Skip to content

Instantly share code, notes, and snippets.

@MarioHewardt

MarioHewardt/enable_ebpf_on_wsl2

Last active August 18, 2025 11:48
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save MarioHewardt/5759641727aae880b29c8f715ba4d30f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save MarioHewardt/5759641727aae880b29c8f715ba4d30f to your computer and use it in GitHub Desktop.
Download ZIP
Enable EBPF on WSL2
Raw
enable_ebpf_on_wsl2
By default, EBPF programs will not run on WSL2 due to required kernel modules missing. The following example error is an
indication of this problem:
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.19.84-microso
ft-standard/modules.dep.bin'
modprobe: FATAL: Module kheaders not found in directory /lib/modules/4.19.84-microsoft-standard
chdir(/lib/modules/4.19.84-microsoft-standard/build): No such file or directory
To fix this you need to rebuild the WSL2 kernel with the missing kernel modules. The below instructions are for Ubuntu 18.04 WSL2.
1. git clone https://github.com/microsoft/WSL2-Linux-Kernel.git
2. cd WSL2-Linux-Kernel
3. sudo apt install flex bison build-essential libelf-dev libncurses-dev libssl-dev
4. cp Microsoft/config-wsl .config
5. Add the kernel flags specified in https://github.com/iovisor/bcc/blob/master/INSTALL.md#kernel-configuration to .config
6. export KERNELRELEASE=4.19.84-microsoft-standard
NOTE: Make sure the version corresponds to the version of WSL2. Run: uname -a
7. make KERNELRELEASE=$KERNELRELEASE -j 4
8. make KERNELRELEASE=$KERNELRELEASE modules -j 4
9. sudo make KERNELRELEASE=$KERNELRELEASE modules_install
10. (confirm you can see files under /lib/modules/$(uname -r))
11. sudo mount -t debugfs debugfs /sys/kernel/debug (for any apps that uses it since its not mounted by default)
@MarioHewardt
Copy link
Author

MarioHewardt commented May 25, 2022

This gist was written quite a while ago. If you are still having problems enabling eBPF on WSL2 I would recommend filing an issue in their repo. If I end up trying it again in the future I'll update this gist with any changes that may be needed.

@jerviscui
Copy link

jerviscui commented May 30, 2022

Can anyone give one hello-world demo to verify that bpf program can run on WSL2? In this way, we can troubleshoot that the issue is in bpf program aspect or wsl2 aspect?

Hi @baoqger,
I have a mistake:

FAILED: load BTF from vmlinux: Unknown error -2make: *** [Makefile:1179: vmlinux] Error 255

Has that ever happened to you?

@benjaminbuzek
Copy link

benjaminbuzek commented Aug 4, 2022

Thank you for the nice and well structured guide, worked without any issues for me. 😃

@cheneytianx
Copy link

cheneytianx commented Aug 16, 2022
edited
Loading

Hi, @MetaT1an @satanshiro,

Have you tried using the following command

export KERNELRELEASE=$(uname -r)

to replace the original one in https://gist.github.com/MarioHewardt/5759641727aae880b29c8f715ba4d30f#file-enable_ebpf_on_wsl2-L15

For me, I can see the new content in /lib/modules/$(uname -r) after rebuilding the kernel.

The kernel KERNELRELEASE should have -WSL2 as the suffix.

@aminmiri
Copy link

aminmiri commented Sep 10, 2023

@baoqger here is a hello-world i used, and it worked.


#!/usr/bin/python3
from bcc import BPF
from time import sleep

program = """
BPF_HASH(clones);

int hello_world(void *ctx) {
    u64 uid;
    u64 counter = 0;
    u64 *p;

    uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
    p = clones.lookup(&uid);
    if (p != 0){
        counter = *p;
    }

    counter++;
    clones.update(&uid, &counter);

    return 0;
}
"""

b = BPF(text=program)
clone = b.get_syscall_fnname("clone")
b.attach_kprobe(event=clone, fn_name="hello_world")
b.trace_print()

sleep(1000)

while True:
    sleep(2)
    s = ""
    if len(b["clones"].items()):
        for k,v in b["clones"].items():
            s += "ID {}: {}\t".format(k.value, v.value)
        print(s)
    else:
        print("No entries yet")

Here is a simpler one:

#!/usr/bin/python3  
from bcc import BPF

program = r"""
int hello(void *ctx) {
    bpf_trace_printk("Hello World!");
    return 0;
}
"""

b = BPF(text=program)
syscall = b.get_syscall_fnname("execve")
b.attach_kprobe(event=syscall, fn_name="hello")

b.trace_print()

then open a second terminal and run any linux command (ls, echo...etc) and you should see in the trace output Hello World

@Joly0
Copy link

Joly0 commented Oct 15, 2023
edited
Loading

Can anyone give one hello-world demo to verify that bpf program can run on WSL2? In this way, we can troubleshoot that the issue is in bpf program aspect or wsl2 aspect?

Hi @baoqger, I have a mistake:

FAILED: load BTF from vmlinux: Unknown error -2make: *** [Makefile:1179: vmlinux] Error 255

Has that ever happened to you?

Hey, have you ever found a solution to this? I am having the same issue

@gambitaw
Copy link

gambitaw commented Oct 16, 2023

Can anyone give one hello-world demo to verify that bpf program can run on WSL2? In this way, we can troubleshoot that the issue is in bpf program aspect or wsl2 aspect?

Hi @baoqger, I have a mistake:

FAILED: load BTF from vmlinux: Unknown error -2make: *** [Makefile:1179: vmlinux] Error 255

Has that ever happened to you?

Hey, habe you ever found a solution to this? I am having the same issue

Same :(

@NexViolentus
Copy link

NexViolentus commented Jan 14, 2024

I have been trying to unfuck this for several days. This is a tough son of a bitch to solve. I have followed several guides and still FAILED: load BTF from vmlinux: Unknown error -22make: *** [Makefile:1179: vmlinux] Error 255

@deadash
Copy link

deadash commented Jan 26, 2024

I successfully launched eBPF following the guide at https://learn.microsoft.com/en-us/community/content/wsl-user-msft-kernel-v6. However, I used Debian which required the installation of the following packages:

sudo apt install git python3 bc dwarves rsync

Additionally, to run the example Python code provided above, I had to install:

sudo apt install bpfcc-tools python3-bpfcc

Running it initially failed, but I managed to fix it by mounting debugfs with the command:

sudo mount -t debugfs debugfs /sys/kernel/debug

Finally, after opening a new Debian terminal, it printed the following:

b'           <...>-275     [004] d...1    91.948441: bpf_trace_printk: Hello World!'
b'            bash-276     [007] d...1    91.950385: bpf_trace_printk: Hello World!'
b'           <...>-277     [007] d...1    94.875099: bpf_trace_printk: Hello World!'

@Slach
Copy link

Slach commented Jan 26, 2024

@deadash thank you!

@NexViolentus
Copy link

NexViolentus commented Jan 26, 2024

It finally worked even after I tried several guides and got errors every time. I typed usbip and the menu appeared. I got my device to forward to the VM but I cant connect it to WSL1. I can only get WSL1 to work on the VM so im thinking about trying this with rasberrypi instead

@WCY-dt
Copy link

WCY-dt commented Mar 27, 2024

Hi, @MetaT1an @satanshiro,

Have you tried using the following command

export KERNELRELEASE=$(uname -r)

to replace the original one in https://gist.github.com/MarioHewardt/5759641727aae880b29c8f715ba4d30f#file-enable_ebpf_on_wsl2-L15

For me, I can see the new content in /lib/modules/$(uname -r) after rebuilding the kernel.

The kernel KERNELRELEASE should have -WSL2 as the suffix.

Thank you! It works!

@massoudasadi
Copy link

massoudasadi commented Jul 22, 2024

I wrote complete guide in my blog

https://massoudasadiblog.blogspot.com/2024/07/ebpf-on-wsl2-kernel-version-6x-ubuntu.html?m=1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment