{"id":28716324,"url":"https://github.com/aleyi17/ebpf_loader","last_synced_at":"2026-05-06T08:34:09.110Z","repository":{"id":287967994,"uuid":"966294051","full_name":"ALEYI17/ebpf_loader","owner":"ALEYI17","description":"Lightweight agent for running eBPF programs on Linux nodes. Captures system events and streams enriched data to a central server. Supports standalone and Kubernetes modes.","archived":false,"fork":false,"pushed_at":"2025-06-12T22:04:52.000Z","size":889,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-12T23:22:36.983Z","etag":null,"topics":["ebpf","golang"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ALEYI17.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-14T17:46:07.000Z","updated_at":"2025-06-12T22:04:56.000Z","dependencies_parsed_at":"2025-04-14T22:29:15.692Z","dependency_job_id":"0d7410e6-562f-4537-bbea-9ecfc5a91cf2","html_url":"https://github.com/ALEYI17/ebpf_loader","commit_stats":null,"previous_names":["aleyi17/ebpf_loader"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ALEYI17/ebpf_loader","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2Febpf_loader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2Febpf_loader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2Febpf_loader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2Febpf_loader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ALEYI17","download_url":"https://codeload.github.com/ALEYI17/ebpf_loader/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2Febpf_loader/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259914866,"owners_count":22931323,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","golang"],"created_at":"2025-06-15T03:00:16.340Z","updated_at":"2026-05-06T08:34:09.104Z","avatar_url":"https://github.com/ALEYI17.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# InfraSight Agent (eBPF Loader)\n\nThis component of the **InfraSight** platform is a node-level agent that uses **eBPF programs** to trace system activity (e.g., syscalls like `execve`, `accept`, etc.), enriches this data, and sends it to the InfraSight server via gRPC.\n\nIt is responsible for:\n- Loading and attaching eBPF programs to tracepoints\n- Capturing events from the kernel\n- Enriching events with user-space metadata\n- Sending structured events to the server using gRPC\n\n## 📦 Features\n\n- Traces syscalls like `execve`, `open`, `connect`, `accept`, `chmod`.\n- Uses **Cilium/ebpf** to interact with eBPF programs\n- Communicates over gRPC with the InfraSight server\n- Flexible design: load multiple eBPF \"loaders\" dynamically\n- Designed for use as a container in Kubernetes or standalone\n\n## 🧱 Technologies Used and Dependencies\n\n- [Go](https://golang.org/) (\u003e= 1.21)\n- [Cilium eBPF](https://github.com/cilium/ebpf)\n- [gRPC](https://grpc.io/)\n- [Protocol Buffers](https://protobuf.dev/)\n- `go:generate` to compile eBPF programs from C\n- `libelf`\n- `zlib`\n\n\n### How to run the container with docker\n\n```bash\n\ndocker run -it \\\n--privileged \\\n-e TRACER=accept,execve \\\n-e NODE_NAME=CASA \\\n-p 9090:9090 \\\n-v /var/run:/var/run:ro \\\n-v /sys/kernel/debug:/sys/kernel/debug:rw \\\nghcr.io/aleyi17/ebpf_loader:latest \\\n--server-addr=server \\\n--server-port=8080\n\n```\n\u003e 🔐 `--privileged` is required to load eBPF programs.\n\n## 🛠️ Building from Source\n\n### Clone the repository\n```bash\ngit clone https://github.com/ALEYI17/ebpf_loader.git\ncd ebpf_loader\n```\n\n### Compile the Go code\n```bash\ngo build -o ebpf-loader ./cmd/main.go\n```\n\n### Compile the eBPF programs\nEach eBPF program is in `bpf/\u003cname\u003e/`, with a corresponding `generate.go` file.\n\nTo compile all:\n```bash\ngo generate ./bpf/...\n```\n\n\u003e ⚠️ Requires `clang` and `llvm`.\n\n\n## 🧪 Compiling Protobuf\nIf you modify the `.proto` file, recompile Go stubs:\n\n```bash\ncd internal/grpc/pb \u0026\u0026 protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative ebpf_event.proto\n```\n\n### ✅ Required Parameters\n\n| Parameter     | Flag              | Env Variable   | Description                               |\n|---------------|------------------|----------------|-------------------------------------------|\n| Tracers       | `--tracer`       | `TRACER`       | Comma-separated list of enabled probes (e.g. `execve,open`) |\n| Server Addr   | `--server-addr`  | `SERVER_ADDR`  | Address of gRPC server                    |\n| Server Port   | `--server-port`  | `SERVER_PORT`  | Port of gRPC server                       |\n| Prometheus Port  | `--prometheus-port`    | `PROMETHEUS_PORT`    | Port to expose Prometheus metrics (default: `9090`)                         |\n| Node Name     | _(not a flag)_   | `NODE_NAME`    | Optional. Used for tagging node origin. Falls back to `os.Hostname()` if unset |\n\n### 💡 Example CLI\n\u003e ⚠️ Note: You must run the agent as root or with sudo to load eBPF programs.\n```bash\nsudo ./ebpf-loader \\\n  --tracer=execve,accept \\\n  --server-addr=10.0.0.1 \\\n  --server-port=8080\n```\n\nOr with environment variables:\n\n```bash\nexport TRACER=execve,accept\nexport SERVER_ADDR=10.0.0.1\nexport SERVER_PORT=8080\nsudo ./ebpf-loader\n```\n\n## 📈 Prometheus Metrics\n\nThe `ebpf_loader` exposes internal metrics on `/metrics` (default port `:9090`) using Prometheus format. These are useful for observability, troubleshooting, and performance monitoring.\n\n\u003e You can scrape this with Prometheus or inspect manually.\n\n### 📊 Available Metrics\n\n| Name                                     | Labels             | Description                                                             |\n| ---------------------------------------- | ------------------ | ----------------------------------------------------------------------- |\n| `infrasight_enricher_cache_hits_total`   | `source`           | Cache hits during enrichment (e.g., `\"container\"`, `\"user\"`)            |\n| `infrasight_enricher_cache_misses_total` | `source`           | Cache misses during enrichment                                          |\n| `infrasight_grpc_messages_sent_total`    | `tracer`, `status` | Total gRPC messages sent (`status`: `\"success\"` or `\"error\"`)           |\n| `infrasight_grpc_send_latency_seconds`   | `tracer`           | Histogram of gRPC send latencies                                        |\n| `infrasight_tracer_events_total`         | `tracer`           | Total number of events read from each eBPF loader                       |\n| `infrasight_tracer_errors_total`         | `tracer`, `type`   | Errors during event processing (e.g., decode failure, ringbuffer issue) |\n\n\n## 📚 Related Repositories\n\nThis is part of the **[InfraSight](https://github.com/ALEYI17/InfraSight)** platform:\n\n- [`infrasight-controller`](https://github.com/ALEYI17/infrasight-controller): Kubernetes controller to manage agents\n- [`ebpf_loader`](https://github.com/ALEYI17/ebpf_loader): Agent that collects and sends eBPF telemetry from nodes\n- [`ebpf_server`](https://github.com/ALEYI17/ebpf_server): Receives and stores events (e.g., to ClickHouse)\n- [`ebpf_deploy`](https://github.com/ALEYI17/ebpf_deploy): Helm charts to deploy the stack\n- [`InfraSight_ml`](https://github.com/ALEYI17/InfraSight_ml): Machine learning models for anomaly detection.\n- [`InfraSight_sentinel`](https://github.com/ALEYI17/InfraSight_sentinel): Rules engine that generates alerts based on predefined detection logic.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faleyi17%2Febpf_loader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faleyi17%2Febpf_loader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faleyi17%2Febpf_loader/lists"}