Description
Currently the `bpftool` image contains a built-from-source `bpftool` binary (located at `/usr/local/bin/bpftool`) in a ubuntu user-space base image. This image is generally meant to be used via a `COPY` like this:
COPY --from=bpftool-dist /usr/local /usr/local
The issue is that this binary is dynamically linked:
$ docker run quay.io/cilium/cilium-bpftool:1751527476-11a6d98 /bin/bash -- ldd /usr/local/bin/bpftool
linux-vdso.so.1 (0x0000ffff92d80000)
libelf.so.1 => /lib/aarch64-linux-gnu/libelf.so.1 (0x0000ffff92c50000)
libz.so.1 => /lib/aarch64-linux-gnu/libz.so.1 (0x0000ffff92c10000)
libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff92a50000)
/lib/ld-linux-aarch64.so.1 (0x0000ffff92d43000)
libzstd.so.1 => /lib/aarch64-linux-gnu/libzstd.so.1 (0x0000ffff92990000)
So there is an implicit dependency on those libraries being present in the final image where this binary gets added to. Most of those are present by default in base ubuntu images, so this is not too much of an issue, but notably `libelf` is not installed by default on ubuntu, see:
$ docker run -it docker.io/library/ubuntu:24.04 /bin/bash -- ldconfig -p | grep -e libelf -e libz -e libzstd
libzstd.so.1 (libc6,AArch64) => /lib/aarch64-linux-gnu/libzstd.so.1
libz.so.1 (libc6,AArch64) => /lib/aarch64-linux-gnu/libz.so.1
We can actually observe this issue in #49 here where `libelf1` had to be manually installed in the image in order for the cst test that runs `bpftool version` to succeed (it otherwise fails with `bpftool: error while loading shared libraries: libelf.so.1: cannot open shared object file: No such file or directory`). But even with `libelf` now installed in the `bpftool` image, it's installed as a system lib so it is under `/lib` and not under `/usr/local/lib` so downstream users `COPY`ing the `/usr/local` directory from that image won't get `libelf`.
Proposed solution
In order to make it safer to use this binary I see two main options:
- Update the build parameters for the `bpftool` binary to make it a fully static binary so it can safely be `COPY`ed and used from any image regardless of available libraries in that image.
- Update the `bpftool` image to have `libelf` (and maybe other dependency libs) under `/usr/local` so when that directory is `COPY`ed to another image, the `bpftool` binary has all the libraries it needs in the `LD_PATH`.
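
The gap described in this issue can be checked mechanically. The script below is an added example, not part of the original issue or the project's code: it parses `ldd` output and lists every dependency that resolves outside the directory being copied. The helper names `libs_outside_prefix` and `sample_ldd` are hypothetical, and the sample input is the `ldd` output quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue): list the shared libraries that a
# `COPY --from=<image> PREFIX PREFIX` would leave behind.

# Hypothetical helper: reads `ldd` output on stdin and prints every dependency
# whose resolved path is not under the prefix given as $1.
libs_outside_prefix() {
    prefix=${1%/}
    awk -v prefix="$prefix/" '
        $1 ~ /^linux-vdso/ { next }   # vDSO is mapped by the kernel, not a file
        $2 == "=>" && $3 == "not" { print $1 " (not found)"; next }
        $2 == "=>" { if (index($3, prefix) != 1) print $3; next }
        $1 ~ /^\// { if (index($1, prefix) != 1) print $1 }   # dynamic loader line
    '
}

# The ldd output quoted in the issue, embedded so the example runs offline.
sample_ldd() {
    cat <<'EOF'
	linux-vdso.so.1 (0x0000ffff92d80000)
	libelf.so.1 => /lib/aarch64-linux-gnu/libelf.so.1 (0x0000ffff92c50000)
	libz.so.1 => /lib/aarch64-linux-gnu/libz.so.1 (0x0000ffff92c10000)
	libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff92a50000)
	/lib/ld-linux-aarch64.so.1 (0x0000ffff92d43000)
	libzstd.so.1 => /lib/aarch64-linux-gnu/libzstd.so.1 (0x0000ffff92990000)
EOF
}

# Everything printed here must already exist in the image that receives the COPY.
# Against a real binary: ldd /usr/local/bin/bpftool | libs_outside_prefix /usr/local
sample_ldd | libs_outside_prefix /usr/local
```

An empty result means the copied directory is self-contained; any path or `(not found)` entry is a library the destination image has to provide itself.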