Complete help output for every command and subcommand.
bpfman
Usage: bpfman <command> [flags]
BPF program manager with integrated CSI driver.
Flags:
-h, --help Show help (-h for compact, --help for full).
Global Flags:
--runtime-dir="/run/bpfman" Root directory for runtime files.
--image-cache-dir="/var/cache/bpfman"
Root directory for OCI image cache.
--config="/etc/bpfman/bpfman.toml"
Config file path.
--log=STRING Log spec (e.g., 'info,manager=debug')
($BPFMAN_LOG).
--lock-timeout=30s Timeout for acquiring the global writer lock (0
for indefinite).
--verbose Print each action before it executes.
BPF Resources:
program load file Load from a local object file.
program load image Load from an OCI container image.
program unload Unload a managed BPF program.
program get Get details of a program by program ID.
program list List managed programs.
program delete Delete a program with cascading cleanup.
program explain Explain program fields and columns.
link attach xdp Attach an XDP program to a network interface.
link attach tc Attach a TC program to a network interface.
link attach tcx Attach a TCX program to a network interface.
link attach tracepoint Attach a program to a tracepoint.
link attach kprobe Attach a program to a kernel probe.
link attach uprobe Attach a program to a user-space probe.
link attach fentry Attach a program to a function entry tracing point.
link attach fexit Attach a program to a function exit tracing point.
link detach Detach a link.
link get Get details of a link by link ID.
link list List managed links.
link delete Delete a link with cascading cleanup.
link explain Explain link fields and columns.
Infrastructure:
image verify Verify an OCI image signature.
serve Start the gRPC daemon.
Diagnostics:
gc Garbage collect stale resources.
doctor checkup Run coherency checks (default).
doctor explain Explain a coherency rule.
Run "bpfman <command> --help" for more information on a command.
Usage: bpfman program <command> [flags]
Manage BPF programs.
Flags:
-h, --help Show help (-h for compact, --help for full).
BPF Resources:
program load file Load from a local object file.
program load image Load from an OCI container image.
program unload Unload a managed BPF program.
program get Get details of a program by program ID.
program list List managed programs.
program delete Delete a program with cascading cleanup.
program explain Explain program fields and columns.
Usage: bpfman program load <command>
Load a BPF program from an object file or image.
Flags:
-h, --help Show help (-h for compact, --help for full).
BPF Resources:
program load file Load from a local object file.
program load image Load from an OCI container image.
Usage: bpfman program load file --path=STRING [flags]
Load from a local object file.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-m, --metadata=METADATA,... KEY=VALUE metadata to attach (can be
repeated).
-g, --global=GLOBAL,... NAME=HEX global data (can be repeated).
-p, --path=STRING Path to the BPF object file (.o).
--programs=PROGRAMS,... TYPE:NAME or TYPE:NAME:ATTACH_FUNC program
to load (can be repeated). For fentry/fexit,
ATTACH_FUNC is required. If not specified,
all programs in the object file are loaded.
-a, --application=STRING Application name to group programs (stored as
bpfman.io/application metadata).
--map-owner-id=PROGRAM-ID Program ID of another program to share maps
with.
Usage: bpfman program load image --image-url=STRING [flags]
Load from an OCI container image.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-m, --metadata=METADATA,... KEY=VALUE metadata to attach (can be
repeated).
-g, --global=GLOBAL,... NAME=HEX global data (can be repeated).
-i, --image-url=STRING OCI image reference (e.g.,
quay.io/bpfman-bytecode/xdp_pass:latest).
--programs=PROGRAMS,... TYPE:NAME or TYPE:NAME:ATTACH_FUNC program
to load (can be repeated). For fentry/fexit,
ATTACH_FUNC is required. If not specified,
all programs in the image are loaded.
-p, --pull-policy=IfNotPresent
Image pull policy (Always, IfNotPresent,
Never).
--registry-auth=STRING Base64-encoded registry auth
(username:password). Prefer
BPFMAN_REGISTRY_AUTH env var to avoid
exposing credentials in process listings
($BPFMAN_REGISTRY_AUTH).
-a, --application=STRING Application name to group programs (stored as
bpfman.io/application metadata).
--map-owner-id=PROGRAM-ID Program ID of another program to share maps
with.
Usage: bpfman program unload <program-id> ... [flags]
Unload a managed BPF program.
Arguments:
<program-id> ... Program IDs to unload (supports hex with 0x prefix).
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree, jsonpath=EXPR,
custom-columns=SPEC, custom-columns-file=FILE.
Usage: bpfman program get <program-id> [flags]
Get details of a program by program ID.
Arguments:
<program-id> Program ID (supports hex with 0x prefix).
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree, jsonpath=EXPR,
custom-columns=SPEC, custom-columns-file=FILE.
Usage: bpfman program list [flags]
List managed programs.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-q, --quiet Output only program IDs, one per line.
--attached Show only programs with active links.
--unattached Show only programs without active links.
--type=TYPE,... Filter by program type (case-insensitive, e.g.,
--type=xdp,kprobe).
-l, --selector=STRING Label selector (e.g., app=myapp,version!=v1).
Usage: bpfman program delete <program-id> ... [flags]
Delete a program with cascading cleanup.
Arguments:
<program-id> ... Program IDs to delete.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree, jsonpath=EXPR,
custom-columns=SPEC, custom-columns-file=FILE.
-r, --recursive Also delete programs that share maps with the target
(map_owner_id dependents).
Usage: bpfman program explain [flags]
Explain program fields and columns.
Flags:
-h, --help Show help (-h for compact, --help for full).
--columns Show available columns for custom-columns output.
Usage: bpfman link <command> [flags]
Manage BPF links.
Flags:
-h, --help Show help (-h for compact, --help for full).
BPF Resources:
link attach xdp Attach an XDP program to a network interface.
link attach tc Attach a TC program to a network interface.
link attach tcx Attach a TCX program to a network interface.
link attach tracepoint Attach a program to a tracepoint.
link attach kprobe Attach a program to a kernel probe.
link attach uprobe Attach a program to a user-space probe.
link attach fentry Attach a program to a function entry tracing point.
link attach fexit Attach a program to a function exit tracing point.
link detach Detach a link.
link get Get details of a link by link ID.
link list List managed links.
link delete Delete a link with cascading cleanup.
link explain Explain link fields and columns.
Usage: bpfman link attach <command>
Attach a loaded program to a hook.
Flags:
-h, --help Show help (-h for compact, --help for full).
BPF Resources:
link attach xdp Attach an XDP program to a network interface.
link attach tc Attach a TC program to a network interface.
link attach tcx Attach a TCX program to a network interface.
link attach tracepoint Attach a program to a tracepoint.
link attach kprobe Attach a program to a kernel probe.
link attach uprobe Attach a program to a user-space probe.
link attach fentry Attach a program to a function entry tracing point.
link attach fexit Attach a program to a function exit tracing point.
Usage: bpfman link attach xdp --iface=STRING <program-id> [flags]
Attach an XDP program to a network interface.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-i, --iface=STRING Network interface.
-n, --netns=STRING Network namespace path.
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link attach tc --iface=STRING --direction=STRING --priority=INT <program-id> [flags]
Attach a TC program to a network interface.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-i, --iface=STRING Network interface.
-d, --direction=STRING Direction (ingress or egress).
-p, --priority=INT Priority in chain (1-1000, lower runs first).
--proceed-on=ok,pipe,dispatcher_return,...
TC actions to proceed on (comma-separated or
repeated). Values: unspec, ok, reclassify,
shot, pipe, stolen, queued, repeat, redirect,
trap, dispatcher_return.
-n, --netns=STRING Network namespace path.
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link attach tcx --iface=STRING --direction=STRING --priority=INT <program-id> [flags]
Attach a TCX program to a network interface.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-i, --iface=STRING Network interface.
-d, --direction=STRING Direction (ingress or egress).
-p, --priority=INT Priority in chain (1-1000, lower runs first).
-n, --netns=STRING Network namespace path.
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link attach tracepoint --tracepoint=STRING <program-id> [flags]
Attach a program to a tracepoint.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-t, --tracepoint=STRING Tracepoint (group/name format, e.g.,
sched/sched_switch).
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link attach kprobe --fn-name=STRING <program-id> [flags]
Attach a program to a kernel probe.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-f, --fn-name=STRING Kernel function name to attach to.
--offset=0 Offset within the function.
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link attach uprobe --target=STRING <program-id> [flags]
Attach a program to a user-space probe.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
--target=STRING Path to target binary or library.
-f, --fn-name=STRING Function name to attach to.
--offset=0 Offset within the function.
--container-pid=INT-32 Container PID for namespace-aware uprobe
attachment.
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link attach fentry <program-id> [flags]
Attach a program to a function entry tracing point.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link attach fexit <program-id> [flags]
Attach a program to a function exit tracing point.
Arguments:
<program-id> Program ID to attach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-m, --metadata=METADATA,... KEY=VALUE metadata (can be repeated).
Usage: bpfman link detach <link-id> ... [flags]
Detach a link.
Arguments:
<link-id> ... Link IDs to detach.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree, jsonpath=EXPR,
custom-columns=SPEC, custom-columns-file=FILE.
Usage: bpfman link get <link-id> [flags]
Get details of a link by link ID.
Arguments:
<link-id> Link ID.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree, jsonpath=EXPR,
custom-columns=SPEC, custom-columns-file=FILE.
Usage: bpfman link list [flags]
List managed links.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree,
jsonpath=EXPR, custom-columns=SPEC,
custom-columns-file=FILE.
-q, --quiet Output only link IDs, one per line.
--program-id=PROGRAM-ID Filter by program ID (supports hex with 0x
prefix).
--kind=KIND,... Filter by link kind (e.g., --kind=xdp,kprobe).
Usage: bpfman link delete <link-id> ... [flags]
Delete a link with cascading cleanup.
Arguments:
<link-id> ... Link IDs to delete.
Flags:
-h, --help Show help (-h for compact, --help for full).
-o, --output=table Output format: table, wide, json, tree, jsonpath=EXPR,
custom-columns=SPEC, custom-columns-file=FILE.
-r, --recursive Also delete programs that share maps with orphaned
programs (map_owner_id dependents).
Usage: bpfman link explain [flags]
Explain link fields and columns.
Flags:
-h, --help Show help (-h for compact, --help for full).
--columns Show available columns for custom-columns output.
Usage: bpfman image <command> [flags]
Image operations (verify signatures).
Flags:
-h, --help Show help (-h for compact, --help for full).
Infrastructure:
image verify Verify an OCI image signature.
Usage: bpfman image verify <image> [flags]
Verify an OCI image signature.
Arguments:
<image> OCI image reference (e.g.,
quay.io/bpfman-bytecode/xdp_pass:latest).
Flags:
-h, --help Show help (-h for compact, --help for full).
--allow-unsigned Allow unsigned images (overrides config file).
Usage: bpfman serve [flags]
Start the gRPC daemon.
Flags:
-h, --help Show help (-h for compact, --help for full).
--tcp-address="[::]:50051"
TCP address for gRPC server.
--csi-support Enable CSI driver support.
--pprof-address="localhost:0"
Address for pprof HTTP server. Port 0 selects
an ephemeral port. Empty string disables
($BPFMAN_PPROF_ADDRESS).
--socket-path="/run/bpfman-sock/bpfman.sock"
Unix socket path for gRPC server ($BPFMAN_SOCKET_PATH).
Usage: bpfman gc [<rules> ...] [flags]
Garbage collect stale resources.
In Kubernetes/OpenShift, the daemon container sets BPFMAN_MODE=bpfman-rpc which
restricts the CLI to serve-only mode. Unset it to run gc:

  oc exec $(oc get pod -n bpfman -l name=bpfman-daemon -o name) -n bpfman -c bpfman -- env -u BPFMAN_MODE /bpfman gc

Run specific GC rules:

  oc exec $(oc get pod -n bpfman -l name=bpfman-daemon -o name) -n bpfman -c bpfman -- env -u BPFMAN_MODE /bpfman gc orphan-program-artefacts

Available GC rules: stale-dispatcher, orphan-program-artefacts,
orphan-dispatcher-artefacts
Use 'bpfman doctor explain <rule>' for rule details.
Arguments:
[<rules> ...] GC rule(s) to run. Omit to run all rules.
Flags:
-h, --help Show help (-h for compact, --help for full).
--dry-run Show what would be cleaned up without executing.
--prune Also remove live orphans (programs pinned in bpffs but not
tracked in DB).
Usage: bpfman doctor <command> [flags]
Check coherency of database, kernel, and filesystem state.
In Kubernetes/OpenShift, the daemon container sets BPFMAN_MODE=bpfman-rpc which
restricts the CLI to serve-only mode. Unset it to run doctor:

  oc exec $(oc get pod -n bpfman -l name=bpfman-daemon -o name) -n bpfman -c bpfman -- env -u BPFMAN_MODE /bpfman doctor

For a specific node (replace $NODE with the node name):

  oc exec $(oc get pod -n bpfman -l name=bpfman-daemon --field-selector spec.nodeName=$NODE -o name) -n bpfman -c bpfman -- env -u BPFMAN_MODE /bpfman doctor

Use 'bpfman doctor explain' to list all coherency rules.
Flags:
-h, --help Show help (-h for compact, --help for full).
Diagnostics:
doctor checkup Run coherency checks (default).
doctor explain Explain a coherency rule.
Usage: bpfman doctor checkup
Run coherency checks (default).
Flags:
-h, --help Show help (-h for compact, --help for full).
Usage: bpfman doctor explain [<rule>]
Explain a coherency rule.
Arguments:
[<rule>] Rule name to explain. Omit to list all rules.
Flags:
-h, --help Show help (-h for compact, --help for full).