exectrace icon indicating copy to clipboard operation
exectrace copied to clipboard

Published 20 hours ago verified publisher icon coder

Kernel < 5.8 support

Open deansheather opened this issue 3 years ago • 0 comments

Right now, exectrace uses BPF_MAP_TYPE_RINGBUF which is only supported in Linux kernel 5.8+.

To support older kernels, we would need to reimplement the output method to use a perf map instead of a ringbuf:

  • A BPF_MAP_TYPE_PERF_EVENT_ARRAY for the output
  • A BPF_MAP_TYPE_PERCPU_ARRAY for temporary memory storage (because our event struct exceeds the 512 byte BPF stack limit)

This blog post has some examples comparing a ringbuf to a perfmap: https://nakryiko.com/posts/bpf-ringbuf

cc @kylecarbs

deansheather avatar Dec 03 '21 16:12 deansheather