ebpf-manager
ebpf-manager is Datadog's open-source Go library
(DataDog/ebpf-manager) that
abstracts the eBPF program lifecycle — load, attach, manage, reload —
behind a common API shared across all Datadog eBPF products
(systems/datadog-workload-protection, Cloud Network Monitoring,
Universal Service Monitoring).
Its job: concentrate the "this is how you run eBPF correctly in production" knowledge in one place, so individual product teams don't rediscover the same pitfalls independently.
What it abstracts
- Program loading + attachment across kernel versions — handles the matrix of hook availability, naming, inlining, verifier quirks (see concepts/ebpf-verifier).
- Dynamic hook discovery — e.g. for syscalls, attach to all required hook points (compat syscalls, raw_tracepoints, io_uring paths, exotic execution interfaces like binfmt_misc / call_usermodehelper / cgroup release agents / shebang interpreters) rather than relying on static upstream symbol names.
- Module-lifecycle awareness — when a kernel module unloads and reloads, re-attach programs automatically to preserve observability.
- Minimum-viable hook set. Products declare a critical subset of eBPF programs that must load+attach. If not met, the product refuses to start with a clear actionable error — failing loudly rather than silently serving reduced coverage.
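
The dynamic hook discovery and minimum-viable hook set items above, sketched as an added example that is not ebpf-manager's API or code from Datadog. The `Probe` type, both functions and the candidate symbol names are assumptions made for illustration, and the kernel symbol set is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Probe is a hypothetical declaration, not an ebpf-manager type.
type Probe struct {
	Name       string   // logical hook, e.g. "openat"
	Candidates []string // kernel symbols to try; the set varies by kernel and arch
	Critical   bool     // true if part of the minimum-viable hook set
}

// Resolve returns, per probe, every candidate symbol present on this kernel,
// so native and compat entry points are both covered when they exist.
func Resolve(probes []Probe, kernelSyms map[string]bool) map[string][]string {
	out := make(map[string][]string)
	for _, p := range probes {
		for _, c := range p.Candidates {
			if kernelSyms[c] {
				out[p.Name] = append(out[p.Name], c)
			}
		}
	}
	return out
}

// CheckMinimumViable fails loudly if any critical probe resolved to nothing.
func CheckMinimumViable(probes []Probe, resolved map[string][]string) error {
	var missing []string
	for _, p := range probes {
		if p.Critical && len(resolved[p.Name]) == 0 {
			missing = append(missing, fmt.Sprintf("%s (tried %s)", p.Name, strings.Join(p.Candidates, ", ")))
		}
	}
	if len(missing) == 0 {
		return nil
	}
	sort.Strings(missing)
	return fmt.Errorf("refusing to start: critical hooks unavailable: %s", strings.Join(missing, "; "))
}

func main() {
	// Constructed sample standing in for symbols read from /proc/kallsyms.
	syms := map[string]bool{"__x64_sys_openat": true, "__ia32_compat_sys_openat": true}
	probes := []Probe{
		{"openat", []string{"__x64_sys_openat", "__ia32_compat_sys_openat", "sys_openat"}, true},
		{"io_uring_openat", []string{"io_openat"}, false},
		{"exec", []string{"__x64_sys_execve", "sys_execve"}, true},
	}
	r := Resolve(probes, syms)
	fmt.Println(r["openat"], CheckMinimumViable(probes, r))
}
```

The non-critical `io_uring_openat` probe is allowed to be absent, while the unresolved critical `exec` probe turns into a startup error that names the symbols that were tried.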
Design principle
Centralise eBPF expertise behind a single library so that the product surface is just "declare what you want hooked", and kernel-version / distro / verifier-quirk handling is the library's problem.
Seen in
- sources/2026-01-07-datadog-hardening-ebpf-for-runtime-security — explicitly named as the consolidation point across Datadog's eBPF products, with the minimum-viable-hook-set pattern described.
Related
- systems/ebpf — underlying kernel runtime
- systems/datadog-workload-protection — consumer
- systems/co-re — portability complement
- concepts/ebpf-verifier — the primary source of variability the library hides