Context
Like #981, this is about making the tracefs mount point that internal/tracefs.getTracefsPath probes overridable. That issue was closed because the requestor's container runtime didn't expose /sys at all and they ended up bind-mounting /sys/. Our case is different and (I think) deserves another look.
The use case
We run a security agent in Kubernetes. Each pod already bind-mounts the host filesystem at /host because the agent walks /host/proc, reads container runtime sockets, and inspects various host paths. To use link.Tracepoint/link.Kprobe, we additionally have to bind-mount:
/sys/kernel/tracing → /sys/kernel/tracing
/sys/kernel/debug → /sys/kernel/debug
…purely because getTracefsPath only probes those two canonical locations. Tracefs is already reachable inside the pod at /host/sys/kernel/tracing via the existing /host mount; we just can't tell cilium/ebpf to look there.
This isn't about a broken container runtime — it's about removing redundant Helm mounts from a pod that's already mounting the host root.
What I'd like
A small API to point the tracefs probe at any real tracefs/debugfs mount, validated via statfs:
// link package
func SetTracefsPath(path string) error
Auto-detection stays the default; the override only activates when explicitly set, and SetTracefsPath("") clears it. Internally backed by an atomic override checked before the existing sync.OnceValues auto-detect, so probe attaches before/after a SetTracefsPath call do the right thing.
Why this and not "fix your runtime"
In /host-style deployments, the host filesystem is exposed — just not at the kernel-canonical paths. Forcing an extra two bind mounts (/sys/kernel/tracing, /sys/kernel/debug) for a path-resolution preference is fixable in ~20 lines without changing default behavior or affecting any existing user.
Working implementation
I have a fork at https://github.com/yoav-orca/ebpf/tree/feat/tracefs-override with the patch and tests; happy to open a PR if the approach is acceptable. The change is isolated to internal/tracefs/kprobe.go and one wrapper in link/link.go. Tests cover override-honored, override-cleared, and rejection of non-tracefs paths.
I'm open to alternative shapes (env var, options struct, etc.) — wanted to surface the use case and proposal before sending a PR.
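The override mechanism described above (statfs validation, an atomic override consulted before a sync.OnceValues auto-detect, and "" clearing the override), as an added example that is not the fork's code or cilium/ebpf's own API. It assumes Linux, takes the TRACEFS_MAGIC and DEBUGFS_MAGIC values from linux/magic.h, and the names Locator, NewLocator, fsType and KprobeEventsFile are illustrative; the statfs probe is injectable only so the override logic can be exercised without a real tracefs mount.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"sync"
	"sync/atomic"
	"syscall"
)

// Filesystem magic numbers from linux/magic.h; statfs(2) reports one of
// these in f_type for a tracefs or debugfs mount.
const (
	tracefsMagic = 0x74726163 // TRACEFS_MAGIC
	debugfsMagic = 0x64626720 // DEBUGFS_MAGIC
)

// fsType returns the filesystem magic of the mount backing path (Linux only).
func fsType(path string) (int64, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(path, &st); err != nil {
		return 0, err
	}
	return int64(st.Type), nil
}

// Locator (hypothetical name) resolves the tracefs directory. probe is the
// statfs-style check, injectable for testing; override holds a caller-supplied
// path; detect is the once-only auto-detection of the canonical locations.
type Locator struct {
	probe    func(string) (int64, error)
	override atomic.Pointer[string]
	detect   func() (string, error)
}

// NewLocator builds a Locator whose auto-detection runs at most once.
func NewLocator(probe func(string) (int64, error)) *Locator {
	l := &Locator{probe: probe}
	l.detect = sync.OnceValues(l.autoDetect)
	return l
}

// isTracefs rejects anything that is not a tracefs or debugfs mount.
func (l *Locator) isTracefs(path string) error {
	typ, err := l.probe(path)
	if err != nil {
		return fmt.Errorf("tracefs: statfs %s: %w", path, err)
	}
	if typ != tracefsMagic && typ != debugfsMagic {
		return fmt.Errorf("tracefs: %s is not a tracefs/debugfs mount (f_type %#x)", path, typ)
	}
	return nil
}

// autoDetect probes the two kernel-canonical locations, as the default does today.
func (l *Locator) autoDetect() (string, error) {
	for _, p := range []string{"/sys/kernel/tracing", "/sys/kernel/debug/tracing"} {
		if l.isTracefs(p) == nil {
			return p, nil
		}
	}
	return "", errors.New("tracefs: no tracefs mount at /sys/kernel/tracing or /sys/kernel/debug/tracing")
}

// SetTracefsPath points the locator at path; "" clears the override.
// A path that fails validation is rejected and leaves any existing override untouched.
func (l *Locator) SetTracefsPath(path string) error {
	if path == "" {
		l.override.Store(nil)
		return nil
	}
	clean := filepath.Clean(path)
	if err := l.isTracefs(clean); err != nil {
		return err
	}
	l.override.Store(&clean)
	return nil
}

// Path returns the override if one is set, else the cached auto-detected path,
// so attaches before and after SetTracefsPath both resolve correctly.
func (l *Locator) Path() (string, error) {
	if p := l.override.Load(); p != nil {
		return *p, nil
	}
	return l.detect()
}

// KprobeEventsFile is the file a kprobe attach would ultimately open.
func (l *Locator) KprobeEventsFile() (string, error) {
	p, err := l.Path()
	if err != nil {
		return "", err
	}
	return filepath.Join(p, "kprobe_events"), nil
}

func main() {
	l := NewLocator(fsType)
	if err := l.SetTracefsPath("/host/sys/kernel/tracing"); err != nil {
		fmt.Println("override rejected:", err) // expected unless /host is bind-mounted
	}
	fmt.Println(l.KprobeEventsFile())
}
```

Validating before storing means a bad path never replaces a good override, and reading the override with an atomic load keeps Path safe to call from attach code concurrently with a late SetTracefsPath.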