    asg2023

    Explore "asg2023" with insightful episodes like "Closing session of All Systems Go! 2023 (asg2023)", "antlir2: Deterministic image builds with buck2 (asg2023)" and "asynchronous dbus with C++ co-routines (asg2023)" from podcasts like "Chaos Computer Club - recent events feed" and "Chaos Computer Club - recent events feed (low quality)", and more!

    Episodes (100)

    antlir2: Deterministic image builds with buck2 (asg2023)

    In this talk we’ll discuss antlir2, Meta’s solution to building container and bare metal operating system images. We’ll talk about how we have built performant, hermetic and deterministic image building infrastructure on top of buck2 (Meta’s new open source build system) and how we enable users to compose their own multi-language projects with full operating systems, write tests and deploy their images. Along the way, we’ll also cover how antlir2 wrangles dnf and other upstream tooling to behave more predictably for better, more reliable images.
    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/9E9MLC/

    asynchronous dbus with C++ co-routines (asg2023)

    sdbusplus generates ergonomic and compile-time type-checked dbus bindings built atop sd-bus. This library is heavily used within the OpenBMC project to provide all IPC between its many userspace processes. This talk will give an overview of how OpenBMC leverages dbus, how sdbusplus facilitates its usage, as well as an introduction on our approach for asynchronous programming with C++ co-routines.
    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/QUMHR3/

    Building image-based OSes with BuildStream (asg2023)

    BuildStream is a tool for building / integrating software stacks. In a way, it has a similar goal to bitbake / yocto and Android repo, but takes a completely different approach. It can be used to take software from various sources, build it with various build systems in a reproducible sandbox, and cache results for speedy rebuilds. In this talk I give a brief overview of BuildStream, how it is used to build GNOME OS, and the challenges we face in using it. I also go over freedesktop-sdk which is a base runtime that can be used as a base to build your own system. I also discuss the challenges we encountered with using BuildStream with ostree and the steps we're taking to support updating with systemd-sysupdate.
    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/G8UZGL/

    Microsoft Azure Boost: Image-based Linux powering the Azure fleet. Wait, what? Really?! Yes! (asg2023)

    A quick journey through the Azure infrastructure, specifically looking at how image-based Linux is used for Azure Boost, what it enables, what interesting security and performance features were added and where to find them upstream. Believe it or not, today Linux is right at the core of Microsoft Azure's infrastructure, on the very nodes that run all those fancy virtual machines. Getting there was not easy, and a lot of work was needed to meet the very stringent security and performance goals that were set. We built a custom distribution, added several security features such as signed dm-verity and kernel-enforced code integrity, came up with a way to keep state alive across kexec with PMEM, and implemented the stackable Portable Services image model that ultimately became sysexts and confexts. And much more! This talk will walk through this effort, starting with a peek under the cover at the hardware that powers it and what it enables, passing through the custom OS and ending up at all the features we added to systemd and elsewhere that you all can enjoy as well.
    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/7URRNC/

    mkosi: Building Bespoke Operating System Images (asg2023)

    mkosi is a tool for building operating system images. In this talk we'll give an introduction to mkosi, how we use it to develop systemd and discuss how we want to support running and updating systems with mkosi and other systemd tooling.
    GitHub repository: https://github.com/systemd/mkosi/
    Initial blog post on mkosi: https://0pointer.net/blog/mkosi-a-tool-for-generating-os-images.html
    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/ASV8ZM/

    Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos (asg2023)

    Are you using container images with hundreds of known vulnerabilities? The majority of us are using images based on the Docker official images available on the Docker Hub. This includes base images – such as Debian and Ubuntu – as well as application images such as nginx and redis. Unfortunately these images often have hundreds of known vulnerabilities due to excessively large dependency trees with out-of-date packages. This security debt can lead to unnecessary security risks and slower development cycles.

    Wolfi (https://github.com/wolfi-dev/) is a new Linux distribution optimized for building minimal, secure container images. Wolfi maintainers prioritize a rolling release model built on a rapid package update cycle, which ensures that new vulnerabilities are remediated quickly. This talk not only describes the problems that motivate Wolfi but also provides hands-on knowledge to help developers take advantage of Wolfi. By the end of the talk, developers will learn about packaging techniques with apko and melange, tools specifically designed to build Wolfi packages and turn them into minimal, low- or no-vulnerability containers.

    Key Takeaways and Highlights
    - Popular, off-the-shelf base images and containers often have hundreds of known vulnerabilities (“CVEs”), which can, at worst, be a security risk and, at best, be a giant time suck.
    - Wolfi is a new secure-by-default Linux distribution that prioritizes rapid package updates and, by extension, fast mean time-to-remediation for known vulnerabilities.
    - Packages in Wolfi can form the foundation of secure, minimal base images and containers, freeing developers of tedious vulnerability management tasks and increasing security for cloud-native applications.

    Talk Outline
    - The Cloud-Native Application Status Quo: Bloated, Outdated, Vulnerability-Laden Images
      - Containers 101
      - Show the results of running security scanners against popular Dockerhub official images
        - Use (grype, an open source scanner) to scan golang:latest and nginx:latest. Show via command line.
      - Show data and analysis on package counts, package staleness, vulnerability counts of official Docker Hub images
        - Draw on six months of daily scanning results collected by presentation team
    - Overview of Wolfi
      - Fast package update times
      - Fast vulnerability mean time-to-remediation
      - Granular packages
        - Wolfi packages are often packaged at a more granular level than their counterparts in other distributions, which allows developers to pick and choose only the components that are essential for an image, without dragging in unnecessary functionality and attack surface.
      - Rolling release
    - Why not alternative approaches, either other minimal images or using other distros?
      - Google distroless
        - Debian-based so there can be slow update times for packages
      - Debian - Slow package updates
    - How to build images with Wolfi packages
      - Explain melange and building packages
      - Example of building a package with melange
      - Explain apko and building images
      - Demo of building an image with apko

    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/V9EZSS/

    Exploring RAUC: A Flexible Building Block for Image-Based Updates (asg2023)

    Recently, atomic updates via image-based systems have become more relevant for servers and desktops, as they allow predictable management of large fleets. In the embedded Linux space, this approach has been the default for many years and proven updaters exist already. In this talk, we will delve into RAUC and look at how its design and features have been driven by the requirements for robust, atomic updates. The presentation will introduce the fundamental concepts surrounding A/B fallback and update signing in the context of embedded Linux updates. We will then explore the commonalities and differences between RAUC and systemd's sysupdate. The discussion will progress to cover RAUC's bundle-based update system, which allows for comprehensive system updates without the need for local storage, thanks to HTTP streaming. Additionally, we will demonstrate how adaptive updates minimize download sizes without necessitating version-specific patch management.
    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/NEQ9TX/

    openSUSE Aeon - Desktop Linux finally done right? (asg2023)

    openSUSE Aeon (formerly MicroOS Desktop) aims to be a fully fledged modern Linux Desktop leveraging as many of the latest user space innovations available including:
    - Immutable OS with Transactional Updates
    - Secure Boot
    - TPM Encryption
    - Flatpaks & OCI containers as primary application delivery

    This talk will introduce the distribution, highlight the adoption of some of the latest foundational user space technologies as well as share some of the pain points being faced and invite the audience to contribute to this exciting platform.
    About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/RV3UZD/
