Opening of All Systems Go!
Atomic updates and user-modified configuration files in /etc often lead to hard-to-resolve conflicts. In this talk, I want to show the most common and biggest problems and possible solutions.
In this talk David will show Grafana's advanced features to manage a fleet of Linux hosts. He will also show relevant metrics and logging datasources and how they can be combined to get a full picture of what is going on.
Whether to support users, ensure their security, or meet compliance goals, organizations need to deploy monitoring of their desktop machines. Yet, many approaches overreach by effectively being rootkits. In this presentation, we'll examine:
- What data a monitoring system needs to collect
- Where the data we need lives on a modern Linux desktop
- Which data sources expose sandbox-friendly API access
- Sandboxing the monitoring daemon itself
Presenting traceloop, a “time travel” tracing tool to trace system calls in cgroups using BPF and overwritable ring buffers.
Have you ever encountered a transient performance issue that was hard to investigate only from the database point of view? On top of how many layers of abstraction is your database working? What is the difference between running your database on bare metal, in a VM or inside a container? PostgreSQL does not work in a vacuum; it relies heavily on functionality provided by the underlying platform. And sometimes, to answer the questions above, one needs to step back and look at a problem not only from the database point of view. In this talk we will discuss how to achieve that, how to tame such tools as strace, perf or eBPF to troubleshoot intricate issues and stay
How can we build hostile and untrusted code in containers? There are many options available, but not all of them are as safe as they claim to be...
Let's bring the UNIX concept of Home Directories into the 21st century.
Learn how a Service Mesh can secure your bare-metal (non-virtualized) workloads quickly without any code modifications to improve your security posture.
GNU poke is a new interactive editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them.
How did Microsoft make SQL Server available on Linux, containers and ARM CPUs? Come hear the story from the SQL Server engineering team.
Resource control is reaching feature completeness and the focus at Facebook is shifting towards productionizing. Let's go over what feature completeness means and the productionizing efforts.
Transactional updates (also called atomic updates) are a way to update a system without interfering with the currently running system - making this a rock-solid way to update any machine, from embedded systems to cluster nodes.
The difficult task of checkpointing and restoring a process is used in many container runtimes to implement container live migration. This talk will give details on how CRIU is able to checkpoint and restore processes, how it is integrated into different container runtimes and which optimizations CRIU offers to decrease the downtime during container migration.
Follow a journey of writing STM32 microcontroller firmware from scratch, using open-source tools.
What happened in the coreboot based firmware world since last year? How to get started?
In this talk, I'll go through my efforts to revamp libcontainer's systemd driver, in particular to support the unified cgroup hierarchy.
The embedded world has dealt with image creation for decades. Why not use those decades of experience to reliably create images for the datacenter world?
The primary focus is to gather feedback from systemd community regarding ongoing and future work to introduce custom cgroup-bpf programs to systemd.
The motivation is to give a user a capability to attach their own cgroup-bpf programs to systemd containers.
This is a continuation of started at ASG2018 and followed by and .
How Endless are implementing time-limited scopes in systemd, using that to implement time-limited login sessions, and then using that to implement parental controls on the desktop.
Zstandard (zstd) is a new lossless compression algorithm with a very attractive compression rate and performance. In production environments it comes with some quantifiable benefits but also with some surprising issues.
Several of the standard tools like find have rewritten alternatives that perform the same tasks much quicker and have a more intuitive interface. This talk presents some of them.
Using RPMs can be very advantageous during development of systemd on Fedora. In order to make that viable, we need to build them from a git checkout and have the ability to use incremental builds.
How to run diskless clusters for GPU-based blockchain hashing on cost-effective commodity hardware.
BuildStream is used to build Freedesktop SDK for different deployment systems allowing applications based on it to be distributed at once to multiple systems.
During development and testing it is often necessary to test different kernels or run various sets of unit tests quickly. With lrun it is possible to do exactly that. It utilizes existing technology including UML, KVM and namespaces to provide different environments. It has been in active use for testing Bluetooth and Wi-Fi features on Linux and can be easily extended to other technologies in the future. This presentation will introduce lrun and its design. It will also show demos of its current use cases.
oomd is a userspace out-of-memory killer. This talk covers past, present, and future development along with possible plans for systemd integration.
Buck is an opensource build system. At Facebook, we’ve taught it to build container images that work with systemd.
Testing the effectiveness of Kubernetes Network Policies can be done in different approaches. In this talk we will show you the benefits and drawbacks of different approaches and what solution we finally chose.
Traditionally processes are identified globally via process identifiers (PIDs). Due to how pid allocation works the kernel is free to recycle PIDs once a process has been reaped. As such, PIDs do not allow another process to maintain a private, stable reference on a process. On systems under pressure it is thus possible that a PID is recycled without other (non-parent) processes being aware of it. This becomes rather problematic when (non-parent) processes are in charge of managing other processes as is the case for system managers or userspace implementations of OOM killers.
Over the last months we have been working on solving these and other problems by introducing pidfds – process file descriptors. Among other nice properties, they allow callers to maintain a private, stable reference on a process.
In this talk we will look at the challenges we faced and the different approaches people pushed for. We will see what has already been implemented and pushed upstream, look into various implementation details and outline what we have planned for the future.
Despite its old age, ksh still remains one of the most popular shells. In 2013, David Korn and others who worked on ksh were laid off from AT&T Bell Labs. This led to speculation about the death of ksh. In 2017, Siteshwar Vashisht and Kurtis Rader resumed its development on GitHub. This talk will be about what makes ksh so challenging to maintain and how new developers are trying to revive it.
The open source wireless daemon iwd was introduced about 5 years ago and has seen active development since its inception. The last year has been focused on behind-the-scenes work for new Wi-Fi standards that make connection setup faster, make roaming smoother and also introduce new security standards including WPA3. This presentation will demonstrate the new advances in Wi-Fi support for Linux and show how they improve the usage from within NetworkManager and other connection managers.
This talk is about the bmc-toolbox, an open-source project that leverages the Baseboard Management Controller (iLOs, iDRACs and similar) to help manage a large fleet (>50K) of bare metal servers at Booking.com. Its goal is to provide vendor-agnostic tooling to manage the lifecycle of bare metal servers. This talk describes the tools that are part of bmc-toolbox and various aspects of managing a large fleet of bare metal servers.
Most modern container image formats use tar-based linear archives to represent root filesystems, which results in many issues when using modern container images. In this talk, we will demonstrate a solution to this problem that we plan to propose for standardisation within the Open Container Initiative (code-named "OCIv2 images").
Currently everyone uses the same seccomp rules for running their containers. This tool allows us to generate seccomp rules based on what the container actually requires and allows us to lock down the container.
We'll be covering happenings, learnings and new challenges running and supporting systemd in production on the Facebook fleet throughout the past year.
The boot loader specification defines a generic drop-in based solution for defining boot targets. sd-boot is a boot loader for UEFI systems, included in the systemd source tree. In this talk we'll have a closer look at the what, the why and the how of the specification and the boot loader.
We will present Yomi, a new proposal for installing Linux using SaltStack. This installer is designed to be used in heterogeneous clusters, where you need a bit of intelligence during the installation and want it to be integrated as one more step in the provisioning process.
Ever experienced a broken system by simply upgrading packages? No more! This talk introduces the purely functional package manager Nix and the advancements all software distributions can benefit from - with some of those already implemented in mainstream package managers like snap.
This talk covers the ongoing effort about adding eBPF support to the GNU Toolchain. eBPF is a virtual machine running within the Linux kernel; initially intended for user-level packet capture and filtering, eBPF has since been generalized to also serve as a general-purpose infrastructure for non-networking purposes.
Come and learn about packit: tooling which enables you to integrate your upstream project into Fedora linux.
Lessons learned operating thousands of stateful production clusters on top of Fedora and systemd-nspawn.
Senpai is a userspace tool to auto-tune cgroup memory limits.
A summary of the current state of Thunderbolt, kernel as well as user space, including the latest development where the input-output memory management unit (IOMMU) is used to prevent Direct Memory Access (DMA) attacks. A brief explanation and discussion of such an attack, the recent Thunderclap attacks, will be given, with a focus on how it is related to the IOMMU feature on Linux.
Closing of All Systems Go! 2019