prometheus-ebpf-exporter¶
prometheus-ebpf-exporter (repo: github.com/cloudflare/ebpf_exporter) is Cloudflare's open-source eBPF metrics exporter: a user-space daemon loads eBPF programs that hook kernel events (syscalls, tracepoints, kprobes, etc.), aggregates the results into Prometheus metrics, and exposes them on an HTTP endpoint for scraping. Cloudflare ships it as a first-class data-source tool for the visibility half of their two-phase mitigation-rollout discipline (patterns/visibility-before-enforcement-rollout). Disclosed publicly on the wiki via the 2026-05-07 Copy Fail response post as the substrate for measuring per-binary AF_ALG socket usage across hundreds of thousands of servers within hours, with no kernel changes.
Role for this wiki¶
- Measurement substrate for mitigation validation. Before Cloudflare deploys a runtime mitigation via bpf-lsm, they deploy ebpf_exporter with a config that hooks the relevant syscall or kernel event and emits a per-binary metric of usage. Aggregation in Prometheus gives a fleet-wide picture of which binaries legitimately use the subsystem about to be gated.
- First-party tool for the visibility-before-enforcement pattern. The Copy Fail mitigation rollout "required no kernel changes and provided aggregate data from hundreds of thousands of servers within hours": the measurement-side guarantee the bpf-lsm allow-list depended on.
- Open-source beyond the Copy Fail use case. The tool is not a Copy Fail-specific artefact; it is a general Prometheus exporter for eBPF-derived metrics that Cloudflare has had in production for years and publishes for external use.
Architectural properties¶
- User-space daemon + kernel eBPF programs. The exporter is a user-space binary that reads a YAML config, loads the specified eBPF programs against kernel hooks (typically via libbpf + CO-RE), and exposes the collected counters/histograms on an HTTP endpoint at /metrics.
- Prometheus native. Output is standard Prometheus text format; any Prometheus-compatible scraper can consume it. Aggregation, alerting and querying happen in the usual Prometheus tooling.
- No kernel changes required. eBPF programs attach at runtime via the LSM / tracepoint / kprobe hooks the kernel already exposes; no custom modules, no kernel rebuild, no reboot.
- Per-process-context metrics. eBPF programs can read task_struct, cgroup, namespace, etc., so metrics can be labelled by calling binary, container, or user.
- Salt-gated config deployment (Cloudflare). The Copy Fail rollout specifically notes: "Push the ebpf-exporter config gated by salt." Config push is a routine fleet-configuration operation distinct from any mitigation deployment.
- Ecosystem adjacent. Part of the broader eBPF-on-Prometheus toolchain; similar in shape to node_exporter plus eBPF-specific exporters.
Canonical usage shape (Copy Fail, 2026-04-30 afternoon)¶
For the Copy Fail CVE, the ebpf_exporter config hooked the socket() syscall and tracked, per calling binary, the count of socket creations with domain == AF_ALG. Aggregation across the fleet gave Cloudflare:
- The set of binaries legitimately creating AF_ALG sockets.
- The rate of legitimate AF_ALG socket creation (baseline for detecting anomalies against the allow-list).
- The delta between the expected single internal service and observed reality.
Results confirmed the identified service was indeed the only legitimate user, clearing the allow-list for the bpf-lsm enforcement push that followed the same evening.
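Added example (not ebpf_exporter's own code, and not the Copy Fail config, which the source post does not reproduce): a Python model of the aggregation the visibility pass performs. In the real tool the AF_ALG filter and the per-binary counting happen inside the eBPF program attached to the socket() hook, and the exporter only reads the resulting map; here both steps run in user space over a constructed list of socket() events so the logic can be followed end to end. The event fields, the binary names and pids, the metric name and the expected-service name are all assumptions made for this example.

```python
"""Model of the per-binary AF_ALG visibility metric (added example, not
ebpf_exporter code). Takes constructed socket() syscall events, keeps the
AF_ALG creations, counts them per calling binary, renders the counts in
Prometheus text exposition format, and diffs the observed binaries against
the expected allow-list."""
from collections import Counter
from dataclasses import dataclass

AF_ALG = 38  # Linux socket domain for the kernel crypto API (AF_ALG)


@dataclass(frozen=True)
class SocketEvent:
    comm: str    # calling binary name, as an eBPF program reads task_struct->comm
    pid: int
    domain: int  # first argument of socket(2)


# Constructed sample events: names, pids and counts are invented for the example.
SAMPLE_EVENTS = [
    SocketEvent("crypto-svc", 1201, AF_ALG),
    SocketEvent("crypto-svc", 1201, AF_ALG),
    SocketEvent("nginx", 2300, 2),          # AF_INET, not of interest
    SocketEvent("ssh", 4100, 10),           # AF_INET6, not of interest
    SocketEvent("unknown-tool", 5555, AF_ALG),
    SocketEvent("crypto-svc", 1202, AF_ALG),
]


def count_af_alg_by_comm(events):
    """Per-binary count of AF_ALG socket creations; this is the map the
    kernel-side program would fill and the exporter would read."""
    counts = Counter()
    for ev in events:
        if ev.domain == AF_ALG:
            counts[ev.comm] += 1
    return dict(counts)


def render_prometheus(counts, metric="ebpf_exporter_af_alg_socket_total"):
    """Render the map as Prometheus text format, one series per comm label.
    The metric name is an assumption for the example."""
    lines = [
        f"# HELP {metric} AF_ALG socket() calls by calling binary.",
        f"# TYPE {metric} counter",
    ]
    for comm in sorted(counts):
        lines.append(f'{metric}{{comm="{comm}"}} {counts[comm]}')
    return "\n".join(lines) + "\n"


def rate_per_second(counts, window_seconds):
    """Fleet-wide baseline: total AF_ALG creations over the observation window."""
    return sum(counts.values()) / window_seconds


def allowlist_delta(counts, expected):
    """Observed binaries missing from the allow-list, and allow-listed binaries
    never observed. Both lists empty means the allow-list matches reality."""
    observed = set(counts)
    return {
        "unexpected": sorted(observed - set(expected)),
        "missing": sorted(set(expected) - observed),
    }


if __name__ == "__main__":
    counts = count_af_alg_by_comm(SAMPLE_EVENTS)
    print(render_prometheus(counts))
    print("baseline rate:", rate_per_second(counts, window_seconds=60))
    # "crypto-svc" stands in for the single expected internal service.
    print("allow-list delta:", allowlist_delta(counts, {"crypto-svc"}))
```

The three helpers map onto the three outputs listed above: the keys of count_af_alg_by_comm are the set of binaries, rate_per_second over the scrape window is the baseline, and allowlist_delta is the delta against the expected service. In production the last two are Prometheus-side queries over the scraped series (for example sum by (comm) (rate(<metric>[5m]))) rather than code in the exporter, and a non-empty "unexpected" list is exactly the case that should block the enforcement push.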
Seen in¶
- 2026-05-07 — Copy Fail Linux vulnerability response. Canonical wiki first-class instance of ebpf_exporter as measurement substrate for visibility-before-enforcement mitigation rollout. Hooked the socket() syscall to track per-binary AF_ALG usage; provided aggregate data from hundreds of thousands of servers within hours, no kernel changes. (Source: sources/2026-05-07-cloudflare-copy-fail-linux-vulnerability-response)