Bluetooth technology has been extended with a brand new mesh feature. This presentation gives an introduction to Bluetooth Mesh and its impacts on the ecosystem. It shows the new and exciting use cases that a mesh enabled Bluetooth low energy enables. The presentation will also put a focus on Linux and Zephyr operating systems and its integration with Bluetooth Mesh.
Extended Berkeley Packet Filter (eBPF) allows for high-performance introspection of the Linux kernel execution. eBPF is widely available (part of the mainline kernel and enabled by most distributions), flexible (any kernel code path can be probed) and safe (driven from userspace and statically verified). In this talk, I will introduce eBPF, explaining how it can be used to track TCP connections in real time. On the way I will demonstrate it is possible to access eBPF from languages other than C (Golang) and remove undesirable runtime dependencies (LLVM compiler and kernel-headers). At Weaveworks we are using eBPF for the connection-tracker of the Weave Scope visualization tool.
A quick introduction to the unique memory management concepts of Rust.
Open services mark a paradigm shift similar to the disruption caused by open-source software in the 90s, but the path to effective adoption of open services tooling is sometimes unclear. Blake will share patterns and learnings from his experience integrating one such tool, Habitat, at smartB GmbH.
With the growing number of network cloud services it becomes essential to be able to monitor, troubleshoot and analyze different virtualization or container technologies. Being able to monitor complex heterogeneous federated cloud environments is key.
Skydive is a real-time and post-mortem topology and packet analyzer. To do so, it listens for networking kernel events, monitors network namespaces, watches external components such as OVSDB and Docker. Skydive can make use of AF_PACKET or eBPF programs to capture traffic. Thanks to its classifier Skydive is able to map the network traffic with the topology.
The introduction on Accelerated Networking on Azure created challenges integrating support in Linux distributions. The original method using bonding had issues that were solved by introducing a new mode called "Transparent VF". This mode solves issues with udev, cloudinit and distribution specific network initialization. This talk will also cover the process of how Linux support for Azure is integrated with upstreamand distributions.
Habitat is the best way for software developers to build, deploy, and manage modern applications - regardless of their expertise. Habitat provides a self-healing, self-configuring, stack-agnostic, frictionless abstraction for running applications—regardless of their complexity on whatever infrastructure you prefer, from physical hardware and virtual machines to containers and everything in between. This session will show you how to build and run your own application. You will learn how scaffolding helps you quickly and easily package your application. Explore the build system used for generating Habitat artifacts. Run an application using the Habitat supervisor. This is the talk for anyone who's just learning about Habitat or those that are interested in seeing some of the newer features of the framework.
We will discuss the various malware infecting Linux IoT devices including Mirai, Hajime, and BrickerBot and the vulnerabilities they leverage to enslave or brick connected devices. We will walk the audience through specific vectors they used to exploit devices and cover some basics in security hardening that would have largely protected from many of the widespread malware.
Some of the fundamental security concepts we will cover include:
Closing unused open network ports
Intrusion detection systems
Enforcing password complexity and policies
Removing unnecessary services
Frequent software updates to fix bugs and patch security vulnerabilities
We will also delve into the arguments and counter-arguments of vigilante hacking with Hajime and BrickerBot as examples and the potential long-term consequences in this new age of connected devices.
We'll be talking about what we learned throughout the past year running systemd in production at Facebook: new challenges that have come up, how the integration process went and the areas of improvement we discovered. We'll also discuss our efforts building a monitoring solution for system services based on systemd.
Cockpit is an open source project that has built the new system admin UI for Linux. It turns Linux server into something discoverable and usable. Its goal is to remove the steep learning curve for Linux deployments.
Cockpit lets you immediately dive into things like storage, network configuration, system log diagnosis, container troubleshooting and Kubernetes orchestration. All while being zero-footprint: It goes away when not in use. Cockpit interacts well with other management configuration tools, it reacts instantly to system changes made elsewhere.
We'll look at how Cockpit is an actual linux user session that you drive through your browser, running with user privileges, and accesses to the native system APIs and tools.
You'll be able to build new pieces of sysadmin UI as fast as you write a shell script. In fact we'll do it on stage in a few minutes.
rkt is a modern container runtime, built for security, efficiency, and composability. It is one of the container runtimes supported by Kubernetes but the current implementation (“rktnetes”) doesn’t support the Container Runtime Interface (CRI). The work-in-progress CRI implementation is called rktlet.
This presentation will give an update on the rkt project, what new features were implemented recently and what’s coming up. It will also give an update on the state of the rktlet: what features are missing and what workarounds should be removed before it becomes a complete implementation of the CRI.
Desktop application sandboxing is quite different than traditional
container isolation, learn how flatpak does it, using the concept of
A status report on Reproducible builds, which enable everyone to verify that a given binary is made from the source it is claimed to be made from, by enabling anyone to create bit by bit identical binaries.
Containers have become a popular way of packaging and running applications, especially for server applications using microservice architectures. As containers can be started in no time, building new container images replacing old ones has become the predominant way of applying updates. Having continuous delivery pipelines for building these images becomes a key problem. This talk will show how the Open Build Service provides a way to automate container builds including tracking updates and automatic rebuilds of dependent containers. This makes it easy to create secure and up to date containers all day.
Containers: love 'em or hate 'em -- whether you think they're the hottest new thing or yesteryear's same ideas in new clothing -- the both rapid and sustained rate of adoption of recent container technologies says one thing clearly: We Were Missing Something. But what, exactly? And have we found "it"? Or are we just beginning to uncover something new about the way we all, in our deepest hearts, wish computers would be? In this talk, we'll survey where containers came from, and question where they’re going: a discussion that crosses package management, releasing, deployment, immutability, reproducibility, and questions how meanings of all these things are now changing.
As Infrastructure operators we're exposed to a lot of plumbing and not a lot of porcelain. Worse, because our concerns are often esoteric (in the eyes of application developers) we have to fix our own pipes too. Often this leads to the "homeowners dilemma"... Making the call of when to patch things up, when to rip out the pipes, and when to abandon gas lamps for electricity.
We outline a number of aging pipes, proposed (and implemented) solutions, and ideas for dragging our systems into the future.
To achieve faster and easier containerization at Facebook we have started utilizing Chef, Btrfs and Systemd to improve our container system. These tools helped us to design a robust base for our cluster management will allow us to concentrate more higher level functionality. Our version of image and task handling tries address some issues common both to Facebook and the industry.
Landlock is a proposal for a new Linux Security Module (LSM) to create secure sandboxes with the goal “to empower any process, including unprivileged ones, to securely restrict themselves.” This presentation will give an overview on what Landlock is, discuss the current status of the patchset and demonstrate how Landlock works, as well as its differences compared to other Linux security modules.
Today, the systemd project uses a non-standard superset of C to get destructor-like functionality. But, we pay a heavy price for doing it this way: we lose compiler portability, use hundreds of boilerplate macros, and confuse static analysis tools (which don't always realize why we're not leaking memory). At compilation, the cleanup functionality gets mapped to the same facilities that handle C++ destructors. So, essentially, we're already using a non-standard version of C++ as well as a non-standard version of C. We can end this charade by following in GCC's footsteps and explicitly using a subset of C++. By doing so, we can shed thousands of lines of C-trying-to-be-C++. We can also improve memory safety and code readability -- all while keeping the feel of C.
BPF is a Linux in-kernel virtual machine that is used for networking, tracing, seccomp and more. This talk will give an introduction to the extended BPF subsystem in Linux, an overview on how it works, show available tools to work with and explain possibilities as well as limits.
A key requirement for connected Linux devices is the ability to deploy remote software updates to them so that bugs, vulnerabilities and new features can be addressed while devices live in the field for up to 10 years.
As part of the Mender.io project, we have interviewed more than 100 embedded developers to understand best practices and the current state of enabling software updates for connected devices today. The key requirements found during this study can be split into the following areas we cover:
systemd service management today supports a number of the features that container management is known for, but for classic system services. Let's see which ones, and how to make use of them.
Today the technological worlds centralize principle is to automate each conceivable thing for simplicity in life, providing security,
saving electricity and time.
Home automation is “The Internet of Things"…The way that all of our devices and appliances will be networked together to provide us with a seamless control over all aspects of our home and more.
Also a step toward what is referred to as the "Internet of Things," in which everything has an assigned IP address, and can be monitored and accessed remotely.
The idea of automating each appliance in the home is done from many years ago, it started with connecting two electric wires to the battery and close the circuit by connecting load as a light.
Kubernetes promises healing your application on all kinds of failure scenarios, but why not self-heal Kubernetes itself?
kube-spawn is a tool to easily start a local, multi-node Kubernetes cluster on a Linux machine. While it was originally meant to be used mainly by developers of Kubernetes, it has been turned into a tool that is great for just trying Kubernetes out. In this talk, I will give a general introduction to kube-spawn and cover integration issues.
cgroupv1 (or just "cgroups") has helped revolutionise the way that we manage and use containers over the past 8 years. A complete overhaul is coming -- cgroupv2. This talk will go into why a new control group system was needed, the changes from cgroupv1, and practical uses that you can apply to improve the level of control you have over the processes on your servers.
We will go over:
- Design decisions and deviations for cgroupv2 compared to v1
- Pitfalls and caveats you may encounter when migrating to cgroupv2
- Discussion of the internals of cgroupv2
- Practical information about how we are using cgroupv2 inside Facebook
Potential solutions to achieving containerization on constrained devices.
- a content addressable elf linker (bolter)
- space efficient container imaging (korhal)
- oci compliant runtime (railcar)
When configuration changes, daemon-reload stops the world in an increasingly unsustainable way. The problem is getting worse for two reasons: (1) heavier use of systemd means more units and longer reload times and (2) expanded use of socket activation/D-Bus activation/automount means more things urgently need PID 1's attention. There are ways to fix this up, but we'll need to move away from stopping the world (the main event loop), throwing out most loaded state, reloading state, and then resuming event handling.
In this talk, I will present different use cases for using BPF in a Kubernetes cluster. BPF is a Linux in-kernel virtual machine and there are different kinds of BPF programs for different subsystems that will be considered: kprobes, traffic control, cgroups, LSM. I’ll follow with concrete examples, such as Weave Scope’s HTTP Statistics plugin. Finally, I’ll share tips and tricks on how to develop your own BPF programs in Kubernetes with the libraries bcc and gobpf, and show ways of easily test those with SemaphoreCI and rkt.
In a world of connected devices, IoT and embedded systems, building robust products needs a modern deployment workflow where security and constant updates are as important as the product itself. The abilities of these systems to protect themselves, isolate applications inside sandboxes or containers, and support constant updates will enhance the product's security, its longevity and all the offered services around it. In this regard, Linux containers are one of the mechanisms that may allow to solve some of the Embedded and IoT systems problems, however their adoption is still facing some challenges such how can these mechanisms fit in the final embedded environment ?
In order to improve container integration in the Embedded Linux world, we will explore in this presentation some upcoming systemd and Linux kernel features, notably a new Security Permission model for systemd, a new lightweight container environment that allows to deploy and sandbox portable applications, some new kernel hardening features that can be used by both containers and the kernel itself to protect the entire system. Additionally we will discuss how to apply constant updates, how we can integrate this with systemd, and how to update the entire system. Some of this or all of it is already or will be available by default in Yocto project. To conclude we will demonstrate some results on how to block real life vulnerabilities in such Embedded Linux systems.
How to get a slightly broken hard disk for testing file systems or udisks? A wifi access point which supports the old 802.11b standard for writing a test case for NetworkManager? Downloading a photo from a particular camera model which you don't own, but got a libgphoto bug report for? In this hands-on presentation and live demo of various Linux kernel and userspace tools I will show you how.
n the Cockpit project we’ve done something amazing: We’ve built “robot” contributors to an Open Source project. “Cockpituous”, our project’s #5 contributor, is actually our automated team members.
Bots do the mundane tasks that would otherwise use up the time of human contributors. During the talk you can see them self-organizing, finding issues, contributing code changes, making decisions, releasing the software into Linux distros and containers. They work in a completely distributed, organic way, and run in containers.
We’ll talk about how humans are pair-programming with bots, and moving at a pace that would be unthinkable otherwise.
Treating the bots as team members is fundamental to achieving this. I’m excited to show you how to pull that off.
casync is a novel tool for delivering OS images across the Internet. While there are many tools like this around, casync has some features that set it apart. In this talk we'll discuss why it is useful for delivering your IoT, container, application or OS images, and how you can make use of it.
The Meson build system has been picking up steam this year and many
fundamental projects have transitioned to it from their old build
systems. In this talk we shall look at the advantages and disadvantages these transitions have brought, what we can expect from the future of build systems and what effect this change may have on the larger Linux ecosystem.
Nowadays, most end devices have multiple network interfaces to connect to the Internet. They usually pick a statically configured default interface, such as WiFi, which they prefer over LTE when both are available, but this is not necessarily the choice that provides the best performance to the application. Socket Intents is a research prototype that addresses the problem of finding policies of which network interface to pick for what kind of traffic or application. It provides several networking APIs through which an application can specify its "Intents", i.e., what it knows or assumes about its own traffic. The prototype then decides which of the available network interfaces to use.
Containers are pretty cool, but in scenarios where they don't satisfy all the requirements, service providers still rely on virtualization. Hardware virtualization became mainstream 1 decade ago and it never stopped evolving. I even dare to say that virtualization is not boring anymore!
In this presentation I will talk about the most significant hardware changes in the virtualization world.
AgileBits, the company behind the 1password password manager, published a spec for their “opvault” format to show how confident they are in its design. This eliminates the need to reverse-engineer the encryption when trying to read from such a vault on a system where they
don’t provide their tool.
In this talk we’ll see an overview of the design of the format, such as the key derivation or the decision to split the meta-data from the details such as username and passwords.
At the same time, the talk will follow the implementation of a library to read this format in Rust, which started as a way to practice the language but now has grown a GUI to display these entries so I can use the vault on my desktop.
This presentation is about a new 802.11 wireless daemon for Linux. It is a lightweight daemon handling all aspects around WiFi support for Linux. It is designed with a tiny footprint for IoT use cases in mind. After its initial release last year, this provides the update on the progress and its integration into ConnMan and Network Manager.
Secure boot as it currently exists in desktop Linux distributions is sufficient to verify that the bootloader and kernel have not been tampered with, but generally does nothing to ensure that userland is secure. How can we fix that?
The container has become one of the most overloaded industry buzzwords of the last five years. From Jails to LXC to Zones to systemd-nspawn Docker to rkt - there's an assortment of different tools on different platforms that call themselves containers, and no clear consensus what it means when it comes to distributing containers or implementing the underlying technical details. The Open Container Initiative was formed in 2015 to try to remedy this situation by establishing a shared set of container standards for different implementers to agree on. With representatives from all major server operating system platforms, the Initiative has made great strides towards specifying a truly interoperable container. The two key OCI projects recently hit their canonical 1.0 version; this talk will explain what OCI is and what that milestone means for the container ecosystem.
Used by many major distributions, systemd is widely known in the desktop and
server world. But it is not so common to find it in embedded product.
In this talk, we will show how systemd can be a real benefit for the embedded
world; for both your sanity and your time.
We will discuss how systemd was integrated into Phantom, a speaker from
Devialet, and what was the pro and cons of using it.
See how Red Hat's Session Recording project is using Systemd Journal to store and playback recordings of terminal sessions. Wonder at the challenges the project faces, such as dealing with various terminal types, character encodings, random playback positioning, etc.
Updating embedded systems reliably requires more than just the actual
update process. This presentation gives an overview of the overall design
and components needed for successful system updates.