
What are the main differences between eBPF and LTTng?


I read LTTng uses instrumentation: “Linux Trace Toolkit Next Generation (LTTng) is a tracer able to extract information from the Linux kernel, user space libraries and from programs. It is based on instrumentation of the executables”

https://lttng.org/files/papers/desnoyers-codebreakers.pdf

Does this mean you have to rebuild the kernel or is this also about instrumentation when working with kprobes?


Solution

  • I am more familiar with eBPF than I am with LTTng. Based on skimming the LTTng docs, I can see the following differences:

    • LTTng requires the loading of a kernel module, whereas eBPF is a native part of the Linux kernel. The kernel gives a number of guarantees with regard to eBPF programs, mostly to protect the user from panicking their kernel or getting it stuck in infinite loops, etc. You don't have that protection with kernel modules.
    • LTTng seems to me specifically targeted towards tracing. eBPF on the other hand has a much broader scope which includes tracing, networking, security, infrared drivers, and potentially even CPU scheduling.