# Remove BCC Dependency

## Why?

- BCC compiles programs at runtime, which has heavy CPU and memory resource usage.
- `libbcc` dependency on the host machine
- smaller image size, since no runtime compilation requirement
- BCC requires the Linux kernel header packages to be installed on the host.

## Alternatives

- `libbpf`
  - Precompiled, so no resources required for compilation at runtime
  - CO-RE if BTF information is available, else needs kernel headers
  - `libbpf` is included with our binary itself, so no need for its presence on the host system

## `libbpf` libraries in Go

- `cilium/ebpf`
  - by Cilium, maintained by Cloudflare as well
  - no CGO dependency
  - Mature ecosystem
- `aquasecurity/libbpfgo`
  - by Aquasecurity for tracee
  - we already use it in event auditor and have a partial port of system monitor there

## Steps to Migrate

1. Precompile our monitor leveraging libbpf and Linux kernel headers for type information (no CO-RE)

~~2. May need to include kernel headers in our repository to ease development~~

3. Enable CO-RE in system monitor

Ref https://facebookmicrosites.github.io/bpf/blog/2020/02/20/bcc-to-libbpf-howto-guide.html

Refer https://github.com/kubearmor/KubeArmor/pull/399

3. ```c
   #ifdef NOCORE
   /* ... include kernel headers ... */
   #else
   /* CO-RE is enabled: types come from vmlinux.h */
   #include <vmlinux.h>
   #endif
   ```

Compile two object files, one for CO-RE and one for non-CO-RE. Embed both of them into the binary; if BTF is available, we load the programs accordingly.

Ref https://www.grant.pizza/blog/tracee-core/