2.0 -//Pentabarf//Schedule//EN PUBLISH 142@@cfp.all-systems-go.io -142 Pre-Registration Event en en 20171020T163000 20171020T193000 3.00000

Pre-Registration Event

Meet-up at the Kinvolk Office! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/142/ Kinvolk Office PUBLISH 141@@cfp.all-systems-go.io -141 Opening en en 20171021T073000 20171021T074500 0.01500

Opening

Check In and Say Hello! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/141/ Event Loft PUBLISH 115@@cfp.all-systems-go.io -115 Really crazy container troubleshooting stories en en 20171021T074500 20171021T082500 0.04000

Really crazy container troubleshooting stories

In this talk, the presenter will share a few container troubleshooting stories that were encountered in the life of an infrastructure operator. The use cases are deliberately chosen to be a bit advanced and focused around exploring the inner workings of core libraries and kernel, to remind everyone that even the lowest level of modern systems need some love. The talk will follow a hands-on agenda, interactively iterating over all the key points of the troubleshooting process, focusing on the different tools used and providing immediate value to the listener, who should be able to apply the various workflows to other scenarios. Example use cases presented: - Troubleshooting resource isolation between containers - Tracing the root cause of a crashing containerized application - Monitoring memory and performance issues in containers PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/115/ Event Loft Gianluca Borello PUBLISH 118@@cfp.all-systems-go.io -118 Rust memory management en en 20171021T083000 20171021T085500 0.02500

Rust memory management

Rust is a systems programming language that focuses on safety and performance at the same time. Most people new to Rust, often struggle with memory management. The goal of this talk is to give a very quick overview of Rust's memory management. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/118/ Event Loft Zeeshan Ali Khan PUBLISH 104@@cfp.all-systems-go.io -104 Incremental Adoption of Open Services with Habitat en en 20171021T090000 20171021T091500 0.01500

Incremental Adoption of Open Services with Habitat

The modern computing world revolves around delivering applications as services. Until recently, massively scalable services were the specialized domain of tech giants, and attempts by small teams to reproduce the tooling available to Fortune 100 players often led to frustration and wasted time. Habitat is part of a new family of tools aimed at making application runtimes and service orchestration layers safe, repeatable and fully open. At smartB, Blake has brought Habitat to his org to reduce operational complexity, guarantee application runtime behavior and provide dependency isolation and transparency for applications and their corollary security profiles. smartB is his 5th startup in 10 years and his first foray into sustainability engineering. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/104/ Event Loft Blake Irvin PUBLISH 144@@cfp.all-systems-go.io -144 Break en en 20171021T091500 20171021T093000 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/144/ Event Loft PUBLISH 93@@cfp.all-systems-go.io -93 Azure networking integration challenges en en 20171021T093000 20171021T101500 0.04500

Azure networking integration challenges

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/93/ Event Loft Stephen Hemminger PUBLISH 146@@cfp.all-systems-go.io -146 Lunch en en 20171021T101500 20171021T114500 1.03000

Lunch

Yummy food available from food trucks in the courtyard PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/146/ Event Loft PUBLISH 126@@cfp.all-systems-go.io -126 systemd @ Facebook — a year later en en 20171021T114500 20171021T122500 0.04000

systemd @ Facebook — a year later

This talk is a followup to <a href="https://www.youtube.com/watch?v=LhYd0S3qiMY">Deploying systemd at scale</a> that was presented at systemd.conf 2016, and covers the aftermath of the migration of our fleet to CentOS 7. Now that systemd is available everywhere, we found more and more services that started adopting it for their deployment, leveraging its features and occasionally exposing interesting behaviors. At the same time, we've been able to hone our process for integrating and rolling out new versions of systemd on the fleet, and started building tooling to manage and monitor it at scale. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/126/ Event Loft Davide Cavalca PUBLISH 123@@cfp.all-systems-go.io -123 State of the rkt container runtime en en 20171021T123000 20171021T125500 0.02500

State of the rkt container runtime

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/123/ Event Loft Iago López Galeiras PUBLISH 114@@cfp.all-systems-go.io -114 Portals, dynamic permissions in Flatpak en en 20171021T130000 20171021T134000 0.04000

Portals, dynamic permissions in Flatpak

Flatpak is a distribution independent bundling and deployment system for Linux, focusing on desktop applications. One core aspect of flatpak is application sandboxing, which has very different requirements on the desktop than in the traditional container space. Applications need to be isolated from the system, yet in order to be easy and intuitive to use they must integrate with the desktop environment in complex ways. Flatpak solves this by using a concept called Portals. This talk will discuss how Flatpak sandboxing/security works and the how Portals fit in this system. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/114/ Event Loft Alexander Larsson PUBLISH 100@@cfp.all-systems-go.io -100 Containers: What Did We Learn? en en 20171021T134500 20171021T140000 0.01500

Containers: What Did We Learn?

Containers have brought a lot of new patterns and behaviors into focus. For example, atomic deploys have become part of everyday conversation; fully captured dependencies and snapshots are now the norm; and the very concept of "releasing" software is beginning to morph. But many of these concepts -- at least, as implemented in popular container systems today -- seem to be somewhere between poorly integrated or outright in conflict with our present understanding of "package managers" and "config management". What do containers need to learn from the decades of package management before today? And what hints do the package managers we all know and love need to take from the explosion of containers? Containers are an exciting opportunity to revisit many of our oldest assumptions about how to design systems: let's take this opportunity to think carefully and ask tough questions. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/100/ Event Loft Eric Myhre PUBLISH 148@@cfp.all-systems-go.io -148 Break en en 20171021T140000 20171021T141500 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/148/ Event Loft PUBLISH 159@@cfp.all-systems-go.io -159 Fix, forget, or forge a new path? en en 20171021T141500 20171021T145500 0.04000

Fix, forget, or forge a new path?

On the systems side AAA services haven't kept up with the pace of application development, our hardware is aging, and there are components of infrastructure that have fallen by the wayside. Modern switches still support (non-TLS) RADIUS and TACACS+, other networking gear still only supports SNMP v1, and then we've got logging... In this talk we take stock of the landscape and discuss which pieces should be fixed, which desperately need to be abandoned, and which we have been thinking about all wrong. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/159/ Event Loft Brian 'redbeard' Harrington PUBLISH 124@@cfp.all-systems-go.io -124 Streamlining systemd's code and safety en en 20171021T150000 20171021T152500 0.02500

Streamlining systemd's code and safety

<p>Today, the systemd project uses a non-standard superset of C to get destructor-like functionality. But, we pay a heavy price for doing it this way: we lose compiler portability, use hundreds of boilerplate macros, and confuse static analysis tools (which don't always realize why we're not leaking memory). At compilation, the cleanup functionality gets mapped to the same facilities that handle C++ destructors. So, essentially, we're already using a non-standard version of C++ as well as a non-standard version of C. We can end this charade by following in GCC's footsteps and <a href="https://lwn.net/Articles/542457/">explicitly using a subset of C++</a>. By doing so, we can shed thousands of lines of C-trying-to-be-C++. We can also improve memory safety and code readability -- <a href="https://medium.com/@davidtstrauss/choosing-some-c-over-c-f5acb3dce4f5">all while keeping the feel of C</a>.</p> <p>In this presentation, we'll consider options for systems'd codebase:</p> <ul> <li>Converting instances of "cleanup" to destructors. This should allow us to discard a couple thousand lines of boilerplate and many "goto cleanup" situations.</li> <li>Converting raw pointers to equivalents with enforced semantics. For internal APIs, this should clarify handoff of memory ownership. For event loops, this should allow typed user data.</li> <li>While I'm no advocate of object-orientation, our concept of a "unit" cleanly maps to an abstract superclass. IDEs and code analysis tools will benefit from moving away from homegrown inheritance.</li> <li>We often return error codes as ints, and it would be good to explicitly use a real type instead. This will make refactoring easier if we change a function between returning an int vs. error vs. boolean.</li> <li>The journal would benefit from a higher-level storage library like RocksDB (which offers a slim version for resource-constrained environments). Libraries like RocksDB are possible to use from C but have a richer (and easier-to-use) C++ API.</li> </ul> PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/124/ Event Loft David Strauss PUBLISH 92@@cfp.all-systems-go.io -92 A gentle introduction to [e]BPF en en 20171021T153000 20171021T155500 0.02500

A gentle introduction to [e]BPF

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/92/ Event Loft Michael Schubert PUBLISH 101@@cfp.all-systems-go.io -101 Containers without a Container Manager, with systemd en en 20171021T160000 20171021T163000 0.03000

Containers without a Container Manager, with systemd

systemd service management today supports a number of the features that container management is known for, but for classic system services. Let's see which ones, and how to make use of them. We'll talk about sandboxing, resource bundling, service management and resource management, and more. We'll discuss what container managers can do, that systemd service management can't and vice versa. Last but not least we'll have a look at systemd-nspawn, systemd's very own container manager and what it adds on top of systemd's native service management. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/101/ Event Loft Lennart Poettering PUBLISH 105@@cfp.all-systems-go.io -105 Introducing Bluetooth Mesh en en 20171021T074500 20171021T082500 0.04000

Introducing Bluetooth Mesh

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/105/ Galerie Marcel Holtmann PUBLISH 139@@cfp.all-systems-go.io -139 High-performance Linux monitoring with eBPF en en 20171021T083000 20171021T085500 0.02500

High-performance Linux monitoring with eBPF

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/139/ Galerie Alfonso Acosta PUBLISH 113@@cfp.all-systems-go.io -113 Network troubleshooting in heterogeneous cloud environment with Skydive en en 20171021T090000 20171021T091500 0.01500

Network troubleshooting in heterogeneous cloud environment with Skydive

With the growing number of network cloud services it becomes essential to be able to monitor, troubleshoot and analyze different virtualization or container technologies. Being able to monitor complex heterogeneous federated cloud environments is key. Skydive is a real-time and post-mortem topology and packet analyzer. To do so, it listens for networking kernel events, monitors network namespaces, watches external components such as OVSDB and Docker. Skydive can make use of AF_PACKET or eBPF programs to capture traffic. Thanks to its classifier Skydive is able to map the network traffic with the topology. We will show through a demo how Skydive can help operators to visualize, understand and troubleshoot packet forwarding from point to point. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/113/ Galerie Sylvain Afchain PUBLISH 145@@cfp.all-systems-go.io -145 Break en en 20171021T091500 20171021T093000 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/145/ Galerie PUBLISH 103@@cfp.all-systems-go.io -103 Getting Started with Habitat en en 20171021T093000 20171021T101500 0.04500

Getting Started with Habitat

Habitat is the best way for software developers to build, deploy, and manage modern applications - regardless of their expertise. Habitat provides a self-healing, self-configuring, stack-agnostic, frictionless abstraction for running applications—regardless of their complexity on whatever infrastructure you prefer, from physical hardware and virtual machines to containers and everything in between. This session will show you how to build and run your own application. You will learn how scaffolding helps you quickly and easily package your application. Explore the build system used for generating Habitat artifacts. Run an application using the Habitat supervisor. This is the talk for anyone who's just learning about Habitat or those that are interested in seeing some of the newer features of the framework. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/103/ Galerie Jamie Winsor PUBLISH 147@@cfp.all-systems-go.io -147 Lunch en en 20171021T101500 20171021T114500 1.03000

Lunch

Yummy food available from food trucks in the courtyard PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/147/ Galerie PUBLISH 129@@cfp.all-systems-go.io -129 The IoT botnet wars, Linux devices, and the absence of basic security hardening en en 20171021T114500 20171021T122500 0.04000

The IoT botnet wars, Linux devices, and the absence of basic security hardening

This talk will cover the ongoing battle being waged is leveraging insecure Linux-based Internet of Things (IoT) devices. BrickerBot is an example of a recent malware strain attacking connected devices and causing them to “brick,” making an electronic device completely useless in a permanent denial-of-service (PDoS) attack. Additionally, the Mirai botnet consisted of connected printers, IP cameras, residential gateways, and baby monitors that flooded DNS servers. Mirai was behind the largest DDoS attack of its kind ever in October 2016, with an estimated throughput of 1.2 terabits per second. It leveraged these enslaved devices to bring down large portions of the internet, including services such as Netflix, GitHub, HBO, Amazon, Reddit, Twitter, and DIRECTV. BrickerBot’s goal appears to counter Mirai’s: Bricking insecure Linux devices so that malware such as Mirai can’t subjugate these devices in another DDoS attack. We will take an in-depth look at the anatomy of the attack. We will then dive into basic some security hardening principles which would have helped protect against many of these attacks. Some of the fundamental security concepts we will cover include: Closing unused open network ports Intrusion detection systems Enforcing password complexity and policies Removing unnecessary services Frequent software updates to fix bugs and patch security vulnerabilities PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/129/ Galerie Drew Moseley PUBLISH 99@@cfp.all-systems-go.io -99 Cockpit: A Linux sysadmin session in your Browser en en 20171021T123000 20171021T125500 0.02500

Cockpit: A Linux sysadmin session in your Browser

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/99/ Galerie Stef Walter PUBLISH 117@@cfp.all-systems-go.io -117 Reproducible Builds - where do we want to go tomorrow? en en 20171021T130000 20171021T134000 0.04000

Reproducible Builds - where do we want to go tomorrow?

We've made lots of progress, but we are still far from our goals of changing the (software) world This talk will report on the state of reproducible builds in various distributions (Debian, Archlinux, coreboot, F-Droid, Fedora, FreeBSD, Guix, NetBSD, OpenWrt, SuSE, and Qubes OS - to name a few) and thus should be interesting and insightful for anyone working on any free software project. Holger will explain how he started working on this in the Debian context and how his focus shifted slightly over the time. So he will start with explaining the status of Reproducible Debian, but this is quickly followed by an overview of common problems and solutions, followed by a quick explaination of the shared test infrastructure for reproducible tests of any project. You will learn how the community was broadened, what future plans we have to address what might be needed beyond being able to reproducible build something, so this becomes truly meaningful for users in practice. In this talk you will also learn about the challanges we're facing to deliver on the promise. Being able to reproducibly build in theory is not enough, one needs to be able to do so in practice. And enabling this on a distro scale is much harder than we thought… PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/117/ Galerie Holger Levsen PUBLISH 95@@cfp.all-systems-go.io -95 Building containers all day en en 20171021T134500 20171021T140000 0.01500

Building containers all day

PUBLIC CONFIRMED lighning_talk https://cfp.all-systems-go.io/ASG2017/talk/95/ Galerie Cornelius Schumacher PUBLISH 149@@cfp.all-systems-go.io -149 Break en en 20171021T140000 20171021T141500 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/149/ Galerie PUBLISH 135@@cfp.all-systems-go.io -135 Using systemd for containers @ Facebook en en 20171021T141500 20171021T145500 0.04000

Using systemd for containers @ Facebook

Co-presented by Zoltan Puskas and Zeal Jagannatha PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/135/ Galerie Zeal Jagannatha Zoltan Puskas PUBLISH 110@@cfp.all-systems-go.io -110 Landlock LSM: Towards unprivileged sandboxing en en 20171021T150000 20171021T152500 0.02500

Landlock LSM: Towards unprivileged sandboxing

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/110/ Galerie Michael Schubert PUBLISH 122@@cfp.all-systems-go.io -122 Software updates for connected Linux devices: key requirements en en 20171021T153000 20171021T155500 0.02500

Software updates for connected Linux devices: key requirements

In order to address these requirements, design trade-offs need to be made. In this presentation, we will cover the most common update strategies, such as using A/B dual rootfs, maintenance-mode updates, package managers, tarballs, and see the trade-offs of each approach. Remote Software Updates for Connected Devices: Key Considerations A key requirement for connected devices is the ability to deploy remote software updates to them so that bugs, vulnerabilities and new features can be addressed while devices live in the field for up to 10 years. As part of the Mender.io project, we have interviewed more than 100 embedded developers to understand best practices and the current state of enabling software updates for connected devices today. The key requirements found during this study can be split into the following areas: Robust - the cost of bricking devices is high Ease - teams generally do not have much time to invest in an updater mechanism Performant - bandwidth is the key limiting resource for connected devices, but other system resources should also be conserved during the update process. Downtime during the update process should be kept to a minimum. Secure - the update process must not enable attackers to deploy malicious software to the devices Extensible - connected devices vary greatly and the updater must be generic and extensible to support the majority of them In order to address these requirements, design tradeoffs need to be made. In this presentation, we will cover the most common update strategies, such as using A/B dual rootfs, maintenance-mode updates, package managers, tarballs, and see the tradeoffs of each approach. We will also consider other important design aspects of an updater, such as validating deployment compatibility, integrity, authenticity, sanity-checking after the update, handling update failures, identifying extension points, device portability, persistent user-data, and reducing bandwidth consumption and downtime. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/122/ Galerie Drew Moseley PUBLISH 119@@cfp.all-systems-go.io -119 Securing Home Automation with Tor en en 20171021T160000 20171021T163000 0.03000

Securing Home Automation with Tor

Be Safe. Be Secure Automation is, unsurprisingly, one of the two main characteristics of home automation. Automation refers to the ability to program and schedule events for the devices on the network. The programming may include time-related commands, such as having your lights turn on or off at specific times each day. It can also include non-scheduled events, such as turning on all the lights in your home when your security system alarm is triggered. Home automation systems are advancement to the mechanization processes wherein human efforts are needed with the machinery equipments to operate various loads in homes.The popularity of home automation has been expanding incredibly because of much higher reasonableness and straightforwardness through Smartphones and wireless networks. <cite>"Internet of Things"</cite> is interlinked through these networks; because of the popularity of the home automation is improved by the quality of service provided by the devices. Different home automation systems are developed for automatically on and off the appliances with different applications. Once you start to understand the possibilities of home automation scheduling, you can come up with any number of useful and creative solutions to make your life better. In present days most of the automation systems utilize the combination of hardwired and wireless systems for controlling the appliances. Security is extremely important for achieving this goal. As this worldwide network of interconnected objects can be exploited anywhere by anyone and anytime, it is necessary to enhance it with strong security foundations able to give birth to a world-changing paradigm. Tor is a cumulative routing system that has helped many towards “Safe and Secure Browsing”. Tor can be used to secure our Home Automation, and in unlocking its workings, we will avoid being locked out of our smart home physically. PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/119/ Galerie Kalyan Dikshit PUBLISH 143@@cfp.all-systems-go.io -143 Social Event en en 20171021T170000 20171021T215500 4.05500

Social Event

Meet people and be merry! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/143/ Galerie PUBLISH 137@@cfp.all-systems-go.io -137 What If Component xxx Dies? Introducing Self-Healing Kubernetes en en 20171022T073000 20171022T075500 0.02500

What If Component xxx Dies? Introducing Self-Healing Kubernetes

This talk introduces self-hosted Kubernetes (K8s inside itself) to autonomously recover from failure scenarios with the help of e.g. itself, systemd and checkpointing. We will ask and answer questions like “What happens when xxx dies”. The theory will be followed by a demo on a live cluster showcasing what happens when we kill central Kubernetes components, like the API-Server. Let’s see how well Kubernetes recovers. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/137/ Event Loft Max Leonard Inden PUBLISH 108@@cfp.all-systems-go.io -108 kubernetes for toasters? en en 20171022T080000 20171022T084000 0.04000

kubernetes for toasters?

potential solutions to achieving containerization on constrained devices. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/108/ Event Loft Arvid E. Picciani PUBLISH 134@@cfp.all-systems-go.io -134 Using BPF in Kubernetes en en 20171022T084500 20171022T091500 0.03000

Using BPF in Kubernetes

Linux superpowers in the cloud BPF and Kubernetes are both Open Source technologies on Linux but their respective communities initially had little overlaps. I want to bring more visibility of what BPF can offer to Kubernetes users and developers. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/134/ Event Loft Alban Crequy PUBLISH 150@@cfp.all-systems-go.io -150 Break en en 20171022T091500 20171022T093000 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/150/ Event Loft PUBLISH 121@@cfp.all-systems-go.io -121 Simulate hardware for integration testing en en 20171022T093000 20171022T095500 0.02500

Simulate hardware for integration testing

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/121/ Event Loft Martin Pitt PUBLISH 130@@cfp.all-systems-go.io -130 Cyborg Teams en en 20171022T100000 20171022T104500 0.04500

Cyborg Teams

Happy humans, tired machines PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/130/ Event Loft Stef Walter PUBLISH 152@@cfp.all-systems-go.io -152 Lunch en en 20171022T104500 20171022T121500 1.03000

Lunch

Yummy food available from food trucks in the courtyard PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/152/ Event Loft PUBLISH 111@@cfp.all-systems-go.io -111 Meson and the changing Linux build landscape en en 20171022T121500 20171022T125500 0.04000

Meson and the changing Linux build landscape

The build system may seem like a simple and unimportant part of software development but it turns out to have implications that are both wide and deep. For example when Debian changed their package builds of systemd to use Meson, the build time on mips machines dropped from almost two hours to less than one. These sorts of changes enable workflows and process changes that simply were not possible or feasible with old tools. In addition to single projects, this transition has wider implications for distros and other aggregate works. We shall look into some of these changes ranging from full distro rebuilds to the core dependencies and tooling needed to build a modern Linux distro and how that might change in the future. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/111/ Event Loft Jussi Pakkanen PUBLISH 160@@cfp.all-systems-go.io -160 Insecure containers? en en 20171022T130000 20171022T134000 0.04000

Insecure containers?

Open Source Software underpins the internet and many enterprises, but has repeatedly proven itself vulnerable to accident and tampering. As we fight to continuously secure millions of servers from attack, have we found a crucial panacea in containers? This talk examines the anatomy of major vulnerabilities, demonstrates their applicability to containerised applications, and explores container native security tooling throughout the pipeline. It covers recent major CVEs, container security models and extensions (cgroups, namespaces, rlimits, capabilities, Seccomp, AppArmor), their implementation in Docker and Kubernetes (flags, configuration best practices, entitlements), container breakout and hardening live demos, and container native security tooling (static/dynamic analysis, secret leakage prevention, IDS). PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/160/ Event Loft Andrew Martin PUBLISH 158@@cfp.all-systems-go.io -158 Creating your own 1password clone en en 20171022T134500 20171022T141500 0.03000

Creating your own 1password clone

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/158/ Event Loft Carlos Martín Nieto PUBLISH 154@@cfp.all-systems-go.io -154 Break en en 20171022T141500 20171022T143000 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/154/ Event Loft PUBLISH 140@@cfp.all-systems-go.io -140 Building a secure boot chain to userland en en 20171022T143000 20171022T151000 0.04000

Building a secure boot chain to userland

Full system security requires the ability to determine that the entire system is in a trustworthy state. Secure Boot as currently implemented in Linux gets us partway there, but not all the way. Going further involves tying into additional security functionality, much of which already exists but is poorly integrated. This presentation will cover what needs to be done, the components required to do it and the integration work that distributions will need to do to make it viable. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/140/ Event Loft Matthew Garrett PUBLISH 133@@cfp.all-systems-go.io -133 Updating Embedded Systems -- Putting it all Together en en 20171022T151500 20171022T154000 0.02500

Updating Embedded Systems -- Putting it all Together

With the security issues in recent year, the fact that updates are necessary is no longer in question. Still, for embedded systems updates remain a challenge. With no administrator to handle unexpected problems, a failed update can render the device unusable, which is not acceptable. Performing updates reliably is only possible when updating is considered in the design of the entire system, from the bootloader to the application. This presentation gives an overview of the building blocks and decisions made to create such a design. The configuration and boot choices in the bootloader, watchdog handling, monitoring at boot- and runtime and, of course, the actual update process itself. The result is showcased using various open source components such as barebox, systemd, rauc and casync. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/133/ Event Loft Michael Olbrich PUBLISH 156@@cfp.all-systems-go.io -156 Closing en en 20171022T154500 20171022T161500 0.03000

Closing

Till the next time! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/156/ Event Loft PUBLISH 109@@cfp.all-systems-go.io -109 kube-spawn: testing multi-node Kubernetes clusters on Linux systems en en 20171022T073000 20171022T075500 0.02500

kube-spawn: testing multi-node Kubernetes clusters on Linux systems

kube-spawn aims to become the easiest means of testing and fiddling with Kubernetes on Linux. It provides an environment that Kubernetes will eventually be running on, a full Linux OS. On the host side, end users are able to run native Kubernetes command-line tools to get every nodes and pods to work. For each container, kube-spawn bootstaps each instance based on CoreOS Container Linux, with the help of systemd-nspawn. In this talk I will introduce kube-spawn briefly from the perspective of end users. After that, I'm going to cover several integration issues, which have been discovered during implementation. It will range from administration tools like kubeadm to low-level issues such as btrfs-based storage pools. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/109/ Galerie Dongsu Park PUBLISH 96@@cfp.all-systems-go.io -96 cgroupv2: Linux's new unified control group hierarchy en en 20171022T080000 20171022T084000 0.04000

cgroupv2: Linux's new unified control group hierarchy

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/96/ Galerie Chris Down PUBLISH 131@@cfp.all-systems-go.io -131 Unbreaking reloads: strategies for fast and non-blocking reconfiguration en en 20171022T084500 20171022T091500 0.03000

Unbreaking reloads: strategies for fast and non-blocking reconfiguration

<p>When configuration changes, daemon-reload stops the world in an increasingly unsustainable way. The problem is getting worse for two reasons: (1) heavier use of systemd means more units and longer reload times and (2) expanded use of socket activation/D-Bus activation/automount means more things urgently need PID 1's attention. There are ways to fix this up, but we'll need to move away from stopping the world (the main event loop), throwing out most loaded state, reloading state, and then resuming event handling.</p> <p>We'll explore these options:</p> <ul> <li>Incremental state reloading, possibly when dependencies and other cascading configuration remains the same</li> <li>Amortized state reloading with an atomic switch on completion</li> <li>Offloading configuration loading to a separate thread or process, followed by an atomic switch-over on completion.</li> </ul> <p>We'll need to be careful to maintain the memory footprint on resource-constrained devices, but we have options:</p> <ul> <li>Choosing to still stop the world when a system is resource-constrained</li> <li>Storing unit data in a tree that supports snapshots and copy-on-write, which would constrain the maximum footprint during reload to barely more than it is today</li> </ul> PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/131/ Galerie David Strauss PUBLISH 151@@cfp.all-systems-go.io -151 Break en en 20171022T091500 20171022T093000 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/151/ Galerie PUBLISH 112@@cfp.all-systems-go.io -112 Modern deployment for Embedded Linux and IoT en en 20171022T093000 20171022T095500 0.02500

Modern deployment for Embedded Linux and IoT

In a world of connected devices, IoT and embedded systems, building robust products needs a modern deployment workflow where security and constant updates are as important as the product itself. The abilities of these systems to protect themselves, isolate applications inside sandboxes or containers, and support constant updates will enhance the product's security, its longevity and all the offered services around it. In this regard, Linux containers are one of the mechanisms that may allow to solve some of the Embedded and IoT systems problems, however their adoption is still facing some challenges such how can these mechanisms fit in the final embedded environment ? In order to improve container integration in the Embedded Linux world, we will explore in this presentation some upcoming systemd and Linux kernel features, notably a new Security Permission model for systemd, a new lightweight container environment that allows to deploy and sandbox portable applications, some new kernel hardening features that can be used by both containers and the kernel itself to protect the entire system. Additionally we will discuss how to apply constant updates, how we can integrate this with systemd, and how to update the entire system. Some of this or all of it is already or will be available by default in Yocto project. To conclude we will demonstrate some results on how to block real life vulnerabilities in such Embedded Linux systems. This presentation will contain: some kernel hardening measures, lightweight containers, new sandbox model and system updates. Also the integration with Yocto will be discussed so we can create better secure embedded Linux systems. Anyone who is interested in shipping portable secure applications for Embedded Linux systems, improving Embedded Linux and IoT security, kernel hardening and Linux kernel Self Protection projects bits for embedded systems is welcome. The Embedded and IoT industry is facing major security challenges, therefore there is a huge need for improvements. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/112/ Galerie Djalal Harouni PUBLISH 125@@cfp.all-systems-go.io -125 Synchronizing images with casync en en 20171022T100000 20171022T104500 0.04500

Synchronizing images with casync

casync is a novel tool for delivering OS images across the Internet. While there are many tools like this around, casync has some features that set it apart. In this talk we'll discuss why it is useful for delivering your IoT, container, application or OS images, and how you can make use of it. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/125/ Galerie Lennart Poettering PUBLISH 153@@cfp.all-systems-go.io -153 Lunch en en 20171022T104500 20171022T121500 1.03000

Lunch

Yummy food available from food trucks in the courtyard PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/153/ Galerie PUBLISH 138@@cfp.all-systems-go.io -138 Which network to use when - Socket Intents en en 20171022T121500 20171022T125500 0.04000

Which network to use when - Socket Intents

Hacking the Socket API for fun and research The Socket Intents framework is a research prototype developed at the INET group at TU Berlin, running in user space on Linux and Mac OS. It is written in C and released under a BSD license. Using the Socket Intents library, an application can set up a connection specifying its "Intents", e.g., whether the connection is going to be a small query or a large bulk transfer, whether it is intended to be a long-lived steady stream of data or a series of interactive bursts, and whether it is time-critical or background traffic. The client library then queries a daemon, the Multi Access Manager (MAM), to make a decision about which of the available network interfaces to bind this connection to, based on the Intents and on current performance estimates if available. Socket Intents aims to overcome the assumption that only one network interface would be available at a time, or that there is always the same statically configured "default" interface to use. By itself, the Socket API does not provide a good way to choose between different interfaces without placing the burden on the application. Instead of having each applications implement an interface selection logic by itself, Socket Intents provides one daemon, the Multi Access Manager, to gather as much information about the currently available network interfaces and their performance as possible. As it knows about the performance of the connected networks and about the needs of the application, based on its Intents, the Multi Access Manager can make decisions about which network interface to ues for what connection. It can also make decisions for individual objects, e.g., components of a web page, and schedule them among multiple persistens TCP connections that were established over multiple interfaces. Also, it is compatible with Multi-Path TCP (MPTCP) and can choose to schedule an object or connection over not a single interface, but multiple bundles interfaces. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/138/ Galerie Theresa Enghardt PUBLISH 136@@cfp.all-systems-go.io -136 Virtualization: what changed in the last decade en en 20171022T130000 20171022T134000 0.04000

Virtualization: what changed in the last decade

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/136/ Galerie Hugo Tavares Reis PUBLISH 132@@cfp.all-systems-go.io -132 Update on new WiFi daemon for Linux en en 20171022T134500 20171022T141500 0.03000

Update on new WiFi daemon for Linux

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/132/ Galerie Marcel Holtmann PUBLISH 155@@cfp.all-systems-go.io -155 Break en en 20171022T141500 20171022T143000 0.01500

Break

Have a tea, coffee and/or Club Mate! PUBLIC CONFIRMED default https://cfp.all-systems-go.io/ASG2017/talk/155/ Galerie PUBLISH 157@@cfp.all-systems-go.io -157 What's in a container? The OCI Answer en en 20171022T143000 20171022T144000 0.01000

What's in a container? The OCI Answer

PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/157/ Galerie Jon Boulle PUBLISH 128@@cfp.all-systems-go.io -128 Tango with systemd en en 20171022T144500 20171022T151000 0.02500

Tango with systemd

Building a product from scratch is a challenge, even more so with a small team. Every line of code that you don't have to maintain; every hour you win by using an already existing piece of code that solve your problem, is more hours you can spend creating new features for your product. Using systemd in an embedded device is not a choice done by many, but it can be really beneficial to your product, your team and yourself. We'll first start discussing how to reduce systemd to debunk the fact that it's huge. Then we will see the benefits of using systemd and how it can help you build your system without worrying. PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/128/ Galerie Maxime Hadjinlian PUBLISH 107@@cfp.all-systems-go.io -107 Journal as a Storage and Other Adventures in User Session Recording en en 20171022T151500 20171022T154000 0.02500

Journal as a Storage and Other Adventures in User Session Recording

Red Hat's customers in financial, medical, government and other areas have been asking for a session recording feature for a while, and so the User Session Recording project was started. Nikolai Kondrashov is going to introduce our project briefly and then show how we use Systemd Journal to store and playback recordings of terminal sessions for our Cockpit UI. He is going to talk about limitations of, and possible improvements for this solution, and then about other challenges the project faces: dealing with different terminal types, character encodings, implementing recording playback, etc. And, of course, there is going to be a demo! PUBLIC CONFIRMED presentation https://cfp.all-systems-go.io/ASG2017/talk/107/ Galerie Nikolai Kondrashov