This alpha moves runtime delivery toward the production-safe shape:
host probe -> control-plane decision -> verified fetch -> local audit
It is intentionally fetch-only by default. It does not load eBPF on the host unless an operator explicitly adds load flags after a separate review.
Build the binary:
make buildInstall the systemd units:
sudo scripts/install-agent-systemd.shEdit /etc/bpfcompat/agent.env:
sudo editor /etc/bpfcompat/agent.env
sudo chmod 0600 /etc/bpfcompat/agent.envRequired values:
BPFCOMPAT_AGENT_API_URLBPFCOMPAT_AGENT_TENANTBPFCOMPAT_AGENT_PROJECTBPFCOMPAT_AGENT_ARTIFACT_NAMEBPFCOMPAT_AGENT_REGISTRY_TOKEN
Run preflight before enabling the timer:
sudo -u bpfcompat-agent /usr/local/bin/bpfcompat agent preflight \
--api-url "$BPFCOMPAT_AGENT_API_URL" \
--tenant "$BPFCOMPAT_AGENT_TENANT" \
--project "$BPFCOMPAT_AGENT_PROJECT" \
--artifact-name "$BPFCOMPAT_AGENT_ARTIFACT_NAME" \
--workdir /var/lib/bpfcompat-agent \
--out-dir /var/lib/bpfcompat-agent/selected \
--require-config=true \
--probe-use-sudo=falseThe fetch-only preflight checks:
- resolved agent identity
- writable workdir and selected-artifact directory
- control-plane configuration shape
- registry token presence when
--require-config=true - host probe readiness
Reviewed host loading has a stricter preflight:
sudo /usr/local/bin/bpfcompat agent preflight \
--workdir /var/lib/bpfcompat-agent \
--out-dir /var/lib/bpfcompat-agent/selected \
--include-load \
--load-policy /etc/bpfcompat/agent-load-policy.yaml \
--probe-use-sudo=falseWith --include-load, preflight also requires a valid local load policy and a
usable bpfcompat-validator binary in the runtime search path. The installer
copies the validator to /usr/local/libexec/bpfcompat/bpfcompat-validator when
validator/c-libbpf/bin/bpfcompat-validator exists.
sudo systemctl start bpfcompat-agent.service
sudo journalctl -u bpfcompat-agent.service -n 100 --no-pager
sudo cat /var/lib/bpfcompat-agent/last-apply.json
sudo -u bpfcompat-agent /usr/local/bin/bpfcompat agent status \
--path /var/lib/bpfcompat-agent/last-apply.jsonExpected result:
- host probe is included
- selected artifact metadata is included
- fetched artifact path is under
/var/lib/bpfcompat-agent/selected - SHA-256 verification succeeds
load_skippedis present unless explicit load approval was configuredbpfcompat agent statusreportshealthyfor a fetch-only verified run
Inspect reviewed load history:
sudo -u bpfcompat-agent /usr/local/bin/bpfcompat agent ledger \
--workdir /var/lib/bpfcompat-agentsudo systemctl enable --now bpfcompat-agent.timer
systemctl list-timers bpfcompat-agent.timerDefault cadence: every 5 minutes after boot.
The alpha unit uses a dedicated bpfcompat-agent OS user and systemd
hardening:
NoNewPrivileges=trueProtectSystem=strictProtectHome=truePrivateTmp=true- empty
CapabilityBoundingSet - writable state limited to
/var/lib/bpfcompat-agent
This is suitable for fetch-only runtime delivery proof. Production host loading still requires:
- per-host identity and revocation
- pinned trusted signing keys or KMS-backed trust root
- local runtime policy
- rollback/unload tracking
- canary and kill-switch drills
- separate reviewed host-load service/drop-in
Do not enable host loading in the public demo.
Host loading is separated into bpfcompat-agent-load.service. It is not tied
to the timer and must be started explicitly after local policy review:
sudo cp /etc/bpfcompat/agent-load-policy.example.yaml \
/etc/bpfcompat/agent-load-policy.yaml
sudo editor /etc/bpfcompat/agent-load-policy.yaml
sudo editor /etc/bpfcompat/agent-load.env
sudo /usr/local/bin/bpfcompat agent preflight \
--workdir /var/lib/bpfcompat-agent \
--out-dir /var/lib/bpfcompat-agent/selected \
--include-load \
--load-policy /etc/bpfcompat/agent-load-policy.yaml \
--probe-use-sudo=false
sudo systemctl start bpfcompat-agent-load.service
sudo /usr/local/bin/bpfcompat agent status \
--path /var/lib/bpfcompat-agent/last-load.json
sudo /usr/local/bin/bpfcompat agent ledger \
--workdir /var/lib/bpfcompat-agentApproved host loading now requires a local agent load policy by default
(BPFCOMPAT_AGENT_REQUIRE_LOAD_POLICY=true). The default example policy denies
everything until the operator adds a narrow allow rule. The packaged
bpfcompat-agent-load.service also requires reviewed approval pins by default:
BPFCOMPAT_AGENT_EXPECTED_DECISION_IDBPFCOMPAT_AGENT_EXPECTED_SHA256BPFCOMPAT_AGENT_REQUIRE_APPROVAL_PINS=trueBPFCOMPAT_AGENT_MANIFEST_PATHBPFCOMPAT_AGENT_REQUIRE_MANIFEST=true
Copy these values from a reviewed bpfcompat agent plan --json result or from
a fetch-only agent apply result. If either value is missing or does not match
the selected decision/artifact digest, the load attempt is denied before local
policy evaluation and before any host eBPF load. The manifest requirement keeps
reviewed loads tied to explicit program and attach intent instead of loading an
opaque object with no declared behavior.
Policy rules can match:
- agent identity (
agents, plus top-levelallowed_agents/revoked_agents) - tenant/project/artifact
- target profile and host kernel range
- signed-history status
- optional manifest program types and attach kinds
Each approved, denied, or failed host-load attempt is appended to
/var/lib/bpfcompat-agent/agent-load-ledger.jsonl. The ledger records the
selected artifact digest, reviewed approval pins, manifest intent summary,
policy rule, audit trace, execution result, and the previous successful load for
rollback planning. last-load.json includes the same approval and manifest
evidence for the most recent load attempt.
Run these drills before calling a deployment production-ready.
Generate a controlled local evidence package without loading eBPF on the host:
make production-runtime-drillOutputs are written under:
evidence/production-runtime-drills/<timestamp>/production-runtime-drill.md
Rollback drill:
sudo /usr/local/bin/bpfcompat agent rollback \
--workdir /var/lib/bpfcompat-agent \
--artifact-name aegis \
--recordIf the plan is ready and the operator has approved the previous version:
sudo /usr/local/bin/bpfcompat agent rollback \
--workdir /var/lib/bpfcompat-agent \
--artifact-name aegis \
--load-policy /etc/bpfcompat/agent-load-policy.yaml \
--executeUnload drill for explicitly pinned BPF objects:
sudo /usr/local/bin/bpfcompat agent unload \
--workdir /var/lib/bpfcompat-agent \
--artifact-name aegis \
--pin-path /sys/fs/bpf/aegis \
--recordOnly add --execute after confirming the pin path. The command refuses paths
outside /sys/fs/bpf unless --allow-non-bpffs is supplied for tests/labs.
Revocation drill:
sudo /usr/local/bin/bpfcompat agent revocation-drill \
--workdir /var/lib/bpfcompat-agent \
--agent-id host-01 \
--artifact-name aegis \
--load-policy /etc/bpfcompat/agent-load-policy.yamlThe drill passes only if local policy denies the supplied host identity. This proves per-host revocation works before an incident.
This is the Production Runtime Agent Alpha boundary: fetch-only automation is safe to schedule; host loading is a separate reviewed action with local policy and a rollback/audit ledger. The included rollback, unload, and revocation drills make those controls testable. A deployment still needs customer-specific identity issuance/rotation and real incident drills before it should be called generally production-ready.