Kernel requirements for eBPF sensor
Last updated
Last updated
groundcover’s eBPF sensor uses state-of-the-art kernel features to provide full coverage at low overhead. In order to do so it requires certain kernel features which are listed below.
Version v5.3 or higher (anything since 2020).
Debian
11+
RedHat Enterprise Linux
8.2+
Ubuntu
20.10+
CentOS
7.3+
Fedora
31+
BottlerocketOS
1.10+
Amazon Linux
All off the shelf AMIs
Google COS
All off the shelf AMIs
Azure Linux
All off the shelf AMIs
Talos
1.7.3+
You can check if your kernel has CO:RE support by manually looking for the BTF file:
If the file exists, congratulations! Your kernel supported CO:RE.
Loading eBPF code requires running privileged containers. While this might seem unusual, there's nothing to worry about - eBPF is
Our sensor uses eBPF’s feature in order to support the vast variety of linux kernels and distributions detailed above. This feature requires the kernel to be compiled with BTF information (enabled using the CONFIG_BTF_ENABLE=Y kernel compilation flag). This is the case for most common nowadays.
If your system does not fit into any of the above - unfortunately, our eBPF sensor will not be able to run on your environment. However, this does not mean groundcover won’t collect any data. You will still be able to inspect your , see all and use with outer data sources.