{"acronym":"asg2025","aspect_ratio":"16:9","updated_at":"2026-04-04T17:15:04.899+02:00","title":"All Systems Go! 2025","schedule_url":"https://cfp.all-systems-go.io/all-systems-go-2025/schedule.xml","slug":"conferences/all_systems_go/asg2025","event_last_released_at":"2025-10-12T00:00:00.000+02:00","link":"","description":"","webgen_location":"conferences/all_systems_go/asg2025","logo_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/logo.png","images_url":"https://static.media.ccc.de/media/events/all_systems_go/2025","recordings_url":"https://cdn.media.ccc.de/events/all_systems_go/2025","url":"https://api.media.ccc.de/public/conferences/asg2025","events":[{"guid":"b554c661-6ac3-5565-a372-e26c22abbd70","title":"Container Networking With Netkit: The BPF Programmable Network Device","subtitle":null,"slug":"all-systems-go-2025-327-container-networking-with-netkit-the-bpf-programmable-network-device","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/WAHYE8/","description":"Introduced in kernel v6.7, the Netkit device is an eBPF-programmable network device designed with containers in mind. 
In this talk, I will go over the basics of the Netkit device, and discuss the performance gains we have realized and challenges we faced when rolling out Netkit across millions of containers at Meta.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Mike Willard"],"tags":["327","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 1"],"view_count":201,"promoted":false,"date":"2025-09-30T10:15:00.000+02:00","release_date":"2025-10-12T00:00:00.000+02:00","updated_at":"2026-03-28T18:30:04.634+01:00","length":1280,"duration":1280,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/327-b554c661-6ac3-5565-a372-e26c22abbd70.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/327-b554c661-6ac3-5565-a372-e26c22abbd70_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/327-b554c661-6ac3-5565-a372-e26c22abbd70.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/327-b554c661-6ac3-5565-a372-e26c22abbd70.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-327-container-networking-with-netkit-the-bpf-programmable-network-device","url":"https://api.media.ccc.de/public/events/b554c661-6ac3-5565-a372-e26c22abbd70","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"50421c7a-c88f-5463-bfab-57eede41677e","title":"Privilege delegation for rootless containers, what choices do we have?","subtitle":null,"slug":"all-systems-go-2025-349-privilege-delegation-for-rootless-containers-what-choices-do-we-have-","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/SPGAXS/","description":"Going for minimal containers with restricted system calls and unprivileged users is the usual Kubernetes approach these days, and it works great for most web apps. 
However, the development of more complex infrastructure extensions frequently hinders application functionality.\n\nWhile looking for a solution to deploy virtiofsd in an unprivileged container for KubeVirt, we stumbled on seccomp notifiers. Seccomp notifiers are a kernel feature which monitors syscalls and get notifications to a userspace application when a syscall is executed. \n\nAlternative options involved either the use of a custom protocol using UNIX sockets or the deployment of virtiofs as a privileged component alongside the unprivileged VM.\n\nAfter our evaluation, the seccomp notifier turned out to be the simplest solution among all the choices. Unfortunately, the main constraint is the monitor's resilience after a restart, such as after a crash or an upgrade. This limitation forced us to back up to one of the less elegant approaches. But there is hope how this could be solved!\n\nThe session will explain why seccomp notifiers are a lean solution to avoid extra userspace communication and synchronization, the current limitations and possible future solutions to overcome today’s challenges.\n\nOur experience will teach audiences several methods for dividing their privileged infrastructure. Utilizing virtiofsd as an actual example and a target application for KubeVirt integration and deployment. 
We will discuss the difficulties of using rootless containers in this session, as well as the design patterns, technologies, and tactics we thought about and ultimately chose to maintain or reject.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Alice Frosi","German Maglione"],"tags":["349","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":94,"promoted":false,"date":"2025-10-01T12:10:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-04-02T16:45:04.153+02:00","length":1303,"duration":1303,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-349-privilege-delegation-for-rootless-containers-what-choices-do-we-have-","url":"https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"ba519802-5565-51fe-abc6-db42bb831aff","title":"Forget zbus, zlink is the future of IPC in Rust","subtitle":null,"slug":"all-systems-go-2025-340-forget-zbus-zlink-is-the-future-of-ipc-in-rust","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/SYGBNH/","description":"Last year, Lennart Poettering of the systemd fame, [gave a presentation](https://media.ccc.de/v/all-systems-go-2024-276-varlink-now-) at this very same conference, where he introduced Varlink, a modern yet simple IPC mechanism. 
He presented a case for Varlink, rather than [D-Bus](https://en.wikipedia.org/wiki/D-Bus) to be the future of Inter-process communication on Linux. As someone who works on D-Bus, I took upon myself to prove him wrong, only to find out that I achieved exactly the opposite.\n\nIt didn't take long before I got convinced of his vision. Since I was largely responsible for giving the world [an easy to use D-Bus Rust library](https://crates.io/crates/zbus), I thought it's only fitting that I do the same for Varlink. This talk will be the story of the creation of such a library, the challenges I faced, where Varlink fits the Rust idioms really well and where it does not and how all of this affected the development and the API.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Zeeshan Ali Khan"],"tags":["340","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 2"],"view_count":262,"promoted":false,"date":"2025-10-01T14:05:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-27T23:15:07.793+01:00","length":2294,"duration":2294,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/340-ba519802-5565-51fe-abc6-db42bb831aff.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/340-ba519802-5565-51fe-abc6-db42bb831aff_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/340-ba519802-5565-51fe-abc6-db42bb831aff.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/340-ba519802-5565-51fe-abc6-db42bb831aff.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-340-forget-zbus-zlink-is-the-future-of-ipc-in-rust","url":"https://api.media.ccc.de/public/events/ba519802-5565-51fe-abc6-db42bb831aff","conference_title":"All Systems Go! 
2","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"5c0b7c1e-ad34-5d70-a71f-b39571292ecb","title":"Integrating systemd-sysext images in an update stack","subtitle":null,"slug":"all-systems-go-2025-331-integrating-systemd-sysext-images-in-an-update-stack","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/8AA87L/","description":"systemd-sysext provides a nice way to enhance a distribution with a read-only root filesystem without the need to reboot. But there is additional tooling necessary to manage the sysext images:\n* install an image which is compatible with the installed OS version\n* update installed images to the newest compatible version\n* rollback images in case of an OS rollback\n* cleanup unneeded images\n\nIn this presentation I will talk about which tooling systemd itself provides for this (importctl, updatectl, ...) and what the benefits and disadvantages of these tools are compared with real world use cases. In the end I created an own, generic and distribution independent tool for this using systemd tools in the backend. 
Using openSUSE MicroOS as example I will demonstrate how we solved the problems with it and how we integrated it in our update stack.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Thorsten Kukuk"],"tags":["331","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":84,"promoted":false,"date":"2025-09-30T14:50:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-26T14:30:06.239+01:00","length":1579,"duration":1579,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/331-5c0b7c1e-ad34-5d70-a71f-b39571292ecb.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/331-5c0b7c1e-ad34-5d70-a71f-b39571292ecb_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/331-5c0b7c1e-ad34-5d70-a71f-b39571292ecb.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/331-5c0b7c1e-ad34-5d70-a71f-b39571292ecb.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-331-integrating-systemd-sysext-images-in-an-update-stack","url":"https://api.media.ccc.de/public/events/5c0b7c1e-ad34-5d70-a71f-b39571292ecb","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"215cc62a-5f1d-55f2-a223-0e2a1d81c134","title":"Shipping Flatpak applications with an image based system","subtitle":null,"slug":"all-systems-go-2025-378-shipping-flatpak-applications-with-an-image-based-system","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/98W9EX/","description":"Flatpak is the de-facto standard for distributing desktop applications across various Linux based systems. It also offers other advantages such as sandboxing. 
It is particularly useful for image based systems as it installs the applications into a separate location and doesn't try to modify the system.\n\nGNOME OS is GNOME's development, testing and QA operating system. It builds the latest and greatest in-development versions of the GNOME desktop and core applications. It is also a Linux based system that tries to fully embrace the systemd ecosystem.\n\nThe applications are however built into the system. While this might be great for testing the apps as they would be in most distros, we also want to build our Flatpak applications from the same build definitions and our users (or more correctly early adopters) prefer to use Flatpak for various reasons.\n\nIn this talk we'll explore what other image based distributions do to provide Flatpak applications to their users, what users expect from \"Flatpak applications\" and the various proposals for implementing that in GNOME OS. We hope to be able to present our end result by the time of the conference.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Abderrahim Kitouni"],"tags":["378","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
2"],"view_count":71,"promoted":false,"date":"2025-10-01T10:00:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-02-08T20:00:09.157+01:00","length":1678,"duration":1678,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/378-215cc62a-5f1d-55f2-a223-0e2a1d81c134.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/378-215cc62a-5f1d-55f2-a223-0e2a1d81c134_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/378-215cc62a-5f1d-55f2-a223-0e2a1d81c134.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/378-215cc62a-5f1d-55f2-a223-0e2a1d81c134.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-378-shipping-flatpak-applications-with-an-image-based-system","url":"https://api.media.ccc.de/public/events/215cc62a-5f1d-55f2-a223-0e2a1d81c134","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"4414eec2-3464-5430-bdfe-1514aca0e1d9","title":"Leveraging bootable OCI images in Fedora CoreOS and RHEL CoreOS","subtitle":null,"slug":"all-systems-go-2025-375-leveraging-bootable-oci-images-in-fedora-coreos-and-rhel-coreos","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/87TFB7/","description":"In last year's ASG!, bootc and bootable containers were introduced. 
In this talk, we'll go over what changed since last year, and how Fedora CoreOS and RHEL CoreOS are leveraging bootable containers to reduce maintenance and increase sharing.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Jonathan Lebon","Timothée Ravier"],"tags":["375","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":123,"promoted":false,"date":"2025-10-01T15:20:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-03T19:00:08.495+01:00","length":1551,"duration":1551,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/375-4414eec2-3464-5430-bdfe-1514aca0e1d9.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/375-4414eec2-3464-5430-bdfe-1514aca0e1d9_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/375-4414eec2-3464-5430-bdfe-1514aca0e1d9.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/375-4414eec2-3464-5430-bdfe-1514aca0e1d9.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-375-leveraging-bootable-oci-images-in-fedora-coreos-and-rhel-coreos","url":"https://api.media.ccc.de/public/events/4414eec2-3464-5430-bdfe-1514aca0e1d9","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"7ca1bceb-0e80-5c27-a297-3ad4938eaa73","title":"From initramfs-tools to mkosi-initrd","subtitle":null,"slug":"all-systems-go-2025-365-from-initramfs-tools-to-mkosi-initrd","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/E989ZX/","description":"Marco will review the features available in the initramfs-tools ecosystem, the initrd generator used by Debian and Ubuntu, and how they can be implemented (or not) by adopting mkosi-initrd.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Marco d'Itri"],"tags":["365","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":196,"promoted":false,"date":"2025-09-30T17:15:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-04-03T22:45:05.827+02:00","length":415,"duration":415,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/365-7ca1bceb-0e80-5c27-a297-3ad4938eaa73.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/365-7ca1bceb-0e80-5c27-a297-3ad4938eaa73_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/365-7ca1bceb-0e80-5c27-a297-3ad4938eaa73.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/365-7ca1bceb-0e80-5c27-a297-3ad4938eaa73.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-365-from-initramfs-tools-to-mkosi-initrd","url":"https://api.media.ccc.de/public/events/7ca1bceb-0e80-5c27-a297-3ad4938eaa73","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"d606b45a-38da-5e4d-a4b5-c12f515ff9e2","title":"Modernizing GNOME","subtitle":null,"slug":"all-systems-go-2025-364-modernizing-gnome","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/FQE7QZ/","description":"GNOME has collected some very old code over the years. During the recent GNOME 49 release, we've made some drastic cleanups. Most visibly, we've dropped support for X11 and gained many dependencies on systemd. Let's explore some of the what and why for these changes!\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Adrian Vovk"],"tags":["364","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 2"],"view_count":528,"promoted":false,"date":"2025-10-01T11:25:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-04-03T08:45:03.853+02:00","length":1914,"duration":1914,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/364-d606b45a-38da-5e4d-a4b5-c12f515ff9e2.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/364-d606b45a-38da-5e4d-a4b5-c12f515ff9e2_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/364-d606b45a-38da-5e4d-a4b5-c12f515ff9e2.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/364-d606b45a-38da-5e4d-a4b5-c12f515ff9e2.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-364-modernizing-gnome","url":"https://api.media.ccc.de/public/events/d606b45a-38da-5e4d-a4b5-c12f515ff9e2","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"6d0ce2a8-97f6-5932-9884-be4c71d80956","title":"Slim device software with systemd targets and nspawn","subtitle":null,"slug":"all-systems-go-2025-343-slim-device-software-with-systemd-targets-and-nspawn","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/Z3NGWJ/","description":"It has been 10 years since Axis Communications had a presentation at the systemd conference. Back then, we have shown how we have increased our product quality, stability and boot times by porting our platform to systemd. 10 years later, we had different challenges to keep the resource usages and boot times under control. We have started from bottom up and sliced our software for this purpose. This work also got us inspired to create virtual versions of our hardware products that we cluster deploy using systemd's nspawn.\n\nWe have hundreds of engineers working on a software platform that is the base for different product types. It is a different challenge to keep the resource usages of different software composition when so many independent engineers collaborate together. We have applied a different strategy to keep our products as slim and as optimized as possible using different systemd principles like targets, slices, resource prioritization. \nAs a side effect of this work, we have started from ground up and started to virtualize our products using systemd-nspawn. 
The next step for us was to figure out how in best way to cluster deploy our virtual products so that we can increase the quality of our end to end systems.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Umut Tezduyar Lindskog","Fredrik Hugosson"],"tags":["343","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":38,"promoted":false,"date":"2025-10-01T10:45:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-02-18T15:15:08.540+01:00","length":1463,"duration":1463,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/343-6d0ce2a8-97f6-5932-9884-be4c71d80956.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/343-6d0ce2a8-97f6-5932-9884-be4c71d80956_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/343-6d0ce2a8-97f6-5932-9884-be4c71d80956.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/343-6d0ce2a8-97f6-5932-9884-be4c71d80956.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-343-slim-device-software-with-systemd-targets-and-nspawn","url":"https://api.media.ccc.de/public/events/6d0ce2a8-97f6-5932-9884-be4c71d80956","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"6559bfea-c315-5c0c-b225-1f869cc34f3c","title":"How I optimized away 94% CPU from zbus","subtitle":null,"slug":"all-systems-go-2025-339-how-i-optimized-away-94-cpu-from-zbus","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/TYRJUG/","description":"Haven’t you ever wanted to find ways to make your Rust code the most optimal in the world? I know how you feel. 
This is a talk, where I’d tell you how easy it is to profile your Rust software and how most often the solutions are trivial.\n\nThis is a story of how I used a few readily-available Open Source tools to achieve huge optimizations in [zbus](https://crates.io/crates/zbus), a pure Rust D-Bus library. This was a long journey but the gains were worth the effort. I will go through each single bottleneck found, how it was found and why it was a bottleneck and how it was optimized away.\n\nWhile attending this talk will by no means make you an expert in optimizations, it is my hope that you will be able to relate to some of the bottlenecks or solutions I will present (“hey, I also do that in my code!”) and learn from my experience. Maybe afterwards, you can suggest an even better solution? Moreover, if you don’t already have any experience with profiling and optimizations, this talk should be a good introduction for that.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Zeeshan Ali Khan"],"tags":["339","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
1"],"view_count":151,"promoted":false,"date":"2025-09-30T11:55:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-04T21:45:09.543+01:00","length":1443,"duration":1443,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/339-6559bfea-c315-5c0c-b225-1f869cc34f3c.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/339-6559bfea-c315-5c0c-b225-1f869cc34f3c_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/339-6559bfea-c315-5c0c-b225-1f869cc34f3c.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/339-6559bfea-c315-5c0c-b225-1f869cc34f3c.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-339-how-i-optimized-away-94-cpu-from-zbus","url":"https://api.media.ccc.de/public/events/6559bfea-c315-5c0c-b225-1f869cc34f3c","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"fde36d11-94c7-5285-a3f4-8f6b61805b09","title":"A terminal for operating clouds: administering S3NS with image-based NixOS","subtitle":null,"slug":"all-systems-go-2025-357-a-terminal-for-operating-clouds-administering-s3ns-with-image-based-nixos","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/TBDBDA/","description":"S3NS is a trusted cloud operator that self-hosts Google Cloud infrastructure in France, targeting the SecNumCloud certification, the most stringent Cloud certification framework. SecNumCloud includes strict legal and operational constraints. \n\nTo manage these systems securely and reproducibly, we’ve built a family of dedicated administration terminals based on the image based philosophy. 
\n\nThese terminals rely on NixOS semantics and draw from the ParticleOS ecosystem: systemd-repart, and dm-verity, ensuring atomic updates, full immutability of the Nix store, and verifiable integrity of the boot chain and runtime system (measured boot), while using remote attestations by TPM2 when connecting to production assets.\n\nWe will present the purpose of these terminals and what needs they serve along with their high level characteristics: partition layouts, provisioning and connection flow to the production assets.\n\nThis talk will show an application of many of the concepts that were presented in the NixOS ecosystem and in All Systems Go itself by the systemd community.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Ryan Lahfa","Frederic Ruget","Gautier LABADIE"],"tags":["357","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 2"],"view_count":84,"promoted":false,"date":"2025-10-01T16:00:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-04-03T08:30:04.473+02:00","length":2094,"duration":2094,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/357-fde36d11-94c7-5285-a3f4-8f6b61805b09.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/357-fde36d11-94c7-5285-a3f4-8f6b61805b09_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/357-fde36d11-94c7-5285-a3f4-8f6b61805b09.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/357-fde36d11-94c7-5285-a3f4-8f6b61805b09.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-357-a-terminal-for-operating-clouds-administering-s3ns-with-image-based-nixos","url":"https://api.media.ccc.de/public/events/fde36d11-94c7-5285-a3f4-8f6b61805b09","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"56d84dcc-90fe-53e4-a14d-36b03686f060","title":"container-snap: Atomic Updates from OCI Images using Podman’s Btrfs Driver","subtitle":null,"slug":"all-systems-go-2025-366-container-snap-atomic-updates-from-oci-images-using-podman-s-btrfs-driver","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/YTCMSG/","description":"Traditional package updates using tools like RPM or Zypper can introduce risks, such as incomplete updates or accidentally breaking the running system. To overcome these challenges, we developed **container-snap**, a prototype plugin designed to deliver atomic OS updates—updates that are fully applied or rolled back without compromising the system's state.\n\ncontainer-snap leverages OCI images as the source for updates and integrates seamlessly with openSUSE’s [tukit](https://github.com/openSUSE/transactional-update) to enable transactional OS updates. By utilizing Podman’s btrfs storage driver, it creates btrfs subvolumes directly from OCI images, allowing systems to boot from the OCI image. 
This approach empowers users to construct their own OS images using familiar container image-building tools, like Docker or [Buildah](https://buildah.io/).\n\nIn this session, we’ll dive into:\n- The architecture and technical implementation of container-snap\n- Challenges encountered during development and how we resolved them\n- Key lessons learned along the way\n- A live demo showcasing container-snap in action\n\nCome and join this session to learn more about how to boot from an OCI image without bricking your system!\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Dan Čermák"],"tags":["366","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":65,"promoted":false,"date":"2025-10-01T14:50:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-04-03T11:15:06.154+02:00","length":1366,"duration":1366,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/366-56d84dcc-90fe-53e4-a14d-36b03686f060.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/366-56d84dcc-90fe-53e4-a14d-36b03686f060_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/366-56d84dcc-90fe-53e4-a14d-36b03686f060.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/366-56d84dcc-90fe-53e4-a14d-36b03686f060.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-366-container-snap-atomic-updates-from-oci-images-using-podman-s-btrfs-driver","url":"https://api.media.ccc.de/public/events/56d84dcc-90fe-53e4-a14d-36b03686f060","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"15ee7958-ca26-527b-80e8-b158da3d19e3","title":"Why you should contribute to systemd!","subtitle":null,"slug":"all-systems-go-2025-341-why-you-should-contribute-to-systemd-","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/B8LJKD/","description":"I'll use these 20 minutes to explain why and why contributing to systemd is a great experience. We'll avoid beating dead horses by not discussing git forges and email, but instead focus on the development experience, from building systemd distribution packages from git main, running integration tests against those distribution packages, debugging failures, writing new tests, and installing the distribution packages on real hardware to debug issues.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Daan De Meyer"],"tags":["341","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":115,"promoted":false,"date":"2025-09-30T10:15:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-06T13:30:06.936+01:00","length":1408,"duration":1408,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/341-15ee7958-ca26-527b-80e8-b158da3d19e3.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/341-15ee7958-ca26-527b-80e8-b158da3d19e3_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/341-15ee7958-ca26-527b-80e8-b158da3d19e3.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/341-15ee7958-ca26-527b-80e8-b158da3d19e3.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-341-why-you-should-contribute-to-systemd-","url":"https://api.media.ccc.de/public/events/15ee7958-ca26-527b-80e8-b158da3d19e3","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"503eff50-b331-55d8-9002-4594741eed50","title":"pidfd: What have we been up to?","subtitle":null,"slug":"all-systems-go-2025-381-pidfd-what-have-we-been-up-to-","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/3BMJVH/","description":"File descriptors for processes on Linux have been available for quite some time now. Userspace has adapted them widely.\n\nOver the last two years or so we've extended the abilities of pidfds significantly. This talk will go over all the new features and deep dive into their implementation and usage.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Christian Brauner"],"tags":["381","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":94,"promoted":false,"date":"2025-10-01T14:05:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-02-01T21:30:13.175+01:00","length":2368,"duration":2368,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/381-503eff50-b331-55d8-9002-4594741eed50.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/381-503eff50-b331-55d8-9002-4594741eed50_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/381-503eff50-b331-55d8-9002-4594741eed50.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/381-503eff50-b331-55d8-9002-4594741eed50.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-381-pidfd-what-have-we-been-up-to-","url":"https://api.media.ccc.de/public/events/503eff50-b331-55d8-9002-4594741eed50","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"9f940552-19c0-5895-8dff-8fd597ecee72","title":"What's up with test.thing","subtitle":null,"slug":"all-systems-go-2025-348-what-s-up-with-test-thing","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/MLTTHW/","description":"`test.thing` is a VM runner which targets guests using an API defined by systemd.  It started after a conversation at devconf about turning `mkosi qemu` into a library.  A quick intro.\n\n~~composefs is an approach to image-mode systems without the disk images.  Files are stored in a de-duplicated content-addressed storage with integrity guaranteed through fs-verity.  The last year has seen an acceleration of development on composefs-rs, a pure Rust implementation of the ideas behind composefs.  Our goal is unification of the storage of bootable system images (via bootc), application Flatpaks, and traditional OCI container environments, bringing deduplication and integrity guarantees to all three.  
An overview.~~\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Allison Karlitskaya"],"tags":["348","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":60,"promoted":false,"date":"2025-10-01T16:45:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-27T06:30:04.809+01:00","length":1520,"duration":1520,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/348-9f940552-19c0-5895-8dff-8fd597ecee72.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/348-9f940552-19c0-5895-8dff-8fd597ecee72_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/348-9f940552-19c0-5895-8dff-8fd597ecee72.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/348-9f940552-19c0-5895-8dff-8fd597ecee72.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-348-what-s-up-with-test-thing","url":"https://api.media.ccc.de/public/events/9f940552-19c0-5895-8dff-8fd597ecee72","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"25d528e9-697e-5420-abe3-6e341b4034cc","title":"Introducing ue-rs, minimal and secure rewrite of update engine in Flatcar","subtitle":null,"slug":"all-systems-go-2025-359-introducing-ue-rs-minimal-and-secure-rewrite-of-update-engine-in-flatcar","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/JAC3DH/","description":"Introduce ue-rs, a fresh project that aims to be a drop-in reimplementation of update engine, written in Rust.\n\nThe goal of ue-rs is to have a minimal, secure and robust implementation of update engine, required by A/B update mechanism of Flatcar Container Linux. Just like the existing update engine, it downloads OS update payloads from a Nebraska server, parses its Omaha protocol, verifies signatures, etc. 
This project, however, is different from the original update engine in the following aspects. First, it aims to be minimal, by reducing heavyweight legacies in the update engine. Moreover, written in Rust, it brings a huge advantage for security, especially memory safety, in contrast to the original update engine, which is written mainly in C++ and bash. Finally, in addition to traditional OS update payloads, it supports systemd-sysext OEM, which is supported by Flatcar.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Dongsu Park"],"tags":["359","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 2"],"view_count":19,"promoted":false,"date":"2025-10-01T15:20:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-02-02T10:45:08.484+01:00","length":1460,"duration":1460,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/359-25d528e9-697e-5420-abe3-6e341b4034cc.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/359-25d528e9-697e-5420-abe3-6e341b4034cc_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/359-25d528e9-697e-5420-abe3-6e341b4034cc.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/359-25d528e9-697e-5420-abe3-6e341b4034cc.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-359-introducing-ue-rs-minimal-and-secure-rewrite-of-update-engine-in-flatcar","url":"https://api.media.ccc.de/public/events/25d528e9-697e-5420-abe3-6e341b4034cc","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"c32bc75f-4207-53d9-9033-de40802d87b2","title":"UKI, composefs and remote attestation for Bootable Containers","subtitle":null,"slug":"all-systems-go-2025-362-uki-composefs-and-remote-attestation-for-bootable-containers","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/TNKPQS/","description":"With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.\n\nUsing composefs and fs-verity, we can link a UKI to a complete read only filesystem tree, guaranteeing that every system file is verified on load. We integrate this in bootc by creating a reliable way to turn container images into composefs filesystem trees, and then including the UKI in the container image.\n\nWe will share the progress on the integration of UKI and composefs in bootc and how we are going to enable remote attestation for those systems using trustee, notably for Confidential Computing use cases.\n\nhttps://github.com/containers/composefs-rs\nhttps://github.com/bootc-dev/bootc\nhttps://github.com/confidential-containers/trustee\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Timothée Ravier","Pragyan","Vitaly Kuznetsov"],"tags":["362","2025","asg2025","Loft","asg2025-eng","asg2025","Day 
2"],"view_count":408,"promoted":false,"date":"2025-10-01T16:00:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-26T22:15:10.696+01:00","length":2570,"duration":2570,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/362-c32bc75f-4207-53d9-9033-de40802d87b2.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/362-c32bc75f-4207-53d9-9033-de40802d87b2_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/362-c32bc75f-4207-53d9-9033-de40802d87b2.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/362-c32bc75f-4207-53d9-9033-de40802d87b2.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-362-uki-composefs-and-remote-attestation-for-bootable-containers","url":"https://api.media.ccc.de/public/events/c32bc75f-4207-53d9-9033-de40802d87b2","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"037b3493-4600-5360-9b2d-97c166a418b3","title":"systemd-confext Two Years On: Versioned Overlays for /etc, Reloaded","subtitle":null,"slug":"all-systems-go-2025-360-systemd-confext-two-years-on-versioned-overlays-for-etc-reloaded","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/GSRYLR/","description":"systemd-confext is a lightweight overlay mechanism for /etc, allowing you to drop in a configuration extension (\"confext\") bundle and let systemd make it visible to your service as though it was already shipped with the base image. Building on the same extension magic as systemd-sysext, confext also introduces extra features tailored for the /etc use case, such as vpick-ing the newest version and the ability to pick up config revisions with a `systemctl reload`.\n\nThis talk presents the changes to systemd-confext since [its debut at All Systems Go! 
2023](https://cfp.all-systems-go.io/all-systems-go-2023/talk/XLQNDJ/), the lessons learned along the way to make it work, and how we leverage this capability at Microsoft already to deliver configuration payloads in production.\n\nImmutable Linux distributions offer stability and reproducibility, but at the cost of configuration changes needing time to build. A small configuration or system change can then require complete redeployment of the entire OS, adding friction to development work and impacting customers. This is not acceptable for certain Linux environments at Microsoft, where only seconds of planned downtime budget exist every year.\n\nsystemd-confext is intended to be a signed, `dm-verity`-protected, live configuration update mechanism meant to address this issue. It provides a way to make quick additions in a secure and reliable way with minimum customer impact. Two years later, confext now supports host-level payloads to /etc and also works in the individual namespaces of services and portable units via `ExtensionImages=` and `ExtensionDirectories=` too.\n\nOne of the recent significant additions is that systemd-confext has been integrated with `systemctl reload`, giving it the ability to pick up new configuration revisions during a reload, not just a restart. Combined with services that implement notify-reload, it is possible to simply drop a new versioned extension into the watched directory to trigger the reload flow and update the service config.\n\nWe'll review how these features can be used and include a demo of a couple of use cases, including path-activated units to deploy config payloads in production at Microsoft. 
We'll also briefly discuss the namespace and mounting changes needed in the systemd codebase to make this integration work.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Maia Xiao","Maanya Goenka"],"tags":["360","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":186,"promoted":false,"date":"2025-09-30T12:25:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-30T19:15:06.611+02:00","length":1545,"duration":1545,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/360-037b3493-4600-5360-9b2d-97c166a418b3.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/360-037b3493-4600-5360-9b2d-97c166a418b3_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/360-037b3493-4600-5360-9b2d-97c166a418b3.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/360-037b3493-4600-5360-9b2d-97c166a418b3.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-360-systemd-confext-two-years-on-versioned-overlays-for-etc-reloaded","url":"https://api.media.ccc.de/public/events/037b3493-4600-5360-9b2d-97c166a418b3","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"7a202915-a672-58c4-a265-d94046c4c861","title":"Dirlock: a new tool to manage encrypted filesystems","subtitle":null,"slug":"all-systems-go-2025-355-dirlock-a-new-tool-to-manage-encrypted-filesystems","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/AAWNQT/","description":"In the Linux world there are several tools and technologies to encrypt data on a hard drive, most falling into one of two categories: block device encryption (like LUKS) or stacked filesystem encryption (like EncFs or gocryptfs). 
This presentation will introduce Dirlock, a new tool that belongs to a third category: native filesystem encryption, using the kernel's fscrypt API. Dirlock is currently being developed and its aim is to provide a flexible way to encrypt files, suitable for both user accounts and arbitrary directories, with full PAM integration, support for hardware-backed mechanisms such as FIDO2 or TPM and with a D-Bus API for easy management.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Alberto Garcia"],"tags":["355","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 2"],"view_count":132,"promoted":false,"date":"2025-10-01T14:50:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-02-09T22:00:08.813+01:00","length":1587,"duration":1587,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/355-7a202915-a672-58c4-a265-d94046c4c861.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/355-7a202915-a672-58c4-a265-d94046c4c861_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/355-7a202915-a672-58c4-a265-d94046c4c861.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/355-7a202915-a672-58c4-a265-d94046c4c861.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-355-dirlock-a-new-tool-to-manage-encrypted-filesystems","url":"https://api.media.ccc.de/public/events/7a202915-a672-58c4-a265-d94046c4c861","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"a4ce5c99-0ecb-5d76-9d1c-5d0694e3a711","title":"BPF Tokens in systemd","subtitle":null,"slug":"all-systems-go-2025-363-bpf-tokens-in-systemd","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/TEH3QN/","description":"Running **BPF** programs today requires *CAP_BPF* capability, which is an all or nothing BPF capability.\nBut BPF nowadays spans a large area, from simple monitoring to potentially invasive fields like network or tracing.\n\nBPF Tokens aims to add fine grained BPF capabilities to systemd units and containers, avoiding to give the whole *CAP_BPF* capability or even worse running the service as privileged user.\n\nReferences:\nhttps://lwn.net/Articles/947173/\nhttps://github.com/systemd/systemd/pull/36134\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Matteo Croce"],"tags":["363","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":206,"promoted":false,"date":"2025-09-30T10:45:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-25T09:15:05.480+01:00","length":1430,"duration":1430,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/363-a4ce5c99-0ecb-5d76-9d1c-5d0694e3a711.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/363-a4ce5c99-0ecb-5d76-9d1c-5d0694e3a711_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/363-a4ce5c99-0ecb-5d76-9d1c-5d0694e3a711.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/363-a4ce5c99-0ecb-5d76-9d1c-5d0694e3a711.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-363-bpf-tokens-in-systemd","url":"https://api.media.ccc.de/public/events/a4ce5c99-0ecb-5d76-9d1c-5d0694e3a711","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"3b3efc57-2a06-5099-b726-fa9ceb4b24f5","title":"Unprivileged Containers, with Transient User Namespaces and ID Mapping, but Without SETUID Binaries","subtitle":null,"slug":"all-systems-go-2025-353-unprivileged-containers-with-transient-user-namespaces-and-id-mapping-but-without-setuid-binaries","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/E7FHPY/","description":"Many traditional container engines make use of the \"subuid\" concept and the \"newuidmap\" tool to implement a concept of \"unprivileged\" user-namespace containers on Linux. This approach has many shortcomings in my PoV, from both a security and scalability standpoint.\n\nRecent systemd versions provide a more powerful, more secure, more scalable alternative, via systemd-nsresourced, systemd-mountfsd and other components.\n\nIn this talk I want to shed some light on the problems with the \"old ways\", and in particular focus on what the \"new ways\" bring to the table, and how to make use of them in container runtimes.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Lennart Poettering"],"tags":["353","2025","asg2025","Loft","asg2025-eng","asg2025","Day 
2"],"view_count":175,"promoted":false,"date":"2025-10-01T10:00:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-04T11:15:09.163+01:00","length":2513,"duration":2513,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-353-unprivileged-containers-with-transient-user-namespaces-and-id-mapping-but-without-setuid-binaries","url":"https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"f5968a69-ccc3-527c-a2e6-5a882538c093","title":"oo7-daemon: One year later – Progress, Challenges, and What’s next","subtitle":null,"slug":"all-systems-go-2025-369-oo7-daemon-one-year-later-progress-challenges-and-what-s-next","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/NFNFJS/","description":"oo7-daemon is the new D-Bus Secret Service provider that aims to fully replace gnome-keyring. 
In this followup (continuation of my 2024 talk) lightning talk, I will go through the progress made, the challenges faced and the status of systemd credentials integration.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Dhanuka Warusadura"],"tags":["369","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":110,"promoted":false,"date":"2025-09-30T17:20:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-26T03:00:03.605+01:00","length":188,"duration":188,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/369-f5968a69-ccc3-527c-a2e6-5a882538c093.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/369-f5968a69-ccc3-527c-a2e6-5a882538c093_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/369-f5968a69-ccc3-527c-a2e6-5a882538c093.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/369-f5968a69-ccc3-527c-a2e6-5a882538c093.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-369-oo7-daemon-one-year-later-progress-challenges-and-what-s-next","url":"https://api.media.ccc.de/public/events/f5968a69-ccc3-527c-a2e6-5a882538c093","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"09f5910d-9b71-5ee9-b35b-ca8d38a6f2f9","title":"Linux IPC: Lost between Threading and Networking","subtitle":null,"slug":"all-systems-go-2025-347-linux-ipc-lost-between-threading-and-networking","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/8WW7YH/","description":"Communication is paramount in modern application development. This applies equally well to the process of writing applications and to the code itself. 
The complexity of the tasks ahead of us calls for a distributed and coordinated development effort, and this often manifests in our code: We design distributed, communicating systems to split complexity and responsibility among many people and teams, and at the same time meet the demand for ever faster systems.\n\nThe last decade showed significantly increased popularity in API design, network protocols, and distributed computations. At the same time some of the most intriguing language research improves how multi-threaded applications synchronize and exchange information without sacrificing safety or performance. Between these two lies an almost forgotten world: Linux Inter-process communication (IPC) has lost ground to thread-communication and networking protocols.\n\nLet us look at how other operating systems have evolved their IPC layers, what new systems decide to go with, and why Linux IPC has not seen any major changes since the 90s. And finally, can we lift Linux IPC out of stagnation and catch up with everyone else?\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["David Rheinsberg"],"tags":["347","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
1"],"view_count":192,"promoted":false,"date":"2025-09-30T11:25:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-04-04T17:15:04.896+02:00","length":1557,"duration":1557,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/347-09f5910d-9b71-5ee9-b35b-ca8d38a6f2f9.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/347-09f5910d-9b71-5ee9-b35b-ca8d38a6f2f9_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/347-09f5910d-9b71-5ee9-b35b-ca8d38a6f2f9.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/347-09f5910d-9b71-5ee9-b35b-ca8d38a6f2f9.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-347-linux-ipc-lost-between-threading-and-networking","url":"https://api.media.ccc.de/public/events/09f5910d-9b71-5ee9-b35b-ca8d38a6f2f9","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"ee1273f1-cffb-5536-aebd-79574ad66f50","title":"Accessing shadow records via varlink","subtitle":null,"slug":"all-systems-go-2025-350-accessing-shadow-records-via-varlink","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/RUTE9Y/","description":"Provide a varlink service to access /etc/passwd and /etc/shadow so that no setuid and setgid binaries are necessary for this task.\n\nThere are two independent \"problems\" which can be solved with the same idea: all files in /usr should be owned by root:root and no setuid binary should be needed. The first one is a requirement of image based updates of /usr to avoid UID/GID drift, the second one is a security feature wished by systemd developers and security teams.\nCurrently most setuid binaries (or setgid binaries owned by group shadow) beside su and sudo only need this to read the shadow entry of the calling user. 
This task could be delegated to a systemd socket activated service which provides the user shadow entry for the calling user.\nIn this talk I will present the why, the current implementation and feedback from security teams.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Thorsten Kukuk"],"tags":["350","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 1"],"view_count":74,"promoted":false,"date":"2025-09-30T12:25:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-02-21T05:45:03.434+01:00","length":1572,"duration":1572,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-350-accessing-shadow-records-via-varlink","url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"f4820009-ff1d-5c91-8d21-dc0c175afac9","title":"A Security Model for systemd","subtitle":null,"slug":"all-systems-go-2025-354-a-security-model-for-systemd","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/FE98ZY/","description":"Linux lacks a coherent security model, and by extension we never defined one for the systemd project either.\n\nIn this talk I'd like to start changing this, and begin defining some general security design guidelines that we so far mostly followed implicitly, and make them more explicit. 
After all, systemd to a large degree is involved in security subsystems, from SecureBoot, Measured Boot \u0026 TPM, to its service sandboxing, dm-verity/dm-crypt support, its FIDO2/PKCS#11 hookups, its many security boundaries, secure parameterization, Linux Security Module initialization and more.\n\nWhile distributions \u0026 applications consuming systemd might follow different security models I think it's important to talk about a unified vision from the systemd upstream perspective, even if various downstreams then make modifications or only deploy a subset of it.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Lennart Poettering"],"tags":["354","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":1527,"promoted":false,"date":"2025-09-30T09:30:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-04-03T15:15:03.537+02:00","length":2431,"duration":2431,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/354-f4820009-ff1d-5c91-8d21-dc0c175afac9.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/354-f4820009-ff1d-5c91-8d21-dc0c175afac9_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/354-f4820009-ff1d-5c91-8d21-dc0c175afac9.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/354-f4820009-ff1d-5c91-8d21-dc0c175afac9.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-354-a-security-model-for-systemd","url":"https://api.media.ccc.de/public/events/f4820009-ff1d-5c91-8d21-dc0c175afac9","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"aa10feb3-aa4c-5c03-9ca5-149827ecb5c4","title":"systemd: round table","subtitle":null,"slug":"all-systems-go-2025-338-systemd-round-table","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/PXZGEL/","description":"Let's have an open discussion with systemd developers who are at ASG and users in the audience. We will open with the developers saying what they plan to work on in the near future, and then allow questions / comments from the audience.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Luca Boccassi","Mike Yuan","Zbigniew Jędrzejewski-Szmek","Daan De Meyer","Lennart Poettering","Yu Watanabe"],"tags":["338","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":144,"promoted":false,"date":"2025-09-30T11:55:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-02-09T04:15:03.859+01:00","length":1692,"duration":1692,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/338-aa10feb3-aa4c-5c03-9ca5-149827ecb5c4.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/338-aa10feb3-aa4c-5c03-9ca5-149827ecb5c4_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/338-aa10feb3-aa4c-5c03-9ca5-149827ecb5c4.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/338-aa10feb3-aa4c-5c03-9ca5-149827ecb5c4.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-338-systemd-round-table","url":"https://api.media.ccc.de/public/events/aa10feb3-aa4c-5c03-9ca5-149827ecb5c4","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"a66c4715-dd04-5a02-8d67-8ad2ac9e000e","title":"Extending Fedora Atomic Desktops using systemd system extensions","subtitle":null,"slug":"all-systems-go-2025-356-extending-fedora-atomic-desktops-using-systemd-system-extensions","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/DCVQLK/","description":"On image based desktops distributions such as Fedora Atomic desktops and Universal Blue, users are expected to run their graphical applications using Flatpaks and their command line ones using containers. But that approach does not work well for some applications that require more privileges, direct access to devices or kernel interfaces.\n\nWith systemd system extensions (sysexts), it is possible to extend an image based system on demand. Sysexts come with a lot of advantages: they can be created out of arbitrary content (not only packages), are quickly enabled or disabled and can be built and shared independently of the main distribution channels.\n\nWe will demonstrate how the Atomic Desktops can take benefit of sysexts to provide extensions such as virtual machine management (libvirt), alternative container runtimes (moby-engine or docker), IDE (VS Code) or debugging (gdb).\n\nWe will also look at important details when building sysexts, the current limits when deploying them (SELinux policy modules, service management, RPM database update), what is currently blocking us from using it for more complex cases (kernel modules) and what we would need to properly manage and update them.\n\nSupporting examples for this talk: https://github.com/travier/fedora-sysexts\nWork in progress sysexts manager that targets managing sysexts on Bootable Container systems: https://github.com/travier/sysexts-manager\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Timothée 
Ravier"],"tags":["356","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":355,"promoted":false,"date":"2025-09-30T14:20:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-16T19:30:06.226+01:00","length":1554,"duration":1554,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/356-a66c4715-dd04-5a02-8d67-8ad2ac9e000e.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/356-a66c4715-dd04-5a02-8d67-8ad2ac9e000e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/356-a66c4715-dd04-5a02-8d67-8ad2ac9e000e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/356-a66c4715-dd04-5a02-8d67-8ad2ac9e000e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-356-extending-fedora-atomic-desktops-using-systemd-system-extensions","url":"https://api.media.ccc.de/public/events/a66c4715-dd04-5a02-8d67-8ad2ac9e000e","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"37c80164-bf16-5b3b-a7ea-d83d9000b0fd","title":"New Linux Kernel Coredump Infrastructure","subtitle":null,"slug":"all-systems-go-2025-345-new-linux-kernel-coredump-infrastructure","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/MADB7R/","description":"Coredumping on Linux has long been a nightmare. Currently two modes are supported:\n\n(1) Dumping directly into a file somewhere on the filesystem.\n(2) Dumping into a pipe connected to a usermode helper process spawned as a child of the system_unbound_wq or kthreadd.\n\nFor simplicity I'm mostly ignoring (1). There's probably still some users of (1) out there but processing coredumps in this way can be considered adventurous especially in the face of set*id binaries.\n\nThe most common option should be (2) by now. 
It works by allowing userspace to put a string into /proc/sys/kernel/core_pattern like:\n\n        |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h\n\nThe \"|\" at the beginning indicates to the kernel that a pipe must be used. The path following the pipe indicator is a path to a binary that will be spawned as a usermode helper process. Any additional parameters pass information about the task that is generating the coredump to the binary that processes the coredump.\n\nIn the example core_pattern shown above systemd-coredump is spawned as a usermode helper. There's various conceptual consequences of this (non-exhaustive list):\n\n- systemd-coredump is spawned with file descriptor number 0 (stdin) connected to the read-end of the pipe. All other file descriptors are closed. That specifically includes 1 (stdout) and 2 (stderr). This has already caused bugs because userspace assumed that this cannot happen (Whether or not this is a sane assumption is irrelevant.).\n\n- systemd-coredump will be spawned as a child of system_unbound_wq. So it is not a child of any userspace process and specifically not a child of PID 1. It cannot be waited upon and is in a weird hybrid upcall which are difficult for userspace to control correctly.\n\n- systemd-coredump is spawned with full kernel privileges. This necessitates all kinds of weird privilege dropping exercises in userspace to make this safe.\n\n- A new usermode helper has to be spawned for each crashing process.\n\nOn recent kernels a new mode has been added making use of AF_UNIX sockets. 
This talk will talk about the new modes, how they can be used, what advantages they have in comparison to the other modes, and look at technical implementation details.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Christian Brauner"],"tags":["345","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":112,"promoted":false,"date":"2025-10-01T11:25:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-05T00:15:07.257+01:00","length":2464,"duration":2464,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/345-37c80164-bf16-5b3b-a7ea-d83d9000b0fd.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/345-37c80164-bf16-5b3b-a7ea-d83d9000b0fd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/345-37c80164-bf16-5b3b-a7ea-d83d9000b0fd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/345-37c80164-bf16-5b3b-a7ea-d83d9000b0fd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-345-new-linux-kernel-coredump-infrastructure","url":"https://api.media.ccc.de/public/events/37c80164-bf16-5b3b-a7ea-d83d9000b0fd","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"8491ee5b-c904-57b7-829b-6b9d3f713eab","title":"isd: interactive systemd","subtitle":null,"slug":"all-systems-go-2025-330-isd-interactive-systemd","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/GCV3PM/","description":"Simplify systemd management with `isd`! 
`isd` is a TUI offering fuzzy search for units, auto-refreshing previews, smart sudo handling, and a fully customizable interface for power-users and newcomers alike.\n\nIf you ever became frustrated while typing:\n\n- `systemctl start --user unit-A.service` (manually starting a unit)\n- `systemctl status --user unit-A.service` (seeing that it failed)\n- `journalctl -xe --user -u unit-A.service` (checking the logs)\n- `systemctl edit --user unit-A.service` (updating the unit)\n- (repeat until problem is solved)\n\n`isd` could help.\n\nIn this presentation, we will discuss the features that `isd` currently supports, the features that are planned for the future, and the experience of developing a TUI for `systemd` commands.\n\nI hope attendees will find the content engaging and practical. Audience participation is highly encouraged. I am especially eager to hear your thoughts, ideas, and feature requests. If you think a tool like `isd` might be unnecessary or redundant, I'd love to hear your perspective, too!\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Kai Norman Clasen"],"tags":["330","2025","asg2025","Loft","asg2025-eng","asg2025","Day 
1"],"view_count":194,"promoted":false,"date":"2025-09-30T16:15:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-20T17:30:08.976+01:00","length":1182,"duration":1182,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/330-8491ee5b-c904-57b7-829b-6b9d3f713eab.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/330-8491ee5b-c904-57b7-829b-6b9d3f713eab_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/330-8491ee5b-c904-57b7-829b-6b9d3f713eab.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/330-8491ee5b-c904-57b7-829b-6b9d3f713eab.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-330-isd-interactive-systemd","url":"https://api.media.ccc.de/public/events/8491ee5b-c904-57b7-829b-6b9d3f713eab","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"e018fe43-b835-5514-aa43-75d7b2559939","title":"Look ma, no secrets! - bootstrapping cryptographic trust in my homelab using Nix, UKIs, TPMs and SPIFFE","subtitle":null,"slug":"all-systems-go-2025-379-look-ma-no-secrets-bootstrapping-cryptographic-trust-in-my-homelab-using-nix-ukis-tpms-and-spiffe","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/X3ZSXV/","description":"All the big cloud providers provide your machines with a unique cryptographic identity that can be used to talk to their cloud services securely without having to manage or rotate any cryptographic secrets yourself.  For example GCP has Service accounts and AWS has IAM roles.  This ubiquity of cloud identity and the seamless integration with all the services of  these cloud providers is one of the reasons why they are so successful.\n\nSPIFFE (Secure Production Identity Framework For Everyone) tries to unify these concepts of workload identity in a vendor neutral framework. 
But how do we bootstrap our cryptographic identity securely when we are running things on our own hardware as opposed to on cloud? What is our bottom turtle?\n\nIn this talk, I will show how I use Nix in combination with the swiss-army knife of tools provided by systemd (ukify, systemd-measure,  systemd-repart, systemd-veritysetup-generator) to create reproducible images for which we can predict TPM measurements.\n\nPaired with a custom attestation plugin for SPIRE (the reference CA server for SPIFFE) that uses TPM remote attestation I can give each of my servers a unique identity encoded in a TLS certificate if and only if they were booted up with the software that I intended them to boot up with.\n\nThis then allows me to have workloads talk to each other with mutual TLS without having to manage any keys or certificates myself.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Arian van Putten"],"tags":["379","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
1"],"view_count":533,"promoted":false,"date":"2025-09-30T14:20:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-30T20:30:04.739+02:00","length":1655,"duration":1655,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/379-e018fe43-b835-5514-aa43-75d7b2559939.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/379-e018fe43-b835-5514-aa43-75d7b2559939_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/379-e018fe43-b835-5514-aa43-75d7b2559939.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/379-e018fe43-b835-5514-aa43-75d7b2559939.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-379-look-ma-no-secrets-bootstrapping-cryptographic-trust-in-my-homelab-using-nix-ukis-tpms-and-spiffe","url":"https://api.media.ccc.de/public/events/e018fe43-b835-5514-aa43-75d7b2559939","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"094a81bc-e198-5c8b-b4e6-08e05a3e373c","title":"One Boot Config to Rule Them All: Bringing UAPI Boot Specification to Legacy BIOS","subtitle":null,"slug":"all-systems-go-2025-328-one-boot-config-to-rule-them-all-bringing-uapi-boot-specification-to-legacy-bios","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/ANC879/","description":"The UAPI Boot Loader Specification defines conventions that let multiple operating systems and bootloaders share boot config files. 
So far, only systemd-boot implements it - and it’s UEFI-only by design.\n\nAs a result, hybrid UEFI/BIOS images require maintaining (and keeping in sync) two sets of bootloader configs: one for systemd-boot, and one for a legacy bootloader such as syslinux.\n\nI set out to fix that by building a BIOS bootloader that uses the UAPI Boot Loader Specification - allowing both UEFI and legacy boot to use a single shared set of config files. This talk is about why that matters, how I built it, and what comes next.\n\nIn this talk, I’ll cover:\n\n- What the UAPI boot spec is\n- Why you'd want to use legacy boot instead of EFI/systemd-boot - *spoiler: you don't! but you might have to*\n- How I implemented UAPI boot support for legacy BIOS\n- What about UKIs?\n- A live demo of the bootloader in action\n- The current state of the project and what’s next\n\nhttps://uapi-group.org/specifications/specs/boot_loader_specification\nhttps://github.com/nkraetzschmar/bootloader\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Nikolas Krätzschmar"],"tags":["328","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
2"],"view_count":117,"promoted":false,"date":"2025-10-01T17:15:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-19T10:30:06.835+01:00","length":1499,"duration":1499,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/328-094a81bc-e198-5c8b-b4e6-08e05a3e373c.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/328-094a81bc-e198-5c8b-b4e6-08e05a3e373c_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/328-094a81bc-e198-5c8b-b4e6-08e05a3e373c.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/328-094a81bc-e198-5c8b-b4e6-08e05a3e373c.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-328-one-boot-config-to-rule-them-all-bringing-uapi-boot-specification-to-legacy-bios","url":"https://api.media.ccc.de/public/events/094a81bc-e198-5c8b-b4e6-08e05a3e373c","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"eb790ac0-2dac-5f63-836d-acd30c27376d","title":"Closing session of All Systems Go! 2025","subtitle":null,"slug":"all-systems-go-2025-383-closing-session-of-all-systems-go-2025","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/DR8ELH/","description":"Closing session of All Systems Go! 
2025\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":[],"tags":["383","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":55,"promoted":false,"date":"2025-10-01T17:45:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-04T09:45:05.651+01:00","length":142,"duration":142,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/383-eb790ac0-2dac-5f63-836d-acd30c27376d.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/383-eb790ac0-2dac-5f63-836d-acd30c27376d_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/383-eb790ac0-2dac-5f63-836d-acd30c27376d.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/383-eb790ac0-2dac-5f63-836d-acd30c27376d.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-383-closing-session-of-all-systems-go-2025","url":"https://api.media.ccc.de/public/events/eb790ac0-2dac-5f63-836d-acd30c27376d","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"be331d57-9f47-5105-8433-d77866133e29","title":"Systing: tracing for the lazy","subtitle":null,"slug":"all-systems-go-2025-384-systing-tracing-for-the-lazy","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/UHSCHF/","description":"Systing helps you solve problems in minutes rather than days. Out of the box it gives you everything you could possibly need, combined with perfetto’s visualization you will never be confused again.\n\nThis talk will introduce systing, a tracer that is built on modern BPF tooling, purpose built to debug large applications with complicated interactions.\n\nThis will be little talk and mostly demo. Two decades of experience debugging kernel problems has been poured into this tool to make it as straightforward as possible. 
I will walk through the basic usage, and show a case study investigation to give a feel for the various features that set it apart from the lower level tools we all use and love.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Josef Bacik"],"tags":["384","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 1"],"view_count":206,"promoted":false,"date":"2025-09-30T10:45:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-04-01T10:00:05.158+02:00","length":1764,"duration":1764,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/384-be331d57-9f47-5105-8433-d77866133e29.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/384-be331d57-9f47-5105-8433-d77866133e29_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/384-be331d57-9f47-5105-8433-d77866133e29.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/384-be331d57-9f47-5105-8433-d77866133e29.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-384-systing-tracing-for-the-lazy","url":"https://api.media.ccc.de/public/events/be331d57-9f47-5105-8433-d77866133e29","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"11da911b-3842-5b9a-9cde-982f8972183e","title":"A simpler and faster firewall with bpfilter","subtitle":null,"slug":"all-systems-go-2025-329-a-simpler-and-faster-firewall-with-bpfilter","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/JEVBTZ/","description":"For many years, firewall solutions on Linux have grown and evolved, without any major change, until eBPF. While eBPF can allow very fast and efficient packet filtering, the learning curve doesn't make it easily accessible to non-developers. 
bpfilter aims to bridge the gap between existing tools (nftables, iptables) and modern technologies such as eBPF.\n\nBy translating filtering rules into native code, bpfilter abstracts the complexity behind cutting-edge kernel technologies while maintaining backward compatibility with existing solutions. Let's discuss bpfilter and see it in action!\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Quentin Deslandes"],"tags":["329","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 1"],"view_count":192,"promoted":false,"date":"2025-09-30T15:20:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-23T08:45:04.929+01:00","length":2379,"duration":2379,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/329-11da911b-3842-5b9a-9cde-982f8972183e.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/329-11da911b-3842-5b9a-9cde-982f8972183e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/329-11da911b-3842-5b9a-9cde-982f8972183e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/329-11da911b-3842-5b9a-9cde-982f8972183e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-329-a-simpler-and-faster-firewall-with-bpfilter","url":"https://api.media.ccc.de/public/events/11da911b-3842-5b9a-9cde-982f8972183e","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"885f655d-ee1c-509d-93f2-3ac9b87f68d6","title":"systemd: state of the project","subtitle":null,"slug":"all-systems-go-2025-337-systemd-state-of-the-project","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/B8RVCJ/","description":"Same as every year, a lot has happened in the systemd project since last year's\nASG. 
We released multiple versions, packed with new components and features.\nThis talk will provide an overview of these changes, commenting on successes and\nchallenges, and a sneak peek at what lies ahead.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Luca Boccassi","Zbigniew Jędrzejewski-Szmek"],"tags":["337","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":492,"promoted":false,"date":"2025-09-30T11:25:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-30T13:00:07.206+02:00","length":1307,"duration":1307,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/337-885f655d-ee1c-509d-93f2-3ac9b87f68d6.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/337-885f655d-ee1c-509d-93f2-3ac9b87f68d6_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/337-885f655d-ee1c-509d-93f2-3ac9b87f68d6.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/337-885f655d-ee1c-509d-93f2-3ac9b87f68d6.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-337-systemd-state-of-the-project","url":"https://api.media.ccc.de/public/events/885f655d-ee1c-509d-93f2-3ac9b87f68d6","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"1df26fd7-afa0-5b82-8407-50a29b590293","title":"GNOME OS' prêt-à-booter image","subtitle":null,"slug":"all-systems-go-2025-352-gnome-os-prt--booter-image","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/QRJVL3/","description":"GNOME OS is a distribution based around systemd-sysupdate. This year, we finally created a live installer image using the same /usr partition as the installed OS. The main innovation however is the ability to install without the need to reboot. 
The user can start working while the installation is happening.\n\nThis live image is built using systemd-repart. And the installer itself also uses systemd-repart. But systemd-repart is not the complete solution and we had to solve some challenges.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Valentin David"],"tags":["352","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 2"],"view_count":82,"promoted":false,"date":"2025-10-01T10:45:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-04-03T15:00:05.101+02:00","length":1565,"duration":1565,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/352-1df26fd7-afa0-5b82-8407-50a29b590293.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/352-1df26fd7-afa0-5b82-8407-50a29b590293_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/352-1df26fd7-afa0-5b82-8407-50a29b590293.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/352-1df26fd7-afa0-5b82-8407-50a29b590293.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-352-gnome-os-prt--booter-image","url":"https://api.media.ccc.de/public/events/1df26fd7-afa0-5b82-8407-50a29b590293","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"6d688e51-c573-5252-9073-4cce9423eb00","title":"A new systemd container runtime?!","subtitle":null,"slug":"all-systems-go-2025-342-a-new-systemd-container-runtime-","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/BBTJSF/","description":"At Meta, we've been looking to revamp our internal container runtime (Twine). Instead of maintaining all the low level container runtime code ourselves, we'd much prefer having more of this managed by systemd. 
This talk will go over what we did to make systemd transient units a suitable environment for running system containers (pid namespace support, cgroup namespace support, namespace delegation, ...), and why we went this route instead of reusing systemd-nspawn.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Daan De Meyer"],"tags":["342","2025","asg2025","Loft","asg2025-eng","asg2025","Day 1"],"view_count":291,"promoted":false,"date":"2025-09-30T16:45:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-29T16:15:03.838+02:00","length":1645,"duration":1645,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/342-6d688e51-c573-5252-9073-4cce9423eb00.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/342-6d688e51-c573-5252-9073-4cce9423eb00_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/342-6d688e51-c573-5252-9073-4cce9423eb00.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/342-6d688e51-c573-5252-9073-4cce9423eb00.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-342-a-new-systemd-container-runtime-","url":"https://api.media.ccc.de/public/events/6d688e51-c573-5252-9073-4cce9423eb00","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"697f1e7f-166d-5ab2-8ccc-6651175b30e3","title":"CentOS Proposed Updates: Bridging the Gap between development and production","subtitle":null,"slug":"all-systems-go-2025-336-centos-proposed-updates-bridging-the-gap-between-development-and-production","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/9QUZNY/","description":"CentOS Stream is especially suited for production deployments. 
In these environments it's often common to develop improvements to distribution packages and want to contribute them upstream. Unfortunately, until very recently that required one to then maintain their own build and deployment pipeline for the packages, at least until the changes made their way into the distribution.\n\nCentOS Proposed Updates (CPU) SIG aims to bridge this gap - changes that have been submitted as merge requests can be built in this SIG, providing those who run Stream in production with access to needed updates while they make their way into CentOS Stream. We hope this will help increase collaboration between RHEL engineers, CentOS Stream contributors, and the rebuild community as well, especially those that have distributions derived from CentOS Stream directly (such as AlmaLinux with AlmaLinux OS Kitten), as everyone can focus on making improvements without reinventing their own build pipelines.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Michel Lind","Davide Cavalca"],"tags":["336","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
2"],"view_count":38,"promoted":false,"date":"2025-10-01T12:10:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-17T23:30:05.923+01:00","length":1532,"duration":1532,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/336-697f1e7f-166d-5ab2-8ccc-6651175b30e3.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/336-697f1e7f-166d-5ab2-8ccc-6651175b30e3_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/336-697f1e7f-166d-5ab2-8ccc-6651175b30e3.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/336-697f1e7f-166d-5ab2-8ccc-6651175b30e3.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-336-centos-proposed-updates-bridging-the-gap-between-development-and-production","url":"https://api.media.ccc.de/public/events/697f1e7f-166d-5ab2-8ccc-6651175b30e3","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"113e09bf-4f50-5914-8be9-d6a119c68d42","title":"Verification of OS artifacts without stateful keyrings","subtitle":null,"slug":"all-systems-go-2025-374-verification-of-os-artifacts-without-stateful-keyrings","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/7DDSVZ/","description":"Many OS artifacts today are still verified using proprietary, stateful keyring formats.\nWith the \"File Hierarchy for the Verification of OS Artifacts (VOA)\" an attempt is made to rid the ecosystem of this limitation by implementing a generic lookup directory.\nWith extensibility in mind, this unifying hierarchy currently provides integration for OpenPGP, with further integrations in planning.\n\nWhile working on improvements to the [ALPM](https://alpm.archlinux.page) ecosystem, the way packages and other OS artifacts are currently verified on Arch Linux has been evaluated.\nNoticing the extensive vendor lock-in to 
GnuPG and with today's widespread availability of [Stateless OpenPGP](https://wiki.archlinux.org/title/Stateless_OpenPGP) implementations in mind, a plan was hatched to create a more generic, stateless approach.\n\nA specification and implementation for the [UAPI group](https://uapi-group.org/) has been started to create a [\"File Hierarchy for the Verification of OS Artifacts (VOA)\"](https://github.com/uapi-group/specifications/pull/134).\nThis approach is meant to be technology agnostic and allow further integrations, such as SSH and X.509.\n\nFollow along for an overview of what this specification is trying to improve upon and how today's tools could benefit from it in the future.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["David Runge"],"tags":["374","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 1"],"view_count":118,"promoted":false,"date":"2025-09-30T16:15:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-04-01T18:45:05.029+02:00","length":1300,"duration":1300,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/374-113e09bf-4f50-5914-8be9-d6a119c68d42.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/374-113e09bf-4f50-5914-8be9-d6a119c68d42_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/374-113e09bf-4f50-5914-8be9-d6a119c68d42.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/374-113e09bf-4f50-5914-8be9-d6a119c68d42.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-374-verification-of-os-artifacts-without-stateful-keyrings","url":"https://api.media.ccc.de/public/events/113e09bf-4f50-5914-8be9-d6a119c68d42","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"76682a8e-6217-5367-982f-f356f657547e","title":"OS as a Service at Meta Platforms","subtitle":null,"slug":"all-systems-go-2025-332-os-as-a-service-at-meta-platforms","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/VNCDRL/","description":"I overview how OS management is done at Meta. We run millions of Linux servers and we have to make sure that OS gets updated on all of them in a given period of time. To do that we developed several products: MetalOS (Image based version of CentOS), Antlir (image builder) and Rolling OS Update (a service that keeps a set of DNF repos in sync with upstream repos and uses them to update OS )\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Serge Dubrouski"],"tags":["332","2025","asg2025","Loft","asg2025-eng","asg2025","Day 2"],"view_count":178,"promoted":false,"date":"2025-10-01T17:15:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-03-02T02:15:04.031+01:00","length":1530,"duration":1530,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/332-76682a8e-6217-5367-982f-f356f657547e.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/332-76682a8e-6217-5367-982f-f356f657547e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/332-76682a8e-6217-5367-982f-f356f657547e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/332-76682a8e-6217-5367-982f-f356f657547e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-332-os-as-a-service-at-meta-platforms","url":"https://api.media.ccc.de/public/events/76682a8e-6217-5367-982f-f356f657547e","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"6bb9947a-7de8-55c6-931d-bb95247878cf","title":"ParticleOS: Why is Lennart still not dogfooding systemd?!","subtitle":null,"slug":"all-systems-go-2025-335-particleos-why-is-lennart-still-not-dogfooding-systemd-","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/QMYAMS/","description":"More than six months have passed since Daan tried to ~~shame~~ gently peer pressure Lennart to actually use the stuff he builds, via a FOSDEM talk:\n\nhttps://fosdem.org/2025/schedule/event/fosdem-2025-4057-particleos-can-we-make-lennart-poettering-run-an-image-based-distribution-/\n\nDid he succeed? Is dogfooding standard practice now in the systemd development process? Or do things like randomly breaking logging in GNOME (*cough*) still happen from time to time? Join us for this talk to find out, and to apply yet more peer pressure.\n\nWe will also spend some time talking about more boring and mundane topics, such as giving an overview of the current status of ParticleOS, and how we build it as a ready-to-consume and secure-by-default signed and self-enrolling appliance on the SUSE Open Build Service.\n\nhttps://github.com/systemd/particleos\nhttps://build.opensuse.org/package/show/system:systemd/particleos-fedora\nhttps://build.opensuse.org/package/show/system:systemd/particleos-debian\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Luca Boccassi","Daan De Meyer"],"tags":["335","2025","asg2025","Loft","asg2025-eng","asg2025","Day 
1"],"view_count":502,"promoted":false,"date":"2025-09-30T15:20:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-04-01T09:45:02.912+02:00","length":2266,"duration":2266,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/335-6bb9947a-7de8-55c6-931d-bb95247878cf.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/335-6bb9947a-7de8-55c6-931d-bb95247878cf_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/335-6bb9947a-7de8-55c6-931d-bb95247878cf.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/335-6bb9947a-7de8-55c6-931d-bb95247878cf.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-335-particleos-why-is-lennart-still-not-dogfooding-systemd-","url":"https://api.media.ccc.de/public/events/6bb9947a-7de8-55c6-931d-bb95247878cf","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"1c609169-704f-5a73-b8d7-2874fc15ce19","title":"Sandboxing services with Landlock","subtitle":null,"slug":"all-systems-go-2025-368-sandboxing-services-with-landlock","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/FXWDCF/","description":"Landlock is an unprivileged kernel feature that enables all Linux users to sandbox their processes. Complementary to seccomp, developers can leverage Landlock to restrict their programs in a fine-grained way. While Landlock can be used by end users through sandboxer tools, there is currently no well-integrated solution to define security policies tailored to system services. 
Although AppArmor and seccomp security policies can already be tied to a system unit, we aim to provide a more dynamic, standalone, and unprivileged option with Landlock.\n\nIn this talk, we'll briefly explain what Landlock is and highlight its differences from other Linux security features (e.g., namespaces, seccomp, other LSMs). We'll then focus on the new configuration format we are designing for Landlock security policies, its characteristics, and how it could extend systemd units by taking into account runtime context (e.g., XDG variables).\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Mickaël Salaün"],"tags":["368","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 1"],"view_count":206,"promoted":false,"date":"2025-09-30T14:50:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-03-31T22:45:07.247+02:00","length":1501,"duration":1501,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/368-1c609169-704f-5a73-b8d7-2874fc15ce19.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/368-1c609169-704f-5a73-b8d7-2874fc15ce19_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/368-1c609169-704f-5a73-b8d7-2874fc15ce19.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/368-1c609169-704f-5a73-b8d7-2874fc15ce19.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-368-sandboxing-services-with-landlock","url":"https://api.media.ccc.de/public/events/1c609169-704f-5a73-b8d7-2874fc15ce19","conference_title":"All Systems Go! 
2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]},{"guid":"0c036290-5749-5158-b956-ce2ba4991119","title":"Yocto's hidden gem: OTA and seamless updates with systemd-sysupdate","subtitle":null,"slug":"all-systems-go-2025-370-yocto-s-hidden-gem-ota-and-seamless-updates-with-systemd-sysupdate","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/MU7JM8/","description":"Updates are a critical piece of managing your fleet of devices. Nowadays, Yocto-based distributions can utilize layers for well-established update mechanisms. But, did you know that recent releases of Yocto already come with a simple update mechanism?\n\nEnter systemd-sysupdate: a mechanism capable of automatically discovering, downloading, and installing A/B-style updates. By combining it with tools like systemd-boot, we can turn it into a\ncomprehensive alternative for common scenarios.\n\nIn this talk, we will briefly introduce systemd-sysupdate, show how it can be integrated with your Yocto distribution, and share thoughts on how it can be improved further.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Emmanuele Bassi","Martín Abente Lahaye"],"tags":["370","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
2"],"view_count":162,"promoted":false,"date":"2025-10-01T16:45:00.000+02:00","release_date":"2025-10-01T00:00:00.000+02:00","updated_at":"2026-04-02T09:00:04.700+02:00","length":1593,"duration":1593,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/370-0c036290-5749-5158-b956-ce2ba4991119.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/370-0c036290-5749-5158-b956-ce2ba4991119_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/370-0c036290-5749-5158-b956-ce2ba4991119.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/370-0c036290-5749-5158-b956-ce2ba4991119.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-370-yocto-s-hidden-gem-ota-and-seamless-updates-with-systemd-sysupdate","url":"https://api.media.ccc.de/public/events/0c036290-5749-5158-b956-ce2ba4991119","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[]}]}