Inspektor Gadget uses eBPF to obtain the insights it provides. The different gadgets provided use different eBPF capabilities. The capabilities available depend on the version of the kernel running in the node, as well as whether or not the kernel has BTF enabled (via CONFIG_DEBUG_INFO_BTF=y).

    Some of the gadgets have two different implementations. The first is based on the traditional BCC tools , in this case they are compiled at runtime on the target machine before loading. These tools usually work on older kernels (~4.15) and require to have the kernel headers available or the IKHEADERS module loaded. The second implementation uses the modern Compile Once - Run Everywhere (CO-RE) approach. These tools are not compiled at runtime and it’s needed to have BTF information. This information is collected from three different sources, a fallback mechanism is implemented to try another source if the previous one was not available.

    1. The kernel already exposes it through /sys/kernel/btf/vmlinux: the kernel was compiled with CONFIG_DEBUG_INFO_BTF).
    2. It’s available in the gadget container image: we ship the BTF information for some well known kernel versions using BTFGen .
    3. It’s downloaded from BTFHub .

    Inspektor Gadget always tries to use the CO-RE implementation of the gadget (when available), if it fails then it falls back to the traditional BCC-based implementation.

    Required Kernel Versions and CONFIG_*

    This section summarizes the kernel versions and features that are required to run the gadgets. This has been generated by testing different Ubuntu versions and their shipped kernels, hence it’s possible that some gadgets work in older kernels than the one mentioned here.

    All gadgets require CONFIG_BPF=y and CONFIG_BPF_SYSCALL=y. CO-RE gadgets also require CONFIG_DEBUG_INFO_BTF=y if the host kernel is not supported by BTFHub.

    For all gadgets, the minimum kernel version and additional needed CONFIG_* are listed in the following table:

    Gadget Minimum Kernel Additional CONFIG_*
    advise network-policy U.U
    advise seccomp-profile (CO-RE only)
    audit seccomp 5.4 (CO-RE only) KPROBES
    profile block-io 4.15 (BCC), U.U (CO-RE)
    profile cpu (BCC only)
    snapshot process 5.10 (CO-RE only)
    snapshot socket 5.10 (CO-RE only)
    top block-io (CO-RE only) KPROBES
    top file 5.4 (CO-RE only) KPROBES
    top tcp 4.15 (BCC), U.U (CO-RE) KPROBES
    trace bind 4.15 (BCC), 5.4 (CO-RE) KPROBES, KRETPROBES
    trace capabilities 4.15 (BCC), U.U (CO-RE) KPROBES
    trace dns 5.4
    trace exec 4.15 (BCC), 5.4 (CO-RE) FTRACE_SYSCALLS
    trace fsslower 5.4 (CO-RE only) KPROBES, KRETPROBES
    trace mount U.U (BCC), U.U (CO-RE) FTRACE_SYSCALLS
    trace oomkill 5.4 (CO-RE only) KPROBES
    trace open 4.15 (BCC), 5.4 (CO-RE) FTRACE_SYSCALLS
    trace signal 5.4 (CO-RE only) FTRACE_SYSCALLS
    trace sni U.U
    trace tcp 4.15 (BCC only)
    trace tcpconnect 4.15 (BCC), 5.8 (CO-RE) KPROBES, KRETPROBES
    trace tcpdrop 5.17 (CO-RE only)
    trace tcpretrans 4.15 (CO-RE only)
    script 4.9
    traceloop 4.15 KPROBES

    If the kernel version is U.U, it means we do not have this information at the moment.