Timothée Ravier
Timothée Ravier is a CoreOS engineer at Red Hat. He maintains the Fedora Atomic Desktops. He is a KDE developer and helps maintain KDE Applications as Flatpaks on Flathub.
Sessions
On image based desktops distributions such as Fedora Atomic desktops and Universal Blue, users are expected to run their graphical applications using Flatpaks and their command line ones using containers. But that approach does not work well for some applications that require more privileges, direct access to devices or kernel interfaces.
With systemd system extensions (sysexts), it is possible to extend an image based system on demand. Sysexts come with a lot of advantages: they can be created out of arbitrary content (not only packages), are quickly enabled or disabled and can be built and shared independently of the main distribution channels.
We will demonstrate how the Atomic Desktops can take benefit of sysexts to provide extensions such as virtual machine management (libvirt), alternative container runtimes (moby-engine or docker), IDE (VS Code) or debugging (gdb).
We will also look at important details when building sysexts, the current limits when deploying them (SELinux policy modules, service management, RPM database update), what is currently blocking us from using it for more complex cases (kernel modules) and what we would need to properly manage and update them.
With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.
Using composefs and fs-verity, we can link a UKI to a complete read only filesystem tree, guaranteeing that every system file is verified on load. We integrate this in bootc by creating a reliable way to turn container images into composefs filesystem trees, and then including the UKI in the container image.
We will share the progress on the integration of UKI and composefs in bootc and how we are going to enable remote attestation for those systems using trustee, notably for Confidential Computing use cases.