/en/tags/cilium/Recent content in Cilium on Mi&Bee BlogHugo -- gohugo.ioen蓝宝石的傻话Thu, 11 Jun 2026 00:00:00 +0000/en/posts/telemetry/ebpf-oom-tracer-cgo/Thu, 11 Jun 2026 00:00:00 +0000/en/posts/telemetry/ebpf-oom-tracer-cgo/<p>bpftrace is great for quick probing and ad-hoc debugging. For production-grade monitoring tools, you need full eBPF programs. The architecture splits into two layers:</p> <ul> <li><strong>Kernel side</strong>: eBPF program written in C, attached to hook points, collecting event data</li> <li><strong>User side</strong>: loader written in Go (or Rust / libbpf C), loading the eBPF program and reading events</li> </ul> <h2 id="architecture">Architecture</h2> <div class="code-block-wrapper" data-lang="mermaid"> <div class="code-block-header"> <div class="code-block-meta"> <span class="code-language">mermaid</span> </div> </div> <div class="code-block-body"> <pre class="chroma"><code class="language-mermaid">flowchart LR classDef kern fill:#E3F2FD,stroke:#1565C0,color:#1565C0 classDef user fill:#FFF3E0,stroke:#E65100,color:#BF360C classDef data fill:#E8F5E9,stroke:#2E7D32,color:#1B5E20 subgraph kernel[&#34;Kernel Space&#34;] hook@{ shape: rounded, label: &#34;oom_kill_process (kprobe)&#34; } ebpf@{ shape: proc, label: &#34;eBPF Program\nEvent Collection&#34; } ring@{ shape: cyl, label: &#34;Ring Buffer&#34; } end subgraph userspace[&#34;User Space (Go)&#34;] loader@{ shape: notch-rect, label: &#34;bpf2go Loader&#34; } reader@{ shape: proc, label: &#34;RingBuf Reader\nEvent Parsing&#34; } end hook --&gt; ebpf --&gt; ring ring --&gt; reader loader -.-&gt; ebpf class hook,ebpf,ring kern class loader,reader user</code></pre> </div> </div><h2 id="ebpf-kernel-program-c">eBPF Kernel Program (C)</h2> <p>Name the C file <code>oom_kprobe.bpf.c</code> — the <code>bpf</code> suffix is a cilium/ebpf convention for <code>bpf2go</code> code generation:</p>