0.9 all-systems-go-2024 2024-09-25 2024-09-26 2 00:05 https://cfp.all-systems-go.io https://cfp.all-systems-go.io/media/all-systems-go-2024/img/ASG_social-avatar_Nl7AMBw_a3l9zR4.png Europe/Berlin Main Hall Lightning talk 2024-09-25T09:25:00+02:00 09:25 00:05 A welcome session for All Systems Go! all-systems-go-2024-318-opening-session-of-all-systems-go-2024 en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/FFTCGE/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/FFTCGE/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-25T09:30:00+02:00 09:30 00:40 Many consider NixOS a great tool for declarative definition of their OS, but only few know about its capabilities for Image-based Linux. NixOS offers the tools to combine modern technologies such as discoverable disk images (DDIs), unified kernel images (UKIs), and TPM-based measured boot for transforming declarative configurations into security-focused and immutable OS images for both the server and the desktop. This talk showcases how we build such reproducible and immutable DDIs with NixOS, and how ukify, systemd-repart, dm-verity and measured boot are involved in that process. We will also briefly cover the support of SecureBoot in NixOS through the Lanzaboote project, and what else is yet to come for image-based NixOS. all-systems-go-2024-251-reproducible-and-immutable-os-images-with-nixos Moritz Sanft en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/MRDURE/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/MRDURE/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-25T10:15:00+02:00 10:15 00:25 Meta runs a large production fleet of servers, all making extensive use of TLS for inter-host communication. As part of a general approach of securing keys against exfiltration a project has been undertaken to make use of existing TPM chips to provide secure storage for high privilege private keys. This talk will touch upon the approach taken to allow for the use of a hardware backed key without compromising performance, but mostly focus on the software infrastructure that needed to be built to provision and monitor TPM health across the fleet (a prerequisite for confirmation of viability). all-systems-go-2024-292-using-trusted-platform-modules-tpms-at-scale-for-protecting-keys Jonathan McDowell en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/JQZ78P/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/JQZ78P/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-25T10:45:00+02:00 10:45 00:25 As the digital landscape evolves, ensuring robust security measures becomes paramount. In this talk, we will explore the implementation of a new systemd service designed to enhance secure web token management through TPM 2.0 and FIDO2 support. This integration facilitates seamless interaction with the xdg-credentials-portal, aiming to provide a straightforward and secure approach to handling credentials. all-systems-go-2024-265-enhancing-security-with-systemd-secure-web-tokens-and-tpm-2-0 Philipp Deppenwiese en Key Points: Systemd Service Implementation: An in-depth look at how we are leveraging systemd to create a secure service for web tokens. TPM 2.0 and FIDO2 Integration: Understanding the role of TPM 2.0 and FIDO2 in enhancing hardware security. Seamless Integration with xdg-credentials-portal: Demonstrating the ease of use and benefits of integrating with the xdg-credentials-portal for secure credential management. New Functionality in Systemd: Discussing the significance of this new functionality and its potential impact on the systemd community. Targeted at systemd developers and enthusiasts, this session will provide valuable insights into the implementation process, the benefits of using TPM 2.0 modules for hardware security, and the overall enhancement of systemd functionalities. Attendees will leave with a clear understanding of the concepts and the practical steps required to integrate these security features into their own projects. Join us to explore the future of secure web tokens with systemd and how this integration can simplify and strengthen security protocols in your system architecture. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/9KSPSA/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/9KSPSA/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-25T11:15:00+02:00 11:15 00:40 The openSUSE project has been looking for a Full Disk Encryption (FDE) solution since long ago. After some iterations we are converging in a systemd based solution. This talks will present the alternatives and will focus in the current proposed solution based on systemd-pcrlock. all-systems-go-2024-259-full-disk-encryption-in-opensuse-microos-and-tumbleweed Alberto Planas Dominguez en The openSUSE distribution is moving toward a FDE based on systemd, using signed policies or nvindex policies. We will review the different solutions that we worked on, and we will compare them briefly. We also describe some of the architectural changes done in the distribution before we can use the systemd tools. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/93KLUJ/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/93KLUJ/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-25T11:55:00+02:00 11:55 00:40 Fedora image based variants (CoreOS, Atomic Desktops, IoT) are currently built using ostree and rpm-ostree. This enables an hybrid approach where the system is managed like an image but modifications are still possible using RPMs. But this approach has limits: - It is difficult for users to customize their operating system and share those customizations. - The integrity of the boot chain is not guarenteed and it is costly to validate the system content at runtime. To address those shortcomings, we are introducing the bootable containers (bootc) project. With bootable containers, the content of the operating system, including the kernel and initrd (or a UKI) is shipped in a container image alongside its corresponding base userspace root filesystem. This image can then be modified using container native tools and shared via a container registry. To chain from platform Secure Boot to a verified root filesystem, the ostree project has integrated support for composefs. It combines multiple Linux kernel features (overlayfs, EROFS and fs-verity) to provide read-only mountable filesystem trees stacking on top of an underlying "lower" Linux filesystem. We will detail how we are integrating composefs and UKI support in Bootable Containers to enable a trusted and measured boot chain while letting users customize and re-sign their images to fit their needs. all-systems-go-2024-309-the-road-to-a-trusted-and-measured-boot-chain-in-bootable-containers Timothée RavierJB Trystram en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/HVEZQQ/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/HVEZQQ/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-25T12:40:00+02:00 12:40 00:25 In this talk we present the story of upgrading systemd in Tizen by eleven releases. We share both the lessons we've learnt during the most recent upgrade as well as decade long experience of the maintenance and development of key packages in the only GNU/Linux distribution that uses kdbus. We describe our day-to-day git workflow as well as upgrade procedures we came up with over the years. all-systems-go-2024-264-systemd-255-in-tizen-or-how-we-have-paid-our-technical-debt-and-took-another-one Łukasz Stelmach en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/QLJGJJ/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/QLJGJJ/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-25T14:35:00+02:00 14:35 00:40 You may have heard about this weird distribution, NixOS, that breaks compatibility with /usr. This talk explores the properties inherent to NixOS, focusing on its distinct approach to package management and system configuration. Learn how these principles combine with general upstream efforts at bringing TPM2, Secure Boot and more to your Linux distribution. all-systems-go-2024-308-platform-security-in-nixos Ryan LahfaNiklas Sturm en Everything you wanted to know about why NixOS do things a certain way will be answered here. The idea is that you get out of this talk understanding the different compromises done by the NixOS community and what they get out of it. We will cover https://github.com/nix-community/lanzaboote which is a Rust UEFI stub similar to systemd-stub with fewer features but with one unique special feature for NixOS, similar to UKI addons. We will also do a status report of where NixOS stands in terms of adoption of systemd features such as systemd-pcrlock. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/UQ3CYU/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/UQ3CYU/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-25T15:20:00+02:00 15:20 00:40 An update on systemd's TPM features, i.e. what happened since last year, i.e. systemd-pcrlock, NvPCRs, and Varlink APIs. all-systems-go-2024-275-systemd-tpm-in-2024 Lennart Poettering en At last year's ASG I already did a systemd & TPM talk, and this is supposed to be a follow-up to that, with everything that happened since then, plus what's next and what's missing. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/VQLZBT/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/VQLZBT/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-25T16:30:00+02:00 16:30 00:25 While software bills of materials become of increasing value to further trust in the software supply chain, generating high quality SBOMs still poses some challenges in some ecosystems due to the lack of proper tooling or accessible build metadata. In this talk, I'll explain and demonstrate how we can leverage the static dependency graph of functional package managers like Nix to generate very precise SBOMs, that can be relevant for running a service on any linux distribution thanks to systemd portable services. all-systems-go-2024-315-portable-software-bills-of-materials-with-nix-and-systemd-portable-services Julien Malka en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/7XGYDC/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/7XGYDC/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-25T17:00:00+02:00 17:00 00:25 On general purpose image based systems such as Flatcar and Fedora CoreOS, users are encouraged to run all their applications using containers. To make updates safe and predictable, the system is mounted as read only and local modifications are discouraged. While containers offer a lot of flexibility on Linux, there are still cases where installing binaries or running applications directly on the host operating system is preferred. For example to add kernel modules, use an alternative container runtime version, add more udev rules, etc. Some of those use cases could be addressed with statically linked binaries, but their management is manual and their usage creates new issues around updates, versionning, memory footprint and not everything can be statically compiled. Alternatively, one can build its own image but at non-negligeable maintenance costs. Systemd's system extensions (sys-ext) provide a mechanism to extend the content of the host while preserving the safety guarentees around updates. We will demonstrate how Flatcar, Fedora CoreOS and Atomic Desktops are leveraging sysext images to securely extend the OS. With practical examples and usecases (e.g Cluster API) learn how to install Python, Podman, Kubernetes, ZFS, everything at the same time, by composing your very own image with systemd-sysext. all-systems-go-2024-313-waiter-an-os-please-with-some-sysext-sprinkled-on-top Mathieu TortuyauxTimothée Ravier en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/HJLF3C/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/HJLF3C/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-25T17:30:00+02:00 17:30 00:25 systemd introduced Portable Services support in 2018, as part of v239. This feature was covered at ASG 2018 and in a blog post published at the time: https://0pointer.net/blog/walkthrough-for-portable-services.html But a lot has changed in the past 6 years, and very crucial new features have been introduced, so it is time to have another look at this topic and see what has happened in the meanwhile, what new use cases have opened up, and what is coming in the near future. https://systemd.io/PORTABLE_SERVICES/ all-systems-go-2024-271-rediscovering-systemd-portable-services Luca Boccassi en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/DGVBSC/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/DGVBSC/feedback/ Main Hall Lightning talk 2024-09-25T18:00:00+02:00 18:00 00:05 A quick overview of how RAUC uses libcomposefs to handle new use-cases. all-systems-go-2024-311-efficient-rauc-updates-using-composefs Jan Lübbe en Traditionally, RAUC focused on A/B updates for whole partitions, either by using filesystem images or tar archives. While the image-based OS approach has many benefits, there are scenarios where more loosely coupled components need to be handle in addition to the root filesystem. In RAUC, these can be handled with using the new "artifact updates" support. As a system might have many artifacts installed in parallel, such as for containers (systemd-nspawn or otherwise) and systemd-sysexts, efficient storage is important. In many cases, these are updated often, so download efficiency is important as well. After evaluating multiple alternatives, we've now decided to integrate composefs. Besides solving the requirements above, it additionally provides the same level of integrity protection as a dm-verity root filesystem, which is important in systems using secure boot. This talk will show how RAUC uses libcomposefs and the new use-cases supported by having an efficient content-addressed backing store with full authentication. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/3DKX9V/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/3DKX9V/feedback/ Main Hall Lightning talk 2024-09-25T18:05:00+02:00 18:05 00:05 oo7-daemon (a temporary name based on the oo7 client library) project aims to provide a replacement for the gnome-keyring-daemon as the new D-Bus Secret Service provider in the GNOME desktop environment. In this talk I will go through the latest development plans and the progress made to integrate TPM backed credentials support to oo7-daemon using systemd per-user credentials as a backend. all-systems-go-2024-314-oo7-daemon-systemd-per-user-credentials Dhanuka Warusadura en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/8TMT9T/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/8TMT9T/feedback/ Main Hall Lightning talk 2024-09-25T18:10:00+02:00 18:10 00:05 This presentation will review how far Debian (and more generally, traditional distributions) is from supporting factory reset: what can work, what is missing and possible hacks^Wways to do it without starting a distribution-wide effort. all-systems-go-2024-284-debian-empty-var-empty-etc-and-factory-reset Marco d'Itri en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/3K8NZT/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/3K8NZT/feedback/ Main Hall Lightning talk 2024-09-25T18:15:00+02:00 18:15 00:05 Integration testing environment for mixed HPC and cloud workloads all-systems-go-2024-321-integration-testing-environment-for-mixed-hpc-and-cloud-workloads en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/XNQLTE/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/XNQLTE/feedback/ Main Hall Lightning talk 2024-09-25T18:20:00+02:00 18:20 00:05 A new way to develop on immutable Linux all-systems-go-2024-322-a-new-way-to-develop-on-immutable-linux en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/NSKLAR/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/NSKLAR/feedback/ Main Hall Lightning talk 2024-09-25T18:25:00+02:00 18:25 00:05 Ideas for improving systemd-boot all-systems-go-2024-323-ideas-for-improving-systemd-boot en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/DT3RCU/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/DT3RCU/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-25T10:15:00+02:00 10:15 00:25 [Azure-init](https://github.com/Azure/azure-init) is a fresh open source reference implementation for provisioning Linux virtual machines in Azure. In contrast to existing systems like cloud-init, azure-init aims to be minimal, focusing on basic instance initialization from Azure metadata. Azure-init also consists of a flexible structure to enable its use by other provisioning agents like Fedora CoreOS’ [Afterburn](https://github.com/coreos/afterburn/). Finally, azure-init aims to be fast and secure, being written in Rust. In this talk we will review the motivations for the creation of azure-init, the current status of the project, and vision for its future development. all-systems-go-2024-290-introducing-azure-init-a-minimal-provisioning-agent-written-in-rust Dongsu Park en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/BK7KMD/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/BK7KMD/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-25T10:45:00+02:00 10:45 00:25 bpftrace is a popular and powerful dynamic tracer for Linux systems. In the vast majority of uses cases, bpftrace does its job quickly, efficiently, and accurately. However with the rapid increase of users, use cases, and features, the bpftrace community has started to feel (technical) growing pains. In particular, we've started to uncover various reliability issues. In this talk, we will cover what is already done as well as what is currently broken and how we will systematically fix and prevent these issues from re-occuring. all-systems-go-2024-280-improving-bpftrace-reliability Daniel Xu en Because bpftrace sits at the intersection of operating systems, compilers, and observability, we have the fortunate advantage of being able to absorb techniques and tricks from these fairly different disciplines. We hope that some of the knowledge we share will be both interesting as well practical to attendees. Audience participation is highly welcome. In particular, we are quite interested in receiving feedback in the form of bug reports, feature requests, complaints, etc. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/MXAEYZ/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/MXAEYZ/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-25T11:15:00+02:00 11:15 00:40 In this presentation we show how eBPF programmers can easily distribute their programs using Inspektor Gadget, a tool designed for the creation, deployment, and execution of eBPF programs (gadgets) across Kubernetes and Linux environments. Inspektor Gadget encapsulates eBPF programs into OCI containers, providing well-understood and easily distributable units. We then detail how an end user can use Inspektor Gadget to easily derive valuable systems insights. all-systems-go-2024-287-ebpf-data-collection-for-everyone-empowering-the-community-to-obtain-linux-insights-using-inspektor-gadget Alban CrequyMichael Friese en We'll give a brief overview of Inspektor Gadget's automatic data enrichment process, transforming complex kernel information into high-level, understandable concepts tied to Kubernetes and container runtimes. This feature bridges the knowledge gap between raw, low-level data and more interpretable information, improving the understanding of system behavior. We will explain how users can write their own gadgets and make use of different helper APIs provided by Inspektor Gadget for socket enricher, file path discovery and container filtering, etc. We will show how to combine existing gadgets into a new one, add additional post-processing logic using WASM or Lua and export the resulting data to different targets, using for example OpenTelemetry. Throughout the talk, we'll demonstrate more of Inspektor Gadget's features, its support across various environments, discuss its operational mechanics, and share insights into the future direction of the project. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/PVGU77/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/PVGU77/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-25T11:55:00+02:00 11:55 00:40 There is a well-known trade-off between security lockdowns and a user's abiliy to debug/inspect a system. The Linux kernel is finally fixing an old proc/mem security bug which illustrates this trade-off nicely. The kernel will provide a mechanism, so distros need to implement a policy according to their own security needs, to restrict proc/mem access (it gives userspace RW access to processes memory). This talk goes into the what, why and how of getting this bug fixed, with some policies for plugging the long-standing hole for different use-cases, without breaking debuggers or container supervisors. all-systems-go-2024-286-fixing-an-old-linux-process-memory-security-bug Adrian Ratiu en This talk is based the Linux patch series [1] which is extending the /proc/*/mem access controls beyond the normal file-based permissions, to restrict various access during kernel builds (Kconfig level) or early boot via static/read-only key parameters. It is expected to land in kernel v6.11, to be released in late Q3 / early Q4 2024. The author is looking for opinions whether this should be backported to stable trees since the patch is somewhere between a bugfix and a new feature. [1] https://patchwork.kernel.org/project/linux-fsdevel/patch/20240613133937.2352724-2-adrian.ratiu@collabora.com/ false https://cfp.all-systems-go.io/all-systems-go-2024/talk/9UVMR7/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/9UVMR7/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-25T12:40:00+02:00 12:40 00:25 The kernel driver is dead; long live the userspace driver! In this talk, we’ll discuss the motivation, challenges and outcomes of migrating drivers for Meta’s AI accelerator chips from the kernel to userspace. all-systems-go-2024-279-lessons-learned-from-migrating-ai-accelerator-drivers-from-the-kernel-to-userspace George Utsin en Topics include: - Managing systemd units at scale - Experiences of running IPC over D-Bus - Re-writing the driver in Rust - The tooling necessary to support a variety of environments - Overall deprecation challenges and wins false https://cfp.all-systems-go.io/all-systems-go-2024/talk/77PFFF/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/77PFFF/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-25T14:35:00+02:00 14:35 00:40 At the edge, there's one thing we know for sure: it's not to be trusted. But imagine if Kairos could change that, letting you sleep soundly knowing your intellectual property is secure. Kairos is a fully open source project to run kubernetes at the edge. As such, we have put Trusted Boot into action. Inspired by Lennard Pottering, the mind behind Systemd, we've leveraged Secure Boot, Trusted Boot, TPM, and disk encryption. The result? A Linux OS that's built tough against the challenges of untrusted environments. all-systems-go-2024-249-fort-kairos-a-new-dawn-for-secure-linux-in-untrusted-environments Mauro Morales en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/9VPPTC/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/9VPPTC/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-25T15:20:00+02:00 15:20 00:40 Containers have become the de facto choice for deploying most applications, and all of us benefit from the isolation, portability, and the surrounding ecosystem. In this talk we’ll take a deep dive into the world of bootable containers, using the same ideas, goals and technology for the host system (whether virtualized or bare metal). We’ll look at the bootc project under the github.com/containers umbrella and its current flagship distribution usage in the new Fedora/CentOS bootc project and initiative. We hope you are as excited as we are by taking cloud-native approaches down to the operating system level, and a key goal is finding points that can be shared with other components of the ecosystem, from the uapi-group.org to other container-based OSes. all-systems-go-2024-266-bootc-generating-an-ecosystem-around-bootable-oci-containers Ben BreardColin Walters en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/LA9LXV/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/LA9LXV/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-25T16:30:00+02:00 16:30 00:25 With systemd tooling, including mkosi, it is possible to build an OS image that fulfills all checkmarks a modern image-based OS should have, but with a standard off-the-shelf distribution! This talk gives an overview for a possible workflow, including A/B updates and offline signed images and updates, in real-use. As a bonus, it is also self-replicating and uses as little configuration as possible, leveraging built-in systemd auto detection. all-systems-go-2024-303-an-extendable-and-securely-signed-image-based-os-with-updates Marius Schiffer en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/LJAYYL/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/LJAYYL/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-25T17:00:00+02:00 17:00 00:25 Arch Linux creates 2 cloud images, 2 vagrant images every month using custom bash scripts and requiring root for building. This talk will look at how these images can be created using mkosi, building them in CI, testing the build images and as a bonus; build reproducible? Project link: https://gitlab.archlinux.org/archlinux/arch-boxes all-systems-go-2024-312-creating-arch-linux-images-using-mkosi Jelle van der Waa en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/QFUGLT/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/QFUGLT/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-25T17:30:00+02:00 17:30 00:25 Probably the way systemd is thought of and used is mostly as a service manager, and a collection of tools built around the idea of “low level user space”. We rarely think of it as a library that can be used as part of any high level language or application. This talk will cover this aspect of systemd, and through the lens of pystemd, explore how applications can use (and abuse) systemd. all-systems-go-2024-260-interacting-with-systemd-from-high-level-languages Alvaro Leiva Geisse en Probably the way systemd is thought of and used is mostly as a service manager, and a collection of tools built around the idea of “low level user space”. We rarely think of it as a library that can be used as part of any high level language or application. This talk will cover this aspect of systemd, and through the lens of pystemd, explore how applications can use (and abuse) systemd. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/VAQPQW/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/VAQPQW/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-26T09:30:00+02:00 09:30 00:25 Same as every year, a lot has happened in the systemd project since last year's ASG. We released multiple versions, packed with new components and features. This talk will provide an overview of these changes, commenting on successes and challenges, and a sneak peak at what lies ahead. all-systems-go-2024-269-systemd-state-of-the-project Luca BoccassiZbigniew Jędrzejewski-Szmek en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/RLZEPD/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/RLZEPD/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-26T09:55:00+02:00 09:55 00:25 Let's have an open discussion with systemd developers who are at ASG and users in the audience. We will open with the developers saying what they plan to work on in the near future, and then allow questions / comments from the audience. all-systems-go-2024-299-systemd-round-table /media/all-systems-go-2024/submissions/YQZBGT/f17boot_Njd2Ilw.png Zbigniew Jędrzejewski-SzmekLuca BoccassiLennart PoetteringMike YuanYu Watanabe en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/YQZBGT/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/YQZBGT/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-26T10:20:00+02:00 10:20 00:25 Why bother with Varlink IPC, and why now? all-systems-go-2024-276-varlink-now- Lennart Poettering en The Varlink IPC has been around for a while, but recently we started using it heavily in systemd. In this talk I'd like to explain what Varlink IPC is, and why we are now adopting it so heavily. And I also want to explain why I think that Varlink is a good candidate as IPC of choice for any Linux software, both low-level and higher-level. We'll compare it with D-Bus in particular, and highlight where it shines (and where it doesn't shine so much). false https://cfp.all-systems-go.io/all-systems-go-2024/talk/XSYMKW/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/XSYMKW/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-26T10:50:00+02:00 10:50 00:40 postmarketOS was started with the lofty goal of enabling long term support for mobile phones and other devices with traditionally short lifespans, and doing so outside of the Android walled garden. This has inevitably resulted in a lot of upstream focused hardware bringup and development. Join us and learn what our community have been building, how we're running systemd on Alpine Linux and what we see in the future for postmarketOS. all-systems-go-2024-278-systemd-ifying-postmarketos-our-immutable-future-and-why-alpine-is-cooler-than-you-thought Caleb ConnollyClayton Craft en Through community driven efforts and collaboration, postmarketOS has grown into a highly adaptable platform which runs on anything from smartwatches and TVs to phones and laptops. In this talk, Caleb and Clayton discuss how our unique approach to tooling and package management have allowed such a small community to scale up to support hundreds of devices with more than 5 different bootloaders, over a dozen user interfaces, and now two init systems. They will cover: * A rough overview of the distro architecture * How device abstractions work in postmarketOS * Pmbootstrap and apk for fast developer iteration at a low cost * Systemd bootstrapping and current status * Our plan for an immutable postmarketOS (and request for feedback) false https://cfp.all-systems-go.io/all-systems-go-2024/talk/LJXCKK/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/LJXCKK/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-26T11:35:00+02:00 11:35 00:40 In this talk, I will discuss how Linux distributions can integrate and benefit from using systemd soft-reboot. Using openSUSE Tumbleweed as an example, I will show where and how it makes sense for traditional Linux distributions to use it and where the pitfalls are. With openSUSE MicroOS, we have a distribution with a read-only root file system that particularly benefits from a soft-reboot because a reboot is necessary after every update in order to change the root file system. However, this also requires special measures to ensure that it always functions smoothly. Afterwards I will talk about the requirements and solutions for services to survive a soft reboot and what's necessary to make the whole thing supportable. all-systems-go-2024-258-integrating-systemd-soft-reboot-into-a-distribution-and-surviving-it Thorsten Kukuk en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/YUAPMX/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/YUAPMX/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-26T12:20:00+02:00 12:20 00:40 How do you continually test and release new versions of systemd with confidence? Also, once released, how do you monitor PID 1 itself and your PID 1 usage across your server fleet? This talk dives into Meta’s way of answering these questions so we can minimize the risk of breaking changes and fun each systemd release brings us. Some of the technology in the talk is OSS, so you too, can join in on the fun knowing how your systemd usage is across your own infrastructure! all-systems-go-2024-261-what-s-your-pid-1-up-to- /media/all-systems-go-2024/submissions/7APG3H/cooper_professional_dAM0PB3.jpeg Cooper Ry Lees en This talk will dive into how Meta baseline’s our systemd usage across the fleet and use that data for CI, releasing and monitoring systemd. * Who am I + what do I work on * The common big monitoring hole many bare bone infrastructures have * PID 1 * PID 1 usage * Systemd @ meta * Imaging initrd * Initrd * Main os * Twine containers * Overview of OS image building and deployment @ meta * How we build images * How we provision servers * Chef’s role * What we check from our PID1 statistics to ensure a box is “healthy” enough to take workloads * Usage of hyperscale’s systemd-cd @ meta * What is systemd-cd * [https://sigs.centos.org/hyperscale/internal/ci/](https://sigs.centos.org/hyperscale/internal/ci/) * How do we use it * What issues has it found for us * Monitoring of meta’s systemd usage across the millions of hosts * Stats collected * Introduce monitord * Dbus (fun) vs. varlink * mention OSS alternative(s) found - explain why invented monitord * Introduce monitord-exporter * Show usage outside of meta (will be my small home infra + VPS’s) false https://cfp.all-systems-go.io/all-systems-go-2024/talk/7APG3H/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/7APG3H/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-26T14:30:00+02:00 14:30 00:40 Developing embedded products often involves a trade-off between robust security and accelerated development. Production environments, while offering high security and immutability, can inhibit rapid development cycles. Conversely, sandbox environments provide the flexibility and integration needed for fast development but are not suitable for production deployment. The transition between these two environments is typically fraught with challenges, consuming significant time and effort. This talk introduces Avocado Linux, a highly secure, image-based operating system and layer repository with deeply integrated developer tools. Avocado strikes a perfect balance between flexibility and immutability, combining the best of both worlds, accelerating time to market without compromising on security. By leveraging innovative systemd features like System Extensions, Configuration Extensions, and Portable Services, Avocado Linux provides a robust framework for service management, process isolation, and secure, atomic updates. Its design ensures robust security and system integrity, with comprehensive use of dm-verity and mechanisms for recovery and factory reset, safeguarding device data integrity even in the face of unexpected failures. Join us to explore how Avocado can transform your embedded systems development with faster integration, enhanced reliability, and seamless composability. Discover how this distribution delivers significant business value by enabling rapid deployment, maintaining security, and ensuring system integrity. Learn how Avocado abstracts away the complexities of system development, allowing your team and applications to thrive and your embedded product to scale and succeed. all-systems-go-2024-301-avocado-linux-highly-secure-accelerated-embedded-development-platform-for-a-iot /media/all-systems-go-2024/submissions/QWTAFC/AvocadoOS1200_va4Y48s.gif Justin Schneck en About the Talk In this talk we will explore * Demo use cases for building complex products * Developer tools and workflows * Manufacturing optimizations for provisioning and end of line testing * In field debugging and system fault tolerance false https://cfp.all-systems-go.io/all-systems-go-2024/talk/QWTAFC/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/QWTAFC/feedback/ Main Hall 35 min talk + 5 min Q&A 2024-09-26T15:15:00+02:00 15:15 00:40 Many Linux distributions rely on cryptographic signatures for their packages and release artifacts. However, most of the used signing solutions either do not rely on hardware backed private key material or are run in untrusted environments. This presentation will provide a general overview of the [Signstar](https://gitlab.archlinux.org/archlinux/signstar/) project, which is currently under development by Arch Linux to provide a generic signing solution based on a Hardware Security Module (HSM). all-systems-go-2024-263-boring-infrastructure-building-a-secure-signing-environment David Runge en To improve build automation and general supply chain security for Arch Linux, some of its developers have started to conceptualize and work on a generic, central signing solution: [Signstar](https://gitlab.archlinux.org/archlinux/signstar/). In this context, related work has been evaluated for adoption, but it soon became clear, that to meet the distribution's requirements a custom solution would be implemented. For transparency and auditability reasons Nitrokey's NetHSM has been chosen as Hardware Security Module (HSM). Developers are actively working on a high-level Rust library and CLI to interface with the device over network. In this presentation I will introduce the viewer to some of Arch Linux's relevant history and requirements, the evaluated architecture and setup. Together we will have a look at Signstar's threat model, its design for minimizing credentials exposure of the HSM, as well as its integration with the OpenPGP ecosystem. Additionally, we will explore avenues for future work on other generic cryptographic operations in the context of X.509, SSH and Secure Boot. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/WWEGGC/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/WWEGGC/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-26T16:30:00+02:00 16:30 00:25 The Sovereign Tech Fund paid Codethink to help improve the integration testing infrastructure of systemd. This talk covers how the integration test suite used to work and what it does now. all-systems-go-2024-273-improving-systemd-s-integration-testing-infrastructure Sam Leonard en Systemd's integration test suite used to have a number of shortcomings in terms of features and maintainability. The Sovereign Tech Fund provided an opportunity to improve things, and rewrite the test suite to use a select number of special-purpose tools and false https://cfp.all-systems-go.io/all-systems-go-2024/talk/9JKWCT/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/9JKWCT/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-26T17:00:00+02:00 17:00 00:25 This talk will explore several of the ways we've leveraged the systemd user instance in our developer environments at Meta, challenges we faced while doing so, and how we worked around those challenges. all-systems-go-2024-281-successes-and-struggles-using-the-systemd-user-instance-in-developer-environments Colin Chan en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/H7CVUQ/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/H7CVUQ/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-26T17:30:00+02:00 17:30 00:25 mkosi-initrd is a project to build initrds from normal system packages (rpms, debs). Initially separate, it now is part of mkosi — just another build stage. systemd uses mkosi for automated tests, and this now includes building an initrd and booting a VM with it, so such initrds are getting fairly wide testing, albeit in fairly narrow circumstances. The process of adoption of mkosi-initrd in distributions has been slow, but with an implementation natively in mkosi, the technical base is really good. What remains to be done to make this the default approach? Can Fedora 41 finally make this an option for users? all-systems-go-2024-302-mkosi-initrd-initrds-built-from-system-packages Zbigniew Jędrzejewski-Szmek en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/JTXJR7/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/JTXJR7/feedback/ Main Hall 20 min talk + 5 min Q&A 2024-09-26T18:00:00+02:00 18:00 00:25 Every second spent on waiting for a system to boot is wasted time. In this talk I present the steps we took in Ubuntu to speed up the boot and the initrd generation time. The presented improvements are not specific to Ubuntu and can be ported to other implementations (like dracut) to benefit other distributions as well. The talk will present further speed improvements that can/will be implemented in the future. That includes rewriting parts in modern languages like Rust. all-systems-go-2024-291-initrd-performance-improvements Benjamin Drung en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/9T8LTT/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/9T8LTT/feedback/ Main Hall Lightning talk 2024-09-26T18:25:00+02:00 18:25 00:05 Closing session of All Systems Go! 2024 all-systems-go-2024-319-closing-session-of-all-systems-go-2024 en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/DLUVHF/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/DLUVHF/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-26T09:30:00+02:00 09:30 00:25 Ensuring consistent and secure software builds is crucial in today's cloud-native environments. At Sidero Labs, we've developed a comprehensive approach to reproducible builds for Talos Linux using a variety of tools and techniques. This talk will explore our use of Docker Buildx, Kres, and other key components that contribute to our build system. We'll share insights into our methods, challenges faced, and solutions implemented, providing practical guidance for developers aiming to achieve reproducibility in their own projects. all-systems-go-2024-296-reproducible-builds-at-sidero-labs-tools-and-techniques Utku Özdemir en To achieve a fully reproducible stack, from the kernel and initramfs to the software we own and third-party software we build, we use multiple tools in our toolset: - Buildx: Provides a consistent environment for building software. - Kres: Our project scaffolding tool for generating and updating build instructions and dependencies. - Code Patches: Address issues in third-party projects that prevent reproducible builds. - Tests: Written by us to ensure and verify reproducibility. In this talk, we will cover each of these tools and techniques, providing examples and practical insights. You will learn how to apply these methods to achieve reproducible builds in your own projects, gaining a complete picture of our approach and how it can be adapted to your needs. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/RYZJ9W/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/RYZJ9W/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-26T09:55:00+02:00 09:55 00:25 A brief report about how we use io_uring in SLASH/fellow https://gitlab.com/uplex/varnish/slash, an always consistent, eventually persistent storage engine for Varnish-Cache. (FOSS, LGPL) all-systems-go-2024-305-using-iouring-for-storage Nils Goroll en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/U7GJJW/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/U7GJJW/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-26T10:20:00+02:00 10:20 00:25 Container runtimes and other privileged system management tools have historically struggled with safely operating on a path within a directory tree controlled by a malicious user. [libpathrs][] is a library which makes it easy to do said path operations, as well as providing some other safe path-related utilities such as providing safe wrappers to operate on procfs files in a safe way. [libpathrs]: https://github.com/openSUSE/libpathrs all-systems-go-2024-310-libpathrs-securing-path-operations-for-system-tools Aleksa Sarai en As part of the kernel work on openat2(2) and continuing kernel work to make magic-links safer (against both confused deputy attacks and resource re-opening attacks), the need for a library to make it easy to do all sorts of VFS operations safely became obvious, and so [libpathrs][] was born. [libpathrs][] uses openat2(2) if available, but has a fallback to the old fashioned (and more finicky) method of doing safe-ish path resolutions. This talk will talk about how [libpathrs][] works and how it can help secure container runtimes and privileged system management tools against attacks, as well as touching on some ongoing kernel work which would allow for even more hardening. After the talk, slides will be available from [my site](https://www.cyphar.com/talks). [libpathrs]: https://github.com/openSUSE/libpathrs false https://cfp.all-systems-go.io/all-systems-go-2024/talk/ZZFL7L/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/ZZFL7L/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-26T10:50:00+02:00 10:50 00:40 This shows how to boot an [mkosi](https://github.com/systemd/mkosi) generated arm64 [Debian](https://debian.org) Image with [UKI](https://github.com/uapi-group/specifications/blob/main/specs/unified_kernel_image.md) and systemd-boot on a [u-boot](https://docs.u-boot.org/en/latest/develop/uefi/u-boot_on_efi.html) based EFI firmware with a [fTPM](https://github.com/microsoft/ms-tpm-20-ref/tree/main/Samples/ARM32-FirmwareTPM/optee_ta/fTPM) as a Trusted-Application in [OP-TEE](https://optee.readthedocs.io/en/latest/general/about.html) all-systems-go-2024-274-booting-an-embedded-system-like-a-pc Manuel Traut en Embedded systems are very similar to IT managed PCs. A manufacturer of the device wants to ensure, that the system integrity is good, e.g. before unlocking secrets that allow accessing cloud services. Therefore the recent developments of the UAPI group and systemd are also very useful in the embedded world. This talk gives an overview of the involved software components and how they are combined. It shows how to build a firmware for an i.MX8MM that allows booting modern Linux images. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/VZGAAG/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/VZGAAG/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-26T11:35:00+02:00 11:35 00:40 Yocto is a tool for building custom Linux distros. When you think about it, a container image is just a custom Linux distro. The distro (e.g. Alpine) is your base image and the customizations are the rest of your application or microservice. Like Podman, Yocto can generate a complete root filesystem in the form of an OCI container image. Originally targeted at bare metal, the Yocto configuration and build process seems complex when compared to the Containerfile approach of cloud native tools. Yocto's OpenEmbedded origins also mean that reduced image size, SBOM generation, license compliance, and reproducible builds were concerns early on in the project rather than afterthoughts. With security and risk of litigation now top of mind, this talk explains Yocto's uniquely layered and ultimately monolithic approach to solving these real-world software problems. all-systems-go-2024-267-building-secure-container-images-for-the-cloud-with-yocto Frank Vasquez en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/KZPRPN/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/KZPRPN/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-26T12:20:00+02:00 12:20 00:40 This presentation introduces a novel approach to enhance the trust in SPIFFE by leveraging confidential computing technologies, specifically Confidential Virtual Machines. The presentation will provide an introduction to the realm of confidential computing, as well as an overview of SPIFFE/SPIRE. Armed with this knowledge we will demonstrate a practical example that integrates the AWS Instance Identity Document plugin with AMD SEV-SNP, showcasing the implementation challenges and solutions. all-systems-go-2024-253-removing-cloud-providers-from-the-zero-trust-equation Fabian Kammel en SPIFFE is a framework to generate identities for software systems in dynamic and heterogeneous environments. SPIFFE Verifiable Identity Documents (SVIDs) enable us to be explicit about the trust we place in systems. However, the degree of trust we can place in SVIDs relies heavily on the soundness of the data gathering and verification process during node attestation. This presentation introduces a novel approach to enhance the trust in SVIDs by leveraging confidential computing technologies, specifically Confidential Virtual Machines (CVMs) such as AMD SEV-SNP or Intel TDX. These technologies enable us to track platform information directly in hardware, including firmware, boot loader, and kernel images, which are then signed with a key rooted inside the CPU itself. By incorporating hardware-protected platform information directly into the SVID generation process, we can significantly enhance the confidence placed in the resulting identity documents. Additionally, consumers of these SVIDs will be able to assert these properties before placing trust in a system. The presentation will provide an introduction to the realm of confidential computing, as well as provide an overview of SPIFFE/SPIRE, including the architecture of SPIRE agents and servers, the concept of workloads and SPIFFE SVIDs, and the role of node plugins in the attestation process. A practical example that integrates the AWS Instance Identity Document plugin with AMD SEV-SNP will be demonstrated, showcasing the implementation challenges and solutions. Through this presentation, attendees will gain insights into how confidential computing technologies can bolster the security of critical systems in an untrusted cloud environment, paving the way for more robust and resilient infrastructure in modern computing environments. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/AG7L3K/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/AG7L3K/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-26T14:30:00+02:00 14:30 00:40 D-Bus is an IPC mechanism that is very ubiquitous on Linux systems everywhere (desktop, cloud and embedded). It is the mechanism you'd use to communicate with many of the core Linux userspace subsystems, such as systemd, NetworkManager etc. Traditionally, most of these services have been written in C, a language known for its lack of safety and expressiveness. In the past years, Zeeshan has developed a library, called zbus for enabling implementation of D-Bus services and clients in a programming language designed for safety: Rust. zbus has become the go-to library for writing D-Bus code in Rust. While that is major step forward, the communication typically still happens through a broker and the two major broker implementation are both are written in C and have been stagnating for years. This is why Zeeshan has recently started working on writing a D-Bus broker based on zbus, called busd, which not only aims provide a drop-in replacement for existing brokers, but also modernize the D-Bus space by providing new features needed by apps and services, such as systemd. In this talk, Zeeshan will walk us through a summary of his journey so far, the current state of busd and his plans and dreams for the future of D-Bus. all-systems-go-2024-298-busd-there-is-a-new-d-bus-broker-in-town /media/all-systems-go-2024/submissions/WB7DYF/busd-logo_cCPaG3F.png Zeeshan Ali Khan en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/WB7DYF/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/WB7DYF/feedback/ Dome 35 min talk + 5 min Q&A 2024-09-26T15:15:00+02:00 15:15 00:40 Strong authentication requires multiple signals: identity claims proves that identity of the person, while device attestation proves possession of a given machine, and device bound keys prevent the key from being stolen. In this presentation we will take a look at how the TPM provides device attestation and device bound keys. We will connect this with identity claims from SSO providers to provide a centrally managed short-lived SSH certificates for users and their devices. This is implemented as an open-source project called “ssh-tpm-ca-authority”. all-systems-go-2024-320-ssh-authentication-using-user-and-machine-identities Morten Linderud en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/JCJ9YT/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/JCJ9YT/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-26T16:30:00+02:00 16:30 00:25 There's a new installer for GNOME OS, and it's built on top of systemd-repart. Here's how and why we did it all-systems-go-2024-283-installing-your-os-with-systemd-repart Adrian Vovk en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/CMQTNL/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/CMQTNL/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-26T17:00:00+02:00 17:00 00:25 As a reference for developers and testers, GNOME OS is an experimental Linux distribution that ships the latest in-development GNOME desktop, core applications, and stack. GNOME OS is currently using OSTree, this talk covers the ongoing work to add features to systemd-sysupdate and transition to it. Features like optional transfers, delta updates, and major version upgrades. all-systems-go-2024-285-gnome-os-systemd-sysupdate Abderrahim KitouniJude Onyenegecha en GNOME OS is an experimental Linux distribution that ships the latest in-development GNOME desktop, core applications, and stack. It serves as a reference for developers and testers. This operating system is designed and built around the modern systemd and GNU-based userland built from the Freedesktop SDK. Currently, GNOME OS uses OSTree to deploy the root filesystem and manage updates. This means that the base OS is immutable (read-only) and updates can be quickly downloaded as deltas. OSTree allows easy rollback to multiple previous versions of the root filesystem, which is essential for a testing-first distribution focused on finding bugs. Our work focuses on transitioning GNOME OS to use systemd-sysupdate. Migrating to sysupdate would bring the following benefits: * Provide a trust chain from the bootloader, all the way up, both online and offline; * Achieve a closer integration with systemd; * Advance our support for image-based design and its benefits, e.g., immutability, auto-updating, adaptability, factory reset, uniformity and other modernised security properties around image-based OSes. For that, we are adding a number of features to systemd-sysupdate to make it more production ready; * Implement optional transfers in systemd-sysupdate * sysupdate should allow upgrading to a newer major version * pluggable backends for systemd-sysupdate (or systemd-import) This project was partly inspired by Lennart Pottering's article "Brave New Trusted Boot World", in which he explains a vision of the future of Linux systems. false https://cfp.all-systems-go.io/all-systems-go-2024/talk/MGDHYQ/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/MGDHYQ/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-26T17:30:00+02:00 17:30 00:25 Thanks to work made possible by the STF grant, all the pieces are there for GNOME to integrate with systemd-homed. This talk describes what it took to get here, what new features it gives us, what still remains to be done all-systems-go-2024-282-home-directory-encryption-in-gnome Adrian Vovk en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/FFY3BB/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/FFY3BB/feedback/ Dome 20 min talk + 5 min Q&A 2024-09-26T18:00:00+02:00 18:00 00:25 Multicast DNS (mDNS) and DNS Service Discovery (DNS-SD), collectively know as zeroconf, are technologies used for devices to find each other and advertise services on the local network. There are two widely used FOSS implementations: mDNSResponder is used by Apple and Android, while Avahi is used by most GNU/Linux distributions. However, there is a third one in systemd-resolved -- widely installed but rarely used. In this talk, I will explain how mDNS and DNS-SD work individually and together, and explore how to use them with resolvectl. I'll also try to go over the deficiencies in the systemd-resolved and have a discussion about the ways that it can be improved to replace Avahi as the default implementation on GNU/Linux systems. all-systems-go-2024-297-can-systemd-resolved-replace-avahi- Abderrahim Kitouni en false https://cfp.all-systems-go.io/all-systems-go-2024/talk/C3DZDS/ https://cfp.all-systems-go.io/all-systems-go-2024/talk/C3DZDS/feedback/