OOM on Mi&Bee Blog

eBPF Observability: Getting Started with OOM Killer Monitoring

Wed, 10 Jun 2026 00:00:00 +0000

eBPF (Extended Berkeley Packet Filter) started as a network packet filtering tool, but over nearly a decade it has evolved into the most powerful observability framework in the Linux kernel. It allows you to safely inject and execute custom programs without modifying kernel source code or loading kernel modules.

This article kicks off the series, using OOM (Out-of-Memory) monitoring as a concrete entry point to learn the core eBPF concepts and toolchain.

Building an OOM Killer Event Tracer with eBPF + Go

Thu, 11 Jun 2026 00:00:00 +0000

bpftrace is great for quick probing and ad-hoc debugging. For production-grade monitoring tools, you need full eBPF programs. The architecture splits into two layers:

Kernel side: eBPF program written in C, attached to hook points, collecting event data
User side: loader written in Go (or Rust / libbpf C), loading the eBPF program and reading events

Architecture

 mermaid
 

 flowchart LR
 classDef kern fill:#E3F2FD,stroke:#1565C0,color:#1565C0
 classDef user fill:#FFF3E0,stroke:#E65100,color:#BF360C
 classDef data fill:#E8F5E9,stroke:#2E7D32,color:#1B5E20

 subgraph kernel["Kernel Space"]
 hook@{ shape: rounded, label: "oom_kill_process (kprobe)" }
 ebpf@{ shape: proc, label: "eBPF Program\nEvent Collection" }
 ring@{ shape: cyl, label: "Ring Buffer" }
 end

 subgraph userspace["User Space (Go)"]
 loader@{ shape: notch-rect, label: "bpf2go Loader" }
 reader@{ shape: proc, label: "RingBuf Reader\nEvent Parsing" }
 end

 hook --> ebpf --> ring
 ring --> reader
 loader -.-> ebpf

 class hook,ebpf,ring kern
 class loader,reader user
 

eBPF Kernel Program (C)

Name the C file oom_kprobe.bpf.c — the bpf suffix is a cilium/ebpf convention for bpf2go code generation:

Advanced eBPF Memory Observability: Container Tracing and Rust Aya

Fri, 12 Jun 2026 00:00:00 +0000

The first two articles covered eBPF fundamentals and OOM Killer event tracing. This article goes deeper: container-level OOM pinpointing, real-time memory allocation rate tracking, and implementing the same functionality with the Rust Aya framework.

Container-Level OOM Pinpointing

In Kubernetes, “a Pod OOM’d” is actually a vague statement. A Pod consists of multiple containers, each belonging to different cgroups. eBPF can drill through this layer and precisely identify which container and which process caused the OOM.

BPF OOM Kernel Patches Deep Dive: Custom OOM Policies with eBPF

Sat, 13 Jun 2026 00:00:00 +0000

The previous articles showed how to use eBPF to observe OOM events. But we could only watch, not intervene. The kernel’s OOM Killer decides who lives and dies based on the oom_badness() algorithm, with no user control.

In 2025, Google engineer Roman Gushchin proposed the BPF OOM kernel patch series, aiming to let eBPF programs fully take over OOM handling policy. This is the biggest change to Linux memory management’s OOM subsystem in nearly two decades.