Whenever you open-source your eBPF project or try to sell it to customers, one of the first challenges you’ll face is environment diversity. Your users will likely run it on a different setup than yours — a different Linux distribution, kernel version, or even architecture.
Just like user-space libraries introduce breaking changes between releases, the kernel’s internal structures also evolve over time — and these changes can easily break your eBPF program if you don’t account for them.
To make things even trickier, BTF (BPF Type Format) support isn’t consistent across environments either. Some systems include it by default, while others might require a kernel rebuild — which is far from ideal.

In this learning path, you’ll go from comparing different tracing program types — tracepoints, raw tracepoints, kprobes, and fprobes — to writing portable eBPF programs that work reliably across environments. You’ll also understand the role of BTF and learn how to make your eBPF code truly portable even when BTF isn’t available on the target system.
Happy 🐝-ing!
When you start learning about eBPF-based tracing, you’ll quickly find there’s more than one way to hook into the kernel — tracepoints, kprobes, fprobes, and raw tracepoints. They might seem similar at first, but each has its own strengths, limitations, and ideal use cases.
In this tutorial, you’ll capture the same execve syscall event using different tracing program types and compare their trade-offs. By the end, you’ll know when to use each one and how to choose the right tracing method for your next eBPF project.
eBPF CO-RE Basics
When you start sharing your eBPF programs with others, you might notice something strange — your code runs perfectly on one system but fails on another. Different Linux distributions, kernel versions, or missing BTF support can all break an otherwise working program.
In this tutorial, you’ll learn why these issues happen and how to make eBPF tracing programs (from the previous tutorial) portable across kernels using BPF CO-RE (Compile Once – Run Everywhere). Along the way, you’ll learn about vmlinux.h, understand BTF (BPF Type Format), and see how modern eBPF tooling helps bridge the gap between different environments.
Truly Portable eBPF Programs
Even though most modern kernels ship with BTF support, you can’t always rely on it when you want to build truly portable eBPF programs. Without BTF in the target kernel, the loader can’t resolve types, fix offsets, or adjust field accesses, so your program fails on systems that lack it.
In this tutorial, you’ll learn how to overcome this limitation by embedding BTF data for multiple kernels directly into your eBPF application binary using BTFHub. You’ll also see how to minimize and integrate these BTF files automatically during the build.