fix(build): hermetic netprobe eBPF object build for RBE/publish (#3425) #3511

Merged

mfreeman451 merged 1 commit from fix/netprobe-ebpf-cargo-hermetic into staging 2026-06-01 23:20:52 +00:00

Conversation 1 Commits 1 Files changed 2107 +668211 -55

mfreeman451 commented 2026-06-01 23:14:46 +00:00

Owner

Copy link

Why

The netprobe native add-on bundle ships netprobe_ebpf.o, but the eBPF genrule
(//rust/netprobe/ebpf:netprobe_ebpf_object) shelled out to a host
cargo +nightly -Z build-std=core --target bpfel-unknown-none + host bpf-linker.
With no local/no-remote tag, under --remote_executor (the publish lane) it
dispatched to an RBE worker with no Rust toolchain and died at
cargo is required to build the netprobe eBPF object — blocking the
Publish Native Add-ons run and the netprobe capture e2e.

What

Build the eBPF object hermetically from Bazel-declared inputs only:

• MODULE.bazel: pinned nightly rustc/cargo/rust-std/rust-src (2026-05-31)
  • a static bpf-linker v0.10.3 (@netprobe_ebpf_* http_archives, sha256-pinned).
    The default stable 1.93.0 rules_rust toolchain is untouched.
• build-ebpf-object.sh: rewritten — assembles a scratch sysroot from the pinned
  components and builds offline against the committed vendor/ tree with
  -Z build-std=core --target bpfel-unknown-none. No host PATH tooling, no network.
• vendor/: committed cargo-vendor of the eBPF crate's deps plus the
  -Z build-std std deps (cargo vendor --sync <rust-src>/library/Cargo.toml).
• assemble_addon_bundle.py: harden the dependency-free YAML fallback parser to
  strip inline # comments (it was stricter than the authoritative Go validator,
  which masked-then-surfaced a rejection of addons/netprobe/addon.yaml).

Validation (carverauto RBE — the environment that was failing)

• bazel build --config=ci //rust/netprobe/ebpf:netprobe_ebpf_object → builds
  remotely (1 remote), produces a valid 79952-byte eBPF ELF.
• bazel build --config=ci //build/native_addons:netprobe_addon_bundle.linux.amd64.tar.gz
  → assembles with netprobe_ebpf.o + serviceradar-netprobe +
  serviceradar-netprobe.service + manifests.

Notes

• Spec/design/tasks: openspec/changes/add-hermetic-netprobe-ebpf-build/.
• Out of scope (follow-up): multi-arch eBPF — --cfg bpf_target_arch is x86_64;
  amd64 (the e2e target) is correct, arm64 is a separate change.

🤖 Generated with Claude Code

## Why The netprobe native add-on bundle ships `netprobe_ebpf.o`, but the eBPF genrule (`//rust/netprobe/ebpf:netprobe_ebpf_object`) shelled out to a **host** `cargo +nightly -Z build-std=core --target bpfel-unknown-none` + host `bpf-linker`. With no `local`/`no-remote` tag, under `--remote_executor` (the publish lane) it dispatched to an RBE worker with no Rust toolchain and died at `cargo is required to build the netprobe eBPF object` — blocking the `Publish Native Add-ons` run and the netprobe capture e2e. ## What Build the eBPF object **hermetically** from Bazel-declared inputs only: - `MODULE.bazel`: pinned nightly `rustc`/`cargo`/`rust-std`/`rust-src` (2026-05-31) + a static `bpf-linker` v0.10.3 (`@netprobe_ebpf_*` `http_archive`s, sha256-pinned). The default stable `1.93.0` rules_rust toolchain is untouched. - `build-ebpf-object.sh`: rewritten — assembles a scratch sysroot from the pinned components and builds **offline** against the committed `vendor/` tree with `-Z build-std=core --target bpfel-unknown-none`. No host `PATH` tooling, no network. - `vendor/`: committed cargo-vendor of the eBPF crate's deps **plus** the `-Z build-std` std deps (`cargo vendor --sync <rust-src>/library/Cargo.toml`). - `assemble_addon_bundle.py`: harden the dependency-free YAML fallback parser to strip inline `#` comments (it was stricter than the authoritative Go validator, which masked-then-surfaced a rejection of `addons/netprobe/addon.yaml`). ## Validation (carverauto RBE — the environment that was failing) - `bazel build --config=ci //rust/netprobe/ebpf:netprobe_ebpf_object` → builds remotely (`1 remote`), produces a valid **79952-byte eBPF ELF**. - `bazel build --config=ci //build/native_addons:netprobe_addon_bundle.linux.amd64.tar.gz` → assembles with `netprobe_ebpf.o` + `serviceradar-netprobe` + `serviceradar-netprobe.service` + manifests. ## Notes - Spec/design/tasks: `openspec/changes/add-hermetic-netprobe-ebpf-build/`. - Out of scope (follow-up): multi-arch eBPF — `--cfg bpf_target_arch` is `x86_64`; amd64 (the e2e target) is correct, arm64 is a separate change. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

mfreeman451 added 1 commit 2026-06-01 23:14:46 +00:00

fix(build): hermetic netprobe eBPF object build for RBE/publish (#3425) ... d8133a2a82

The netprobe native add-on bundle ships netprobe_ebpf.o, but the eBPF
genrule shelled out to a host `cargo +nightly -Z build-std` + bpf-linker,
so it failed on remote execution (no toolchain) and blocked the publish
(`cargo is required to build the netprobe eBPF object`).

Build it hermetically instead: pinned nightly rustc/cargo/rust-std/rust-src
plus a static bpf-linker (MODULE.bazel @netprobe_ebpf_*) are assembled into
a scratch sysroot, and the crate is built offline against a committed cargo
vendor tree (including the -Z build-std std deps). No host toolchain and no
network, so it builds identically locally, in CI, and on RBE.

Also harden the bundle assembler's dependency-free YAML fallback parser to
strip inline `#` comments (it was stricter than the authoritative Go
validator), which otherwise rejected addons/netprobe/addon.yaml during
bundle assembly.

Validated on carverauto RBE: the eBPF genrule and the full
netprobe_addon_bundle.linux.amd64.tar.gz build remotely; the produced
object is a valid 79952-byte eBPF ELF.

Spec: openspec/changes/add-hermetic-netprobe-ebpf-build/

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

mfreeman451 reviewed 2026-06-01 23:20:42 +00:00

mfreeman451 left a comment

Copy link

lgtm

lgtm

mfreeman451 merged commit c2cb8625bb into staging 2026-06-01 23:20:52 +00:00

mfreeman451 referenced this pull request from a commit 2026-06-01 23:20:53 +00:00

Merge pull request 'fix(build): hermetic netprobe eBPF object build for RBE/publish (#3425)' (#3511) from fix/netprobe-ebpf-cargo-hermetic into staging

mfreeman451 deleted branch fix/netprobe-ebpf-cargo-hermetic 2026-06-01 23:21:03 +00:00

mfreeman451 referenced this pull request from a commit 2026-06-02 01:28:57 +00:00

fix(build): commit vendored files the repo .gitignore stripped (#3425)

mfreeman451 referenced this pull request 2026-06-02 01:29:23 +00:00

fix(build): commit vendored files the repo .gitignore stripped (#3425) #3512

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

1week

  

2weeks

  

Failed compliance check

  

IP cameras

  

NATS

NATS JetStream

  

Possible security concern

  

Review effort 1/5

  

Review effort 2/5

  

Review effort 3/5

  

Review effort 4/5

  

Review effort 5/5

  

UI

  

aardvark

  

accessibility

  

amd64

  

api

  

arm64

  

auth

  

back-end

  

bgp

  

blog

  

bug

Something isn't working

  

build

  

checkers

  

ci-cd

continuous integration-continuous deployments

  

cleanup

  

cnpg

cloud-native postgres

  

codex

  

core

core service

  

dependencies

Pull requests that update a dependency file

  

device-management

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

dusk

  

ebpf

  

enhancement

New feature or request

  

eta 1d

  

eta 1hr

  

eta 3d

  

eta 3hr

  

feature

  

fieldsurvey

  

github_actions

Pull requests that update GitHub Actions code

  

go

Pull requests that update Go code

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

javascript

Pull requests that update Javascript code

  

k8s

  

log-collector

  

mapper

  

mtr

multi traceroute

  

needs-triage

  

netflow

  

network-sweep

  

observability

  

oracle

Oracle Linux related issues

  

otel

opentelemetry logs, traces, metrics

  

plug-in

  

proton

timeplus proton streaming database

  

python

  

question

Further information is requested

  

reddit

  

redhat

  

research

  

rperf

  

rperf-checker

  

rust

Pull requests that update rust code

  

sdk

  

security

  

serviceradar-agent

  

serviceradar-agent-gateway

  

serviceradar-web

  

serviceradar-web-ng

  

siem

  

snmp

  

sysmon

  

topology

  

ubiquiti

  

wasm

  

wontfix

This will not be worked on

  

zen-engine

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

Review effort 1/5

Review effort 2/5

Review effort 3/5

Review effort 4/5

Review effort 5/5

UI

aardvark

accessibility

amd64

api

arm64

auth

back-end

bgp

blog

bug

build

checkers

ci-cd

cleanup

cnpg

codex

core

dependencies

device-management

documentation

duplicate

dusk

ebpf

enhancement

eta 1d

eta 1hr

eta 3d

eta 3hr

feature

fieldsurvey

github_actions

go

good first issue

help wanted

invalid

javascript

k8s

log-collector

mapper

mtr

needs-triage

netflow

network-sweep

observability

oracle

otel

plug-in

proton

python

question

reddit

redhat

research

rperf

rperf-checker

rust

sdk

security

serviceradar-agent

serviceradar-agent-gateway

serviceradar-web

serviceradar-web-ng

siem

snmp

sysmon

topology

ubiquiti

wasm

wontfix

zen-engine

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar!3511

No description provided.