Kernel requirements for eBPF sensor

Intro

groundcoverโ€™s eBPF sensor uses state-of-the-art kernel features to provide full coverage at low overhead. In order to do so it requires certain kernel features which are listed below.

groundcover may work on many other linux kernels, but we might just didn't get a chance to test it yet. Can't find yours in the list? let us know over Slack.

Kernel Version

Version v5.3 or higher (anything since 2020).

Linux Distributions

Name
Supported Versions

Debian

11+

RedHat Enterprise Linux

8.2+

Ubuntu

20.10+

CentOS

7.3+

Fedora

31+

BottlerocketOS

1.10+

Amazon Linux

All off the shelf AMIs

Google COS

All off the shelf AMIs

Azure Linux

All off the shelf AMIs

Talos

1.7.3+

Permissions

Loading eBPF code requires running privileged containers. While this might seem unusual, there's nothing to worry about - eBPF is safe by design!

CO:RE support

Our sensor uses eBPFโ€™s CO:RE feature in order to support the vast variety of linux kernels and distributions detailed above. This feature requires the kernel to be compiled with BTF information (enabled using the CONFIG_BTF_ENABLE=Y kernel compilation flag). This is the case for most common distributions nowadays.

You can check if your kernel has CO:RE support by manually looking for the BTF file:

$ ls -la /sys/kernel/btf/vmlinux

- r--r--r--. 1 root root 3541561 Jun 2 18:16 /sys/kernel/btf/vmlinux

If the file exists, congratulations! Your kernel supported CO:RE.

What happens if my kernel is not supported?

If your system does not fit into any of the above - unfortunately, our eBPF sensor will not be able to run on your environment. However, this does not mean groundcover wonโ€™t collect any data. You will still be able to inspect your k8s environment, see all collected logs and use integrations with outer data sources.

Last updated