CO-RE and syscalls (#12318)

.gitignore

@@ -72,6 +72,7 @@ cgroup-network
 ebpf.plugin
 collectors/ebpf.plugin/reset_netdata_trace.sh
 !ebpf.plugin/
+collectors/ebpf.plugin/includes/
 
 # protoc generated files
 *.pb.cc

Makefile.am

@@ -61,6 +61,7 @@ dist_noinst_DATA = \
     netdata.cppcheck \
     netdata.spec \
     packaging/bundle-ebpf.sh \
+    packaging/bundle-ebpf-co-re.sh \
     packaging/bundle-judy.sh \
     packaging/bundle-libbpf.sh \
     packaging/check-kernel-config.sh \

collectors/ebpf.plugin/ebpf.c

@@ -68,7 +68,7 @@ ebpf_module_t ebpf_modules[] = {
       .config_file = NETDATA_SYNC_CONFIG_FILE,
       // All syscalls have the same kernels
       .kernels =  NETDATA_V3_10 | NETDATA_V4_14 | NETDATA_V4_16 | NETDATA_V4_18 | NETDATA_V5_4,
-      .load = EBPF_LOAD_LEGACY, .targets = NULL},
+      .load = EBPF_LOAD_LEGACY, .targets = sync_targets},
     { .thread_name = "dc", .config_name = "dc", .enabled = 0, .start_routine = ebpf_dcstat_thread,
       .update_every = EBPF_DEFAULT_UPDATE_EVERY, .global_charts = 1, .apps_charts = CONFIG_BOOLEAN_NO,
       .cgroup_charts = CONFIG_BOOLEAN_NO, .mode = MODE_ENTRY, .optional = 0,
@@ -113,7 +113,7 @@ ebpf_module_t ebpf_modules[] = {
       .pid_map_size = ND_EBPF_DEFAULT_PID_SIZE, .names = NULL, .cfg = &mount_config,
       .config_file = NETDATA_MOUNT_CONFIG_FILE,
       .kernels =  NETDATA_V3_10 | NETDATA_V4_14 | NETDATA_V4_16 | NETDATA_V4_18 | NETDATA_V5_4,
-      .load = EBPF_LOAD_LEGACY, .targets = NULL},
+      .load = EBPF_LOAD_LEGACY, .targets = mount_targets},
     { .thread_name = "fd", .config_name = "fd", .enabled = 0, .start_routine = ebpf_fd_thread,
       .update_every = EBPF_DEFAULT_UPDATE_EVERY, .global_charts = 1, .apps_charts = CONFIG_BOOLEAN_NO,
       .cgroup_charts = CONFIG_BOOLEAN_NO, .mode = MODE_ENTRY, .optional = 0,
@@ -151,7 +151,7 @@ ebpf_module_t ebpf_modules[] = {
       .pid_map_size = ND_EBPF_DEFAULT_PID_SIZE, .names = NULL, .cfg = &shm_config,
       .config_file = NETDATA_DIRECTORY_SHM_CONFIG_FILE,
       .kernels =  NETDATA_V3_10 | NETDATA_V4_14 | NETDATA_V4_16 | NETDATA_V4_18 | NETDATA_V5_4,
-      .load = EBPF_LOAD_LEGACY, .targets = NULL},
+      .load = EBPF_LOAD_LEGACY, .targets = shm_targets},
     { .thread_name = "mdflush", .config_name = "mdflush", .enabled = 0, .start_routine = ebpf_mdflush_thread,
       .update_every = EBPF_DEFAULT_UPDATE_EVERY, .global_charts = 1, .apps_charts = CONFIG_BOOLEAN_NO,
       .cgroup_charts = CONFIG_BOOLEAN_NO, .mode = MODE_ENTRY, .optional = 0, .apps_routine = NULL, .maps = NULL,
@@ -181,6 +181,11 @@ ebpf_network_viewer_options_t network_viewer_opt;
 ebpf_plugin_stats_t plugin_statistics = {.core = 0, .legacy = 0, .running = 0, .threads = 0, .tracepoints = 0,
                                          .probes = 0, .retprobes = 0, .trampolines = 0};
 
+#ifdef LIBBPF_MAJOR_VERSION
+struct btf *default_btf = NULL;
+#endif
+char *btf_path = NULL;
+
 /*****************************************************************
  *
  *  FUNCTIONS USED TO CLEAN MEMORY AND OPERATE SYSTEM FILES
@@ -290,6 +295,11 @@ static void ebpf_exit(int sig)
     }
      */
 
+#ifdef LIBBPF_MAJOR_VERSION
+    if (default_btf)
+        btf__free(default_btf);
+#endif
+
     exit(sig);
 }
 
@@ -1116,6 +1126,56 @@ static void ebpf_update_table_size()
     }
 }
 
+/**
+ * Set Load mode
+ *
+ * @param load  default load mode.
+ */
+static inline void ebpf_set_load_mode(netdata_ebpf_load_mode_t load)
+{
+#ifdef LIBBPF_MAJOR_VERSION
+    if (load == EBPF_LOAD_CORE || load == EBPF_LOAD_PLAY_DICE) {
+        load = (!default_btf) ? EBPF_LOAD_LEGACY : EBPF_LOAD_CORE;
+    }
+#else
+    load = EBPF_LOAD_LEGACY;
+#endif
+
+    int i;
+    for (i = 0; ebpf_modules[i].thread_name; i++) {
+        // TO DO: Use `load` variable after we change all threads.
+        ebpf_modules[i].load = EBPF_LOAD_LEGACY; // load ;
+    }
+}
+
+/**
+ *  Update mode
+ *
+ *  @param str value read from configuration file.
+ */
+static inline void epbf_update_load_mode(char *str)
+{
+    netdata_ebpf_load_mode_t load = epbf_convert_string_to_load_mode(str);
+
+    ebpf_set_load_mode(load);
+}
+
+#ifdef LIBBPF_MAJOR_VERSION
+/**
+ * Set default btf file
+ *
+ * Load the default BTF file on environment.
+ */
+static void ebpf_set_default_btf_file()
+{
+    char path[PATH_MAX + 1];
+    snprintfz(path, PATH_MAX, "%s/vmlinux", btf_path);
+    default_btf = ebpf_parse_btf_file(path);
+    if (!default_btf)
+        info("Your environment does not have BTF file %s/vmlinux. The plugin will work with 'legacy' code.",
+             btf_path);
+}
+#endif
 
 /**
  * Read collector values
@@ -1137,6 +1197,17 @@ static void read_collector_values(int *disable_apps, int *disable_cgroups, int u
 
     how_to_load(value);
 
+    btf_path = appconfig_get(&collector_config, EBPF_GLOBAL_SECTION, EBPF_CFG_PROGRAM_PATH,
+                             EBPF_DEFAULT_BTF_FILE);
+
+#ifdef LIBBPF_MAJOR_VERSION
+    ebpf_set_default_btf_file();
+#endif
+
+    value = appconfig_get(&collector_config, EBPF_GLOBAL_SECTION, EBPF_CFG_TYPE_FORMAT, EBPF_CFG_DEFAULT_PROGRAM);
+
+    epbf_update_load_mode(value);
+
     ebpf_update_interval(update_every);
 
     ebpf_update_table_size();
@@ -1372,19 +1443,6 @@ static inline void ebpf_load_thread_config()
     }
 }
 
-/**
- * Set Load mode
- *
- * @param load  default load mode.
- */
-static inline void ebpf_set_load_mode(netdata_ebpf_load_mode_t load)
-{
-    int i;
-    for (i = 0; ebpf_modules[i].thread_name; i++) {
-        ebpf_modules[i].load = load;
-    }
-}
-
 /**
  * Parse arguments given from user.
  *
@@ -1842,6 +1900,10 @@ int main(int argc, char **argv)
 
     ebpf_allocate_common_vectors();
 
+#ifdef LIBBPF_MAJOR_VERSION
+    libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
+#endif
+
     read_local_addresses();
     read_local_ports("/proc/net/tcp", IPPROTO_TCP);
     read_local_ports("/proc/net/tcp6", IPPROTO_TCP);

collectors/ebpf.plugin/ebpf.d/mount.conf

@@ -3,6 +3,17 @@
 #  `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
 #            new charts for the return of these functions, such as errors.
 #
-#[global]
+# The `ebpf type format` option accepts the following values :
+#  `auto`  : The eBPF collector will investigate hardware and select between the two next options.
+#  `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+#  `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values: 
+#   `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+#   `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+#   `probe`     : This is the same as legacy code.
+[global]
 #    ebpf load mode = entry
 #    update every = 1
+    ebpf type format = auto
+    ebpf co-re tracing = trampoline

collectors/ebpf.plugin/ebpf.d/shm.conf

@@ -8,13 +8,25 @@
 # If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
 # the setting `apps` and `cgroups` to  'no'.
 #
+# The `ebpf type format` option accepts the following values :
+#  `auto`  : The eBPF collector will investigate hardware and select between the two next options.
+#  `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+#  `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values: 
+#   `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+#   `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+#   `probe`     : This is the same as legacy code.
+#
 # Uncomment lines to define specific options for thread.
-#[global]
+[global]
 #    ebpf load mode = entry
 #    apps = yes
 #    cgroups = no
 #    update every = 10
 #    pid table size = 32768
+    ebpf type format = auto
+    ebpf co-re tracing = trampoline
 
 # List of monitored syscalls
 [syscalls]

collectors/ebpf.plugin/ebpf.d/sync.conf

@@ -8,12 +8,23 @@
 # If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
 # the setting `apps` and `cgroups` to  'no'.
 #
+# The `ebpf type format` option accepts the following values :
+#  `auto`  : The eBPF collector will investigate hardware and select between the two next options.
+#  `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+#  `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values: 
+#   `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+#   `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+#   `probe`     : This is the same as legacy code.
 #  
-#[global]
+[global]
 #    ebpf load mode = entry
 #    apps = yes
 #    cgroups = no
 #    update every = 10
+    ebpf type format = auto
+    ebpf co-re tracing = trampoline
 
 # List of monitored syscalls 
 [syscalls]

collectors/ebpf.plugin/ebpf.h

@@ -264,6 +264,7 @@ extern pthread_mutex_t mutex_cgroup_shm;
 extern size_t all_pids_count;
 extern uint32_t finalized_threads;
 extern ebpf_plugin_stats_t plugin_statistics;
+extern struct btf *default_btf;
 
 // Socket functions and variables
 // Common functions

collectors/ebpf.plugin/ebpf_mount.c

@@ -30,6 +30,196 @@ struct netdata_static_thread mount_thread = {"MOUNT KERNEL",
                                               NULL, NULL, 1, NULL,
                                               NULL,  NULL};
 
+netdata_ebpf_targets_t mount_targets[] = { {.name = "mount", .mode = EBPF_LOAD_TRAMPOLINE},
+                                           {.name = "umount", .mode = EBPF_LOAD_TRAMPOLINE},
+                                           {.name = NULL, .mode = EBPF_LOAD_TRAMPOLINE}};
+
+#ifdef LIBBPF_MAJOR_VERSION
+#include "includes/mount.skel.h" // BTF code
+
+static struct mount_bpf *bpf_obj = NULL;
+
+/*****************************************************************
+ *
+ *  BTF FUNCTIONS
+ *
+ *****************************************************************/
+
+/*
+ * Disable probe
+ *
+ * Disable all probes to use exclusively another method.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static inline void ebpf_mount_disable_probe(struct mount_bpf *obj)
+{
+    bpf_program__set_autoload(obj->progs.netdata_mount_probe, false);
+    bpf_program__set_autoload(obj->progs.netdata_umount_probe, false);
+
+    bpf_program__set_autoload(obj->progs.netdata_mount_retprobe, false);
+    bpf_program__set_autoload(obj->progs.netdata_umount_retprobe, false);
+}
+
+/*
+ * Disable tracepoint
+ *
+ * Disable all tracepoints to use exclusively another method.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static inline void ebpf_mount_disable_tracepoint(struct mount_bpf *obj)
+{
+    bpf_program__set_autoload(obj->progs.netdata_mount_exit, false);
+    bpf_program__set_autoload(obj->progs.netdata_umount_exit, false);
+}
+
+/*
+ * Disable trampoline
+ *
+ * Disable all trampoline to use exclusively another method.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static inline void ebpf_mount_disable_trampoline(struct mount_bpf *obj)
+{
+    bpf_program__set_autoload(obj->progs.netdata_mount_fentry, false);
+    bpf_program__set_autoload(obj->progs.netdata_umount_fentry, false);
+    bpf_program__set_autoload(obj->progs.netdata_mount_fexit, false);
+    bpf_program__set_autoload(obj->progs.netdata_umount_fexit, false);
+}
+
+/**
+ * Set trampoline target
+ *
+ * Set the targets we will monitor.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static inline void netdata_set_trampoline_target(struct mount_bpf *obj)
+{
+    char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1];
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            mount_targets[NETDATA_MOUNT_SYSCALL].name, running_on_kernel);
+
+    bpf_program__set_attach_target(obj->progs.netdata_mount_fentry, 0,
+                                   syscall);
+
+    bpf_program__set_attach_target(obj->progs.netdata_mount_fexit, 0,
+                                   syscall);
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            mount_targets[NETDATA_UMOUNT_SYSCALL].name, running_on_kernel);
+
+    bpf_program__set_attach_target(obj->progs.netdata_umount_fentry, 0,
+                                   syscall);
+
+    bpf_program__set_attach_target(obj->progs.netdata_umount_fexit, 0,
+                                   syscall);
+}
+
+/**
+ * Mount Attach Probe
+ *
+ * Attach probes to target
+ *
+ * @param obj is the main structure for bpf objects.
+ *
+ * @return It returns 0 on success and -1 otherwise.
+ */
+static int ebpf_mount_attach_probe(struct mount_bpf *obj)
+{
+    char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1];
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            mount_targets[NETDATA_MOUNT_SYSCALL].name, running_on_kernel);
+
+    obj->links.netdata_mount_probe = bpf_program__attach_kprobe(obj->progs.netdata_mount_probe,
+                                                                false, syscall);
+    int ret = (int)libbpf_get_error(obj->links.netdata_mount_probe);
+    if (ret)
+        return -1;
+
+    obj->links.netdata_mount_retprobe = bpf_program__attach_kprobe(obj->progs.netdata_mount_retprobe,
+                                                                   true, syscall);
+    ret = (int)libbpf_get_error(obj->links.netdata_mount_retprobe);
+    if (ret)
+        return -1;
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            mount_targets[NETDATA_UMOUNT_SYSCALL].name, running_on_kernel);
+
+    obj->links.netdata_umount_probe = bpf_program__attach_kprobe(obj->progs.netdata_umount_probe,
+                                                                 false, syscall);
+    ret = (int)libbpf_get_error(obj->links.netdata_umount_probe);
+    if (ret)
+        return -1;
+
+    obj->links.netdata_umount_retprobe = bpf_program__attach_kprobe(obj->progs.netdata_umount_retprobe,
+                                                                    true, syscall);
+    ret = (int)libbpf_get_error(obj->links.netdata_umount_retprobe);
+    if (ret)
+        return -1;
+
+    return 0;
+}
+
+/**
+ * Set hash tables
+ *
+ * Set the values for maps according the value given by kernel.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static void ebpf_mount_set_hash_tables(struct mount_bpf *obj)
+{
+    mount_maps[NETDATA_KEY_MOUNT_TABLE].map_fd = bpf_map__fd(obj->maps.tbl_mount);
+}
+
+/**
+ * Load and attach
+ *
+ * Load and attach the eBPF code in kernel.
+ *
+ * @param obj is the main structure for bpf objects.
+ * @param em  structure with configuration
+ *
+ * @return it returns 0 on succes and -1 otherwise
+ */
+static inline int ebpf_mount_load_and_attach(struct mount_bpf *obj, ebpf_module_t *em)
+{
+    netdata_ebpf_targets_t *mt = em->targets;
+    netdata_ebpf_program_loaded_t test = mt[NETDATA_MOUNT_SYSCALL].mode;
+
+    // We are testing only one, because all will have the same behavior
+    if (test == EBPF_LOAD_TRAMPOLINE ) {
+        ebpf_mount_disable_probe(obj);
+        ebpf_mount_disable_tracepoint(obj);
+
+        netdata_set_trampoline_target(obj);
+    } else if (test == EBPF_LOAD_PROBE ||
+    test == EBPF_LOAD_RETPROBE ) {
+        ebpf_mount_disable_tracepoint(obj);
+        ebpf_mount_disable_trampoline(obj);
+    } else {
+        ebpf_mount_disable_probe(obj);
+        ebpf_mount_disable_trampoline(obj);
+    }
+
+    int ret = mount_bpf__load(obj);
+    if (!ret) {
+        if (test != EBPF_LOAD_PROBE && test != EBPF_LOAD_RETPROBE )
+            ret = mount_bpf__attach(obj);
+        else
+            ret = ebpf_mount_attach_probe(obj);
+
+        if (!ret)
+            ebpf_mount_set_hash_tables(obj);
+    }
+
+    return ret;
+}
+#endif
 /*****************************************************************
  *
  *  FUNCTIONS TO CLOSE THE THREAD
@@ -59,6 +249,11 @@ static void ebpf_mount_cleanup(void *ptr)
         }
         bpf_object__close(objects);
     }
+#ifdef LIBBPF_MAJOR_VERSION
+    else if (bpf_obj)
+        mount_bpf__destroy(bpf_obj);
+#endif
+
 }
 
 /*****************************************************************
@@ -219,6 +414,39 @@ static void ebpf_create_mount_charts(int update_every)
  *
  *****************************************************************/
 
+/*
+ * Load BPF
+ *
+ * Load BPF files.
+ *
+ * @param em the structure with configuration
+ */
+static int ebpf_mount_load_bpf(ebpf_module_t *em)
+{
+    int ret = 0;
+    if (em->load == EBPF_LOAD_LEGACY) {
+        probe_links = ebpf_load_program(ebpf_plugin_dir, em, running_on_kernel, isrh, &objects);
+        if (!probe_links) {
+            em->enabled = CONFIG_BOOLEAN_NO;
+            ret = -1;
+        }
+    }
+#ifdef LIBBPF_MAJOR_VERSION
+    else {
+        bpf_obj = mount_bpf__open();
+        if (!bpf_obj)
+            ret = -1;
+        else
+            ret = ebpf_mount_load_and_attach(bpf_obj, em);
+    }
+#endif
+
+    if (ret)
+        error("%s %s", EBPF_DEFAULT_ERROR_MSG, em->thread_name);
+
+    return ret;
+}
+
 /**
  * Mount thread
  *
@@ -238,8 +466,10 @@ void *ebpf_mount_thread(void *ptr)
     if (!em->enabled)
         goto endmount;
 
-    probe_links = ebpf_load_program(ebpf_plugin_dir, em, running_on_kernel, isrh, &objects);
-    if (!probe_links) {
+#ifdef LIBBPF_MAJOR_VERSION
+    ebpf_adjust_thread_load(em, default_btf);
+#endif
+    if (ebpf_mount_load_bpf(em)) {
         em->enabled = CONFIG_BOOLEAN_NO;
         goto endmount;
     }

collectors/ebpf.plugin/ebpf_mount.h

@@ -30,7 +30,15 @@ enum mount_tables {
     NETDATA_KEY_MOUNT_TABLE
 };
 
+enum netdata_mount_syscalls {
+    NETDATA_MOUNT_SYSCALL,
+    NETDATA_UMOUNT_SYSCALL,
+
+    NETDATA_MOUNT_SYSCALLS_END
+};
+
 extern struct config mount_config;
 extern void *ebpf_mount_thread(void *ptr);
+extern netdata_ebpf_targets_t mount_targets[];
 
 #endif /* NETDATA_EBPF_MOUNT_H */

collectors/ebpf.plugin/ebpf_shm.c

@@ -41,6 +41,203 @@ static struct bpf_object *objects = NULL;
 struct netdata_static_thread shm_threads = {"SHM KERNEL", NULL, NULL, 1,
                                              NULL, NULL,  NULL};
 
+netdata_ebpf_targets_t shm_targets[] = { {.name = "shmget", .mode = EBPF_LOAD_TRAMPOLINE},
+                                         {.name = "shmat", .mode = EBPF_LOAD_TRAMPOLINE},
+                                         {.name = "shmdt", .mode = EBPF_LOAD_TRAMPOLINE},
+                                         {.name = "shmctl", .mode = EBPF_LOAD_TRAMPOLINE},
+                                         {.name = NULL, .mode = EBPF_LOAD_TRAMPOLINE}};
+
+#ifdef LIBBPF_MAJOR_VERSION
+#include "includes/shm.skel.h"
+
+static struct shm_bpf *bpf_obj = NULL;
+
+/*****************************************************************
+ *
+ *  BTF FUNCTIONS
+ *
+ *****************************************************************/
+
+/*
+ * Disable tracepoint
+ *
+ * Disable all tracepoints to use exclusively another method.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static void ebpf_shm_disable_tracepoint(struct shm_bpf *obj)
+{
+    bpf_program__set_autoload(obj->progs.netdata_syscall_shmget, false);
+    bpf_program__set_autoload(obj->progs.netdata_syscall_shmat, false);
+    bpf_program__set_autoload(obj->progs.netdata_syscall_shmdt, false);
+    bpf_program__set_autoload(obj->progs.netdata_syscall_shmctl, false);
+}
+
+/*
+ * Disable probe
+ *
+ * Disable all probes to use exclusively another method.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static void ebpf_disable_probe(struct shm_bpf *obj)
+{
+    bpf_program__set_autoload(obj->progs.netdata_shmget_probe, false);
+    bpf_program__set_autoload(obj->progs.netdata_shmat_probe, false);
+    bpf_program__set_autoload(obj->progs.netdata_shmdt_probe, false);
+    bpf_program__set_autoload(obj->progs.netdata_shmctl_probe, false);
+}
+
+/*
+ * Disable trampoline
+ *
+ * Disable all trampoline to use exclusively another method.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static void ebpf_disable_trampoline(struct shm_bpf *obj)
+{
+    bpf_program__set_autoload(obj->progs.netdata_shmget_fentry, false);
+    bpf_program__set_autoload(obj->progs.netdata_shmat_fentry, false);
+    bpf_program__set_autoload(obj->progs.netdata_shmdt_fentry, false);
+    bpf_program__set_autoload(obj->progs.netdata_shmctl_fentry, false);
+}
+
+/**
+ * Set trampoline target
+ *
+ * Set the targets we will monitor.
+ *
+ * @param obj is the main structure for bpf objects.
+ */
+static void ebpf_set_trampoline_target(struct shm_bpf *obj)
+{
+    char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1];
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMGET_CALL].name, running_on_kernel);
+
+    bpf_program__set_attach_target(obj->progs.netdata_shmget_fentry, 0,
+                                   syscall);
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMAT_CALL].name, running_on_kernel);
+    bpf_program__set_attach_target(obj->progs.netdata_shmat_fentry, 0,
+                                   syscall);
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMDT_CALL].name, running_on_kernel);
+    bpf_program__set_attach_target(obj->progs.netdata_shmdt_fentry, 0,
+                                   syscall);
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMCTL_CALL].name, running_on_kernel);
+    bpf_program__set_attach_target(obj->progs.netdata_shmctl_fentry, 0,
+                                   syscall);
+}
+
+/**
+ * SHM Attach Probe
+ *
+ * Attach probes to target
+ *
+ * @param obj is the main structure for bpf objects.
+ *
+ * @return It returns 0 on success and -1 otherwise.
+ */
+static int ebpf_shm_attach_probe(struct shm_bpf *obj)
+{
+    char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1];
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMGET_CALL].name, running_on_kernel);
+
+    obj->links.netdata_shmget_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmget_probe,
+                                                                 false, syscall);
+    int ret = (int)libbpf_get_error(obj->links.netdata_shmget_probe);
+    if (ret)
+        return -1;
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMAT_CALL].name, running_on_kernel);
+    obj->links.netdata_shmat_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmat_probe,
+                                                                false, syscall);
+    ret = (int)libbpf_get_error(obj->links.netdata_shmat_probe);
+    if (ret)
+        return -1;
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMDT_CALL].name, running_on_kernel);
+    obj->links.netdata_shmdt_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmdt_probe,
+                                                                false, syscall);
+    ret = (int)libbpf_get_error(obj->links.netdata_shmdt_probe);
+    if (ret)
+        return -1;
+
+    ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH,
+                            shm_targets[NETDATA_KEY_SHMCTL_CALL].name, running_on_kernel);
+    obj->links.netdata_shmctl_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmctl_probe,
+                                                                 false, syscall);
+    ret = (int)libbpf_get_error(obj->links.netdata_shmctl_probe);
+    if (ret)
+        return -1;
+
+    return 0;
+}
+
+/**
+ * Set hash tables
+ *
+ * Set the values for maps according the value given by kernel.
+ */
+static void ebpf_shm_set_hash_tables(struct shm_bpf *obj)
+{
+    shm_maps[NETDATA_PID_SHM_TABLE].map_fd = bpf_map__fd(obj->maps.tbl_pid_shm);
+    shm_maps[NETDATA_SHM_CONTROLLER].map_fd = bpf_map__fd(obj->maps.shm_ctrl);
+    shm_maps[NETDATA_SHM_GLOBAL_TABLE].map_fd = bpf_map__fd(obj->maps.tbl_shm);
+}
+
+/**
+ * Load and attach
+ *
+ * Load and attach the eBPF code in kernel.
+ *
+ * @param obj is the main structure for bpf objects.
+ * @param em  structure with configuration
+ *
+ * @return it returns 0 on succes and -1 otherwise
+ */
+static inline int ebpf_shm_load_and_attach(struct shm_bpf *obj, ebpf_module_t *em)
+{
+    netdata_ebpf_targets_t *shmt = em->targets;
+    netdata_ebpf_program_loaded_t test = shmt[NETDATA_KEY_SHMGET_CALL].mode;
+
+    // We are testing only one, because all will have the same behavior
+    if (test == EBPF_LOAD_TRAMPOLINE ) {
+        ebpf_shm_disable_tracepoint(obj);
+        ebpf_disable_probe(obj);
+
+        ebpf_set_trampoline_target(obj);
+    }  else if (test == EBPF_LOAD_PROBE || test == EBPF_LOAD_RETPROBE ) {
+        ebpf_shm_disable_tracepoint(obj);
+        ebpf_disable_trampoline(obj);
+    } else  {
+        ebpf_disable_probe(obj);
+        ebpf_disable_trampoline(obj);
+    }
+
+    int ret = shm_bpf__load(obj);
+    if (!ret) {
+        if (test != EBPF_LOAD_PROBE && test != EBPF_LOAD_RETPROBE)
+            shm_bpf__attach(obj);
+        else
+            ret = ebpf_shm_attach_probe(obj);
+
+        if (!ret)
+            ebpf_shm_set_hash_tables(obj);
+    }
+
+    return ret;
+}
+#endif
 /*****************************************************************
  *  FUNCTIONS TO CLOSE THE THREAD
  *****************************************************************/
@@ -91,6 +288,10 @@ static void ebpf_shm_cleanup(void *ptr)
         }
         bpf_object__close(objects);
     }
+#ifdef LIBBPF_MAJOR_VERSION
+    else if (bpf_obj)
+        shm_bpf__destroy(bpf_obj);
+#endif
 }
 
 /*****************************************************************
@@ -802,6 +1003,40 @@ static void ebpf_create_shm_charts(int update_every)
     fflush(stdout);
 }
 
+/*
+ * Load BPF
+ *
+ * Load BPF files.
+ *
+ * @param em the structure with configuration
+ */
+static int ebpf_shm_load_bpf(ebpf_module_t *em)
+{
+    int ret = 0;
+    if (em->load == EBPF_LOAD_LEGACY) {
+        probe_links = ebpf_load_program(ebpf_plugin_dir, em, running_on_kernel, isrh, &objects);
+        if (!probe_links) {
+            em->enabled = CONFIG_BOOLEAN_NO;
+            ret = -1;
+        }
+    }
+#ifdef LIBBPF_MAJOR_VERSION
+    else {
+        bpf_obj = shm_bpf__open();
+        if (!bpf_obj)
+            ret = -1;
+        else
+            ret = ebpf_shm_load_and_attach(bpf_obj, em);
+    }
+#endif
+
+
+    if (ret)
+        error("%s %s", EBPF_DEFAULT_ERROR_MSG, em->thread_name);
+
+    return ret;
+}
+
 /**
  * Shared memory thread.
  *
@@ -821,8 +1056,10 @@ void *ebpf_shm_thread(void *ptr)
         goto endshm;
     }
 
-    probe_links = ebpf_load_program(ebpf_plugin_dir, em, running_on_kernel, isrh, &objects);
-    if (!probe_links) {
+#ifdef LIBBPF_MAJOR_VERSION
+    ebpf_adjust_thread_load(em, default_btf);
+#endif
+    if (ebpf_shm_load_bpf(em)) {
         em->enabled = CONFIG_BOOLEAN_NO;
         goto endshm;
     }