
Chaos Computer Club - archive feed
14,494 episodes — Page 19 of 290
Rubber ducks ahoy: adventures and history from the floating duck land (mrmcd24)
“Rubber ducks ahoy” explores the fascinating world of rubber ducks, from their history and manufacture to their cultural significance and physical properties. The talk offers anecdotes, scientific insights and interactive elements that illuminate the many facets of these popular bath companions. The talk “Rubber ducks ahoy: adventures and history from the floating duck land” offers an exciting exploration of the world of rubber ducks. Starting with their origin and development, it covers the early manufacturing processes and materials through to the modern variants. The role of the rubber duck in popular culture is illustrated with examples from film, television and literature. Scientific explanations of their physical properties, such as floating and squeaking, as well as modern manufacturing techniques and safety standards are also covered. The cultural significance of the rubber duck is explained through psychological and sociological insights, and its role as a collector's item and symbol is highlighted. Various events such as rubber duck races and charity campaigns are also presented. The talk also includes anecdotes and personal stories featuring famous personalities and their rubber ducks. An interactive component lets the audience share their own experiences. Finally, the talk summarises the main points and offers a Q&A session to deepen the topics. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/MCZPJZ/
Building an "affordable" home cockpit (mrmcd24)
Since the beginning of this year I've been working on a home cockpit with the goal to finally have some (open source) resources for an "affordable" home cockpit. If you're an aviation enthusiast and want to bring your flight sim experience to the next level with a home cockpit, you've got a few options right now: * Get a pre-built one... those cost you somewhere around 60-80k EUR * Get individual parts and build it yourself... that's also expensive. A simple front panel (without any electronics) can cost more than it costs me to build it with a self-designed PCB and 3D-printed front panel... Also, some ready-to-use panels are expensive too. The MCDU for example, the part where pilots interact with the Flight Management and Guidance Computer (FMGC), can cost around one grand each, and for the A320 you need 2 of them. * The last option is fully DIY. There are some people out there who have done that already, but sources for building your own are scarce, at times in proprietary formats and generally only bits and pieces here and there, not a repo of ready-to-use files for a full cockpit. So I set out to build part of my own A320 cockpit, this time also with the explicit goal to make it easy for others to replicate this. I'm going to talk about the journey I've had so far, where I ran into issues and what I'm looking forward to. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/NHKAX7/
Open parliamentary data: a treasure hunt (mrmcd24)
How do you get a list of all members of the German Bundestag, preferably machine-readable? That is a question that is not so easy to answer. The Bundestag makes an effort at open data, but anyone who digs a little deeper quickly finds that things are a bit more complicated. So we set out together in search of machine-readability in German parliaments, fish around in XML files and scrub IDs. Those have become... er... somewhat dirty over time. We discover how many different IDs exist for members of parliament in the Bundestag administration's data infrastructure alone (five!), what dangers lurk when working with names (Prof. Dr., same surname, and now married on top of that says hello), and how in the end you still manage to jump into the lifeboat. So the talk gives not only an overview of which data is available, but also how to handle it, hands-on, to follow along, and with example code. We look at how to obtain data with Python/Pandas, what it contains, and how to reshape and analyse the nested data structures. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/WSZ8JU/
Why exactly you should start with amateur radio right now! (mrmcd24)
Wau Holland was a radio amateur, there is the Chaoswelle, and in the Chaos scene you keep running into beings who have amateur radio as a hobby. Still, there may be people who want to better understand the fascination of this roughly 100-year-old hobby. This talk presents the variety, or rather the "hobbies within the hobby". It also looks at how and with what one can get started even on a smaller budget, without a detached house with a huge antenna installation, and above all have a lot of fun. Beyond that, it gives an insight into amateur radio lingo and everything around it: What is a QSO, and what is the deal with these call signs? What am I allowed to do without a licence, and what do I need a licence for at all? And which of the things I learn in amateur radio come back to me in "real life"? https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/VJTBR3/
See boiler rooms and die (mrmcd24)
On the chaos in German boiler rooms and why Linux has recently been running there. We, my colleagues and I at othermo GmbH, install Linux gateways in German boiler rooms and try to get a handle on the chaos of manufacturer-specific protocols of the last 30 years, so as to enable insights and optimisations on a unified data basis. We want to report on the pain and joy of reverse-engineering these protocols and then processing them in a Linux gateway with our mostly open-source software stack. Did you know that your radiator consumption data is probably flying through the air? Or that your heating system probably holds more data for reading and setting than you think? Hack at your own risk! We round it off with painful anecdotes about open telnet ports and dead standardisation attempts. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/Y9EKD9/
Your ISMS, the unknown creature (mrmcd24)
In many (larger) organisations an ISMS (**I**nformation **S**ecurity **M**anagement **S**ystem) exists: What is it? What is it for? What can it do? What can't it do? And: can you hack it? Agenda - Introduction - Management systems - ISO 27001, IT-Grundschutz, ... - ISMS paradoxes (aka: theory) - Quantum leaps between abstract and concrete worlds - Risk assessments - ISMS-oxide and you (aka: practice) - Motivation / causes - Compliance (reporting) - Audits & certifications - Anecdotes - Recommendations https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/FLSXPQ/
Hacking brackish water (mrmcd24)
The black, caffeinated gold extracted from beans has more complexity in its preparation than most people realise. How do you go about hacking your coffee to extract a hot drink from the beans that matches your own taste? This talk is a crash course in the decisive variables of coffee preparation and in how to navigate the coordinate system of flavours in order to explore the high seas of coffee taste and reach new, as yet uncharted waters. Those who have not yet embarked on this journey do not know what they are missing. We begin with a short introduction to the edible bean varieties and their roasting (roast levels), move on to common brewing methods and their variables, and finish with navigating the high seas of coffee taste. By the end of the talk you should have a first idea of which beans suit which preparation, what to look for when buying, and how to experiment step by step. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/H7FTZZ/
Paperless: what it is and why you want it (mrmcd24)
We all have it: the messy pile of opened letters, faxes and messages in bottles somewhere in a corner that gets rummaged through once a year to do the tax return. Advanced users have ring binders, but things are hard to find in those too. And then there are these newfangled digital documents that regularly wash up in your inbox. What do you actually do with them? Fear not! Electronic document management systems are now available as open source, and they make sense for organisations as well as individuals. Learn how to use technology to bring order to your document collections. Bureaucracy can be so exciting! In this talk I will go into the drawbacks of classic home document filing approaches and explain how a document management system solves them. I will also give a crash course on setting up your own filing system based on Paperless-ngx. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/B9K89S/
Low-maintenance hobby infrastructure? An attempt. On systemd timers and similar tools (mrmcd24)
In the beginning it was just a small Debian! Then it was broken. Or wanted updates. Or reboots. Or backups. Or redundancy. People actually used it! At 18 I was quickly patching mail servers before school. At some point I wanted to sleep more soundly and built monitoring for it. An experience report on roughly 10 years of running infrastructure. At the end you will know my setup for a "low-maintenance" personal infrastructure, and also everything I would not do the same way again. For a few years I have been running "a little" infrastructure (the monitoring counts 108 "instance" values). All of it a colourful mix, partly IPv6-only, in my own network. In this talk I share my experiences and what I want to pass on to you. A few tools and scripts have come out of it; maybe there is something for you too? Specific topics include: - automatic updates - reboots after kernel updates - backups - config management - monitoring of all these tasks - (geo-)redundancy - Kubernetes!? - what else one would still have to do https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/BMFXS9/
Knots (mrmcd24)
Basic knots and how to tie them. Knots provide secure and reliable ways to join ropes or other materials, ensuring stability and safety in various applications such as climbing, sailing, and construction. They are versatile tools for binding, securing loads, and creating functional loops or bends. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/G97UT8/
Recognising ships made easy (mrmcd24)
After an introduction to AIS (Automatic Identification System), with which almost all ships must report their position, speed and so on, I go into more detail on various points of the AIS protocol used. For about 20 years, ships above a certain size have been required to transmit a wide range of information via AIS to support traffic management and collision avoidance. This information can be received freely with little effort. While studying this system I came across a number of points in the definition of the protocol and message formats that I found very elegantly solved and would like to present. https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/KYHJ8Y/
Ship launch (mrmcd24)
Here we go! https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://talks.mrmcd.net/2024/talk/AJC9PV/
Nokia TCSM2, a bank of TRAUs with E1 interfaces: Part 2, the working state (retronetcall)
about this event: https://c3voc.de
Laser introduction - part 2 (chaotikum)
For a few weeks we have had a new device in our hackspace. After long deliberation about which model to buy, how to connect it and how to handle the exhaust air, we decided on the Flux Hexa laser cutter. This 60 W CO2 laser has a working area of 73 x 41 cm and under ideal conditions can cut wood up to 1 cm thick! - https://chaotikum.org/nobreakspace/inventory/fluxhexa/ - https://wiki.chaotikum.org/hackspace:infrastruktur:fluxhexalasercutter Here is a recording of the induction for the device. First part (safety briefing) at: https://chaotikum.org/media/2024-09-27-laser-einfuehrung-teil-1/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://chaotikum.org/blog/2024/09/18/habemuslaser/
Laser introduction - part 1 (chaotikum)
For a few weeks we have had a new device in our hackspace. After long deliberation about which model to buy, how to connect it and how to handle the exhaust air, we decided on the Flux Hexa laser cutter. This 60 W CO2 laser has a working area of 73 x 41 cm and under ideal conditions can cut wood up to 1 cm thick! - https://chaotikum.org/nobreakspace/inventory/fluxhexa/ - https://wiki.chaotikum.org/hackspace:infrastruktur:fluxhexalasercutter Here is a recording of the safety briefing for the device. Second part with more hands-on practice: https://chaotikum.org/media/2024-09-27-laser-einfuehrung-teil-2/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://chaotikum.org/blog/2024/09/18/habemuslaser/
initrd performance improvements (asg2024)
Every second spent on waiting for a system to boot is wasted time. In this talk I present the steps we took in Ubuntu to speed up the boot and the initrd generation time. The presented improvements are not specific to Ubuntu and can be ported to other implementations (like dracut) to benefit other distributions as well. The talk will present further speed improvements that can/will be implemented in the future. That includes rewriting parts in modern languages like Rust. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/9T8LTT/
Can systemd-resolved replace Avahi? (asg2024)
Multicast DNS (mDNS) and DNS Service Discovery (DNS-SD), collectively known as zeroconf, are technologies used for devices to find each other and advertise services on the local network. There are two widely used FOSS implementations: mDNSResponder is used by Apple and Android, while Avahi is used by most GNU/Linux distributions. However, there is a third one in systemd-resolved -- widely installed but rarely used. In this talk, I will explain how mDNS and DNS-SD work individually and together, and explore how to use them with resolvectl. I'll also try to go over the deficiencies in systemd-resolved and have a discussion about the ways it can be improved to replace Avahi as the default implementation on GNU/Linux systems. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/C3DZDS/
Home Directory Encryption in GNOME (asg2024)
Thanks to work made possible by the STF grant, all the pieces are there for GNOME to integrate with systemd-homed. This talk describes what it took to get here, what new features it gives us, and what still remains to be done. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/FFY3BB/
mkosi-initrd: initrds built from system packages (asg2024)
mkosi-initrd is a project to build initrds from normal system packages (rpms, debs). Initially separate, it now is part of mkosi — just another build stage. systemd uses mkosi for automated tests, and this now includes building an initrd and booting a VM with it, so such initrds are getting fairly wide testing, albeit in fairly narrow circumstances. The process of adoption of mkosi-initrd in distributions has been slow, but with an implementation natively in mkosi, the technical base is really good. What remains to be done to make this the default approach? Can Fedora 41 finally make this an option for users? Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/JTXJR7/
GNOME OS + systemd-sysupdate (asg2024)
As a reference for developers and testers, GNOME OS is an experimental Linux distribution that ships the latest in-development GNOME desktop, core applications, and stack. GNOME OS is currently using OSTree; this talk covers the ongoing work to add features to systemd-sysupdate and transition to it, features like optional transfers, delta updates, and major version upgrades. GNOME OS is an experimental Linux distribution that ships the latest in-development GNOME desktop, core applications, and stack. It serves as a reference for developers and testers. This operating system is designed and built around the modern systemd and GNU-based userland built from the Freedesktop SDK. Currently, GNOME OS uses OSTree to deploy the root filesystem and manage updates. This means that the base OS is immutable (read-only) and updates can be quickly downloaded as deltas. OSTree allows easy rollback to multiple previous versions of the root filesystem, which is essential for a testing-first distribution focused on finding bugs. Our work focuses on transitioning GNOME OS to use systemd-sysupdate. Migrating to sysupdate would bring the following benefits: * Provide a trust chain from the bootloader all the way up, both online and offline; * Achieve a closer integration with systemd; * Advance our support for image-based design and its benefits, e.g., immutability, auto-updating, adaptability, factory reset, uniformity and other modernised security properties around image-based OSes. For that, we are adding a number of features to systemd-sysupdate to make it more production ready: * Implement optional transfers in systemd-sysupdate * sysupdate should allow upgrading to a newer major version * pluggable backends for systemd-sysupdate (or systemd-import) This project was partly inspired by Lennart Poettering's article "Brave New Trusted Boot World", in which he explains a vision of the future of Linux systems.
Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/MGDHYQ/
Successes and struggles using the systemd user instance in developer environments (asg2024)
This talk will explore several of the ways we've leveraged the systemd user instance in our developer environments at Meta, challenges we faced while doing so, and how we worked around those challenges. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/H7CVUQ/
Installing your OS with systemd-repart (asg2024)
There's a new installer for GNOME OS, and it's built on top of systemd-repart. Here's how and why we did it. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/CMQTNL/
Improving systemd’s integration testing infrastructure (asg2024)
The Sovereign Tech Fund paid Codethink to help improve the integration testing infrastructure of systemd. This talk covers how the integration test suite used to work and what it does now. Systemd's integration test suite used to have a number of shortcomings in terms of features and maintainability. The Sovereign Tech Fund provided an opportunity to improve things, and rewrite the test suite to use a select number of special-purpose tools and Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/9JKWCT/
Boring infrastructure: Building a secure signing environment (asg2024)
Many Linux distributions rely on cryptographic signatures for their packages and release artifacts. However, most of the signing solutions in use either do not rely on hardware-backed private key material or are run in untrusted environments. This presentation will provide a general overview of the [Signstar](https://gitlab.archlinux.org/archlinux/signstar/) project, which is currently under development by Arch Linux to provide a generic signing solution based on a Hardware Security Module (HSM). To improve build automation and general supply chain security for Arch Linux, some of its developers have started to conceptualize and work on a generic, central signing solution: [Signstar](https://gitlab.archlinux.org/archlinux/signstar/). In this context, related work has been evaluated for adoption, but it soon became clear that a custom solution would have to be implemented to meet the distribution's requirements. For transparency and auditability reasons, Nitrokey's NetHSM has been chosen as the Hardware Security Module (HSM). Developers are actively working on a high-level Rust library and CLI to interface with the device over the network. In this presentation I will introduce the viewer to some of Arch Linux's relevant history and requirements, the evaluated architecture and setup. Together we will have a look at Signstar's threat model, its design for minimizing credential exposure of the HSM, as well as its integration with the OpenPGP ecosystem. Additionally, we will explore avenues for future work on other generic cryptographic operations in the context of X.509, SSH and Secure Boot. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/WWEGGC/
SSH authentication using user and machine identities (asg2024)
Strong authentication requires multiple signals: identity claims prove the identity of the person, device attestation proves possession of a given machine, and device-bound keys prevent the key from being stolen. In this presentation we will take a look at how the TPM provides device attestation and device-bound keys. We will connect this with identity claims from SSO providers to provide centrally managed, short-lived SSH certificates for users and their devices. This is implemented as an open-source project called “ssh-tpm-ca-authority”. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/JCJ9YT/
Avocado Linux: Highly Secure Accelerated Embedded Development Platform for (A)IoT (asg2024)
Developing embedded products often involves a trade-off between robust security and accelerated development. Production environments, while offering high security and immutability, can inhibit rapid development cycles. Conversely, sandbox environments provide the flexibility and integration needed for fast development but are not suitable for production deployment. The transition between these two environments is typically fraught with challenges, consuming significant time and effort. This talk introduces Avocado Linux, a highly secure, image-based operating system and layer repository with deeply integrated developer tools. Avocado strikes a perfect balance between flexibility and immutability, combining the best of both worlds, accelerating time to market without compromising on security. By leveraging innovative systemd features like System Extensions, Configuration Extensions, and Portable Services, Avocado Linux provides a robust framework for service management, process isolation, and secure, atomic updates. Its design ensures robust security and system integrity, with comprehensive use of dm-verity and mechanisms for recovery and factory reset, safeguarding device data integrity even in the face of unexpected failures. Join us to explore how Avocado can transform your embedded systems development with faster integration, enhanced reliability, and seamless composability. Discover how this distribution delivers significant business value by enabling rapid deployment, maintaining security, and ensuring system integrity. Learn how Avocado abstracts away the complexities of system development, allowing your team and applications to thrive and your embedded product to scale and succeed. 
About the Talk In this talk we will explore * Demo use cases for building complex products * Developer tools and workflows * Manufacturing optimizations for provisioning and end of line testing * In field debugging and system fault tolerance Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/QWTAFC/
busd: There is a new D-Bus broker in town (asg2024)
D-Bus is an IPC mechanism that is ubiquitous on Linux systems everywhere (desktop, cloud and embedded). It is the mechanism you'd use to communicate with many of the core Linux userspace subsystems, such as systemd, NetworkManager etc. Traditionally, most of these services have been written in C, a language known for its lack of safety and expressiveness. In the past years, Zeeshan has developed a library called zbus for enabling the implementation of D-Bus services and clients in a programming language designed for safety: Rust. zbus has become the go-to library for writing D-Bus code in Rust. While that is a major step forward, the communication typically still happens through a broker, and the two major broker implementations are both written in C and have been stagnating for years. This is why Zeeshan has recently started working on writing a D-Bus broker based on zbus, called busd, which not only aims to provide a drop-in replacement for existing brokers, but also to modernize the D-Bus space by providing new features needed by apps and services, such as systemd. In this talk, Zeeshan will walk us through a summary of his journey so far, the current state of busd and his plans and dreams for the future of D-Bus. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/WB7DYF/
What's your PID 1 up to? (asg2024)
How do you continually test and release new versions of systemd with confidence? Also, once released, how do you monitor PID 1 itself and your PID 1 usage across your server fleet? This talk dives into Meta’s way of answering these questions so we can minimize the risk of breaking changes and fun each systemd release brings us. Some of the technology in the talk is OSS, so you too can join in on the fun of knowing how your systemd usage is across your own infrastructure! This talk will dive into how Meta baselines our systemd usage across the fleet and uses that data for CI, releasing and monitoring systemd. * Who am I + what do I work on * The common big monitoring hole many bare-bones infrastructures have * PID 1 * PID 1 usage * Systemd @ meta * Imaging initrd * Initrd * Main OS * Twine containers * Overview of OS image building and deployment @ meta * How we build images * How we provision servers * Chef’s role * What we check from our PID 1 statistics to ensure a box is “healthy” enough to take workloads * Usage of hyperscale’s systemd-cd @ meta * What is systemd-cd * [https://sigs.centos.org/hyperscale/internal/ci/](https://sigs.centos.org/hyperscale/internal/ci/) * How do we use it * What issues has it found for us * Monitoring of meta’s systemd usage across the millions of hosts * Stats collected * Introduce monitord * Dbus (fun) vs. varlink * mention OSS alternative(s) found - explain why monitord was invented * Introduce monitord-exporter * Show usage outside of meta (will be my small home infra + VPSs) Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/7APG3H/
Removing Cloud Providers From the Zero Trust Equation (asg2024)
This presentation introduces a novel approach to enhance the trust in SPIFFE by leveraging confidential computing technologies, specifically Confidential Virtual Machines. The presentation will provide an introduction to the realm of confidential computing, as well as an overview of SPIFFE/SPIRE. Armed with this knowledge we will demonstrate a practical example that integrates the AWS Instance Identity Document plugin with AMD SEV-SNP, showcasing the implementation challenges and solutions. SPIFFE is a framework to generate identities for software systems in dynamic and heterogeneous environments. SPIFFE Verifiable Identity Documents (SVIDs) enable us to be explicit about the trust we place in systems. However, the degree of trust we can place in SVIDs relies heavily on the soundness of the data gathering and verification process during node attestation. This presentation introduces a novel approach to enhance the trust in SVIDs by leveraging confidential computing technologies, specifically Confidential Virtual Machines (CVMs) such as AMD SEV-SNP or Intel TDX. These technologies enable us to track platform information directly in hardware, including firmware, boot loader, and kernel images, which are then signed with a key rooted inside the CPU itself. By incorporating hardware-protected platform information directly into the SVID generation process, we can significantly enhance the confidence placed in the resulting identity documents. Additionally, consumers of these SVIDs will be able to assert these properties before placing trust in a system. The presentation will provide an introduction to the realm of confidential computing, as well as provide an overview of SPIFFE/SPIRE, including the architecture of SPIRE agents and servers, the concept of workloads and SPIFFE SVIDs, and the role of node plugins in the attestation process. 
A practical example that integrates the AWS Instance Identity Document plugin with AMD SEV-SNP will be demonstrated, showcasing the implementation challenges and solutions. Through this presentation, attendees will gain insights into how confidential computing technologies can bolster the security of critical systems in an untrusted cloud environment, paving the way for more robust and resilient infrastructure in modern computing environments. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/AG7L3K/
Integrating systemd soft-reboot into a distribution and surviving it (asg2024)
In this talk, I will discuss how Linux distributions can integrate and benefit from using systemd soft-reboot. Using openSUSE Tumbleweed as an example, I will show where and how it makes sense for traditional Linux distributions to use it and where the pitfalls are. With openSUSE MicroOS, we have a distribution with a read-only root file system that particularly benefits from a soft-reboot because a reboot is necessary after every update in order to change the root file system. However, this also requires special measures to ensure that it always functions smoothly. Afterwards I will talk about the requirements and solutions for services to survive a soft reboot and what's necessary to make the whole thing supportable. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/YUAPMX/
Building Secure Container Images for the Cloud with Yocto (asg2024)
Yocto is a tool for building custom Linux distros. When you think about it, a container image is just a custom Linux distro. The distro (e.g. Alpine) is your base image and the customizations are the rest of your application or microservice. Like Podman, Yocto can generate a complete root filesystem in the form of an OCI container image. Originally targeted at bare metal, the Yocto configuration and build process seems complex when compared to the Containerfile approach of cloud native tools. Yocto's OpenEmbedded origins also mean that reduced image size, SBOM generation, license compliance, and reproducible builds were concerns early on in the project rather than afterthoughts. With security and risk of litigation now top of mind, this talk explains Yocto's uniquely layered and ultimately monolithic approach to solving these real-world software problems. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/KZPRPN/
Booting an embedded system like a PC (asg2024)
This shows how to boot an [mkosi](https://github.com/systemd/mkosi) generated arm64 [Debian](https://debian.org) image with [UKI](https://github.com/uapi-group/specifications/blob/main/specs/unified_kernel_image.md) and systemd-boot on a [u-boot](https://docs.u-boot.org/en/latest/develop/uefi/u-boot_on_efi.html) based EFI firmware with an [fTPM](https://github.com/microsoft/ms-tpm-20-ref/tree/main/Samples/ARM32-FirmwareTPM/optee_ta/fTPM) as a Trusted Application in [OP-TEE](https://optee.readthedocs.io/en/latest/general/about.html). Embedded systems are very similar to IT-managed PCs. A manufacturer of the device wants to ensure that the system's integrity is intact, e.g. before unlocking secrets that allow accessing cloud services. Therefore, the recent developments of the UAPI group and systemd are also very useful in the embedded world. This talk gives an overview of the involved software components and how they are combined. It shows how to build a firmware for an i.MX8MM that allows booting modern Linux images. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/VZGAAG/
systemd-ifying postmarketOS, our immutable future, and why Alpine is cooler than you thought (asg2024)
postmarketOS was started with the lofty goal of enabling long-term support for mobile phones and other devices with traditionally short lifespans, and doing so outside of the Android walled garden. This has inevitably resulted in a lot of upstream-focused hardware bring-up and development. Join us and learn what our community has been building, how we're running systemd on Alpine Linux and what we see in the future for postmarketOS. Through community-driven efforts and collaboration, postmarketOS has grown into a highly adaptable platform which runs on anything from smartwatches and TVs to phones and laptops. In this talk, Caleb and Clayton discuss how our unique approach to tooling and package management has allowed such a small community to scale up to support hundreds of devices with more than 5 different bootloaders, over a dozen user interfaces, and now two init systems. They will cover: * A rough overview of the distro architecture * How device abstractions work in postmarketOS * pmbootstrap and apk for fast developer iteration at a low cost * systemd bootstrapping and current status * Our plan for an immutable postmarketOS (and request for feedback) Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/LJXCKK/
libpathrs: securing path operations for system tools (asg2024)
Container runtimes and other privileged system management tools have historically struggled with safely operating on a path within a directory tree controlled by a malicious user. [libpathrs][] is a library which makes it easy to do said path operations, as well as providing other safe path-related utilities such as safe wrappers for operating on procfs files. [libpathrs]: https://github.com/openSUSE/libpathrs As part of the kernel work on openat2(2) and continuing kernel work to make magic-links safer (against both confused-deputy attacks and resource re-opening attacks), the need for a library to make it easy to do all sorts of VFS operations safely became obvious, and so [libpathrs][] was born. [libpathrs][] uses openat2(2) if available, but has a fallback to the old-fashioned (and more finicky) method of doing safe-ish path resolution. This talk will cover how [libpathrs][] works and how it can help secure container runtimes and privileged system management tools against attacks, as well as touching on some ongoing kernel work which would allow for even more hardening. After the talk, slides will be available from [my site](https://www.cyphar.com/talks). Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/ZZFL7L/
Varlink Now! (asg2024)
Why bother with Varlink IPC, and why now? The Varlink IPC has been around for a while, but recently we started using it heavily in systemd. In this talk I'd like to explain what Varlink IPC is, and why we are now adopting it so heavily. And I also want to explain why I think that Varlink is a good candidate as IPC of choice for any Linux software, both low-level and higher-level. We'll compare it with D-Bus in particular, and highlight where it shines (and where it doesn't shine so much). Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/XSYMKW/
systemd: round table (asg2024)
Let's have an open discussion with systemd developers who are at ASG and users in the audience. We will open with the developers saying what they plan to work on in the near future, and then allow questions / comments from the audience. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/YQZBGT/
using io_uring for storage (asg2024)
A brief report about how we use io_uring in SLASH/fellow https://gitlab.com/uplex/varnish/slash, an always consistent, eventually persistent storage engine for Varnish-Cache. (FOSS, LGPL) Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/U7GJJW/
systemd: state of the project (asg2024)
Same as every year, a lot has happened in the systemd project since last year's ASG. We released multiple versions, packed with new components and features. This talk will provide an overview of these changes, commenting on successes and challenges, and a sneak peek at what lies ahead. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/RLZEPD/
Reproducible Builds at Sidero Labs: Tools and Techniques (asg2024)
Ensuring consistent and secure software builds is crucial in today's cloud-native environments. At Sidero Labs, we've developed a comprehensive approach to reproducible builds for Talos Linux using a variety of tools and techniques. This talk will explore our use of Docker Buildx, Kres, and other key components that contribute to our build system. We'll share insights into our methods, challenges faced, and solutions implemented, providing practical guidance for developers aiming to achieve reproducibility in their own projects. To achieve a fully reproducible stack, from the kernel and initramfs to the software we own and third-party software we build, we use multiple tools in our toolset: - Buildx: Provides a consistent environment for building software. - Kres: Our project scaffolding tool for generating and updating build instructions and dependencies. - Code Patches: Address issues in third-party projects that prevent reproducible builds. - Tests: Written by us to ensure and verify reproducibility. In this talk, we will cover each of these tools and techniques, providing examples and practical insights. You will learn how to apply these methods to achieve reproducible builds in your own projects, gaining a complete picture of our approach and how it can be adapted to your needs. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/RYZJ9W/
Ideas for improving systemd-boot (asg2024)
Ideas for improving systemd-boot Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/DT3RCU/
A new way to develop on immutable Linux (asg2024)
A new way to develop on immutable Linux Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/NSKLAR/
Integration testing environment for mixed HPC and cloud workloads (asg2024)
Integration testing environment for mixed HPC and cloud workloads Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/XNQLTE/
Debian, empty /var/, empty /etc/ and factory reset (asg2024)
This presentation will review how far Debian (and more generally, traditional distributions) is from supporting factory reset: what can work, what is missing and possible hacks^Wways to do it without starting a distribution-wide effort. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/3K8NZT/
oo7-daemon + systemd per-user credentials (asg2024)
The oo7-daemon project (a temporary name based on the oo7 client library) aims to provide a replacement for gnome-keyring-daemon as the new D-Bus Secret Service provider in the GNOME desktop environment. In this talk I will go through the latest development plans and the progress made to integrate TPM-backed credentials support into oo7-daemon using systemd per-user credentials as a backend. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/8TMT9T/
Efficient RAUC Updates using composefs (asg2024)
A quick overview of how RAUC uses libcomposefs to handle new use-cases. Traditionally, RAUC focused on A/B updates for whole partitions, either by using filesystem images or tar archives. While the image-based OS approach has many benefits, there are scenarios where more loosely coupled components need to be handled in addition to the root filesystem. In RAUC, these can be handled using the new "artifact updates" support. As a system might have many artifacts installed in parallel, such as for containers (systemd-nspawn or otherwise) and systemd-sysexts, efficient storage is important. In many cases, these are updated often, so download efficiency is important as well. After evaluating multiple alternatives, we've now decided to integrate composefs. Besides solving the requirements above, it additionally provides the same level of integrity protection as a dm-verity root filesystem, which is important in systems using secure boot. This talk will show how RAUC uses libcomposefs and the new use-cases supported by having an efficient content-addressed backing store with full authentication. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/3DKX9V/
Rediscovering systemd Portable Services (asg2024)
systemd introduced Portable Services support in 2018, as part of v239. This feature was covered at ASG 2018 and in a blog post published at the time: https://0pointer.net/blog/walkthrough-for-portable-services.html But a lot has changed in the past 6 years, and very crucial new features have been introduced, so it is time to have another look at this topic and see what has happened in the meanwhile, what new use cases have opened up, and what is coming in the near future. https://systemd.io/PORTABLE_SERVICES/ Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/DGVBSC/
interacting with systemd from high level languages (asg2024)
Probably the way systemd is thought of and used is mostly as a service manager, and a collection of tools built around the idea of “low level user space”. We rarely think of it as a library that can be used as part of any high level language or application. This talk will cover this aspect of systemd, and through the lens of pystemd, explore how applications can use (and abuse) systemd. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/VAQPQW/
Waiter, an OS please, with some sysext sprinkled on top (asg2024)
On general-purpose image-based systems such as Flatcar and Fedora CoreOS, users are encouraged to run all their applications using containers. To make updates safe and predictable, the system is mounted read-only and local modifications are discouraged. While containers offer a lot of flexibility on Linux, there are still cases where installing binaries or running applications directly on the host operating system is preferred, for example to add kernel modules, use an alternative container runtime version, add more udev rules, etc. Some of those use cases could be addressed with statically linked binaries, but their management is manual, their usage creates new issues around updates, versioning and memory footprint, and not everything can be statically compiled. Alternatively, one can build one's own image, but at non-negligible maintenance cost. systemd's system extensions (sysext) provide a mechanism to extend the content of the host while preserving the safety guarantees around updates. We will demonstrate how Flatcar, Fedora CoreOS and Atomic Desktops are leveraging sysext images to securely extend the OS. With practical examples and use cases (e.g. Cluster API), learn how to install Python, Podman, Kubernetes, ZFS, everything at the same time, by composing your very own image with systemd-sysext. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/HJLF3C/
Creating Arch Linux images using mkosi (asg2024)
Arch Linux creates 2 cloud images and 2 Vagrant images every month using custom bash scripts that require root for building. This talk will look at how these images can be created using mkosi, building them in CI, testing the built images and, as a bonus, whether the builds can be made reproducible. Project link: https://gitlab.archlinux.org/archlinux/arch-boxes Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/QFUGLT/
Portable software bills of materials with Nix and systemd portable services (asg2024)
While software bills of materials become of increasing value to further trust in the software supply chain, generating high-quality SBOMs still poses challenges in some ecosystems due to the lack of proper tooling or accessible build metadata. In this talk, I'll explain and demonstrate how we can leverage the static dependency graph of functional package managers like Nix to generate very precise SBOMs that remain relevant when running a service on any Linux distribution thanks to systemd portable services. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2024/talk/7XGYDC/