eBPF and WASM - Better Together
Table of contents
Start tutorial
Tutorial on Linux, Observability<br>Discussion Discord<br>eBPF
This tutorial was carefully crafted by an independent author and proudly hosted by iximiuz Labs.
Tutorial on Linux, Observability Last updated: Jun 13, 2026
eBPF and WASM - Better Together
by Teodor Janez Podobnik
Learn how Inspektor Gadget pairs eBPF with WASM to process kernel events—and walk through the same idea yourself by implementing a minimal example.
In February 2025, Inspektor Gadget moved from built-in gadgets to OCI-image-based gadgets.<br>From the outside, the model looks almost too simple: ship an eBPF program that captures kernel events and (optionally) add a Wasm module to process that data.<br>But that's quite surprising, since if you've ever built an eBPF application before, you know there is a lot more than just the kernel program—and it is not obvious at all where Wasm even fits into the stack.
While Inspektor Gadget has many other features, the key question is fairly straightforward - how can one only focus on writing the eBPF kernel program and the data processing logic using Wasm and the rest just works?<br>In this lab, we'll build that split from scratch.<br>The eBPF Boilerplate Problem<br>In general, every eBPF application has the same structure:<br>Kernel-space program — hooks into the kernel, captures events, and either acts on them directly or sends them to user space through an eBPF map.<br>User-space program — loads the compiled kernel program, attaches it, reads events from the eBPF map, and runs your application logic.
💡 If you've followed From Zero to Your First eBPF Program, that split should feel familiar: hello.c in the kernel, main.go in user space.
This setup is pretty flexible, but it repeats the same work in almost every project:<br>Compiling the eBPF program and generating language bindings<br>Loading the kernel program and attaching it to the right kernel hook<br>Creating (and pinning) eBPF maps<br>Defining event structs shared between kernel and user space<br>Shutting everything down cleanly on exit<br>Most of that code has nothing to do with what you want to observe —only with how you get that data out of the kernel .<br>And even worse, each project tends to structure this logic differently.<br>So the gem of every project—like "capture and log binaries executed by root"—lives inside the project's setup and cannot be reused elsewhere without rewriting the surrounding boilerplate code.<br>With this in mind, projects like Inspektor Gadget have shifted toward shipping eBPF programs as OCI artifacts —portable bundles you can pull, version, and run like container images—so developers can focus on application logic and avoid the boilerplate that usually comes with eBPF development today.<br>Never used Inspektor Gadget before?Let's run one of their gadgets, using:<br>sudo ig run trace_exec:latest --host<br>Copy to clipboard<br>💡 --host in this case shows "executed binaries" events from all processes, not just containers. We need it here because this playground has no container runtime and the gadget would fail without it.
Now, open a second terminal tab, trigger a few execve calls (e.g. ls, cat /etc/os-release), and watch the output.<br>And if you peek inside that OCI-image-based gadget—it's just an eBPF program and a Wasm module (written in Go) bundled together:<br>sudo ig image inspect trace_exec:latest \<br>--extra-info oci.manifest --jsonpath '.layers[*].mediaType'<br>Copy to clipboard<br>"application/vnd.gadget.ebpf.program.v1+binary",<br>"application/vnd.gadget.wasm.program.v1+binary"<br>Copy to clipboard
But how is that even possible?
Materials by an Independent Author<br>Extra content pack required to access this material
Content Pack<br>eBPF and WASM - Better Together<br>by Teodor Janez Podobnik
View Pack
✕ How to Author Tutorials on iximiuz Labs<br>Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.<br>Install labctl CLI<br>curl -sf https://labs.iximiuz.com/cli/install.sh | sh
This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.
Authorize labctl<br>labctl auth login
This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.
Pull tutorial content<br>labctl content pull tutorial ebpf-wasm-plugin-46a23db3
This will create a local copy of the tutorial content in a directory named ebpf-wasm-plugin-46a23db3. You only need to do this once per tutorial.
Stream your changes<br>labctl content push -fw tutorial ebpf-wasm-plugin-46a23db3
Run this command in a separate terminal to continuously upload your changes to the server while editing the tutorial in your favorite text editor or IDE.
You can also use labctl to create, list, and delete your content. Learn...