pidfd: What have we been up to? (asg2025)

File descriptors for processes on Linux have been available for quite some time now. Userspace has adopted them widely. Over the last two years or so we've extended the abilities of pidfds significantly. This talk will go over all the new features and deep dive into their implementation and usage. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/3BMJVH/
Video:asg2025-381-eng-pidfd_What_have_we_been_up_to_hd.mp4

ccc: media archive updates
Posted at 2025-09-30 22:00:00 | Tech | read on

Shipping Flatpak applications with an image based system (asg2025)

Flatpak is the de-facto standard for distributing desktop applications across various Linux based systems. It also offers other advantages such as sandboxing. It is particularly useful for image based systems as it installs the applications into a separate location and doesn't try to modify the system. GNOME OS is GNOME's development, testing and QA operating system. It builds the latest and greatest in-development versions of the GNOME desktop and core applications. It is also a Linux based system that tries to fully embrace the systemd ecosystem. The applications are however built into the system. While this might...

ccc: media archive updates
Posted at 2025-09-30 22:00:00 | Tech | read on

Privilege delegation for rootless containers, what choices do we have? (asg2025)

Going for minimal containers with restricted system calls and unprivileged users is the usual Kubernetes approach these days, and it works great for most web apps. However, the development of more complex infrastructure extensions frequently hinders application functionality. While looking for a solution to deploy virtiofsd in an unprivileged container for KubeVirt, we stumbled on seccomp notifiers. Seccomp notifiers are a kernel feature which monitors syscalls and sends notifications to a userspace application when a syscall is executed. Alternative options involved either the use of a custom protocol using UNIX sockets or the deployment of...

ccc: media archive updates
Posted at 2025-09-30 22:00:00 | Tech | read on

Leveraging bootable OCI images in Fedora CoreOS and RHEL CoreOS (asg2025)

In last year's ASG!, bootc and bootable containers were introduced. In this talk, we'll go over what changed since last year, and how Fedora CoreOS and RHEL CoreOS are leveraging bootable containers to reduce maintenance and increase sharing. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/87TFB7/
Video:asg2025-375-eng-Leveraging_bootable_OCI_images_in_Fedora_CoreOS_and_RHEL_CoreOS_hd.mp4

ccc: media archive updates
Posted at 2025-09-30 22:00:00 | Tech | read on

Details of a Scam

Longtime Crypto-Gram readers know that I collect personal experiences of people being scammed. Here’s an almost:

Then he added, “Here at Chase, we’ll never ask for your personal information or passwords.” On the contrary, he gave me more information—two “cancellation codes” and a long case number with four letters and 10 digits.

That’s when he offered to transfer me to his supervisor. That simple phrase, familiar from countless customer-service calls, draped a cloak of corporate competence over this unfolding drama. His supervisor. I mean, would a scammer have a supervisor?

The line went mute for a few seconds, and a second man greeted...

schneier.com
Posted at 2025-09-30 11:06:03 | Tech | read on

systemd: state of the project (asg2025)

Same as every year, a lot has happened in the systemd project since last year's ASG. We released multiple versions, packed with new components and features. This talk will provide an overview of these changes, commenting on successes and challenges, and a sneak peek at what lies ahead. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/B8RVCJ/
Video:asg2025-337-eng-systemd_state_of_the_project_hd.mp4

ccc: media archive updates
Posted at 2025-09-29 22:00:00 | Tech | read on

systemd-confext Two Years On: Versioned Overlays for /etc, Reloaded (asg2025)

systemd-confext is a lightweight overlay mechanism for /etc, allowing you to drop in a configuration extension ("confext") bundle and let systemd make it visible to your service as though it was already shipped with the base image. Building on the same extension magic as systemd-sysext, confext also introduces extra features tailored for the /etc use case, such as vpick-ing the newest version and the ability to pick up config revisions with a `systemctl reload`. This talk presents the changes to systemd-confext since [its debut at All Systems Go! 2023](https://cfp.all-systems-go.io/all-systems-go-2023/talk/XLQNDJ/), the lessons learned along the way...

ccc: media archive updates
Posted at 2025-09-29 22:00:00 | Tech | read on

BPF Tokens in systemd (asg2025)

Running **BPF** programs today requires the *CAP_BPF* capability, which is an all-or-nothing BPF capability. But BPF nowadays spans a large area, from simple monitoring to potentially invasive fields like network or tracing. BPF Tokens aim to add fine-grained BPF capabilities to systemd units and containers, avoiding the need to grant the whole *CAP_BPF* capability or, even worse, to run the service as a privileged user. References: https://lwn.net/Articles/947173/ https://github.com/systemd/systemd/pull/36134 Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/TEH3QN/
Video:asg2025-363-eng-BPF_Tokens_in_systemd_hd.mp4

ccc: media archive updates
Posted at 2025-09-29 22:00:00 | Tech | read on

Integrating systemd-sysext images in an update stack (asg2025)

systemd-sysext provides a nice way to enhance a distribution with a read-only root filesystem without the need to reboot. But there is additional tooling necessary to manage the sysext images:
* install an image which is compatible with the installed OS version
* update installed images to the newest compatible version
* rollback images in case of an OS rollback
* cleanup unneeded images

In this presentation I will talk about which tooling systemd itself provides for this (importctl, updatectl, ...) and what the benefits and disadvantages of these tools are compared with real world use cases. In the...

ccc: media archive updates
Posted at 2025-09-29 22:00:00 | Tech | read on

systemd: round table (asg2025)

Let's have an open discussion with systemd developers who are at ASG and users in the audience. We will open with the developers saying what they plan to work on in the near future, and then allow questions / comments from the audience. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/PXZGEL/
Video:asg2025-338-eng-systemd_round_table_hd.mp4

ccc: media archive updates
Posted at 2025-09-29 22:00:00 | Tech | read on

***

Once upon a time, the Chinese scientist Li Hun Yan discovered a certain minor, yet substantially distinct from the background, correlation between the amount of psilocybin consumed by Corfucian jellyfish and the manner in which they moved along the walls of a four-hundred-litre spherical aquarium, installed in the laboratory on the occasion of celebrating the one hundred and second semi-annual eclipse since the beginning of the new era of the Singular Breakthrough. Without thinking twice, Li Hun Yan attached to the jellyfish's tentacles sources of radiation in the visible range but of different wavelengths, filmed the whole process with six cameras at a 48-hour exposure, having arranged the latter symmetrically around the vessel in which the test subjects frolicked, and a week later collected a most curious body of material, which in turn formed the basis of the fundamental work now known as Li Hun Yan's theory of semi-tertiary n-manifolds of simple metric, with which (with some simplifications and caveats) I will, as far as I am able, try to acquaint the curious and inquisitive reader.