To see our schedule with full functionality, like timezone conversion and personal scheduling, please enable JavaScript and go here.
07:30
07:30
15min
Opening
default
Loft
07:45
07:45
45min
LinuxBoot and booting fast
Paul Menzel

In contrast to most firmware, like UEFI based or the BIOS, Linux is free software, has drivers for everything and is well known to the administrator. So why not use it in the firmware too? Some work has to be done though to fit it into the flash ROM chip and make it fast.

Booting
Kuppel
07:45
30min
Little Services, Big Risks
David Strauss

As we isolate functionality into services distributed across networks, we increasingly strain the concept of trust boundaries. Hosts are no longer simply trusted or untrusted, and each host comes with a new foothold for attackers. This risk is called the Confused Deputy Problem, and it’s part of a growing number of attacks, including the one on Equifax. We need to stop assuming trusted services -- especially huge ones like those in traditional web stacks -- remain trustworthy. Capability-based models offer hope, but we need a few more patterns to use them with modern microservices.

View Slide Deck

Service and Resource Management
Loft
08:15
08:15
30min
Fedora CoreOS
Ben Breard

What exactly is Red Hat up with CoreOS .....and what were they thinking when they announced a Fedora CoreOS? In this talk, we'll briefly look at some of the excellent work pioneered by the Container Linux team around the self-driving, container focused operating system. We'll also overlay how the container ecosystem has changed over the past 5 years and what we're doing at the OS-level to refocus and ultimately give users a better experience.

Cloud & Container
Loft
08:45
08:45
30min
A debugger from scratch
Liz Rice

At some stage in your programming life you may well have used a debugger, but did you wonder how it was able to step into and control your executable? In this talk we'll see how debuggers work by building one from scratch in a few lines of Go.

Monitoring & Tracing
Loft
08:45
30min
HTTP tunneling in Go using HTTP/2 streams
Iago López Galeiras

This talk describes our experience developing Wormhole Connector, a distributed proxy component that connects external enterprise systems to a Kyma Kubernetes cluster. The connection between the Wormhole Connector and the Kubernetes cluster is based on HTTP/2, taking advantage of the stream concept to multiplex multiple connections (HTTP/1 or HTTP/2) through one active HTTP/2 connection.

It will cover how we use the Serf and Raft libraries to make the Wormhole Connector highly available, our experience using the Go standard library to support HTTP/2 connections, and technical details describing how everything works under the hood.

Networking
Kuppel
09:30
09:30
45min
Resource Control @FB
Tejun Heo, Johannes Weiner

After years of development and experimentation, we finally have comprehensive OS-level work-conserving resource isolation working and are now in the process of deploying for various applications including workload protection and container stacking. This talk examines the project and the resulting resource control methods.

Service and Resource Management
Loft
09:30
30min
nettools
Tom Gundersen, David Herrmann

nettools is a yet-to-be-released project providing low-level libraries for network configuration. Within the scope of the project falls protocols like DHCP, NDP, IPv4 Address Conflict Detection, and IPv4LL. The first library scheduled to be released is IPv4ACD, a pre-release version of which is already used by NetworkManager. This talk gives an overview of the design principles of the project, the current status and the future plans.

Networking
Kuppel
10:00
10:00
30min
Being compliant with Open Container Initiative Spec
Dongsu Park

Open Container Initiative (OCI) started in 2015 to make different implementations of container runtimes and images compliant with well-defined specifications. Together with other folks at Kinvolk, I have been involved in various OCI projects since months, and encountered various issues that occur in runtime specs and runtime-tools for verification. Since we live in a real world, not everything works well as expected. I’m going to talk about practical issues, and possible ways to get it improved.

Cloud & Container
Kuppel
10:15
10:15
30min
Monitoring File System Syscalls in a Distributed Architecture
Daniel Feinberg

In a distributed world, monitoring system calls with kauditd can present challenges. In this talk we will address some of those challenges and give a use case of how we build an event pipeline for monitoring file system events.

Monitoring & Tracing
Loft
10:30
10:30
30min
From Physical to Cloud to Container
Klaus Kämpf

Uyuni, an opinionated fork of the Spacewalk project, provides open source lifecycle management for today's datacenter.
With the help of Salt for configuration management it keeps your workloads up to date and secure.

Foundations
Kuppel
10:45
10:45
15min
Monitoring Linux Capabilities in the Container using BPF
William Smith

Modern container engines such as systemd.nspawn and rkt provide a means of restricting privilege by limiting Linux capabilities. At Facebook, however, the heterogeneity of services and complexity of libraries running inside the container, along with our full init system model, make determining the set of capabilities that a task uses non-trivial. In this talk, we will discuss how we tackled this problem in a performant manner by building Capmond, a host-level daemon that leverages BPF to monitor capability usage by a process, and map it reliably to the associated container. Learn about the challenges we faced in making this work on our unique infrastructure, how this compares to known solutions such as auditd, and how we are leveraging Capmond to build sandboxes around capability usage, ssh sessions, system calls, and more. Capmond is in the process of being open sourced, so we'll also talk about how you can use it in your organization to help monitor your production systemd (nspawn) containers.

Monitoring & Tracing
Loft
11:00
11:00
15min
Playing with casync @ instagram
Alvaro Leiva Geisse

In Instagram, we have been experimenting with casync as an alternative package format for deployment of the site. This talks describe our findings

Foundations
Kuppel
12:15
12:15
30min
Fluent Bit: Solving Logging Challenges for Cloud Native Environments
Eduardo Silva

Logging could be considered simple when dealing with a few applications, but in environments with distributed systems where log data comes from multiple sources and likely in different formats it becomes complex and data analysis harder.

In this session I will dig into the challenges of logging for distributed systems and the experience of building a tool called Fluent Bit to solve the problems associated with performance, unstructured data and log centralization within others.

Cloud & Container
Loft
12:15
30min
Path-agnostic binaries, co-installable libraries, and How To Have Nice Things
Eric Myhre

Portability is a shining goal for all software -- an objective since the beginning of computing through the present. And yet, it also remains illusive. We once sought to develop software "portable" between whole OSes and kernels; today, we've lost control of our build and distribution pipelines so completely that portability of a binary between two barely-different distributions of linux is considered radical and nearly impossible. Even "portability" of a binary when moving between two directories on the same host is often a trial by fire. In this talk, we will define and discuss two specific kinds of portability -- what it means to build path-agnostic libraries and what it means to support co-installable libraries -- then explore what this kind of freedom could do for us, and most importantly, practical ways to achieve these goals within existing systems.

Foundations
Kuppel
12:45
12:45
30min
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf
Networking
Loft
12:45
30min
To Run an App With Guarantees We Must First Create The Universe
Blake Irvin

We’ll look at patterns and anti-patterns for self-contained, immutable runtime environment for applications using Habitat, with a focus on special cases, integrated testing and advanced hacks.

Cloud & Container
Kuppel
13:15
13:15
30min
oomd
Daniel Xu

Running out of memory on a host is a particularly nasty scenario. In the Linux kernel, if memory is being overcommitted, it results in the kernel out-of-memory (OOM) killer kicking in. In this talk, Daniel Xu will cover why the Linux kernel OOM killer is surprisingly ineffective and how oomd, a newly opensourced userspace OOM killer, does a more effective and reliable job. Not only does the switch from kernel space to userspace result a more flexible solution, but it also directly translates to better resource utilization. His talk will also do a deep dive into the Linux kernel changes and improvements necessary for oomd to operate.

Service and Resource Management
Loft
13:15
30min
systemd in 2018
Lennart Poettering
Service and Resource Management
Kuppel
13:45
13:45
30min
Container Run-times and Fun-times
Lindsay Salisbury

A dive into the world of running systemd as an in container process manager at Facebook.

Cloud & Container
Loft
13:45
30min
dbus-broker
Tom Gundersen, David Herrmann

dbus-broker is an implementation of the DBus specification, intended to be a drop-in replacement for the reference implementation on Linux. It is now scheduled to be the default system and user bus in the next Fedora release. This talks shows some of the lessons learned during this relatively young project, the challenges faced, what the current status is and the plans for the future.

Desktop
Kuppel
14:30
14:30
45min
Portable Services are Ready to Use
Lennart Poettering

Portable Services bring certain aspects of containers to classic system service management. Let's discuss them in technical detail!

Service and Resource Management
Loft
14:30
30min
Titus: Adventures in Multi-tenant Scheduling
Sargun Dhillon

Titus is a multitenant scheduler that runs a variety of workloads that vary from online workloads which serve customer traffic to big data workloads which perform machine learning. Getting all of these workloads to cooperate on a shared pool of resources together. Just to add a bit of complexity to the mix, these workloads all run on the cloud, and a shared storage and network fabric. Come to this talk to learn about how our approach to multi-tenancy works, as well as some of the challenges we faced along the way.

Cloud & Container
Kuppel
15:00
15:00
30min
Thunderbolt 3 hardware enablement for GNU/Linux
Christian Kellner

Thunderbolt 3 is a high-speed IO technology that can be used to connect docks, graphic cards or other peripherals requiring high speed. However, the mechanism that allows these high speeds also poses a security risk because malicious devices could obtain sensitive information from the computer's memory. As a result kernel provides an interface to authorize thunderbolt devices before they can be used. The talk will explain the technology and explain the enablement we did to make thunderbolt 3 work for GNU/Linux.

Foundations
Kuppel
15:15
15:15
45min
Is my system fast?
Frank Becker

Computer systems are complex. Most software applications are distributed and expected to scale. That does not make them any simpler. Further, there is the real world all of that is expected to work in. To analyze performance of such a system isn't less complex. Luckily, there is help. The Open Source universe is full of excellent tools that can help. The talk introduces a few of them.

Monitoring & Tracing
Loft
15:30
15:30
30min
BPF and the future of the kernel extensibility
Alexei Starovoitov
Monitoring & Tracing
Kuppel
17:00
17:00
285min
Social event

TBA

default
Mein Haus am See
07:30
07:30
30min
CRI-O: All the Runtime Kubernetes need
Antonio (runcom) Murdaca
Cloud & Container
Loft
07:30
30min
Scale Your Auditing Events
Philipp Krenn

The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turned out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original configuration, but ships them to a centralized location where you can easily visualize all events.

Monitoring & Tracing
Kuppel
08:00
08:00
30min
Peer to peer OS and flatpak updates
Philip Withnall

Recently, work that we have been doing on Endless OS to allow peer to peer OS and flatpak updates has been reaching maturity and nearing wider deployment. This talk will give an overview of how we support LAN and USB updates of OSTrees, how it fits in upstream in OSTree and flatpak, and what you’d need to do to enable peer to peer updates for your OSTree system.

Desktop
Kuppel
08:00
30min
State of systemd @ Facebook
Davide Cavalca

We'll be covering happenings, learnings and new challenges running and supporting systemd in production on the Facebook fleet throughout the past year.

Service and Resource Management
Loft
08:30
08:30
30min
Container Runtimes: draw some lines
Vincent Batts

Future of connecting to the container runtime as docker phases out

Cloud & Container
Loft
08:30
30min
Running Android on the Mainline Graphics Stack
Robert Foss

It is now possible to run Android ontop of an entirely Open Source Linux Graphics stack, this talk will dig into how you can do it too!

Foundations
Kuppel
09:00
09:00
15min
Chef in Strange Places
Zeal Jagannatha

How Facebook uses Chef to manage many different largescale heterogenous environments.

Service and Resource Management
Kuppel
09:00
15min
Passive filesystem verification
Vincent Batts

A more generic approach to ensure you have what you'd expect to have

Cloud & Container
Loft
09:30
09:30
45min
Flatpak, a technical walkthrough
Alexander Larsson

Flatpak is a desktop-focused application distribution and deployment
system for linux. This talk will walk through the technical
details of the core functionallity and explain how it work and
why it works that way.

Desktop
Loft
09:30
30min
The State of Your Supply Chain
Andrew Martin

Container security often focuses on runtime best-practices whilst neglecting delivery of the software in the supply chain. Application, library, and OS vulnerabilities are a likely route to data exfiltration, and emerging technologies in the container ecosystem offer a new opportunity to mitigate this risk.

Cloud & Container
Kuppel
10:00
10:00
30min
The Future of Networking APIs
Theresa Enghardt

This talk presents TAPS (Transport Services), a proposed abstraction for a new Networking API, and calls for the Linux community to get involved.

Networking
Kuppel
10:15
10:15
45min
Kexec/Kdump under the hood
Matthias Brugger

Kdump is a vital tool for debugging severe kernel crashes, especially if the failure can't be reproduced easily or an direct access to the system is not possible.

Booting
Loft
10:30
10:30
30min
2018 Desktop Linux Platform Issues
Simon Peter

TL;DR: Stop making "Desktop Linux" a moving target by agreeing on a minimal baseline that third-party application can take for granted to exist on each Desktop Linux system.

Desktop
Kuppel
12:15
12:15
45min
Configuration Driven Event Tracing with Traceleft and eBPF
Suchakra Sharma, Alban Crequy

Traceleft is a framework built upon eBPF which allows generation of system events such as file operations and network calls via a configuration driven system. It can act as a foundation for building auditing and incident analysis or monitoring tools that work at the system level and need targeted and filtered information. While traditionally, eBPF based analysis requires writing scripts in a limited C subset, Traceleft aims at providing a configuration based definition system events to be monitored over which filters can be set as required. This talk shares our experiences of developing Traceleft along with some use cases and challenges faced.

Monitoring & Tracing
Kuppel
12:15
30min
Using Machine Learning to find Linux bugs
Stef Walter

I’d like to show you how to find bugs in Linux systems using machine learning, when paired with the totally seemingly useless and annoying false positives that come out of your integration tests.

Foundations
Loft
13:00
13:00
45min
Replacing Docker with Podman
Dan Walsh

This talk will describe all of the reasons for podman, all of its features demonstrate its functionality,

Cloud & Container
Loft
13:00
45min
libcapsule
Vivek Das Mohapatra

libcapsule is a project that allows segregated dynamic linking: Access to the symbols of a library without being exposed to any of the dependencies of that library without requiring recompilation of the binary that pulls it in.

Foundations
Kuppel
13:45
13:45
30min
Fearless Multimedia Programming
Zeeshan Ali

Whether you are interested in multimedia programming in specific or curious about how Rust programming language can enable you to write almost-bug-free code without having to compromise on efficiency, this talk is for you.

Desktop
Loft
13:45
30min
Is Cockpit Secure?
Stef Walter

Cockpit makes Linux discoverable. But it's really a Linux session in a
web browser, accessing the native system APIs and tools directly from
javascript.

Does that sound scary? How can we be sure that accessing Linux from a
web browser is secure? What about the web server stack? What about
authentication and privilege escalation?

We'll talk about how Cockpit deals with security, authentication,
privilege escalation, and browser lock down. I'll show you various
techniques to tailor Cockpit's security options to your situation, like
using bastion hosts.

Cloud & Container
Kuppel
14:30
14:30
30min
Netboot21: Bootloaders in the 21st Century
Chris Koch

Sick of insecure PXE booting over TFTP? Come learn about our efforts to write modern boot loaders in Linux's user space.

Booting
Loft
14:30
30min
Past, present and future of system containers
Stéphane Graber

System containers, the oldest type of containers, focus on running an entire Linux distribution, including all its services in very much the same way it would on a physical system or virtual machine.

Cloud & Container
Kuppel
15:00
15:00
30min
Efficient Network Analytics with BPF/eBPF using Skydive
Sylvain Afchain

Efficient monitoring of large-scale networks poses a delicate balance between capture granularity on the one hand and the imposed overheads and performance penalties on the other. Skydive is an open source real-time network topology and protocol analyzer, featuring smart network collection which is both granular and efficient. Skydive allows for efficient network monitoring at scale through Linux networking features such as BPF and eBPF.

In the talk we will present Skydive and will give an update of the features that introduced since one year. We will show how Skydive leverages eBPF to produce useful insights on top of network topology information. We will share some performance results showing the efficiency of Skydive BPF/eBPF capturing in the context of a Kubernetes deployment.

Monitoring & Tracing
Loft
15:00
30min
Using systemd to high level languages
Alvaro Leiva Geisse

There is so much more than you can so, than just starting and stooping your service, when you start to interact with systemd from within your application. Lets find out!!!

Service and Resource Management
Kuppel
15:30
15:30
30min
Early boot provisioning systems
Dalton Hubble

Early boot provisioning systems aim to enable automated, declarative, immutable patterns for Linux systems. In this talk, I'll discuss the CoreOS Ignition system and illustrate how it works and addresses real-world use cases on bare-metal, cloud providers, and hypervisors. I'll share experiences using and integrating early provisioning and highlight new challenges for contributors to explore. With Ignition shipping in several Linux distributions soon, early boot provisioning shows promise and potential for the future.

Booting
Kuppel
15:30
30min
Lightning Talks

Please submit your talks to mpitt [at] redhat [dot] com or to organizers at the venue

default
Loft
16:00
16:00
30min
Closing
default
Loft