LinuxCon ContainerCon CloudOpen China

We all recognize that the world of open source technology is advancing rapidly. With such rapid change how has that effected Cloud computing and in particular mature projects such as OpenStack. How does this change impact their technology, community and relationships with other related open source innovative efforts?  Through this session Alan will provide some insight into the latest cloud industry trends, OpenStack community adoption to this change and the ties to cloud use for business today and tomorrow.

Whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary or "compiled" packages to end users.

The motivation behind "reproducible" builds is to allow verification that no flaws have been introduced during this compilation process by promising identical binary packages are always generated from a given source.

This prevents against the installation of backdoor-introducing malware on developers' machines - an attacker would need to simultaneously infect or blackmail all developers attempting to reproduce the build.

This talk will focus on how exactly software can fail to be reproducible, the tools, tests & specifications we have written to fix & diagnose issues as well as the many amusing "fails" in upstream code that have been unearthed by this process. In addition, you will learn what to avoid in your own software.

Blocking and waking on an event is one of the most fundamental tasks any general purpose operating system must do. Being so common it is fundamental it be efficient, incurring in minimal overhead, but it also means that this functionality can occur under many different constraints throughout the kernel. There have been numerous changes targeting both performance and real-time which improve waiting on events. As such, this presentation hopes to update the audience on these increasingly changing kernel interfaces;illustrating a number of new calls that build upon, and extends the basic wait/wake semantics to very ad-hoc situations. Understanding when and how to use them are important when integrating new functionality in the kernel that make use of blocking for something.

Grub is a decent bootloader for many Linux distros that supports rich functionalities. Recent TrustedGRUB2 supports measured boot with TPM. It measures the integrity of booting process, generating a hash value that could be used for root-of-trust. On the other hand, UEFI defines secure boot, which checks the validity of the bootloader and kernel. Unfortunately, both have some limitations: measured boot lacks in enforcement mechanism, and secure boot doesn't give any provenance of integrity to use as root-of-trust. Secure boot+measured boot makes Linux booting harden. Secure boot will check the integrity of binary, with proper enforcement mechanism; measured boot will provide root-of-trust that measures the system integrity information to the post-boot software. This talk will review why and how the two booting processes (secure boot and measured boot) can be integrated with TrustedGRUB.

There are best practices to understand when building products from open source software, but there are a number of anti-patterns that crop up along the way. Product teams (from engineering to marketing) need to understand these patterns and practices to participate best in open source project communities and deliver products and services to their customers at the same time. These patterns hold regardless of whether the vendor created and owns the project or participates in projects outside their control.

Unikernel is a novel software technology that links an application with OS in the form of a library and packages them into a specialized image that facilitates direct deployment on a hypervisor. Comparing to the traditional VM or the recent containers, Unikernels are smaller, more secure and efficient, making them ideal for cloud environments. There are already lots of open source projects like OSv, Rumprun and so on. But why these existing unikernels have yet to gain large popularity broadly? We think Unikernels are facing three major challenges: 1. Compatibility with existing applications; 2. Lack of production support (e.g. monitoring, debugging, logging); 3. Lack of compelling use case. In this presentation, we will review our investigations and exploration of if-how we can convert Linux as Unikernel to eliminate these significant shortcomings, plus some explorations of coordinating and cooperating with hypervisor.

Keeping time in Linux is not simple and virtualization adds additional challenges as well as new opportunities to it. In this presentation, Vitaly will review KVM, Xen, and Hyper-V related time keeping techniques and the corresponding parts of Linux kernel. The talk will cover existing hardware features, clocksources and clockevents, the newly added PTP sources, read methods and more.

In 2012, Alibaba released its source of RocketMQ, a third-generation distributed messaging middleware. Through several years of technical improvement, RocketMQ is now capable of transferring trillions of concurrent online messages as in Alibaba’s Nov. 11th Shopping Festival.

In November 2016, Alibaba donated RocketMQ to the Apache Software Foundation (ASF) as an incubator project. That was a huge step for Alibaba to make it through ASF’s competitive evaluation process. During the Alibaba’s annual Nov. 11 Global Shopping Festival , RocketMQ robustly provided stable infrastructure with a transfer throughput of more than one trillion messages.

What have we done to optimize behind such magic figure?This sharing will give you a details about the optimization about RocketMQ’ storage engine, especially about low-latency request optimization under the linux kernel.

UEFI HTTP/HTTPS Boot is a new feature of UEFI 2.5+. In the meantime, this feature is not yet implemented in any Linux bootloader. This Birds of a Feather session will give an introduction to UEFI HTTP/HTTPS Boot, and share a proof-of-concept implementation based on grub2 that works on both the emulator (QEMU/OVMF) and HPE ProLiant Gen10 servers.

For HTTPS, the experience and comparison will be shared between the purely software-based and UEFI-based implementations in the aspects of ease of implementation, security strength, and limitation.

Kdump is a long existing method for acquiring dump of crashed kernel, however very few literatures are available to understand it's usage and internals. We receive a lot of queries on kexec mailing list about different issues related to the kexec/kdump environment.
In this presentation, we talk about basics of kdump usage and some internals about kdump/kexec kernel implementation. It includes end to end flow from kdump kernel configuration to crash analysis. We discuss some of the problem which is frequently faced by kdump users. It also includes related information about ELF structure, so that one can debug if vmcore itself gets corrupted because of any architecture related issue.

There are three interconnected stories of how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. The talk will cover the impact these technologies have on sys admins and in general.