Blocked Upgrade: github.com/cilium/ebpf v0.21.0 #1505

@MrAlias

Upgrading github.com/cilium/ebpf from v0.20.0 to v0.21.0 causes Rust SSL/HTTP2 integration failures in OBI.

The failure is caused by a behavior change in link.OpenExecutable in cilium/ebpf v0.21.0: it now checks the file mode and rejects non-executable files (file ... is not executable).

OBI attaches uprobes to shared libraries such as libssl.so.3, which are commonly 0644 (readable, no executable bit set). This breaks probe attachment and prevents expected RED metrics from being produced.

Impact

  • PR: fix(deps): update go #1496
  • CI impact: Rust integration suites fail
  • Observed failures:
    • TestSuite_RustHTTP2/Rust_RED_metrics
    • TestSuite_RustSSL (same probe path class)

Observed Error Signal

From integration logs:

    can't open executable for inspection: file /proc/1/root/usr/lib/x86_64-linux-gnu/libssl.so.3 is not executable

Reproduction

  1. Set dependency to github.com/cilium/ebpf v0.21.0 in root go.mod.

  2. Run:

    go test ./internal/test/integration -run TestSuite_RustHTTP2 -count=1
    go test ./internal/test/integration -run TestSuite_RustSSL -count=1

  3. Observe RED metric assertion failures and uprobe/open-executable log errors.

Root Cause Details

Behavior difference by version

  • v0.20.0: link.OpenExecutable parses ELF and allows ET_EXEC/ET_DYN objects.
  • v0.21.0: link.OpenExecutable now performs os.Stat(path) and requires executable permission bits.

This is incompatible with typical shared-library permissions used for uprobe targets.

Current Mitigation

Rollback to github.com/cilium/ebpf v0.20.0 (matching main) restores stability:

  • TestSuite_RustHTTP2 passes
  • TestSuite_RustSSL passes

What We Need

A forward-compatible path to re-enable upgrade to v0.21.0+ without losing shared-library uprobe support.

Candidate Fix Directions

  1. Update OBI uprobe target opening strategy to avoid OpenExecutable permission gating for shared libs (if upstream exposes a suitable API path).
  2. Engage upstream cilium/ebpf on library uprobe usage where target files are ET_DYN but not executable-mode.
  3. Add an integration guard test for library uprobes (libssl path) to detect this regression class early.

Acceptance Criteria

  • OBI can run Rust SSL/HTTP2 integration suites with github.com/cilium/ebpf v0.21.0 or newer.
  • No uprobe attach failures caused by non-executable file mode on shared libraries.
  • go.mod can keep upgraded cilium/ebpf version without local workarounds that reduce observability coverage.
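
One way to express the guard check from candidate fix 3, added here as an example and not taken from OBI or cilium/ebpf: it reports whether a file is an ET_EXEC/ET_DYN object that carries no execute bit, the case described under Root Cause Details. `Inspect` and `WriteSampleLib` are hypothetical names, the sample library is a constructed header-only ELF file, and the mode gate is modelled as "no execute bit set", an assumption based on the description above.

```go
package main

import (
	"debug/elf"
	"encoding/binary"
	"fmt"
	"os"
	"path/filepath"
)

// Inspect returns the ELF type of path and whether a mode-gated open would
// reject it even though the object type is one uprobes can attach to.
func Inspect(path string) (elf.Type, bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, false, err
	}
	f, err := elf.Open(path)
	if err != nil {
		return 0, false, err
	}
	defer f.Close()
	probeable := f.Type == elf.ET_EXEC || f.Type == elf.ET_DYN
	// Assumption: the mode gate is modelled as "no execute bit set".
	return f.Type, probeable && info.Mode().Perm()&0o111 == 0, nil
}

// WriteSampleLib writes a constructed, header-only ET_DYN file with mode.
func WriteSampleLib(path string, mode os.FileMode) error {
	hdr := make([]byte, 64) // ELF64 header, no segments or sections
	copy(hdr, "\x7fELF\x02\x01\x01") // ELFCLASS64, little-endian, EV_CURRENT
	binary.LittleEndian.PutUint16(hdr[16:], uint16(elf.ET_DYN)) // e_type
	binary.LittleEndian.PutUint32(hdr[20:], uint32(elf.EV_CURRENT)) // e_version
	if err := os.WriteFile(path, hdr, 0o600); err != nil {
		return err
	}
	return os.Chmod(path, mode) // exact bits, independent of umask
}

func main() {
	lib := filepath.Join(os.TempDir(), "libsample.so") // constructed sample
	defer os.Remove(lib)
	if err := WriteSampleLib(lib, 0o644); err == nil {
		fmt.Println(Inspect(lib))
	}
}
```

Run against the real uprobe targets in a test image, a `true` result flags libraries that a mode-checking open would refuse before any probe is attached.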
