BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.all-systems-go.io//all-systems-go-2024//UK8EUJ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-all-systems-go-2024-HVEZQQ@cfp.all-systems-go.io
DTSTART;TZID=CET:20240925T115500
DTEND;TZID=CET:20240925T123500
DESCRIPTION:Fedora image based variants (CoreOS\, Atomic Desktops\, IoT) ar
 e currently built using ostree and rpm-ostree. This enables a hybrid appr
 oach where the system is managed like an image but modifications are still
  possible using RPMs.\n\nBut this approach has limits:\n- It is difficult
  for users to customize their operating system and share those customizati
 ons.\n- The integrity of the boot chain is not guaranteed and it is costly
  to validate the system content at runtime.\n\nTo address those shortcomin
 gs\, we are introducing the bootable containers (bootc) project. With boot
 able containers\, the content of the operating system\, including the kern
 el and initrd (or a UKI)\, is shipped in a container image alongside its c
 orresponding base userspace root filesystem. This image can then be modifi
 ed using container native tools and shared via a container registry.\n\nTo
  chain from platform Secure Boot to a verified root filesystem\, the ostre
 e project has integrated support for composefs. It combines multiple Linux
  kernel features (overlayfs\, EROFS and fs-verity) to provide read-only mo
 untable filesystem trees stacking on top of an underlying "lower" Linux fi
 lesystem.\n\nWe will detail how we are integrating composefs and UKI suppo
 rt in Bootable Containers to enable a trusted and measured boot chain whil
 e letting users customize and re-sign their images to fit their needs.
DTSTAMP:20260315T023325Z
LOCATION:Main Hall
SUMMARY:The road to a trusted and measured boot chain in Bootable Container
 s - JB Trystram\, Timothée Ravier
URL:https://cfp.all-systems-go.io/all-systems-go-2024/talk/HVEZQQ/
END:VEVENT
BEGIN:VEVENT
UID:pretalx-all-systems-go-2024-HJLF3C@cfp.all-systems-go.io
DTSTART;TZID=CET:20240925T170000
DTEND;TZID=CET:20240925T172500
DESCRIPTION:On general purpose image based systems such as Flatcar and Fedo
 ra CoreOS\, users are encouraged to run all their applications using conta
 iners. To make updates safe and predictable\, the system is mounted as rea
 d only and local modifications are discouraged.\n\nWhile containers offer
  a lot of flexibility on Linux\, there are still cases where installing bi
 naries or running applications directly on the host operating system is pr
 eferred. For example\, to add kernel modules\, use an alternative containe
 r runtime version\, add more udev rules\, etc.\n\nSome of those use cases
  could be addressed with statically linked binaries\, but their management
  is manual and their usage creates new issues around updates\, versioning
 \, memory footprint and not everything can be statically compiled. Alterna
 tively\, one can build one's own image\, but at non-negligible maintenance
  costs.\n\nSystemd's system extensions (sys-ext) provide a mechanism to ex
 tend the content of the host while preserving the safety guarantees around
  updates. We will demonstrate how Flatcar\, Fedora CoreOS and Atomic Deskt
 ops are leveraging sysext images to securely extend the OS. With practical
  examples and use cases (e.g. Cluster API)\, learn how to install Python\,
  Podman\, Kubernetes\, ZFS\, everything at the same time\, by composing yo
 ur very own image with systemd-sysext.
DTSTAMP:20260315T023325Z
LOCATION:Main Hall
SUMMARY:Waiter\, an OS please\, with some sysext sprinkled on top - Mathieu
  Tortuyaux\, Timothée Ravier
URL:https://cfp.all-systems-go.io/all-systems-go-2024/talk/HJLF3C/
END:VEVENT
END:VCALENDAR
