Use bazel to build ebpf parts

[JSGette]

What does this PR do?

This a second attempt for #47400.

This work is based on previous @chouquette and @rdesgroppes work to migrate system-probe and ebpf build to bazel. In this PR we combine both of those and aim to build ebpf parts only excluding system-probe go code for now. Thus, this is one of the series of PRs to gradually migrate system-probe to bazel

Changes in particular:

• Registration of llvm toolchain needed to build ebpf as well as the toolchain itself. Usage of rules_foreign_cc was not possible to wrap ninja as we already have a registered GCC toolchain that cannot be used to build ebpf
• Custom compilation/linking rules for ebpf.
  CO-RE parts depend on vmlinux.h whereas prebuilt components require a full layout of Linux kernel headers that are currently taken directly from the host. We need to make them downloadable for hermeticity.
• Extension of tasks/system_probe.py task to replace ninja build of ebpf with bazel. The rest of the logic remains. This allows us to increment and also test changes fully relying on the current setup and infrastructure.

Describe how you validated your changes

Executed dda inv system-probe.build locally and ensured that it worked.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4cc7a7008a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Clean Bazel-generated eBPF objects in system-probe clean

clean_object_files now only calls ninja -t clean, but this commit removed eBPF object compilation from the generated ninja graph, so Bazel-copied .o files are left behind in pkg/ebpf/bytecode/build/* (and in-place outputs). This leaves stale bytecode after inv system-probe.clean, which can be reused or packaged accidentally in later builds.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Package Bazel outputs from the selected build arch

save_build_outputs now hardcodes Arch.local() when collecting Bazel-produced eBPF objects. In cross-arch workflows (for example building arm64 artifacts on x86), objects are emitted under pkg/ebpf/bytecode/build/<target-arch>, so this logic can miss freshly built files and archive the wrong architecture’s objects instead.

Useful? React with 👍 / 👎.

[JSGette]

We don't cross-compile yet so it's not a big deal. We will come to that later

[agent-platform-auto-pr]

Files inventory check summary

File checks results against ancestor 20e9ceb9:

Results for datadog-agent_7.78.0~devel.git.605.4cc7a70.pipeline.102349482-1_amd64.deb:

Detected file changes:

39 Changed files:

• opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-syscall-wrapper.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-fentry.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/usm-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/usm.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/usm-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/usm.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/tracer-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/tracer.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer-fentry-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tracer-fentry.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/shared-libraries.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/shared-libraries.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/dyninst_event-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/conntrack-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/dyninst_event.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/offset-guess-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/offset-guess.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-offset-guesser.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/conntrack.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/gpu-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/gpu.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/tcp-queue-length.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/ebpf-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/ebpf.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/lock_contention.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/oom-kill.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/conntrack-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/noisy-neighbor-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/noisy-neighbor.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/bin/kinit:
  • Size changed: +11.73% (34.11 KiB -> 38.11 KiB)
• opt/datadog-agent/embedded/share/system-probe/ebpf/conntrack.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/ksyms_iter.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/dns-debug.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/dns.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/btf_test.o:
  • Permission changed: 0o444 -> 0o644
• opt/datadog-agent/embedded/share/system-probe/ebpf/co-re/uprobe_attacher-test.o:
  • Permission changed: 0o444 -> 0o644

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor f2b5102
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	-1.21 MiB (0.16% reduction)	747.069 → 745.858 → 750.720
✅	agent_deb_amd64_fips	-1.21 MiB (0.17% reduction)	705.414 → 704.204 → 711.230
✅	agent_rpm_amd64	-1.21 MiB (0.16% reduction)	747.052 → 745.842 → 750.690
✅	agent_rpm_amd64_fips	-1.21 MiB (0.17% reduction)	705.398 → 704.188 → 711.210
✅	agent_rpm_arm64	-1.21 MiB (0.17% reduction)	724.945 → 723.735 → 732.890
✅	agent_rpm_arm64_fips	-1.21 MiB (0.18% reduction)	686.260 → 685.051 → 694.440
✅	agent_suse_amd64	-1.21 MiB (0.16% reduction)	747.052 → 745.842 → 750.690
✅	agent_suse_amd64_fips	-1.21 MiB (0.17% reduction)	705.398 → 704.188 → 711.210
✅	agent_suse_arm64	-1.21 MiB (0.17% reduction)	724.945 → 723.735 → 732.890
✅	agent_suse_arm64_fips	-1.21 MiB (0.18% reduction)	686.260 → 685.051 → 694.440
✅	docker_agent_amd64	-1.21 MiB (0.15% reduction)	807.385 → 806.175 → 813.040
✅	docker_agent_arm64	-1.21 MiB (0.15% reduction)	810.098 → 808.889 → 819.570
✅	docker_agent_jmx_amd64	-1.21 MiB (0.12% reduction)	998.300 → 997.090 → 1003.920
✅	docker_agent_jmx_arm64	-1.21 MiB (0.12% reduction)	989.792 → 988.583 → 999.170

17 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_heroku_amd64	311.778 MiB
✅	agent_msi	609.879 MiB
✅	docker_cluster_agent_amd64	203.690 MiB
✅	docker_cluster_agent_arm64	218.164 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	38.643 MiB
✅	docker_dogstatsd_arm64	36.939 MiB
✅	dogstatsd_deb_amd64	29.863 MiB
✅	dogstatsd_deb_arm64	28.016 MiB
✅	dogstatsd_rpm_amd64	29.863 MiB
✅	dogstatsd_suse_amd64	29.863 MiB
✅	iot_agent_deb_amd64	43.084 MiB
✅	iot_agent_deb_arm64	40.146 MiB
✅	iot_agent_deb_armhf	40.886 MiB
✅	iot_agent_rpm_amd64	43.084 MiB
✅	iot_agent_suse_amd64	43.084 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	-197.65 KiB (0.11% reduction)	174.465 → 174.272 → 177.700
✅	agent_deb_amd64_fips	-230.16 KiB (0.14% reduction)	165.376 → 165.151 → 172.230
✅	agent_heroku_amd64	+3.14 KiB (0.00% increase)	75.175 → 75.178 → 79.970
✅	agent_msi	-20.0 KiB (0.01% reduction)	138.039 → 138.020 → 146.220
✅	agent_rpm_amd64	-226.96 KiB (0.13% reduction)	176.472 → 176.250 → 180.780
✅	agent_rpm_amd64_fips	-198.85 KiB (0.12% reduction)	168.035 → 167.841 → 173.370
✅	agent_rpm_arm64	-207.12 KiB (0.13% reduction)	159.387 → 159.185 → 161.610
✅	agent_rpm_arm64_fips	-223.99 KiB (0.14% reduction)	151.380 → 151.161 → 155.910
✅	agent_suse_amd64	-226.96 KiB (0.13% reduction)	176.472 → 176.250 → 180.780
✅	agent_suse_amd64_fips	-198.85 KiB (0.12% reduction)	168.035 → 167.841 → 173.370
✅	agent_suse_arm64	-207.12 KiB (0.13% reduction)	159.387 → 159.185 → 161.610
✅	agent_suse_arm64_fips	-223.99 KiB (0.14% reduction)	151.380 → 151.161 → 155.910
✅	docker_agent_amd64	-460.89 KiB (0.17% reduction)	267.161 → 266.711 → 271.240
✅	docker_agent_arm64	-462.93 KiB (0.18% reduction)	254.466 → 254.014 → 259.800
✅	docker_agent_jmx_amd64	-458.9 KiB (0.13% reduction)	335.805 → 335.357 → 339.870
✅	docker_agent_jmx_arm64	-462.25 KiB (0.14% reduction)	319.093 → 318.642 → 324.390
✅	docker_cluster_agent_amd64	neutral	71.277 MiB → 72.920
✅	docker_cluster_agent_arm64	neutral	66.937 MiB → 68.220
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	14.955 MiB → 15.820
✅	docker_dogstatsd_arm64	neutral	14.284 MiB → 14.830
✅	dogstatsd_deb_amd64	neutral	7.891 MiB → 8.790
✅	dogstatsd_deb_arm64	neutral	6.774 MiB → 7.710
✅	dogstatsd_rpm_amd64	+2.68 KiB (0.03% increase)	7.901 → 7.904 → 8.800
✅	dogstatsd_suse_amd64	+2.68 KiB (0.03% increase)	7.901 → 7.904 → 8.800
✅	iot_agent_deb_amd64	neutral	11.356 MiB → 12.040
✅	iot_agent_deb_arm64	neutral	9.668 MiB → 10.450
✅	iot_agent_deb_armhf	neutral	9.900 MiB → 10.620
✅	iot_agent_rpm_amd64	neutral	11.377 MiB → 12.060
✅	iot_agent_suse_amd64	neutral	11.377 MiB → 12.060

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 7f1036f4-3afb-4e7c-b06b-fe4b40e885ac

Baseline: f2b5102
Comparison: 4cc7a70
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+1.39	[-1.60, +4.39]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_metrics_logs	memory utilization	+1.81	[+1.57, +2.05]	1	Logs bounds checks dashboard
➖	docker_containers_cpu	% cpu utilization	+1.39	[-1.60, +4.39]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	+1.26	[+1.14, +1.38]	1	Logs
➖	ddot_logs	memory utilization	+0.54	[+0.48, +0.61]	1	Logs
➖	quality_gate_idle	memory utilization	+0.50	[+0.45, +0.55]	1	Logs bounds checks dashboard
➖	otlp_ingest_logs	memory utilization	+0.50	[+0.38, +0.61]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.20	[+0.04, +0.36]	1	Logs
➖	ddot_metrics	memory utilization	+0.16	[-0.01, +0.33]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.12	[-0.02, +0.27]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.03	[-0.36, +0.41]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.02	[-0.16, +0.20]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.02	[-0.40, +0.43]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.10, +0.11]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.00	[-0.18, +0.17]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.03	[-0.54, +0.49]	1	Logs
➖	quality_gate_logs	% cpu utilization	-0.07	[-1.69, +1.54]	1	Logs bounds checks dashboard
➖	file_to_blackhole_100ms_latency	egress throughput	-0.08	[-0.16, -0.00]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.14	[-0.20, -0.08]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.15	[-0.19, -0.11]	1	Logs bounds checks dashboard
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	-0.16	[-0.39, +0.06]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.22	[-0.37, -0.07]	1	Logs
➖	docker_containers_memory	memory utilization	-0.26	[-0.34, -0.19]	1	Logs
➖	file_tree	memory utilization	-0.81	[-0.87, -0.76]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	719 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	270.14MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	724 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.23GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.21GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	173.95MiB ≤ 175MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	490.32MiB ≤ 550MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	203.58MiB ≤ 220MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	363.96 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	421.62MiB ≤ 475MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.