bpftool: make the bpftool binary static #366

Merged
merged 2 commits into from
Jul 18, 2025
@HadrienPatte HadrienPatte commented Jul 17, 2025

See #362 for full context

Summary of the changes:

  • bpftool is now statically linked
  • The build process is 100% inspired by how tetragon builds bpftool
  • Instead of building from the linux kernel source tree, we now build from libbpf/bpftool
  • Instead of checking out a commit, we check out a release tag and set a renovate annotation to allow renovate to automatically update the image on new bpftool releases (see Configure renovate to update tools dependencies #349)
  • Since the binary is now static, the final image is just the binary on a FROM scratch base
  • Added a test to validate that the binary is static

Layout of the final image:
[image: layout of the final image]

Note: the new test running `ldd` on the newly built binary was initially failing for the arm64 build with an `ldd: exited with unknown exit code (139)` error (see job logs). This turned out to be an old qemu bug (issue) that's been fixed for some time. In order to pick up that fix, I updated qemu by replacing the old binfmt step with the docker/setup-qemu-action action.

Closes #362
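
An added example, not code from this PR or the image-tools repository: the description's static-linkage test relies on `ldd`, which crashed under emulation, so this sketch classifies a binary by reading its ELF program headers instead and does not depend on running `ldd` under QEMU. The names `linkage` and `make_elf64` and the sample ELF bytes are constructed for illustration.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification


def linkage(data: bytes) -> str:
    """Classify an ELF image by its program headers, without executing it."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    try:
        ei_class, ei_data = data[4], data[5]
        if ei_class not in (1, 2) or ei_data not in (1, 2):
            raise ValueError("unsupported ELF class or byte order")
        end = "<" if ei_data == 1 else ">"
        if ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
            (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:              # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
            (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        types = {struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
                 for i in range(phnum)}
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ELF file") from exc
    if PT_INTERP in types:
        return "dynamic"      # requests a runtime loader: fails on FROM scratch
    if PT_DYNAMIC in types:
        return "static-pie"   # self-relocating, no loader (or a shared object)
    return "static"


def make_elf64(p_types, machine=183):
    """Constructed sample: little-endian ELF64 header plus empty program headers.
    183 is EM_AARCH64; only p_type is meaningful in each program header."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       2, machine, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in p_types)
    return ehdr + phdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real binary, e.g. one copied out of the image
        with open(sys.argv[1], "rb") as fh:
            print(linkage(fh.read()))
    else:
        print(linkage(make_elf64([1, 1])))
```

A CI step could fail the build unless the result is `static` or `static-pie`, since only those run on an empty base image.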

See #362 for full context

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
@HadrienPatte HadrienPatte force-pushed the pr/HadrienPatte/static-bpftool branch 4 times, most recently from 306aff1 to cb2d0b1 Compare July 17, 2025 19:03
Update QEMU to fix https://gitlab.com/qemu-project/qemu/-/issues/1763

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
@HadrienPatte HadrienPatte force-pushed the pr/HadrienPatte/static-bpftool branch from cb2d0b1 to c9efe2e Compare July 17, 2025 19:08
@HadrienPatte HadrienPatte marked this pull request as ready for review July 17, 2025 19:19
@HadrienPatte HadrienPatte requested review from a team as code owners July 17, 2025 19:19

@mtardy mtardy left a comment

Thanks, it looks good to me, definitely better than what's here.

The only thing that is missing so that we could use it with Tetragon and avoid doing the line you copied on every build is a multiarch image with x86_64 and aarch64. For Tetragon we cross compiled this step but now that we have aarch64 nodes in GitHub maybe you could simply natively build the two images and push a multiarch image. Of course no need to do it in this PR but would be amazing so that we can drop that code entirely on the Tetragon side!

Here are the cross-compilation shenanigans https://github.com/cilium/tetragon/blob/2258168df5bf524547318241979f7a040dc13763/Dockerfile#L44-L76

mtardy commented Jul 18, 2025

> Note: the new test running ldd on the newly built binary was initially failing for the arm64 build with ldd: exited with unknown exit code (139) error (see job logs). This turned out to be an old qemu bug (issue)

Oh, I just noticed this: you already build for arm64 and it appears it works, never mind all I said before ahah

@aanm aanm merged commit 49d7b28 into master Jul 18, 2025
12 checks passed
@aanm aanm deleted the pr/HadrienPatte/static-bpftool branch July 18, 2025 13:04
HadrienPatte added a commit that referenced this pull request Jul 30, 2025
See #349

This PR configures renovate to recognize custom `# renovate:` comments in
Dockerfiles. One such comment is already present [here](https://github.com/cilium/image-tools/blob/49d7b282e76f941d6bf5abc4f125d14a1a7b2211/images/bpftool/Dockerfile#L12) (since #366) and will allow to validate that this renovate config works as expected. If that is the case, we will be able to add more renovate comments to manage the versioning of other tools as listed in #349.

This is largely inspired from the renovate config in cilium/cilium.

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>