How Tech - Systems Programming

Developing BPF Observability Tools with the Rust aya Ecosystem

May 16, 2026

PART I — The Article

Most articles about eBPF hand you a Python script wrapped around BCC or walk you through bpftool and C skeletons, declare victory, and move on. That approach works until you need to ship a production observability tool — at which point you’re managing kernel header dependencies, fighting clang version mismatches, and hand-writing C that interacts with generated skeleton code through a layer of void * casts. The aya ecosystem eliminates that entire category of problem by letting you write both the BPF kernel program and the userspace consumer in Rust, end to end, with no C in the middle.


01 — The Split You Need to Understand First

aya is not one crate. It’s two: aya-bpf targets the BPF virtual machine (bpfel-unknown-none triple, #![no_std]), and aya is the userspace library that loads, attaches, and polls BPF programs from async Rust. The kernel-side program compiles to BPF bytecode via LLVM; the userspace binary is a normal Rust executable. They share data through BPF maps — ring buffers, hash maps, arrays — which the kernel allocates and both sides access through separate APIs.
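
Because the two halves only meet at the map, the record layout is the contract between them. The following is an added example, not code from the article or from aya: it shows the userspace side decoding one ring-buffer record into a shared `#[repr(C)]` struct while validating its length first. `ExecEvent`, its fields, and the sample bytes are hypothetical and constructed for illustration; it uses only the standard library so it runs without a kernel.

```rust
// Added illustration: ExecEvent and its fields are hypothetical, not from the article.
use std::mem::size_of;

/// Layout both sides must agree on. Assumed to live in a shared `no_std`
/// crate built for both the BPF target and the host.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct ExecEvent {
    pub pid: u32,
    pub uid: u32,
    pub ts_ns: u64,
    pub comm: [u8; 16],
}

#[derive(Debug, PartialEq)]
pub struct WrongSize { pub got: usize, pub want: usize }

/// Decode one ring-buffer record without trusting its length or alignment.
pub fn decode(record: &[u8]) -> Result<ExecEvent, WrongSize> {
    let want = size_of::<ExecEvent>();
    if record.len() != want {
        return Err(WrongSize { got: record.len(), want });
    }
    // SAFETY: length checked above; every bit pattern is valid for these
    // integer and byte fields; read_unaligned accepts any buffer alignment.
    Ok(unsafe { std::ptr::read_unaligned(record.as_ptr() as *const ExecEvent) })
}

/// Command name up to the first NUL, with invalid UTF-8 replaced.
pub fn comm_str(ev: &ExecEvent) -> String {
    let end = ev.comm.iter().position(|&b| b == 0).unwrap_or(ev.comm.len());
    String::from_utf8_lossy(&ev.comm[..end]).into_owned()
}

/// Constructed sample record in native byte order, as the kernel side would write it.
pub fn sample_record() -> Vec<u8> {
    let mut buf = Vec::new();
    buf.extend_from_slice(&4242u32.to_ne_bytes()); // pid
    buf.extend_from_slice(&1000u32.to_ne_bytes()); // uid
    buf.extend_from_slice(&1_700_000_000u64.to_ne_bytes()); // ts_ns
    buf.extend_from_slice(b"curl\0\0\0\0\0\0\0\0\0\0\0\0"); // comm, NUL-padded to 16
    buf
}

fn main() {
    let ev = decode(&sample_record()).expect("sample record decodes");
    println!("pid={} uid={} comm={}", ev.pid, ev.uid, comm_str(&ev));
}
```

Rejecting records whose size does not match the struct catches a kernel-side and userspace build that have drifted apart before any field is misread.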

© 2026 Sumedh S