sysdig's support for an eBPF probe as an alternative/replacement for the scap kernel module is stable enough. They actually have two, but we only want the "modern bpf" probe.

- figure out dependencies (clang, bpftool?), maybe optionally bpf-toolchain
- wire up USE=bpf to control dependencies/building

Reproducible: Always
Done in my local overlay:

- added bpf USE flag
- added required bpftool/clang dependencies
- uses llvm-r1 eclass
- added elog message on how to use the bpf probe
- verified that using the bpf probe does not load the scap driver
- verified that the bpf probe uses more CPU than scap (~6% vs. <2%) :(

Using bpf-toolchain will require some creative upstream changes as currently clang is hardcoded everywhere: https://github.com/falcosecurity/libs/blob/85713d300f4b4ee61280d5b902c386c1ef8de3c2/driver/modern_bpf/CMakeLists.txt#L65
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8efa75ce221f1748bbe3cb83aed9988a001c62e5

commit 8efa75ce221f1748bbe3cb83aed9988a001c62e5
Author: Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2024-10-14 12:45:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-11-01 17:28:23 +0000

    dev-debug/sysdig: add 0.39.0

    Closes: https://bugs.gentoo.org/938218
    Closes: https://bugs.gentoo.org/938188
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-debug/sysdig/metadata.xml         |   2 +
 dev-debug/sysdig/sysdig-0.39.0.ebuild | 169 ++++++++++++++++++++++++++++++++++
 2 files changed, 171 insertions(+)