Version v1

Events


Friday 18:30


Pre-Registration Event

Meet-up at the Kinvolk Office! - Kinvolk Office

Saturday 09:30


Opening

Check In and Say Hello! - Event Loft

Saturday 09:45


Really crazy container troubleshooting stories

Event Loft

In this talk, the presenter will share a few container troubleshooting stories that were encountered in the life of an infrastructure operator. The use cases are deliberately chosen to be a bit advanced and focused around exploring the inner workings of core libraries and kernel, to remind everyone that even the lowest level of modern systems need some love. The talk will follow a hands-on agenda, interactively iterating over all the key points of the troubleshooting process, focusing on the different tools used and providing immediate value to the listener, who should be able to apply the various workflows to other scenarios. Example use cases presented: - Troubleshooting resource isolation between containers - Tracing the root cause of a crashing containerized application - Monitoring memory and performance issues in containers

Introducing Bluetooth Mesh

Galerie

Bluetooth technology has been extended with a brand new mesh feature. This presentation gives an introduction to Bluetooth Mesh and its impacts on the ecosystem. It shows the new and exciting use cases that a mesh enabled Bluetooth low energy enab...

Saturday 10:30


Rust memory management

Event Loft

A quick introduction to the unique memory management concepts of Rust.

Rust is a systems programming language that focuses on safety and performance at the same time. Most people new to Rust, often struggle with memory management. The goal of this talk is to give a very quick overview of Rust's memory management.

High-performance Linux monitoring with eBPF

Galerie

Extended Berkeley Packet Filter (eBPF) allows for high-performance introspection of the Linux kernel execution. eBPF is widely available (part of the mainline kernel and enabled by most distributions), flexible (any kernel code path can be probed)...

Saturday 11:00


Network troubleshooting in heterogeneous cloud environment with Skydive

Galerie

With the growing number of network cloud services it becomes essential to be able to monitor, troubleshoot and analyze different virtualization or container technologies. Being able to monitor complex heterogeneous federated cloud environments is ...

With the growing number of network cloud services it becomes essential to be able to monitor, troubleshoot and analyze different virtualization or container technologies. Being able to monitor complex heterogeneous federated cloud environments is key. Skydive is a real-time and post-mortem topology and packet analyzer. To do so, it listens for networking kernel events, monitors network namespaces, watches external components such as OVSDB and Docker. Skydive can make use of AF_PACKET or eBPF programs to capture traffic. Thanks to its classifier Skydive is able to map the network traffic with the topology. We will show through a demo how Skydive can help operators to visualize, understand and troubleshoot packet forwarding from point to point.

Incremental Adoption of Open Services with Habitat

Event Loft

Open services mark a paradigm shift similar to the disruption caused by open-source software in the 90s, but the path to effective adoption of open services tooling is sometimes unclear. Blake will share patterns and learnings from his experience ...

The modern computing world revolves around delivering applications as services. Until recently, massively scalable services were the specialized domain of tech giants, and attempts by small teams to reproduce the tooling available to Fortune 100 players often led to frustration and wasted time. Habitat is part of a new family of tools aimed at making application runtimes and service orchestration layers safe, repeatable and fully open. At smartB, Blake has brought Habitat to his org to reduce operational complexity, guarantee application runtime behavior and provide dependency isolation and transparency for applications and their corollary security profiles. smartB is his 5th startup in 10 years and his first foray into sustainability engineering.

Saturday 11:15


Break

Have a tea, coffee and/or Club Mate! - Event Loft

Break

Have a tea, coffee and/or Club Mate! - Galerie

Saturday 11:30


Azure networking integration challenges

Event Loft

The introduction on Accelerated Networking on Azure created challenges integrating support in Linux distributions. The original method using bonding had issues that were solved by introducing a new mode called "Transparent VF". This mode solves is...

Getting Started with Habitat

Galerie

Habitat is the best way for software developers to build, deploy, and manage modern applications - regardless of their expertise. Habitat provides a self-healing, self-configuring, stack-agnostic, frictionless abstraction for running applications—...

Habitat is the best way for software developers to build, deploy, and manage modern applications - regardless of their expertise. Habitat provides a self-healing, self-configuring, stack-agnostic, frictionless abstraction for running applications—regardless of their complexity on whatever infrastructure you prefer, from physical hardware and virtual machines to containers and everything in between. This session will show you how to build and run your own application. You will learn how scaffolding helps you quickly and easily package your application. Explore the build system used for generating Habitat artifacts. Run an application using the Habitat supervisor. This is the talk for anyone who's just learning about Habitat or those that are interested in seeing some of the newer features of the framework.

Saturday 12:15


Lunch

Yummy food available from food trucks in the courtyard - Event Loft

Lunch

Yummy food available from food trucks in the courtyard - Galerie

Saturday 13:45


The IoT botnet wars, Linux devices, and the absence of basic security hardening

Galerie

We will discuss the various malware infecting Linux IoT devices including Mirai, Hajime, and BrickerBot and the vulnerabilities they leverage to enslave or brick connected devices. We will walk the audience through specific vectors they used to ex...

This talk will cover the ongoing battle being waged is leveraging insecure Linux-based Internet of Things (IoT) devices. BrickerBot is an example of a recent malware strain attacking connected devices and causing them to “brick,” making an electronic device completely useless in a permanent denial-of-service (PDoS) attack. Additionally, the Mirai botnet consisted of connected printers, IP cameras, residential gateways, and baby monitors that flooded DNS servers. Mirai was behind the largest DDoS attack of its kind ever in October 2016, with an estimated throughput of 1.2 terabits per second. It leveraged these enslaved devices to bring down large portions of the internet, including services such as Netflix, GitHub, HBO, Amazon, Reddit, Twitter, and DIRECTV. BrickerBot’s goal appears to counter Mirai’s: Bricking insecure Linux devices so that malware such as Mirai can’t subjugate these devices in another DDoS attack. We will take an in-depth look at the anatomy of the attack. We will then dive into basic some security hardening principles which would have helped protect against many of these attacks. Some of the fundamental security concepts we will cover include: Closin...

systemd @ Facebook — a year later

Event Loft

We'll be talking about what we learned throughout the past year running systemd in production at Facebook: new challenges that have come up, how the integration process went and the areas of improvement we discovered. We'll also discuss our effort...

This talk is a followup to <a href="https://www.youtube.com/watch?v=LhYd0S3qiMY">Deploying systemd at scale</a> that was presented at systemd.conf 2016, and covers the aftermath of the migration of our fleet to CentOS 7. Now that systemd is available everywhere, we found more and more services that started adopting it for their deployment, leveraging its features and occasionally exposing interesting behaviors. At the same time, we've been able to hone our process for integrating and rolling out new versions of systemd on the fleet, and started building tooling to manage and monitor it at scale.

Saturday 14:30


State of the rkt container runtime

Event Loft

rkt is a modern container runtime, built for security, efficiency, and composability. It is one of the container runtimes supported by Kubernetes but the current implementation (“rktnetes”) doesn’t support the Container Runtime Interface (CRI). Th...

Cockpit: A Linux sysadmin session in your Browser

Galerie

Cockpit is an open source project that has built the new system admin UI for Linux. It turns Linux server into something discoverable and usable. Its goal is to remove the steep learning curve for Linux deployments. Cockpit lets you immediately...

Saturday 15:00


Portals, dynamic permissions in Flatpak

Event Loft

Desktop application sandboxing is quite different than traditional container isolation, learn how flatpak does it, using the concept of portals.

Flatpak is a distribution independent bundling and deployment system for Linux, focusing on desktop applications. One core aspect of flatpak is application sandboxing, which has very different requirements on the desktop than in the traditional container space. Applications need to be isolated from the system, yet in order to be easy and intuitive to use they must integrate with the desktop environment in complex ways. Flatpak solves this by using a concept called Portals. This talk will discuss how Flatpak sandboxing/security works and the how Portals fit in this system.

Reproducible Builds - where do we want to go tomorrow?

We've made lots of progress, but we are still far from our goals of changing the (software) world - Galerie

A status report on Reproducible builds, which enable everyone to verify that a given binary is made from the source it is claimed to be made from, by enabling anyone to create bit by bit identical binaries.

This talk will report on the state of reproducible builds in various distributions (Debian, Archlinux, coreboot, F-Droid, Fedora, FreeBSD, Guix, NetBSD, OpenWrt, SuSE, and Qubes OS - to name a few) and thus should be interesting and insightful for anyone working on any free software project. Holger will explain how he started working on this in the Debian context and how his focus shifted slightly over the time. So he will start with explaining the status of Reproducible Debian, but this is quickly followed by an overview of common problems and solutions, followed by a quick explaination of the shared test infrastructure for reproducible tests of any project. You will learn how the community was broadened, what future plans we have to address what might be needed beyond being able to reproducible build something, so this becomes truly meaningful for users in practice. In this talk you will also learn about the challanges we're facing to deliver on the promise. Being able to reproducibly build in theory is not enough, one needs to be able to do so in practice. And enabling this on a distro scale is much harder than we thought…

Saturday 15:45


Building containers all day

Galerie

Containers have become a popular way of packaging and running applications, especially for server applications using microservice architectures. As containers can be started in no time, building new container images replacing old ones has become t...

Containers: What Did We Learn?

Event Loft

Containers: love 'em or hate 'em -- whether you think they're the hottest new thing or yesteryear's same ideas in new clothing -- the both rapid and sustained rate of adoption of recent container technologies says one thing clearly: We Were Missin...

Containers have brought a lot of new patterns and behaviors into focus. For example, atomic deploys have become part of everyday conversation; fully captured dependencies and snapshots are now the norm; and the very concept of "releasing" software is beginning to morph. But many of these concepts -- at least, as implemented in popular container systems today -- seem to be somewhere between poorly integrated or outright in conflict with our present understanding of "package managers" and "config management". What do containers need to learn from the decades of package management before today? And what hints do the package managers we all know and love need to take from the explosion of containers? Containers are an exciting opportunity to revisit many of our oldest assumptions about how to design systems: let's take this opportunity to think carefully and ask tough questions.

Saturday 16:00


Break

Have a tea, coffee and/or Club Mate! - Galerie

Break

Have a tea, coffee and/or Club Mate! - Event Loft

Saturday 16:15


Fix, forget, or forge a new path?

Event Loft

As Infrastructure operators we're exposed to a lot of plumbing and not a lot of porcelain. Worse, because our concerns are often esoteric (in the eyes of application developers) we have to fix our own pipes too. Often this leads to the "homeowner...

On the systems side AAA services haven't kept up with the pace of application development, our hardware is aging, and there are components of infrastructure that have fallen by the wayside. Modern switches still support (non-TLS) RADIUS and TACACS+, other networking gear still only supports SNMP v1, and then we've got logging... In this talk we take stock of the landscape and discuss which pieces should be fixed, which desperately need to be abandoned, and which we have been thinking about all wrong.

Using systemd for containers @ Facebook

Galerie

To achieve faster and easier containerization at Facebook we have started utilizing Chef, Btrfs and Systemd to improve our container system. These tools helped us to design a robust base for our cluster management will allow us to concentrate more...

Co-presented by Zoltan Puskas and Zeal Jagannatha

Saturday 17:00


Landlock LSM: Towards unprivileged sandboxing

Galerie

Landlock is a proposal for a new Linux Security Module (LSM) to create secure sandboxes with the goal “to empower any process, including unprivileged ones, to securely restrict themselves.” This presentation will give an overview on what Landlock ...

Streamlining systemd's code and safety

Event Loft

Today, the systemd project uses a non-standard superset of C to get destructor-like functionality. But, we pay a heavy price for doing it this way: we lose compiler portability, use hundreds of boilerplate macros, and confuse static analysis tools...

<p>Today, the systemd project uses a non-standard superset of C to get destructor-like functionality. But, we pay a heavy price for doing it this way: we lose compiler portability, use hundreds of boilerplate macros, and confuse static analysis tools (which don't always realize why we're not leaking memory). At compilation, the cleanup functionality gets mapped to the same facilities that handle C++ destructors. So, essentially, we're already using a non-standard version of C++ as well as a non-standard version of C. We can end this charade by following in GCC's footsteps and <a href="https://lwn.net/Articles/542457/">explicitly using a subset of C++</a>. By doing so, we can shed thousands of lines of C-trying-to-be-C++. We can also improve memory safety and code readability -- <a href="https://medium.com/@davidtstrauss/choosing-some-c-over-c-f5acb3dce4f5">all while keeping the feel of C</a>.</p> <p>In this presentation, we'll consider options for systems'd codebase:</p> <ul> <li>Converting instances of "cleanup" to destructors. This should allow us to discard a couple thousand lines of boilerplate and many "goto cleanup" situations.</li> <li>Converting raw pointers to equ...

Saturday 17:30


A gentle introduction to [e]BPF

Event Loft

BPF is a Linux in-kernel virtual machine that is used for networking, tracing, seccomp and more. This talk will give an introduction to the extended BPF subsystem in Linux, an overview on how it works, show available tools to work with and explain...

Software updates for connected Linux devices: key requirements

Galerie

A key requirement for connected Linux devices is the ability to deploy remote software updates to them so that bugs, vulnerabilities and new features can be addressed while devices live in the field for up to 10 years. As part of the Mender.io ...

In order to address these requirements, design trade-offs need to be made. In this presentation, we will cover the most common update strategies, such as using A/B dual rootfs, maintenance-mode updates, package managers, tarballs, and see the trade-offs of each approach. Remote Software Updates for Connected Devices: Key Considerations A key requirement for connected devices is the ability to deploy remote software updates to them so that bugs, vulnerabilities and new features can be addressed while devices live in the field for up to 10 years. As part of the Mender.io project, we have interviewed more than 100 embedded developers to understand best practices and the current state of enabling software updates for connected devices today. The key requirements found during this study can be split into the following areas: Robust - the cost of bricking devices is high Ease - teams generally do not have much time to invest in an updater mechanism Performant - bandwidth is the key limiting resource for connected devices, but other system resources should also be conserved during the update process. Downtime during the update process should be kept to a minimum. ...

Saturday 18:00


Containers without a Container Manager, with systemd

Event Loft

systemd service management today supports a number of the features that container management is known for, but for classic system services. Let's see which ones, and how to make use of them.

systemd service management today supports a number of the features that container management is known for, but for classic system services. Let's see which ones, and how to make use of them. We'll talk about sandboxing, resource bundling, service management and resource management, and more. We'll discuss what container managers can do, that systemd service management can't and vice versa. Last but not least we'll have a look at systemd-nspawn, systemd's very own container manager and what it adds on top of systemd's native service management.

Securing Home Automation with Tor

Be Safe. Be Secure - Galerie

Today the technological worlds centralize principle is to automate each conceivable thing for simplicity in life, providing security, saving electricity and time. <cite>Home automation is “The Internet of Things"…The way that all of our devices...

Automation is, unsurprisingly, one of the two main characteristics of home automation. Automation refers to the ability to program and schedule events for the devices on the network. The programming may include time-related commands, such as having your lights turn on or off at specific times each day. It can also include non-scheduled events, such as turning on all the lights in your home when your security system alarm is triggered. Home automation systems are advancement to the mechanization processes wherein human efforts are needed with the machinery equipments to operate various loads in homes.The popularity of home automation has been expanding incredibly because of much higher reasonableness and straightforwardness through Smartphones and wireless networks. <cite>"Internet of Things"</cite> is interlinked through these networks; because of the popularity of the home automation is improved by the quality of service provided by the devices. Different home automation systems are developed for automatically on and off the appliances with different applications. Once you start to understand the possibilities of home automation scheduling, you can come up with any n...

Saturday 19:00


Social Event

Meet people and be merry! - Galerie

Sunday 09:30


kube-spawn: testing multi-node Kubernetes clusters on Linux systems

Galerie

kube-spawn is a tool to easily start a local, multi-node Kubernetes cluster on a Linux machine. While it was originally meant to be used mainly by developers of Kubernetes, it has been turned into a tool that is great for just trying Kubernetes ou...

kube-spawn aims to become the easiest means of testing and fiddling with Kubernetes on Linux. It provides an environment that Kubernetes will eventually be running on, a full Linux OS. On the host side, end users are able to run native Kubernetes command-line tools to get every nodes and pods to work. For each container, kube-spawn bootstaps each instance based on CoreOS Container Linux, with the help of systemd-nspawn. In this talk I will introduce kube-spawn briefly from the perspective of end users. After that, I'm going to cover several integration issues, which have been discovered during implementation. It will range from administration tools like kubeadm to low-level issues such as btrfs-based storage pools.

What If Component xxx Dies? Introducing Self-Healing Kubernetes

Event Loft

Kubernetes promises healing your application on all kinds of failure scenarios, but why not self-heal Kubernetes itself?

This talk introduces self-hosted Kubernetes (K8s inside itself) to autonomously recover from failure scenarios with the help of e.g. itself, systemd and checkpointing. We will ask and answer questions like “What happens when xxx dies”. The theory will be followed by a demo on a live cluster showcasing what happens when we kill central Kubernetes components, like the API-Server. Let’s see how well Kubernetes recovers.

Sunday 10:00


cgroupv2: Linux's new unified control group hierarchy

Galerie

cgroupv1 (or just "cgroups") has helped revolutionise the way that we manage and use containers over the past 8 years. A complete overhaul is coming -- cgroupv2. This talk will go into why a new control group system was needed, the changes from cg...

kubernetes for toasters?

potential solutions to achieving containerization on constrained devices. - Event Loft

Potential solutions to achieving containerization on constrained devices. 1. Why? 2. a content addressable elf linker (bolter) 3. space efficient container imaging (korhal) 4. oci compliant runtime (railcar)

Sunday 10:45


Using BPF in Kubernetes

Linux superpowers in the cloud - Event Loft

In this talk, I will present different use cases for using BPF in a Kubernetes cluster. BPF is a Linux in-kernel virtual machine and there are different kinds of BPF programs for different subsystems that will be considered: kprobes, traffic contr...

BPF and Kubernetes are both Open Source technologies on Linux but their respective communities initially had little overlaps. I want to bring more visibility of what BPF can offer to Kubernetes users and developers.

Unbreaking reloads: strategies for fast and non-blocking reconfiguration

Galerie

When configuration changes, daemon-reload stops the world in an increasingly unsustainable way. The problem is getting worse for two reasons: (1) heavier use of systemd means more units and longer reload times and (2) expanded use of socket activa...

<p>When configuration changes, daemon-reload stops the world in an increasingly unsustainable way. The problem is getting worse for two reasons: (1) heavier use of systemd means more units and longer reload times and (2) expanded use of socket activation/D-Bus activation/automount means more things urgently need PID 1's attention. There are ways to fix this up, but we'll need to move away from stopping the world (the main event loop), throwing out most loaded state, reloading state, and then resuming event handling.</p> <p>We'll explore these options:</p> <ul> <li>Incremental state reloading, possibly when dependencies and other cascading configuration remains the same</li> <li>Amortized state reloading with an atomic switch on completion</li> <li>Offloading configuration loading to a separate thread or process, followed by an atomic switch-over on completion.</li> </ul> <p>We'll need to be careful to maintain the memory footprint on resource-constrained devices, but we have options:</p> <ul> <li>Choosing to still stop the world when a system is resource-constrained</li> <li>Storing unit data in a tree that supports snapshots and copy-on-write, which would constrai...

Sunday 11:15


Break

Have a tea, coffee and/or Club Mate! - Galerie

Break

Have a tea, coffee and/or Club Mate! - Event Loft

Sunday 11:30


Simulate hardware for integration testing

Event Loft

How to get a slightly broken hard disk for testing file systems or udisks? A wifi access point which supports the old 802.11b standard for writing a test case for NetworkManager? Downloading a photo from a particular camera model which you don't o...

Modern deployment for Embedded Linux and IoT

Galerie

In a world of connected devices, IoT and embedded systems, building robust products needs a modern deployment workflow where security and constant updates are as important as the product itself. The abilities of these systems to protect themselves...

In a world of connected devices, IoT and embedded systems, building robust products needs a modern deployment workflow where security and constant updates are as important as the product itself. The abilities of these systems to protect themselves, isolate applications inside sandboxes or containers, and support constant updates will enhance the product's security, its longevity and all the offered services around it. In this regard, Linux containers are one of the mechanisms that may allow to solve some of the Embedded and IoT systems problems, however their adoption is still facing some challenges such how can these mechanisms fit in the final embedded environment ? In order to improve container integration in the Embedded Linux world, we will explore in this presentation some upcoming systemd and Linux kernel features, notably a new Security Permission model for systemd, a new lightweight container environment that allows to deploy and sandbox portable applications, some new kernel hardening features that can be used by both containers and the kernel itself to protect the entire system. Additionally we will discuss how to apply constant updates, how we can integrate this w...

Sunday 12:00


Cyborg Teams

Happy humans, tired machines - Event Loft

n the Cockpit project we’ve done something amazing: We’ve built “robot” contributors to an Open Source project. “Cockpituous”, our project’s #5 contributor, is actually our automated team members. Bots do the mundane tasks that would otherwise ...

Synchronizing images with casync

Galerie

casync is a novel tool for delivering OS images across the Internet. While there are many tools like this around, casync has some features that set it apart. In this talk we'll discuss why it is useful for delivering your IoT, container, applicati...

casync is a novel tool for delivering OS images across the Internet. While there are many tools like this around, casync has some features that set it apart. In this talk we'll discuss why it is useful for delivering your IoT, container, application or OS images, and how you can make use of it.

Sunday 12:45


Lunch

Yummy food available from food trucks in the courtyard - Event Loft

Lunch

Yummy food available from food trucks in the courtyard - Galerie

Sunday 14:15


Meson and the changing Linux build landscape

Event Loft

The Meson build system has been picking up steam this year and many fundamental projects have transitioned to it from their old build systems. In this talk we shall look at the advantages and disadvantages these transitions have brought, what we...

The build system may seem like a simple and unimportant part of software development but it turns out to have implications that are both wide and deep. For example when Debian changed their package builds of systemd to use Meson, the build time on mips machines dropped from almost two hours to less than one. These sorts of changes enable workflows and process changes that simply were not possible or feasible with old tools. In addition to single projects, this transition has wider implications for distros and other aggregate works. We shall look into some of these changes ranging from full distro rebuilds to the core dependencies and tooling needed to build a modern Linux distro and how that might change in the future.

Which network to use when - Socket Intents

Hacking the Socket API for fun and research - Galerie

Nowadays, most end devices have multiple network interfaces to connect to the Internet. They usually pick a statically configured default interface, such as WiFi, which they prefer over LTE when both are available, but this is not necessarily the ...

The Socket Intents framework is a research prototype developed at the INET group at TU Berlin, running in user space on Linux and Mac OS. It is written in C and released under a BSD license. Using the Socket Intents library, an application can set up a connection specifying its "Intents", e.g., whether the connection is going to be a small query or a large bulk transfer, whether it is intended to be a long-lived steady stream of data or a series of interactive bursts, and whether it is time-critical or background traffic. The client library then queries a daemon, the Multi Access Manager (MAM), to make a decision about which of the available network interfaces to bind this connection to, based on the Intents and on current performance estimates if available. Socket Intents aims to overcome the assumption that only one network interface would be available at a time, or that there is always the same statically configured "default" interface to use. By itself, the Socket API does not provide a good way to choose between different interfaces without placing the burden on the application. Instead of having each applications implement an interface selection logic by itself, Socket I...

Sunday 15:00


Virtualization: what changed in the last decade

Galerie

Containers are pretty cool, but in scenarios where they don't satisfy all the requirements, service providers still rely on virtualization. Hardware virtualization became mainstream 1 decade ago and it never stopped evolving. I even dare to say th...

Insecure containers?

Event Loft

Open Source Software underpins the internet and many enterprises, but has repeatedly proven itself vulnerable to accident and tampering. As we fight to continuously secure millions of servers from attack, have we found a crucial panacea in containers? This talk examines the anatomy of major vulnerabilities, demonstrates their applicability to containerised applications, and explores container native security tooling throughout the pipeline. It covers recent major CVEs, container security models and extensions (cgroups, namespaces, rlimits, capabilities, Seccomp, AppArmor), their implementation in Docker and Kubernetes (flags, configuration best practices, entitlements), container breakout and hardening live demos, and container native security tooling (static/dynamic analysis, secret leakage prevention, IDS).

Sunday 15:45


Update on new WiFi daemon for Linux

Galerie

This presentation is about a new 802.11 wireless daemon for Linux. It is a lightweight daemon handling all aspects around WiFi support for Linux. It is designed with a tiny footprint for IoT use cases in mind. After its initial release last year, ...

Creating your own 1password clone

Event Loft

AgileBits, the company behind the 1password password manager, published a spec for their “opvault” format to show how confident they are in its design. This eliminates the need to reverse-engineer the encryption when trying to read from such a vau...

Sunday 16:15


Break

Have a tea, coffee and/or Club Mate! - Event Loft

Break

Have a tea, coffee and/or Club Mate! - Galerie

Sunday 16:30


What's in a container? The OCI Answer

Galerie

The container has become one of the most overloaded industry buzzwords of the last five years. From Jails to LXC to Zones to systemd-nspawn Docker to rkt - there's an assortment of different tools on different platforms that call themselves contai...

Building a secure boot chain to userland

Event Loft

Secure boot as it currently exists in desktop Linux distributions is sufficient to verify that the bootloader and kernel have not been tampered with, but generally does nothing to ensure that userland is secure. How can we fix that?

Full system security requires the ability to determine that the entire system is in a trustworthy state. Secure Boot as currently implemented in Linux gets us partway there, but not all the way. Going further involves tying into additional security functionality, much of which already exists but is poorly integrated. This presentation will cover what needs to be done, the components required to do it and the integration work that distributions will need to do to make it viable.

Sunday 16:45


Tango with systemd

Galerie

Used by many major distributions, systemd is widely known in the desktop and server world. But it is not so common to find it in embedded product. In this talk, we will show how systemd can be a real benefit for the embedded world; for both you...

Building a product from scratch is a challenge, even more so with a small team. Every line of code that you don't have to maintain; every hour you win by using an already existing piece of code that solve your problem, is more hours you can spend creating new features for your product. Using systemd in an embedded device is not a choice done by many, but it can be really beneficial to your product, your team and yourself. We'll first start discussing how to reduce systemd to debunk the fact that it's huge. Then we will see the benefits of using systemd and how it can help you build your system without worrying.

Sunday 17:15


Journal as a Storage and Other Adventures in User Session Recording

Galerie

See how Red Hat's Session Recording project is using Systemd Journal to store and playback recordings of terminal sessions. Wonder at the challenges the project faces, such as dealing with various terminal types, character encodings, random playba...

Red Hat's customers in financial, medical, government and other areas have been asking for a session recording feature for a while, and so the User Session Recording project was started. Nikolai Kondrashov is going to introduce our project briefly and then show how we use Systemd Journal to store and playback recordings of terminal sessions for our Cockpit UI. He is going to talk about limitations of, and possible improvements for this solution, and then about other challenges the project faces: dealing with different terminal types, character encodings, implementing recording playback, etc. And, of course, there is going to be a demo!

Updating Embedded Systems -- Putting it all Together

Event Loft

Updating embedded systems reliably requires more than just the actual update process. This presentation gives an overview of the overall design and components needed for successful system updates.

With the security issues in recent year, the fact that updates are necessary is no longer in question. Still, for embedded systems updates remain a challenge. With no administrator to handle unexpected problems, a failed update can render the device unusable, which is not acceptable. Performing updates reliably is only possible when updating is considered in the design of the entire system, from the bootloader to the application. This presentation gives an overview of the building blocks and decisions made to create such a design. The configuration and boot choices in the bootloader, watchdog handling, monitoring at boot- and runtime and, of course, the actual update process itself. The result is showcased using various open source components such as barebox, systemd, rauc and casync.

Sunday 17:45


Closing

Till the next time! - Event Loft