Feed cleverhans-blog [copy] http://www.cleverhans.io/feed.xml has loading error: cURL error 22: The requested URL returned error: 404
How I optimized away 94% CPU from zbus (asg2025)
Haven’t you ever wanted to find ways to make your Rust code the most optimal in the world? I know how you feel. This is a talk, where I’d tell you how easy it is to profile your Rust software and how most often the solutions are trivial. This is a story of how I used a few readily-available Open Source tools to achieve huge optimizations in [zbus](https://crates.io/crates/zbus), a pure Rust D-Bus library. This was long journey but gains were worth the efforts. I will go through each single bottleneck found, how it was found...
BPF Tokens in systemd (asg2025)
Running **BPF** programs today requires *CAP_BPF* capability, which is an all or nothing BPF capability.
But BPF nowadays spans a large area, from simple monitoring to potentially invasive fields like network or tracing.
BPF Tokens aims to add fine grained BPF capabilities to systemd units and containers, avoiding to give the whole *CAP_BPF* capability or even worse running the service as privileged user.
References:
https://lwn.net/Articles/947173/
https://github.com/systemd/systemd/pull/36134
Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/
about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/TEH3QN/
Video:asg2025-363-eng-BPF_Tokens_in_systemd_hd.mp4
Integrating systemd-sysext images in an update stack (asg2025)
systemd-sysext provides a nice way to enhance a distribution with a read-only root filesystem without the need to reboot. But there is additional tooling necessary to manage the sysext images: * install an image which is compatible with the installed OS version * update installed images to the newest compatible version * rollback images in case of an OS rollback * cleanup unneeded images In this presentation I will talk about which tooling systemd itself provides for this (importctl, updatectl, ...) and what the benefits and disadvantages of this tools are compared with real world use cases. In the...
ParticleOS: Why is Lennart still not dogfooding systemd?! (asg2025)
More than six months have passed since Daan tried to ~~shame~~ gently peer pressure Lennart to actually use the stuff he builds, via a FOSDEM talk: https://fosdem.org/2025/schedule/event/fosdem-2025-4057-particleos-can-we-make-lennart-poettering-run-an-image-based-distribution-/ Did he succeed? Is dogfooding standard practice now in the systemd development process? Or do things like randomly breaking logging in GNOME (*cough*) still happen from time to time? Join us for this talk to find out, and to apply yet more peer pressure. We will also spend some time talking about more boring and mundane topics, such as giving an overview of the current status of ParticleOS, and how...
A simpler and faster firewall with bpfilter (asg2025)
For many years, firewall solutions on Linux have grown and evolved, without any major change, until eBPF. While eBPF can allow very fast and efficient packet filtering, the learning curve doesn't make it easily accessible to non-developers. bpfilter aims to bridge the gap between existing tools (nftables, iptables) and modern technologies such as eBPF.
By translating filtering rules into native code, bpfilter abstracts the complexity behind cutting-edge kernel technologies while maintaining backward compatibility with existing solutions. Let's discuss about bpfilter and see it in action!
Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/
about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/JEVBTZ/
Video:asg2025-329-eng-A_simpler_and_faster_firewall_with_bpfilter_hd.mp4
Linux IPC: Lost between Threading and Networking (asg2025)
Communication is paramount in modern application development. This applies equally well to the process of writing applications and to the code itself. The complexity of the tasks ahead of us calls for a distributed and coordinated development effort, and this often manifests in our code: We design distributed, communicating systems to split complexity and responsibility among many people and teams, and at the same time meet the demand for ever faster systems. The last decade showed significantly increased popularity in API design, network protocols, and distributed computations. At the same time some of the most...
systemd: state of the project (asg2025)
Same as every year, a lot has happened in the systemd project since last year's
ASG. We released multiple versions, packed with new components and features.
This talk will provide an overview of these changes, commenting on successes and
challenges, and a sneak peak at what lies ahead.
Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/
about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/B8RVCJ/
Video:asg2025-337-eng-systemd_state_of_the_project_hd.mp4
Accessing shadow records via varlink (asg2025)
Provide a varlink service to access /etc/passwd and /etc/shadow so that no setuid and setgid binaries are necessary for this task. There are two independent "problems" which can be solved with the same idea: all files in /usr should be owned by root:root and no setuid binary should be needed. The first one is a requirement of image based updates of /usr to avoid UID/GID drift, the second one is a security feature wished by systemd developers and security teams. Currently most setuid binaries (or setgid binaries owned by group shadow) beside su and sudo only...
isd: interactive systemd (asg2025)
Simplify systemd management with `isd`! `isd` is a TUI offering fuzzy search for units, auto-refreshing previews, smart sudo handling, and a fully customizable interface for power-users and newcomers alike. If you ever became frustrated while typing: - `systemctl start --user unit-A.service` (manually starting a unit) - `systemctl status --user unit-A.service` (seeing that it failed) - `journalctl -xe --user -u unit-A.service` (checking the logs) - `systemctl edit --user unit-A.service` (updating the unit) - (repeat until problem is solved) `isd` could help. In this presentation, we will discuss the features that `isd` currently supports, the features that are planned for the future, and the...
A new systemd container runtime?! (asg2025)
At Meta, we've been looking to revamp our internal container runtime (Twine). Instead of maintaining all the low level container runtime code ourselves, we'd much prefer having more of this managed by systemd. This talk will go over what we did to make systemd transient units a suitable environment for running system containers (pid namespace support, cgroup namespace support, namespace delegation, ...), and why we went this route instead of reusing systemd-nspawn.
Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/
about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/BBTJSF/
Video:asg2025-342-eng-A_new_systemd_container_runtime_hd.mp4