Embed + exec. The static validator is embedded via go:embed (amd64/arm64), extracted to a private temp dir per call — no external assets, air-gap-clean. Staged by make pkg-embed-validator, built by make lib-hostload.
  • Provider seam. An internal validatorProvider interface keeps the public API stable for a future in-process CGO validator (not a breaking change when added).

Verification

  • Both build variants compile, go vet + gofmt clean.
  • Unit tests cover both mapping layers (validator JSON → Result, matrix schema → Report) and the fenced-off default build; green with and without -tags hostload.
  • Live host-load proven end-to-end against the local kernel (pass/fail/classified verdicts; ~3 ms on a small program).
  • Live Validate proven against a real ubuntu-24.04-6.8 VM boot (mapped Report, correct booted-kernel attribution). This surfaced and fixed two facade bugs (default OutPath/WorkDir).
  • arm64-build-smoke CI now builds + tests the hostload library and uploads the arm64 validator.

Stability

Pre-1.0 / experimental — see pkg/bpfcompat/README.md. The embedded validator binary is git-ignored (a build artifact regenerated by make pkg-embed-validator).

🤖 Generated with Claude Code
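Added illustration (not the project's code and not the `pkg/bpfcompat` API): a self-contained Go sketch of the pre-load gate the description lays out. The names `ErrHostLoadNotEnabled`, `ValidateBeforeLoad` and `validatorProvider` are taken from the PR text; their signatures, the `Result` fields, the validator's JSON schema and the verdict vocabulary are this example's assumptions. The real library selects the host-load path with the `hostload` build tag and gets the validator bytes from `go:embed`; so that one file compiles either way, the example substitutes two provider values and takes the bytes from the caller. `main` follows the `run()` / `os.Exit(run())` shape from the second commit so the deferred `cancel()` actually runs.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"time"
)

// ErrHostLoadNotEnabled: returned by a default (no hostload tag) build. Name from the PR.
var ErrHostLoadNotEnabled = errors.New("bpfcompat: host loading not enabled in this build")

// Result is an assumed minimal verdict shape; the JSON tags are an assumed validator schema.
type Result struct {
	Verdict string `json:"verdict"` // "pass", "fail" or "classified" (assumed vocabulary)
	Reason  string `json:"reason,omitempty"`
	Kernel  string `json:"kernel"` // release the load was attempted on
}

// validatorProvider is the seam: anything that yields validator JSON for one object.
type validatorProvider interface {
	Run(ctx context.Context, objPath string) ([]byte, error)
}

// mapValidatorJSON rejects unknown verdicts so malformed output can never read as a pass.
func mapValidatorJSON(raw []byte) (Result, error) {
	var r Result
	if err := json.Unmarshal(raw, &r); err != nil {
		return Result{}, fmt.Errorf("validator output: %w", err)
	}
	switch r.Verdict {
	case "pass", "fail", "classified":
		return r, nil
	}
	return Result{}, fmt.Errorf("validator output: unknown verdict %q", r.Verdict)
}

// disabledProvider plays the default build: it never touches the kernel.
type disabledProvider struct{}

func (disabledProvider) Run(context.Context, string) ([]byte, error) {
	return nil, ErrHostLoadNotEnabled
}

// extractPrivate writes the validator bytes as a 0700 file inside a fresh 0700 directory.
// MkdirTemp's unpredictable name and owner-only mode stop other users planting or swapping it.
func extractPrivate(bin []byte) (string, func(), error) {
	dir, err := os.MkdirTemp("", "bpfcompat-validator-")
	if err != nil {
		return "", nil, err
	}
	path := filepath.Join(dir, "validator")
	if err := os.WriteFile(path, bin, 0o700); err != nil {
		os.RemoveAll(dir)
		return "", nil, err
	}
	return path, func() { os.RemoveAll(dir) }, nil
}

// execProvider plays the hostload build: extract, exec, discard (real library: bytes via go:embed).
type execProvider struct{ bin []byte }

func (p execProvider) Run(ctx context.Context, objPath string) ([]byte, error) {
	path, cleanup, err := extractPrivate(p.bin)
	if err != nil {
		return nil, err
	}
	defer cleanup()
	cmd := exec.CommandContext(ctx, path, objPath)
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // do not inherit the caller's environment
	return cmd.Output()
}

// ValidateBeforeLoad is the gate a loader calls before loading; the provider argument is a simplification.
func ValidateBeforeLoad(ctx context.Context, p validatorProvider, objPath string) (Result, error) {
	raw, err := p.Run(ctx, objPath)
	if err != nil {
		return Result{}, err
	}
	return mapValidatorJSON(raw)
}

// run holds the body so the deferred cancel() fires; os.Exit in main would skip it.
func run() int {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	// Constructed stand-in for the embedded validator; a real one attempts the bpf() load.
	stub := []byte("#!/bin/sh\nprintf '{\"verdict\":\"pass\",\"kernel\":\"6.8.0-stub\"}'\n")
	res, err := ValidateBeforeLoad(ctx, execProvider{bin: stub}, "prog.o")
	if err != nil || res.Verdict != "pass" {
		fmt.Println("refusing to load:", res.Verdict, res.Reason, err)
		return 1
	}
	fmt.Println("ok to load on kernel", res.Kernel)
	return 0
}

func main() { os.Exit(run()) }
```

The validator `main` execs is a constructed shell script that prints a fixed verdict, standing in for a binary that would attempt the real load. Three things a loader wiring this in should keep: treat any error, `ErrHostLoadNotEnabled` included, and any verdict other than `pass` as refuse-to-load; create the extracted file with its final mode rather than chmod-ing after the write; and run the validator with a scrubbed environment and a context deadline so a wedged verifier cannot hang the loader.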

ErenAri and others added 2 commits June 26, 2026 17:21
…gating

Add pkg/bpfcompat, an embeddable Go API for validating compiled eBPF
objects against real kernels:

- ValidateBeforeLoad / ValidateBytes: real load of an object against the
  LOCAL running kernel — no VM, no network — for a pre-load gate (e.g.
  bpfman). The node it runs on is the node the program will load on, so the
  running kernel is the target; this is more accurate than static ELF/BTF
  inference and fast (~ms).
- Validate: thin facade over the existing matrix engine (N kernel profiles
  in disposable VMs), returning a mapped Report.

Host-kernel loading is gated behind the `hostload` build tag; default
builds return ErrHostLoadNotEnabled, keeping the host-load freeze intact in
the demo/server. The static validator is embedded via go:embed (amd64/arm64,
staged by `make pkg-embed-validator`, built by `make lib-hostload`) so the
library has no external assets. An internal validatorProvider seam keeps the
public API stable for a future in-process CGO validator.

arm64-build-smoke CI now builds + tests the hostload library and uploads the
arm64 validator. Pre-1.0 / experimental; see pkg/bpfcompat/README.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…erDefer)

Move the body into run() int so deferred cancel() runs before exit; main only
calls os.Exit(run()).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ErenAri ErenAri merged commit 17e5f0d into main Jun 26, 2026
7 of 8 checks passed
@ErenAri ErenAri deleted the feat/library-mode branch June 26, 2026 14:37
