Requirements
Inspektor Gadget uses eBPF to obtain the insights it provides. The
different gadgets provided use different eBPF capabilities. The
capabilities available depend on the version of the kernel running in the
node, as well as whether or not the kernel has
BTF
enabled (via
CONFIG_DEBUG_INFO_BTF=y).
Some of the gadgets have two different implementations. The first is
based on the
traditional BCC
tools
, in this case
they are compiled at runtime on the target machine before loading. These
tools usually work on older kernels (~4.15) and require to have the
kernel headers available or the IKHEADERS module loaded. The second
implementation uses the modern Compile Once - Run Everywhere (CO-RE)
approach. These tools are not compiled at runtime and it’s needed to
have BTF information. This information is collected from three different
sources, a fallback mechanism is implemented to try another source if the
previous one was not available.
- The kernel already exposes it through
/sys/kernel/btf/vmlinux: the kernel was compiled withCONFIG_DEBUG_INFO_BTF). - It’s available in the gadget container image: we ship the BTF information for some well known kernel versions using BTFGen .
- It’s downloaded from BTFHub .
Inspektor Gadget always tries to use the CO-RE implementation of the gadget (when available), if it fails then it falls back to the traditional BCC-based implementation.
Required Kernel Versions and CONFIG_*
This section summarizes the kernel versions and features that are required to run the gadgets. This has been generated by testing different Ubuntu versions and their shipped kernels, hence it’s possible that some gadgets work in older kernels than the one mentioned here.
All gadgets require CONFIG_BPF=y and CONFIG_BPF_SYSCALL=y.
CO-RE gadgets also require CONFIG_DEBUG_INFO_BTF=y if the host kernel is not
supported by BTFHub.
For all gadgets, the minimum kernel version and additional needed CONFIG_* are
listed in the following table:
| Gadget | Minimum Kernel | Additional CONFIG_* |
|---|---|---|
advise network-policy |
U.U | |
advise seccomp-profile |
(CO-RE only) | |
audit seccomp |
5.4 (CO-RE only) | KPROBES |
profile block-io |
4.15 (BCC), U.U (CO-RE) | |
profile cpu |
(BCC only) | |
snapshot process |
5.10 (CO-RE only) | |
snapshot socket |
5.10 (CO-RE only) | |
top block-io |
(CO-RE only) | KPROBES |
top file |
5.4 (CO-RE only) | KPROBES |
top tcp |
4.15 (BCC), U.U (CO-RE) | KPROBES |
trace bind |
4.15 (BCC), 5.4 (CO-RE) | KPROBES, KRETPROBES |
trace capabilities |
4.15 (BCC), U.U (CO-RE) | KPROBES |
trace dns |
5.4 | |
trace exec |
4.15 (BCC), 5.4 (CO-RE) | FTRACE_SYSCALLS |
trace fsslower |
5.4 (CO-RE only) | KPROBES, KRETPROBES |
trace mount |
U.U (BCC), U.U (CO-RE) | FTRACE_SYSCALLS |
trace oomkill |
5.4 (CO-RE only) | KPROBES |
trace open |
4.15 (BCC), 5.4 (CO-RE) | FTRACE_SYSCALLS |
trace signal |
5.4 (CO-RE only) | FTRACE_SYSCALLS |
trace sni |
U.U | |
trace tcp |
4.15 (BCC only) | |
trace tcpconnect |
4.15 (BCC), 5.8 (CO-RE) | KPROBES, KRETPROBES |
trace tcpdrop |
5.17 (CO-RE only) | |
trace tcpretrans |
4.15 (CO-RE only) | |
script |
4.9 | |
traceloop |
4.15 | KPROBES |
If the kernel version is U.U, it means we do not have this information at the moment.