Opening Day 1

Infrastructure engineering has been built on predictability. If you specify the state, enforce it consistently, and eliminate drift, the system behaves as expected. Determinism was the goal and configuration management gave us the tools to get there. However, today’s AI models, agentic systems, and other probabilistic workloads break that mental model. You can deliver a perfectly reproducible environment and still see the application layer behave differently from run to run. The foundations didn’t fail; the workloads simply play by different rules.

Open source has always balanced freedom and power. Each era, from the rise of Linux to the cloud to generative AI, reveals the same flaw and the same strength: ideals built to maximize liberty inevitably create new leverage points. This talk traces that recurring pattern and argues that open source’s periodic crises are not failures but feedback loops, teaching us how to keep freedom alive in changing infrastructures.

I get it. You tried using AI tooling to write some terraform, or to vibe code an application, and it generated an unholy mess of slop. We’re ruining the planet with the heat generated from datacenters, people are losing their jobs, and the whole thing feels like a bad speed run of web-3 style crypto grift combined with astronomical levels of unattainable hype. It’s a bubble that’s bound to pop. What you want is for the whole thing to just go away, really, if we’re being honest with each other.

But it won’t. Because it turns out, LLMs are incredibly useful technologies, and the industry has only really learned how to use them well in the last six months. The metaphorical genie is, in fact, out of the bottle. In this talk I’ll show you how building an AI Agent transformed System Initiative from the top down, and radically changed my perspective on what’s possible in infrastructure automation. I’ll go deep into how things work, why they work, and what it all means for how our corner of the industry works moving forward.

Lets face it ... containers are here to stay, yes plenty of people abuse them for the wrong reasons , but they have some benefits too.
But the ecosystem to run them is till way to complex for the average organisation. You are not Google, You ain't gonna need K8s. But do want Just Enough Container Orchestration.

This Ignite will give you an idea on how to get there.
Maybe even a working Proof of Concept.

GitOps promises simplicity, consistency, and automation, but without discipline, it can just as easily invite drift, outages, and operational pain. GitOps is not a "set it and forget it" solution; it's a living, breathing system that requires ongoing maintenance and nurturing over time.

In this talk, you will learn to understand the pitfalls of not caring about best practices in GitOps through real-world examples and lessons learned. We will cover sins such as pride (ignoring drift), envy (Blindly copying other GitOps setups), sloth (ignoring reconciliation errors), and others, as well as practical fixes and patterns that teams can apply to build more resilient and sustainable workflows.

Whether you're new to GitOps or scaling an enterprise platform, this talk will help you spot warning signs early, avoid painful mistakes, and strengthen your GitOps practices with confidence.

Short Talk about the new features in OpenVoxView and short Introduction to OpenVoxView

This talk examines the factors that can significantly increase developer and team efficiency. According to a study by IDC, developers today spend only about 30% of their time on coding and requirements. I’ll share experiences from teams where I’ve helped build a developer experience that raised that number to around 80%. Through standardization and automation, we improved both productivity and team collaboration. These foundations also make it easier to adopt AI effectively and gain even more efficiency from AI-driven workflows.

CI/CD is sold as automation magic, just hook up your pipeline and watch your problems disappear! Except... they don’t. Because what really keeps DevOps moving isn’t code, it’s communication. I’ll argue that the real CI/CD is Communication and Iteration. The human stuff we pretend is soft skills but actually determines if your deploy goes smoothly or takes something down unexpectedly. In this 5 minute talk, we’ll go through how culture, not config files, makes or breaks your pipeline.

Pabawi is a new Web frontend to manage and inventory your infrastructure systems: it currently supports Bolt and Puppet, with planned integrations with Ansible and other tools that interface with good old "legacy" physical or virtual systems (there's always an OS somewhere to deal with, after all).
The Ignite is a quick overview of Pabawi features.

After 30 years in this field and too many years away from actual code, I came back. What I found frustrated me enough to start building. AI gave me the velocity, but the direction came from decades of seeing the same patterns return, dressed in new syntax.
I built most of these tools around Kubernetes. Not because I love it, but because I was already frustrated from working with it. After five years of managing a DevOps consultancy, I understood something: you can't convince everyone who doesn't need it not to use it. It's a standard now. It's everywhere. So I stopped fighting.
But going deep into its ecosystem, really learning it, something clicked. I remembered there was something else out there. Something that could do some of these things more elegantly.
Eleven tools in seven months. Still a work in progress. Our modern stack has real engineering in it. But somewhere along the way, we fragmented what used to be unified. We solved problems that were already solved, just in places we weren't looking.

Building your own internal developer platform can seem attractive, but it's a risky proposition. In a platform as a product approach, when you build it, you own it, and now you're in the business of developing a product instead of your actual business. In this talk, drawing from 10 years of platform engineering case studies of large organizations, Coté will go over seven risks of building your own platform: expansive scopes, underestimating cost, project mindsets, death by customization, skills, security and compliance, resume-driven development. You can learn from the many people who've suffered these risks already and, hopefully, avoid them yourself.

Getting started with Ansible is exciting and rapidly improves your productivity. However I've revisited playbooks that I wrote almost a decade ago and found the code today to be almost unmaintainable. Should I have created a role instead of a playbook? Was it really a good idea to copy-paste between projects? (Spoiler: yes, but we've all done it somewhere!) This talk shares the practical knowledge I've gathered over years of working with Ansible—the kind of insights that only come from actually using it in production, making mistakes, and finding better approaches. In this talk, I'll share what worked, what didn't, and why—so you can build automation you'll still be happy with months down the line. You'll leave with both the fundamentals and the perspective that usually takes years to develop.

Nowadays, everybody seems to be talking about Platform Engineering. The world of software development and cloud native technologies have been flooded with new tools and frameworks under the label of Platform Engineering. This talk aims to unpack these technologies by exploring their underlying principles and addressing the following questions:

• What is Platform Engineering?
• What are the core principles that define Platform Engineering and differentiate it from traditional DevOps?
• How do Infrastructure as Code (IaC) and Configuration Management interplay with Platform Engineering?
• Can we build platforms tailored to the needs of infrastructure automation developers and how would they look like?

The session concludes with a live demo of an Infrastructure Automation Platform that combines the following technologies:
- Backstage
- Ansible
- HashiCorp Vault
- GitLab
- Eclipse Che

This demonstration showcases a practical approach to architecting, building and maintaining an Infrastructure Automation Platform - an approach that can be adapted to platforms composed out of other tech stacks as well. Finally, we will take a glimpse in the future of possible platform capabilities and how they might reshape the way we collaborate.

As organizations increasingly adopt containerization, Kubernetes has become the de facto standard for orchestrating clusters. However, for many teams, the complexity and operational overhead of managing a Kubernetes environment can be daunting.
In this talk, we'll explore a practical alternative built on open standards and simple tools: using: * Ansible for automation * Podman for container management * bootc for the operating system.
While Ansible and Podman are very established technologies, bootc is an emerging technology that reimagines how systems are built and updated by transforming container images into fully bootable, atomic operating systems. It brings the simplicity, consistency, and automation of container workflows all the way down to the OS layer.
You'll learn how to use Ansible to define and manage containerized applications and services, leverage Podman's daemonless architecture for secure deployments, and then go one step further by using bootc to build and manage image-based operating systems directly from your container definitions.
We'll wrap up with a live demo creating podman containers using Ansible on a bootc system, showing how these tools together can deliver lightweight, reproducible, and maintainable infrastructure in a simple way.

Join us for the annual Foreman Community Updates to explore the key developments, discussions, and long-term efforts shaping the Foreman ecosystem over the past year.
We’ll cover major feature work, including the new Job Invocation Detail page, the RFC on Recurring Logic Redesign, and improvements to testing plugins from Foreman Core. On the Katello side, beyond the headline features in the Katello 4.19 release, we are introducing enhancements to Image Mode and Flatpak support. We’re actively seeking user feedback on the use of Image Mode (known upstream as bootable containers) with Foreman & Katello, as well as on our container registry experience.
A significant multi-year effort is underway to modernize the entire Foreman UI to PatternFly 5. This will be a long process (roughly two years) and users can expect many UI changes throughout that period.
We’ll also highlight improvements to the documentation site, such as clearer navigation, new version banners ("Pre-release", "Unsupported", reworked guide/flavor navigation, and continued plans to update documentation around the containerization work. As containerization progresses, especially through the emerging foremanctl tooling, we anticipate extensive documentation updates, including a future streamlined installation guide. For now, only the foremanctl quickstart guide is published.
We’ll review documentation updates including a restructured Provisioning Hosts guide and new OpenSCAP content for non-RHEL clients.
We will also touch on recent community activities, such as the Foreman + AI meetup held in Brno. While AI isn’t a major community focus yet, we plan to share the event recordings soon.
This session is your chance to stay informed, give feedback, and help influence the direction of Foreman’s next generation.

Can you build an enterprise-grade web app and get it up and running from scratch in exactly 30 minutes using nothing but GenAI and open source software? That's the question and goal of this talk. We'll start using a .env file with credentials, a detailed design describing the desired app and... an empty git repo! Let's hope the demo gods will be kind to us.

Kubernetes is often described as "just a bunch of APIs" - powerful, flexible, and notoriously opaque. But it doesn’t have to stay that way. In this talk, we’ll look at how tools like Headlamp can turn Kubernetes from a wall of YAML and kubectl output into something far more approachable and insightful.

We’ll explore how Headlamp provides a clean, extensible UI that surfaces real-time cluster state, RBAC insights, workloads, and events — without compromising on power or security. You’ll see how to deploy it safely, extend it for your team’s needs, and use it alongside existing tooling to improve developer experience and operational visibility.

If you’ve ever wished your cluster had a single dashboard that your teammates could actually use, this session with demos will show you how to make Kubernetes not just manageable, but genuinely user-friendly.

I'm sure I don't have to describe the chaos inflicted on the Puppet community when Perforce decided to sequester the source away. Open Source Puppet is no more and many of us have been suddenly thrust into the roles of managing a large group maintaining a large, mature, and very hairy bit of software.

Let's take a no-holds-barred stroll through the story of this last year. I'll share some of the things that worked really well, and a whole lot of things that haven't. We'll talk about some tech challenges that were smaller hills to climb than we thought, and some that turned out to be real bears. I'll talk a bit about the biggest challenge we've faced. (Hint, it's people, time, and communication. It's always people, time and communication.)

In an age where GitOps and Configuration as Code are redefining how we build and operate systems, reproducibility has become essential. Yet, while we often talk about Infrastructure as Code, the developer experience is still too often left behind.

In this talk, we’ll explore how to extend the "... as Code" philosophy to the entire software development lifecycle. From Development Environment as Code, through custom package builds, to full Infrastructure as Code, using the Nix ecosystem as the backbone.

We will walk step by step through the process of evolving a trivial Nix setup into a fully reproducible, modular, and GitOps-friendly workflow:

• Starting from a traditional shell.nix,
• Transitioning to a declarative flake.nix setup,
• Leveraging a flake framework for modular design,
• Defining multiple development shells (for NodeJS, Go, Python, Java, etc.),
• Building wrappers to ensure custom and consistent environment behaviour.
• Building full operating system and deploy them on a real machine or simply testing them in a virtual machine

The session will be highly practical and supported by live demos.

All examples will be based on an open-source tutorial I have started to develop. Attendees will be able to reproduce every step afterwards and apply the same ideas directly in their own environments or workplaces. Designing the repository for educational purposes has been a challenge in itself: each commit is tagged and associated with a dedicated branch, illustrating the evolution of the project step by step. Every new feature or idea comes with its own commit and branch, making it easy to compare changes and understand the reasoning behind each decision. You could even call it "Tutorial as Code": a fully reproducible learning experience where every change tells a story.

By the end of the presentation, you’ll see how Nix enables a seamless continuum from developer laptop to production system, empowering teams to tame complexity, ensure reproducibility, and make their workflows truly "Everything as Code", a real GitOps approach.

Whether you’re a DevOps engineer, software engineer, or curious technologist, this session will provide you with concrete techniques and design patterns to strengthen your GitOps practice and simplify your daily workflow.

Sebastian Stadil is a cofounder of OpenTofu and serves as the program chair for OpenTofu at Kubecon, part of the CNCF and Linux Foundation.

This short talk provides an update on the project, and presents the agenda for the day.

Katello adds a suite of content management tools to Foreman. Content mirroring & distribution, patching, lifecycle management, and access management are all included. This presentation will teach you how to get started with a Katello environment along with the conceptual knowledge necessary to start applying it into your computing environment. Features new to the past few releases, like bootable containers and OCI flatpaks, will be discussed as well.

Amazon Bedrock makes it easy to start building with generative AI, but managing it with Infrastructure as Code is another story.
In this talk I’ll go through what actually works right now when using OpenTofu and the AWS CDK to define a small Bedrock environment.
I’ll show what parts you can manage cleanly, what still needs workarounds, and how both tools can fit together in a simple workflow.
The goal is to give an honest view of where things stand and what you can expect if you try to do this yourself today.

At Config Management Camp 2025 we started the OpenVoxProject.
In the past year we worked on open source successors for Puppet Agent, Server, DB and Bolt.
We secured funding, scaled our CI infrastructure and organized our first own conference in Nürnberg!

Let us make a recap about everything we achived.
Also I want to provide an overview about upcoming topics and possible ways to engage and support the community!

Nix lets us define entire systems as pure functions - deterministic, reproducible, and immutable.
Once evaluated, though, these functions produce fixed values: snapshots in time of the desired state.

Functional Reactive Programming (FRP), as implemented in mgmt, extends this model.
In FRP, instead of yielding a fixed value, functions can return a dynamic signal: a value that evolves over time, responding to other changes in the system.

Reactive Nix explores how these two paradigms meet:
What if Nix's purely functional configurations could describe continuous systems - systems which stay declarative but react automatically as their dependencies change?

Red Hat Lightspeed offers predictive analytics and risk assessment in a hosted environment. To extend this value, an initiative is underway to integrate core capabilities—such as Advisor (proactive risk identification) and Vulnerability (security management for RHEL systems)—into self-managed Foreman (with Katello) environments, leveraging open source collaboration with the Foreman project.

This presentation will detail bringing these capabilities to on-premises users, covering the project's history, open source strategy, high-level architecture, and roadmap. Attendees will understand the initial services' function and integration. The talk aims to foster engagement, gather feedback, and explore contribution opportunities within the Foreman community.

Infrastructure used to be something you learned by breaking things, fixing them, and asking people smarter than you for help.

Today, AI tools promise to skip that part. You can generate configs, debug systems, and write code without ever really understanding what’s going on. It’s fast and efficient, but it also quietly removes the path from junior to senior.

If we replace learning with automation, we won’t just lose jobs; we’ll lose the next generation of people who know how things work. This isn’t only a technical problem. It’s a cultural one.

As a community, we have to decide whether open source remains a space for shared learning and mentorship or just another layer of abstraction we consume.
This talk is a reflection on what we’re giving up in the name of progress and how the open source world might still hold the antidote.

This talk will show you how to finally solve bootstrapping your infrastructure/laptop/coffee machine anywhere.

I will show you how I've solved packaging Ansible into a self-contained, offline-capable installer that can run anywhere, with zero dependencies - no docker or other OCI runtime, no python, just a minimal linux box.

Debugging Kubernetes YAML can be frustrating, especially when wrestling with missing line breaks or maintaining hundreds of lines of curly template brackets. Fortunately, there are alternative approaches to declaring complex infrastructures with more suitable programming languages! In this talk, I’ll present how CDK8s can be used to enhance your Infrastructure as Code organization and share valuable tips we gleaned during our migration journey within the Datadog Alerting team.

Most teams have observability and monitoring strategies to fix problems with their applications in production, but what if the issue is actually earlier in the delivery process?

You might have CI/CD systems to test and deploy your applications, but what happens when your CI/CD tools themselves become the issue?

Without granular visibility into the performance of your pre-production testing and deployment pipelines, organizations often experience development outages due to slow builds or increases in failing or flaky tests.

In this session, Peter Souter will talk about how to fix that, move observability left, and bring observability into your pipelines and test runs. He’ll go through tracking key CI/CD metrics over time, catching those pesky flaky tests, and building out a DORA-based culture to improve your pre-production processes.

The Ansible community lacks official debugging tools. In this session, I’ll present our reference implementation of an Ansible Playbook Debugger that allows you to inspect variables without relying on 'printf' debugging.

This debugger is useful in many scenarios, such as:

Retrieving structured results from tasks

Evaluating Jinja expressions or real variables and facts at runtime

Listing Ansible facts

Checking actual FQCN used when a short name was used in a playbook

In this session, I’ll showcase practical use cases where this tool has proven valuable, including live demos that highlight how it simplifies development, inspects variables, and improves visibility into your playbooks.

Foreman provides framework for host provisioning and lifecycle management, but its integration with different compute resources remains limited. We are working on developing a new Foreman plugin for host provisioning via OpenTofu, enabling administrators to leverage OpenTofu’s extensive provider ecosystem directly within Foreman. The plugin abstracts OpenTofu operations to provision hosts across diverse compute environments while maintaining Foreman’s familiar management interface. Designed with extensibility in mind, it supports easy adaptation for new resource types and providers. The integration brings together Foreman’s orchestration and OpenTofu’s declarative model to simplify and automate provisioning. The talk discusses the plugin’s architecture, implementation details, and use cases demonstrating improved scalability and flexibility in diverse compute and virtualization environments.

This talk will examine some of the challenges I encountered while helping various teams at Red Hat integrate their CI/CD pipelines with Pulp. The solutions to these problems required changes in client tooling, Pulp's REST API, and the Tasking System architecture. As we examine each problem we will take a look at Bash and Python scripts that help upload and organize content that is produced by multiple different build systems at Red Hat. I will also hightlight some of the new features that were inspired by the problems we experienced over the last year.

For years, I was asking myself the wrong question: "Terraform or Ansible?" As if infrastructure provisioning and configuration management were the same problem. Spoiler: they're not, and trying to make one tool do both jobs is why your infrastructure code is a mess. This talk is about the liberation of discovering that OpenTofu (the Terraform fork) excels at infrastructure provisioning while Ansible owns configuration management—and that they work beautifully together when you go with the flow and use each tool for exactly what it was designed for.

In this talk I will go over how I set up my personal infrastructure using Nix. I will cover how I manage my hypervisors and VMs using microvm.nix, how I set up advanced networking (vpn tunnels, bgp, connection to DN42, ...), how I monitor everything and will share tips and tricks I discovered along the way.

Ansible, Terraform, OpenTofu: Choosing between one of these tools becomes a dilemma when teams have to automate their IT environment.

Like many community members, we are also convinced by how these tools work together and their potential to automate and standardize infrastructure.

In this presentation, we'll explore different ways to take infrastructure-as-code to the next level and leverage an end-to-end automation flow.
The presentation will conclude with a live demo showcasing a concrete use case for integrating these tools.

In this talk we will discuss client tools like ansible modules or cli to interact with your repositories managed on a Pulp server. We will focus on the technical aspect of how they are similar and why we build them on a library called pulp_glue.

We all have constraints, like budget, time, and resources. Dealing with them through imperfect choices results in technical debt, while learning and better technology creates opportunities for optimizations and refactors.

How can we practice dealing with these things before they cause us significant issues ?

Factory‑sim games (like Factorio, Satisfactory, and many others) might drop us on an alien world with a pickaxe and a deadline: survive long enough to research technology and build supply chains to launch stuff in space.

• Starting from scratch, we'll need to learn what tools and architecture are available to us.
• At first we'll craft things manually like we would with a CLI but that doesn't scale.
• Soon, we start automating with machines (like scripts) and eventually we automate the automators, Ansible or Terraform style.
• Then, entire factories can be packaged with clear inputs and outputs just like containerized applications.
• Before long, these factories are connected by networks of conveyor belts, drones and trains like supply chains in the middle of pipelines.
• We'll need to troubleshoot issues and identify bottlenecks with the help of observability and alerting, too.
• We might even need to defend ourselves and set up security.

Sound familiar ?

These games mirror the skills we need as engineers. In this talk, we'll explore some of these games, in order to show how they provide a fun and safe place to improve our skills in designing & building scalable systems.

Kubernetes is the de-facto container orchestration system. However debugging Kubernetes in production environment, is not straightfoward. That’s where the power of eBPF and Inspektor Gadget comes in, which allows to do real time, in-cluster debugging to find out root cause of an issue.

Inspektor Gadget leverages eBPF to instrument the Linux kernel dynamically, exposing valuable insights about what’s really happening inside Kubernetes cluster — all in real time and without requiring to install any sort of agent. In this talk, we will explore how we can use different gadgets from the Inspektor Gadget toolkit to find out things like:

TCP connections made by a pod

DNS requests

syscalls

traceloop - a flight recorder for syscalls
and others

This will be a practical talk, starting with an introduction of eBPF and going into the Inspektor Gadget suite. We will see different gadgets in action, and at the end, audience will be able to understand how to make their lives easier by using Inspektor Gadget to debug when there is a difficult problem. We will also learn how to capture the output in a much more user friendly manner, for parsing them later.

At noris network, a German IT service provider, we have a long history of using OpenSource Puppet (or now OpenVox) for configuration management of Linux servers which we operate for our customers. From time to time, we set up dedicated Puppet setups for individual customers with special security requirements. While these customers usually have a mix of Linux and Windows servers, we initially used Puppet only on the Linux servers and managed Windows servers in different ways. About 4 years ago, we started to use Puppet on Windows servers as well. Our goal was to harmonize configuration and operating processes of both operating systems.

This talk is about our experiences with puppet in a mixed Linux/Windows environment, both from the technical and the organizational perspective.
The technical part include e.g. the structure of git repos, our hiera data tree, and module selection. The organizational aspect is the cooperation of Linux engineers with a deep puppet knowledge and Windows engineers new to puppet.

What works well for us? What did not?

Managing advanced Hiera data can be tough. Nevertheless, I will share two additional techniques for even more headaches:
- Use dynamic hierarchy paths with scoped Puppet variables to streamline services
- Incorporate Puppet functions in Hiera lookups for powerful data retrieval.

See (im)practical hacks that can simplify complex OpenVox configurations and make your automation more fun!

Ansible has become indispensable for modern configuration management. Once you start writing Ansible code, the first thing that you should do is to put it under version control. From there, a whole new world of automation possibilities through CI/CD pipelines opens up.

In this session, we will explore how to leverage CI/CD pipelines to supercharge your Ansible repositories. Using GitLab CI/CD as the primary example, we will walk through several real-life scenarios, each illustrated with a live demo. We will start with the simple yet impactful step of adding automatic linting. We will then move on to more advanced use cases such as automatically building collections and execution environments, generating CHANGELOGs with antsibull-changelog, and performing automated testing with Molecule.

Whether you are just starting with Ansible or already managing complex automation frameworks, this talk will offer practical examples and ideas to take your Ansible code management to the next level.

Infrastructure-as-code runs are black boxes. When a deployment takes 20 minutes, operators have no visibility into what's actually slow: provider API calls,s tate operations, network latency, or something else entirely. Traditional logs show what happened, but not why it's slow.

This talk demonstrates how OpenTofu integrated native OpenTelemetry support to expose infrastructure deployment internals through distributed tracing. The speaker walks through real-world debugging scenarios where OTel traces revealed hidden bottlenecks such as slow provider downloads, inefficient state operations, and API throttling, previously all things that may be invisible in traditional logs.

Jinja's tricky. Few things can so quickly evoke chutzpah, fear, and regret in the soul of a playbook author; often all at once! Join Ansible Core architect nitzmahone for a light-hearted exploration of some Jinja anti-patterns, and a dive into powerful new Jinja features enabled in recent Ansible Core releases. Learn to confidently embed handlebars in your automation without going "over the handlebars".

Modern infrastructure teams manage CI/CD pipelines across diverse tools but lack standardized observability, creating blind spots in deployment workflows.

This talk demonstrates event-driven observability using CDEvents, a vendor-neutral specification for continuous delivery events. See real deployment data visualized in Grafana: deployment frequency, promotion delays between environments, and pipeline duration trends—collected from GitHub Actions, artifact registries, and ArgoCD.

Learn the open source architecture (CDviz collector + PostgreSQL/TimescaleDB + Grafana), incremental adoption path, and how standardized events enable future automation—providing pipeline observability without vendor lock-in.

An introduction session into the Foreman project - one tool to manage the whole lifecycle of your servers fleet from a web-based UI.

When onboarding a new enterprise client to the world of DevOps and Kubernetes, it’s tempting to deploy the usual, dominant tools. However, we introduced a twist: we strategically sought, tested, and implemented robust open-source alternatives.

This presentation chronicles our journey to build a highly available, production-ready environment without relying on the most common software defaults. We will detail the how—creating a foundation using tools like Podman instead of Docker, Gitea instead of GitLab, and implementing PostgreSQL with Timescale for critical, high-volume tasks.

Crucially, we explore the why. Why challenge the status quo? What are the true technical benefits, security gains, and cost advantages of these non-standard yet powerful combinations? Learn how we achieved reliability and enterprise-level functionality while avoiding "caviar" solutions, providing valuable lessons for any team looking to customize their technology stack.

Operations and DevOps teams – both human and agent-based – struggle to keep a coherent view of their infrastructure. Infrastructure as Code repositories, configuration management tools, orchestrators and monitoring systems often drift apart from each other and from reality. Knowledge about “what is running where and why” is fragmented across people, services and tools, especially in fast-moving hybrid setups spanning on-premise and multiple clouds.

In this talk we present Foliage, an open-source project that helps to build a distributed, graph-based “digital twin of infrastructure”. The system aggregates facts from cloud and on-prem sources, enriches them with human and automated knowledge, and formalizes the relationships between them in a loosely-coupled set of models that continuously update themselves from events in your infrastructure.

Instead of a single monolithic model, we work with many small, loosely coupled graphs that can evolve independently, be owned by different teams and shared or reused across domains. These models can be sliced into task-specific views – from incident investigation and drift detection to change-impact analysis and migration planning. We will show real-world examples from production and a live demo of how such models look and behave.

The talk targets operations and DevOps engineers, SREs, platform and tooling architects who are interested in building flexible, extensible and transparent knowledge systems around the infrastructure they manage:

– collecting facts from cloud and on-prem sources;

– building distributed graph models on top of configuration and runtime data;

– creating domain- and task-specific “slices” of the model to support day-to-day operations and automation;

– sharing knowledge, practices, and policies via exchangeable fragments of the knowledge graph.

This talk introduces how Nix-based tools (nix-shell, devenv, and flox) can create reproducible, portable, and team-friendly C++ development environments. Through practical examples, we’ll see how each of these tools work and help eliminate “It Works On My Machine” problems.

Bootable container images and image mode machines form a new concept that the Enterprise Linux world is still deciding how to use. Katello, the content management plugin to Foreman, has already begun making decisions about how systems administrators would like to manage image mode machines. Come to this talk to learn about bootable container images, learn how Katello can help keep your image mode machines up to date, and to discuss how the future of image mode machine management should look.

There is a list conceptual differences between Salt and Ansible, but we want to provide some solutions to build a bridge between these two distinct worlds.

Recent months have seen several supply chain attacks, such as the tj-actions incident. Is your CI/CD pipeline prepared to defend against them?

Pipelines have privileged access to your code, infrastructure, and secrets, making them a critical component of any modern software development lifecycle (SDLC).

In this talk, we will show practical strategies to secure your pipeline, covering both common vulnerabilities and lesser-known attack vectors. We will go beyond basic recommendations like pinning actions by SHA, and explore how misconfigured repositories can lead to remote code execution (RCE) simply by opening a pull request.

Attendees will leave with actionable steps and a deeper understanding of how to fortify their pipelines against real-world threats.

How do you take the best of cloud-native beyond the data center, to empower farmers in the field?

Aurea Imaging powers precision agriculture by running AI inference directly on devices mounted on tractors. Using onboard sensors, cameras, and GPUs, these devices analyze trees in real time to optimize spraying and reduce waste. But getting cloud-native workloads to run reliably on the far edge, in environments that are often air-gapped, disconnected, and physically demanding, requires more than just containerizing code.

Together with the CNCF Sandbox project Kairos, Aurea Imaging built a production platform where devices boot from container images: an immutable, reproducible system running K3s and managing its lifecycle “as code.” This approach replaces traditional embedded provisioning with declarative configuration, image-based deployment, and seamless OTA updates, bringing the power of cloud-native and AI beyond the data center.

Come listen of a panel of OpenTofu maintainers talk about their experience running the project and collaborating with the community.

50% of the panel time will be dedicated to answering questions from the community, gathering feedback, and perhaps even sharing fun anecdotes from the journey.

When every dev team rolls out their own infrastructure dependencies you know what is coming: chaos. In one of my recent projects I ended up with hundreds of Terraform solutions, sometimes even split across different teams working on the same app. It worked, but it was not pretty.

That is when I gave the teams some ASO powers. With the Azure Service Operator they could deploy their application dependencies in the same way they already deploy their containers. Suddenly things looked a lot cleaner, more consistent and easier to manage.

In this session I will share what that looked like in practice, the lessons learned, the benefits and of course a demo. You will walk away with concrete ideas on how to cut down Terraform sprawl, make life easier for your developers and bring some order back into your deployments.

This talk demonstrates how to deploy SUSE Linux Enterprise Server 16 (SLES16) hosts using Foreman, streamlining provisioning and configuration processes. With SLES16 replacing YaST with Agama, additional adjustments are required for host provisioning in Foreman. The session also highlights the integration with the SUSE Customer Center (SCC) for seamless access to official SLES repositories.

At BCIX we have moved from writing switch configurations by hand to a mostly automated process centered around NetBox.

Previously, the information required for the network switch configurations has been scattered across different tools and locations:
- IXP Manager (an open-source management platform designed to facilitate the operations and administration of Internet Exchange Points (IXPs) developed by INEX)
- NetBox
- existing device configurations.

This over time created inconsistencies. To solve this issue, we have come up with a four step plan:
- Collecting Data in NetBox using ansible
- Generating the configs with jinja2-templates
- Compare and validate actual vs intended configurations
- Deployment of the configs on the switches

This improved consistency across IXP Manager, NetBox and the switch configurations. Additionally this has enabled us to leverage NetBox for further automation tasks like preparing, announcing and doing Maintenances on the BCIX Peering Platform more efficiently.

How do you transform dozens of ansible network collections into predictable, “always-green” releases? We will share how the Ansible Networking team standardizes structure, testing, and release hygiene across collections, so users get fewer surprises and faster fixes. We will cover our CI gates (sanity/unit/integration), Galaxy readiness checks, branch strategy, and what “Done” means before publishing.

Modern Puppet module development requires more than just local Vagrant tests. In this talk, we’ll explore Beaker providers like beaker-kubevirt and beaker-google, and show how they make it possible to test modules in Kubernetes and cloud environments. We’ll also demonstrate how to integrate Beaker tests into CI pipelines using GitLab CI and GitHub Actions, making acceptance testing easier and more reliable.

Open Source is essential for most IT orgs.

Whether you run native applications or containers, there is always open source underneath.

Open Source is developed in public by people who are interested and engaged.

Companies take open source, change colors and sell this as a product. The larger the company, the higher the price.

Why should a community not participate as business and get their value?

Have we just reached the limits of shifting left? are we now limited by "Devs doing Ops? After the emergence of SRE we are now in the age of Platform engineering. Platform engineering massively improves the developer experience which in and of it self enables teams to do exactly what needed to be done to get features in front of users instead of being bogged down things that have no unique selling point for their platform or product. This general doesnt work well with how we traditionally use roles and profiles, this talk explains, based on real world experience, how you can build reusable roles and profiles that will fit right in in a platform engineering world

Managing infrastructure-related repositories can be repetitive and error-prone—keeping dependencies, configurations, and manifests up-to-date is a constant challenge. Updatecli offers a practical, declarative approach to automate these updates, making infrastructure maintenance safer, faster, and more predictable.

In this session, I’ll demonstrate how to use Updatecli in real-world scenarios:

Detecting and updating dependencies across multiple repositories.

Writing declarative update rules that are safe and repeatable.

Integrating Updatecli into CI/CD pipelines to automate maintenance.

Through a live demo, attendees will see how to turn tedious manual updates into automated workflows. You’ll leave with actionable knowledge to keep your infrastructure repositories current, compliant, and easier to manage—without adding complexity.

Antsibull-nox is a extension for nox that makes it easy to run various tests and other testing tools for Ansible collections. In this talk, I want to present some background on why I created antsibull-nox, why I chose nox (instead of, say, tox), and demonstrate on how you can use antsibull-nox to test your Ansible collections.

Curious about what is new in Pulp Python? This talk highlights recent features with a focus on their practical application.

Over the last year I've been working on migrating Fedora's aging Nagios & Collectd stack to Zabbix, using Ansible to deliver the full Zabbix config - no UI-side config needed.

In this talk, we'll explore:
- Why we moved to Zabbix over other tools
- The perils of a separate monitoring role, and how to instead put your application monitoring in your application roles
- The tech debt of figuring out how & why checks exist in your old stack... is "this one" even needed any more?
- The people side of tech debt work - practicalities for helping the people around you to get on board when "the current thing still works, doesn't it?"

It's been an interesting journey getting this project over the line, and while there might not be any shiny new technologies to come from it, I think there are lessons worth sharing. We all have tech debt, after all.

Social event across the street

Opening Day 2

Configuration management has long struggled to reconcile the stability of static definitions with the agility of dynamic environments. This traditional separation has led to fragmented tools, complex workflows, and costly outages.

Challenging the common view of configuration as a purely static entity, we will demonstrate how to seamlessly integrate static schemas and versioned configurations with the demands of dynamic components, such as policy enforcement, monitoring, and ephemeral configuration using CUE's logic-based approach to configuration. We show by means of real-life examples that this approach goes beyond mere templating, enabling the slicing and dicing of configuration from different sources and formats to enable cross-cutting functionality that adapts to evolving conditions.

The first two decades of the 21st Century were a Gilded Age for open source, and the tech industry, with all that implies. That age is over, and open source is now entering a new era; the available resources for open source development are declining, with corporate layoffs, shifting priorities, the adoption of source-available licensing, and developer burnout all taking a toll.

What comes now is uncertain; open source is here to stay, but in what form?

The last two years have seen a shift in cloud computing: Each and every cloud platform either is sovereign
or at least has a sovereign option or product. The term Sovereign Cloud has lost its meaning. Just like green washing one can speak of sovereign washing. However there are relevant values, attributes and characteristics to the field of digital sovereign cloud computing and this talk covers the work of the Sovereign Cloud Stack project in this area.

In the course of their module stewardship over community Puppet code and tooling, the Vox Pupuli organzation maintains a sprawling ecosystem of Puppet modules with lint, spec, and acceptance tests across many OS/version matrices. This Ignite shows how they turned noisy CI into signal by wiring GitHub Actions to Datadog CI Visibility - surfacing flaky tests, speeding triage, and tracing bottlenecks. We’ll share the dashboards, alerts, and tags that keep regressions at bay- and how to reuse the pattern in your repos.

Are you interested in starting a company? A year ago, a friend and I got a wild hair and did just that. We took no VC, committed to Open Source and sticking it to the man. A year in, things are developing much slower than I’d wanted but we’re doing all right. We’re signing some decent contracts and have made our first few hires.

I’d like to tell you a few quick stories and maybe help you work up the nerve to jump in the pool too.

Ever shipped a "simple fix" at 4 PM on Friday that took down production? Felt like a genius after making Kubernetes work, only to realize six months later you understood nothing? Welcome to the beautiful, chaotic feedback loop of technology work. This talk explores how our brains betray us in the most predictable ways. You'll discover why dopamine hits from solving problems make us addicted to complexity, how the Dunning-Kruger effect means we're most confident when we know the least, and why the tech industry's rapid change keeps us perpetually cycling through peaks of "I've got this!" and valleys of "I know nothing."

An introduction why we need clean code and how we achieve it.

We love to do Agile and have DevOps and implement tools and frameworks and processes, but are we really any better off than we were fifteen or more years ago? What is the basis for how we go forward as engineers?

As one of the big events on the Ansible Community calendar, CfgMgmtCamp is an opportunity to get together and review how we're doing as a community.

This talk is aimed at anyone with an interest in Ansible, as all voices are welcome in the discussion of how to shape the community in the coming year.

Compliance as Code shouldn’t stop at a single operating system. With Compliance Engine, we’ve expanded support beyond the traditional RHEL family to include Windows systems, and we’re working toward Ubuntu/Debian as well. This talk will explore the challenges and lessons learned while bringing compliance data and enforcement to multiple platforms. We’ll discuss differences in compliance frameworks, strategies for testing and verification, and how to keep compliance data consistent and reusable across diverse environments.

OpenAPI is an open manufacturer-independent standard for defining HTTP APIs. The Swagger suite offers tools for easily API definitions and generating server and client code easily. In addition to this, Ansible offers ways to simplify scaffolding Ansible plugins - e.g. using ansible.content_builder with OpenAPI support.

This sounds promising in theory, but how hard is it to actually create Ansible plugins for the third-party applications? Join us as we take a closer look during the session.

s observability systems grow more complex, the cognitive load on users increases quite fast. This talk presents an approach that could be game-changer in the future: using AI assistants as intelligent interfaces to your observability stack. By implementing and using MCP (Model Context Protocol) servers, we can transform how observability users interact with metrics, logs, and traces. You will see how teams can query their stack in plain English and use natural language to explore data, debug issues, and even work with configurations.
The session covers both theoretical foundations and practical implementation. It demonstrates how you can integrate AI assistants directly into your day-to-day workflows and provides a comprehensive walkthrough of:
- MCP architecture and how it enables LLMs (Large Language Models) to execute observability tasks
- Setting up and configuring MCP servers (demonstrated with VictoriaMetrics) and integration with popular AI assistants
- Current and planned features of VictoriaMetrics MCP Server
- Real-world use cases: data exploring, query explanation, working with alerting rules, cardinality analysis, intelligent debugging, obtaining context-rich answer for your questions, etc
- Various tips on how to make AI assistants work better with the observability stack
Whether you're an SRE looking to reduce toil, a platform engineer seeking to democratize monitoring access, or a leader evaluating AI's role in operations, this talk provides practical insights and tools for possible transformation of your observability practice.
This approach doesn't replace monitoring expertise at the moment — it amplifies it, making expert knowledge accessible to entire teams, giving you a powerful teammate in the form of AI assistant.

Learn how 3 nerds help keep the Netherlands secure and accessible using Nix and NixOS.

Rudder is an open source solution for managing system security and configuration, with a strong focus on continuous checks and compliance.

With its GUI, it makes it easier for users to define security configurations and get feedback. Its API allows integration with most softwares that interact with your infrastructure.

This talk will present Rudder and its use cases, then focus on the new version, Rudder 9.0, and conclude with a demo of configuring and hardening new instances on AWS

Ansible has long been a cornerstone of configuration management in the Foreman ecosystem.
While the existing integration offers robust capabilities, users have expressed desire for DevOps workflows.

In this talk, we will introduce a reimagined Ansible integration, designed to address these needs.
This new approach brings advanced features, such as

• version control integration,
• isolated execution environments and
• lifecycle management.

For Foreman users and developers alike, this talk gives an overview of "foreman_ansible_director", ATIX's new Ansible integration for Foreman.
This overview consists of our design decisions, lessons learned during development, a look ahead and a live demo!

Automation management tools focus on enforcement, pushing desired state
to systems. But we see growing needs for configuration auditing, especially for security reasons, which do not fit this workflow. It requires the ability to fetch real values and check them with a wide range of criteria.
This talk presents a tool designed specifically for configuration files auditing. It is based on Augeas, leveraging its powerful parsing capabilities and lens-based architecture, and extends it with dedicated auditing keywords, such as regex matching, numerical comparisons, allowed-value lists, and more. Output is designed to provide useful context, using compiler-like messages, diffs outputs, etc. The tool stays capable of doing remediation.
We' will demonstrate configuration files checks in the context of several security benchmarks, showing how this approach bridges the gap dedicated audit scripts and automation tooling.

LLMs can write Ansible roles and playbooks as well as plugins and modules to a relative degree of competency with commodity hardware that you can run offline, at home, with less privacy and security concerns.

They certainly understand what Ansible is, how it works and they can write YAML, Jinja or Python.

What about troubleshooting an issue with an Ansible playbook ?
You could provide it with a log file or copy & paste the results of your ansible-playbook command.
Maybe it could point you in the right direction... or hallucinate. Who knows ? ¯\(ツ)/¯

ARA Records Ansible playbook results to a database and provides an API to query the results.
What if we gave a LLM programmatic access to that API using Model Context Protocol (MCP) ?
It would allow the model to include context like host facts, playbook files and detailed task results, amongst other things.

The author experimented with it (for science) and the results are interesting.

Join us to learn about the experiment, how it works and how it might be useful in a number of ways.

The demand for more control over corporate IT assets grow significantly in the last 2 years. The project EU OS proposes a concept based on open source to setup and control a corporate Linux laptop fleet in the public (and private) sector.

In this talk, we present the problem EU OS attempts to solve, the proposed solution based on bootc clients managed by foreman, report on on-going proof of concepts and present our wish list to cover missing features. For this, we leverage foreman for provisioning of EU OS, imagemode patching, artefact store for both the OS and for corporate flatpaks, and enrolment in FreeIPA for user management.

Your code is released with a free license, but your project runs on proprietary platforms like Slack, GitHub, Notion, or Zoom. Does it matter? In this talk, I will show how relying on non-free tools contradicts open source values, excludes contributors, locks your community into corporate ecosystems, and drives away idealistic contributors who care deeply about freedom. We’ll also tackle common justifications, like convenience or popularity, and show how they often mask deeper trade-offs.

Modern times allow extraordinary things, like writing from scratch modern web interfaces to hosts management tools without knowing how to code.
Pabawi is a Web Interface to Puppet, Ansible, Bolt and potentially any infrastructure management tool. It's mostly written by Claude Sonnet, via Kiro, where the human, Alessandro Franceschi, keeps on asking, testing and asking again.

The presentation is both about Pabawi usage and features, and about the AI tools used in the process, with the inevitable lessons learned and things that proved to be useful.

IHEPCC is the Computing Center of the Institute of High Energy Physics, Chinese Academy of Sciences. We have been using Foreman and Puppet to manage our high-energy physics computing platform since 2013, currently managing over 4000 nodes and multiple data centers. In this report, I will introduce how we use Foreman and Puppet, and the corresponding development we have done for our local computing environment. I also hope to share and learn from other experts in this area.

The OpenTelemetry framework has, next to log and metrics, signals for application tracing information. The ecosystem is geared towards webapplications, but is not exclusive to it. In this talk, I'll discuss how we added basic tracing support to PowerDNS, how we pass trace info to downstream servers via DNS, and what this looks like in Jeager. We did this without using the existing OpenTelemetry C++ SDK, so strap in for some code and protocol hijinks and get more familiar with OpenTelemetry Tracing in the process.

In network automation, reliable backups are critical but often overlooked. This session explores how to design a consistent, vendor-neutral backup and restore workflow using Ansible.
Backups that “usually work” aren’t good enough. This talk presents a battle-tested, backup/restore workflow for Cisco IOS/IOS-XR/NX-OS using Ansible and Validated Content. We’ll show how to pick the right transfer method (SCP/SFTP/TFTP), enable and secure internal file servers, and make tasks idempotent across vendors. We’ll also cover selecting device-native paths (bootflash:/, disk0:, /misc/config) to avoid path pitfalls.
We will also go through a lightweight, offline rules + ML approach that scores the severity of configuration diffs (e.g., VLAN/ACL/BGP/interface changes) to prioritize reviews and automate safe rollbacks. Live demos include copying configs, verifying hashes, ranking diff severity, and controlled restores.

SysInspect began life as an ADAS integrity observer in automotive systems. Over time, it morphed into a full-blown configuration & anomaly monitoring framework. Now it’s pushing into the embedded & IoT domain, where the usual CM tools usually don’t dare to. In this talk I’ll show how SysInspect handles anomaly detection, integrity in very constrained devices, and scales seamlessly up to full clusters.

CNCF Landscape is continuously evolving as more new projects are emerging either in the category of cloud-native, CI-CD, container runtime, or more.

The main source of these projects is the Open Source contributors that help to drive these projects from Sandbox to the Graduate ones by providing valuable feedback, identifying bugs and addressing real-world use cases.

However, there are times when you need to find the right Open Source tools and get help from the Community to get the best results for your project.

In this talk, you will get an understanding about the the Grafana Open Source Eco-system and how it is helping the CNCF Community/Projects. This will be a beginner-level talk, but everyone is welcome to join no matter how much experience you might have.

How to migrate your Puppet [Enterprise] CA to OpenVox server. Just a short step by step guide on how to migrate.

Integrating Red Hat Lightspeed Compliance into Foreman

Day One operations focus on initial deployment, provisioning resources, and achieving operational state. Day Two operations encompass ongoing lifecycle management: updates, drift correction, decommissioning, and sustained operational health.
The evolution from Puppet and Chef to Ansible, Terraform, Pulumi, and platforms like Crossplane represents decades of innovation in infrastructure automation. Each generation has advanced deployment capabilities, yet consistent patterns emerge in post-deployment operational challenges.
This talk explores the intricate transition from deployment to sustained operations, a journey marked by recurring themes in the evolution of configuration management. We'll dissect how different approaches handle this transition, exploring operational challenges across infrastructure layers from bare metal through hypervisors to cloud platforms.
Through comprehensive historical analysis, we'll delve into questions such as: Why do similar operational challenges persist across different generations of tooling? How do state management approaches compare to distributed coordination systems? What can we learn from examining infrastructure as dynamic systems rather than static code?
Additionally, we'll explore the relationship between infrastructure automation tools and observability platforms, investigating how the separation between these domains affects operational visibility and decision-making during Day Two operations.
You'll gain insights into approaches to infrastructure management that address the complete operational lifecycle, leaving you prepared to tackle the challenges ahead.

There are several Ansible Style Guides and I would like to present a different one based on existing ones with certain guidelines added and changed

It covers topics such as list of dictionaries as recommended structure for "more complex" variable, usage of set_fact, etc.

Ever scaled your database to handle more users, only to find the WAF's old rate-limiting rules are now blocking legitimate traffic?

This is one of examples of the classic configuration drift problem. Maintaining a coherent configuration of the many components the modern systems are composed of is a challenging task.
Evolving this configuration to match the constantly changing world is even tougher.

This talk introduces "Expectations Driven Deployments" (EDD), a practical engineering approach influenced by Test Driven Development. EDD suggests encoding our expectations about the system behavior with the goal of driving infrastructure, application, and observability configuration then refining these expectations using the data obtained from the live system.

Implementation examples we'll consider in the talk are based on CUE language which gives powerful means to achieve sustainable composition of a complex system.

The Ansible community team at Red Hat work to dismantle closed infrastructure and open up workloads and processes to community contributors.

Join me to hear how we moved from locked-down Jenkins jobs to transparent, community-managed GitHub workflows. I'll share how we navigated the technical challenges of migrating a truly chonky Sphinx build process, preserved a decade of SEO authority, and scored some major quality improvements by providing contributor access.

It all started at an Ansible contributor summit at CfgMgmtCamp 2023 too! So please join me as I share what we learned about infrastructure, trust, and some unexpected ways investment in OSS can unlock community potential.

With the unexpected proliferation of Puppet implementations, you may be wondering how to test your modules effectively. Interestingly, this isn't a new problem. It's a somewhat known secret that even the Supported modules on the Puppet Forge weren't ever tested against Puppet Enterprise, but like Bruno we don't talk about that. Because it didn't really matter, except -- well, when it did.

That was bad enough, but now we've splintered into four separate implementations built by two wildly different groups with very different priorities. We have the legacy Open Source Puppet that's still in broad use, there's the new proprietary Puppet Core which requires a EULA and a license key to download, there's Puppet Enterprise which used to be built on OSP but will be based on Puppet Core going forward. And now we have the truly Open Source OpenVox implementation built by your friends at Vox Pupuli. They're diverging as we speak.

This talk will go over topics such as
- why it's difficult for community module authors to test their code against Puppet Core.
- why it's (was) effectively impossible to test modules against multiple implementations.
- the legal thorniness preventing Vox Pupuli from signing the EULA.
- the rough spot the ecosystem has been forced into in which paid customers were being forced into using effectively untested modules.

Many of my customers are current or former Puppet customers and they're methodically migrating from legacy OSP to OpenVox so they can keep up with security patches, project evolution, and new features. But module and gem test suites have always been written with the assumption that they only had to test against legacy OSP. Some can be tricked into running against OpenVox, but being able to test against both at the same time? Not a chance.

My customers cannot and will not accept an ecosystem with untested code, and you probably don't want to either. But you still need a way to continue testing on legacy OSP until your migration to OpenVox is complete.

We have been hard at work building a pipeline that makes this possible, with very little upstream modification. Come see how it works.

In cloud-native environments, understanding the behavior of distributed applications requires complete observability across metrics, logs, and traces. OpenTelemetry has become the standard for data collection, but it still depends on a backend capable of handling all three signals efficiently.
VictoriaMetrics, fully compatible with the Prometheus ecosystem, was designed to ingest and query large volumes of metrics with recognized performance and efficiency. Today, it extends these capabilities to logs and traces, enabling teams to centralize observability in a single open source system.
This session builds on the OpenTelemetry demo to show how signals are collected, stored, and correlated in VictoriaMetrics, then explored in Grafana. Attendees will see how this approach reduces operational complexity and provides a cloud-native, scalable observability stack without reliance on proprietary solutions.

Foreman is a powerful - and complex - piece of software, especially if you want to use its Metal-as-a-Service functionality, or just simply provision bare metal on it.
What if we could strip it down to just a Rails service, without losing any of that functionality?

Many monitoring solutions exist for tracking numbers and percentages which change, trends, outliers, spikes, and so on. However, what about things that don't change, or rather, shouldn't change? There are many examples of these relevant for security teams to know about. And since you don't expect them to change, any change is noteworthy.

Crowdsec is something like fail2ban but across multiple hosts/clusters. Mitigation of the attacks can be done by for example in web server module, firewalls or custom components (formerly called bouncers). This is a story how to use a Mikrotik router as mitigation tool for Crowdsec using opensource project I forked few weeks ago.

While JavaScript has long been the backbone of the Foreman frontend, both for plugins and core alike, I decided to shake things up for foreman_ansible_director.
A year and over 9,000 lines of TypeScript code later, I'm here to share what I learned.

This talk will explore:

• The surprisingly smooth integration of TypeScript into an existing JavaScript ecosystem
• The real benefits of type safety
• Interoperability with existing code
• What this implies for packaging

This talk isn’t just about TypeScript - it’s a story of how type safety can reduce errors, make life easier for developers, and improve maintainability of the codebase.

Over the past year, we’ve migrated dozens of Puppet modules to OpenVox. This talk focuses on the technical aspects of migration from tooling and automation to testing strategies, providing a roadmap for others facing the same challenges.

Nervous about upgrading to Ansible Core 2.19? Learn how the revamped template engine and error handling in Ansible's latest release will make your life easier from a self-proclaimed Ansible lover.

Infrastructure as Code (IaC) describes standardized infrastructure using code - versionable, reproducible, and automated. But as environments become larger and more diverse, teams must develop and maintain more different API integrations to connect tools, platforms, and processes.
The result: a complex interface landscape of (proprietary) interfaces, small-scale workarounds, and selective bridges that are not only prone to errors but also difficult to scale.
The Model Context Protocol (MCP) offers a different approach here: instead of building a separate API solution for each tool connection, MCP creates a uniform, standardized format for context information. The extension by MCP Server represents the next logical step, in which they become the linchpin for keeping models, metadata, and infrastructure knowledge accessible independently of specific tools. They store the required context centrally, version it, and make it available organization-wide - as a “single source of truth” for infrastructure knowledge.

This talk will present the concept and possibilities and discuss the advantages and disadvantages of MCP. It will also touch on the cultural and technical implications of such a new standard.

OpenVox server runs on top of the Java Virtual Machine (JVM). JVM ist just the interpreter, but the languages used are Clojure and Ruby. Once upon a time this architecture was choosen for performance reasons. OpenVox server is hard to bundle, it uses its own package manager (ezbake) and service supervision (read systemd clone aka trapperkeeper). The JVM in production use is hard to deal with, there are constraints on memory, caching, and scaling.
Can we ditch the JVM (and Clojure)?
Yes, but...
... these are all the tradeoffs you need to know:

• ruby implementations
• ruby concurrency
• performance
• architecture workarounds

Secrets are everywhere in modern infrastructure - API keys, credentials, tokens, certificates - but what exactly qualifies as a "secret"? What are static or dynamic secrets?

Ansible content developers lose hours each day to context switching, which kills productivity and increases the risk of human errors.

We've integrated an AI-powered Model Context Protocol (MCP) server directly into the Ansible VS Code extension to address this problem. The result is a single, unified development experience that goes beyond an ordinary AI code assistant. Adding MCP server capabilities to the Ansible VS Code extension gives you an intelligent development environment that allows you to work within the context of all your existing Ansible content, including playbook, roles, and inventories. As a result, teams can reduce fragmentation in their workflows to gain productivity and standardise and accelerate Ansible content development.

You know the AWS Cloud Development Kit (CDK) lets you define infrastructure as code using programming languages like TypeScript and Python, but what if you could do much more than that?
In this talk, we will see code: from CDK Constructs, Blueprints, and Aspects to fine-grained assertions. Then, we will explore the powerful combination of CDK and LocalStack, showing how simulating AWS environments locally or in CI can help you level up your infrastructure.

Ansible Contributor Summit is a full day working session for community users and contributors to interact with each another along with Ansible development teams. We will discuss important issues facing the Ansible community with a goal to shape the future of Ansible in a way that improves and increases collaboration.

It's 2am. Deployments are failing. Your team scrambles between ArgoCD, Kubernetes dashboards, and Git history trying to correlate what changed. What if an AI assistant could traverse these tools for you, not just suggesting commands, but actually executing investigations with your approval?

This hands-on workshop teaches you to build AI-assisted operational workflows using Agents supported by MCPs. We're going to create a multi-agent setup that leverages several MCPs (Kubernetes, ArgoCD, GitHub, Pulumi) to autonomously work on classical DevOps and SRE tasks while having a human in the loop for full enterprise compatibility.

What You'll Build

Participants will construct a working multi-agent system where:
- Specialized agents handle different operational domains (infrastructure, application delivery, source control)
- Agents autonomously detect configuration drift across Kubernetes namespaces
- Cross-agent coordination correlates ArgoCD sync failures with infrastructure changes in Pulumi
- GitHub integration queries recent commits and proposes remediation PRs
- Human approval gates maintain control over critical operations

Session 1: Getting Started & Discovery (60 min)

Intro (10 min)
- Workshop goals and environment setup
- Install SI: curl -fsSL systeminit.com/install | bash

Hands-On: Building Your Digital Twin (50 min)
- Connect SI to a sample cloud environment
- Import existing infrastructure resources
- Explore the visual map of resources, relationships, and dependencies
- Exercise: Use AI to analyze and document what's actually running
- Discussion: Compare discovered state vs. expected state

Session 2: Troubleshooting & Remediation (45 min)

Hands-On: Fix It in Simulation (45 min)
- Introduce a broken service scenario
- Walk through issue identification with SI
- Pull in relevant resources automatically
- Propose and review fixes in simulation mode
- Exercise: Approve and apply the fix
- Debrief: How this changes incident response workflows

Break (15 min)

Session 3: Repeatable Infrastructure with Dynamic Templates (60 min)

Hands-On: From Working to Replicated (60 min)
- Take a working infrastructure setup
- Create a dynamic template from it
- Exercise 1: Deploy to a new region
- Exercise 2: Promote from dev to prod with parameter changes
- Demonstrate importing a new service without breaking automation
- Discussion: Template strategies for HA, DR, and multi-environment

Session 4: Policy Enforcement (45 min)

Hands-On: Three Layers of Policy (45 min)

• Layer 1 - Cloud Provider Policies (10 min)

• Configure AWS SCPs/RCPs to block non-compliant resources

• Layer 2 - Component Qualifications (15 min)

• Exercise: Set standards (encryption, instance types, backups)

• Trigger and review qualification flags

• Layer 3 - AI-Driven Compliance (20 min)

• Write a compliance control in plain English
• Run evaluation against infrastructure
• Review compliance report (SOC 2 / HIPAA / PCI-DSS example)

Wrap-Up & Q&A (15 min)

• Recap of workflows covered
• Resources for continued learning
• Open Q&A

Materials Needed:
- Laptop with terminal access
- Cloud account credentials (sandbox provided or bring your own)
- Pre-configured sample environments for each exercise

Curious about DevOps? Learn the Infrastructure-as-Code (IaC) part of DevOps with OpenTofu. In this workshop you will provision cloud resources and deploy a simple web app on them. Using Terragrunt you will then replicate the same infrastructure in different environments.

No experience? No problem! We'll start from zero.

To get the most out of this hands-on workshop it would be best if you have access to an AWS account to play with. However, for most parts it's not strictly necessary.

Infrastructure-as-code is a large landscape. Talks typically focus on a specific tool and provide introductory to in-depth knowledge for that tool, which is great! In practice one needs to bring a combinations of tools together to deploy some application or service. This workshop aims to provide you with a lab environment and some guidance to do just that, in practice.

Modern networks generate vast amounts of telemetry—but turning that data into actionable insight requires more than dashboards. In this 4-hour hands-on workshop, based on the book Modern Network Observability (Packt), we’ll build a complete observability stack from the ground up using open-source and cloud-native tools.

Participants will explore how to collect, model, and visualize network telemetry using modern protocols and data pipelines. We’ll move from raw gNMI/streaming telemetry to rich network context and analytics, integrating observability directly into automation workflows and CI/CD pipelines.

Through guided exercises and live demos, attendees will learn how to:

• Collect and normalize telemetry using Telegraf.
• Stream and store data in a Prometheus time-series setup.
• Build contextual dashboards in Grafana, correlating metrics, traces, and topology.
• Integrate event-driven insights using Kafka, NATS, or webhooks to trigger network automation.

By the end of the workshop, participants will have built their own working observability lab—capable of monitoring, analyzing, and reacting to changes in a dynamic network environment.

This workshop is designed for network engineers, SREs, and automation practitioners who want to move beyond legacy monitoring and embrace an open, programmable, and analytics-driven approach to network operations.

Lab Requirements:
- Local setup: Python >3.10, Docker, Containerlab
or
- Playbook to deploy a virtual server in Digital Ocean with all the dependencies

SELinux and AppArmor are probably the best-known representatives of Linux Security Modules. Both approaches implement Mandatory Access Control and serve to increase the security of a Linux system. While AppArmor originally comes from desktop development, SELinux is primarily aimed at servers and takes the approach of prohibiting everything that is not explicitly permitted – which often confuses beginners and force them to disable the technology.

In this workshop, we will work through the basics of the technologies and solve some practical tasks to build a solid foundation of understanding. The goal is to never disable AppArmor and SELinux again.

Vox Pupuli's Community Day is a space for community and contributors to engage directly with each other and collaboratively learn and make some magic. Do you have a burgeoning project you want to workshop and get feedback and ideas on? Do you want get the first glimpses at changes coming to the OpenVox platform? Or maybe you'd just like to help shape the next year of the community.

Expect a full day of content facilitated by the Vox Pupuli community leaders. We'll talk about the roadmap for the platform. We'll collaborate on ideas and get a pulse on what people are working on and help each other solve problems. If time and interest allows, we will hold bird of a feather sessions and/or lightning talks.

Bring projects you'd like to work on and get advice and guidance from peers and Vox Pupuli contributors. We'll have workshop time on TBD topics.

New to the community? Learn about ways to participate and how to get involved with Vox Pupuli, our premier community group.

Lunch Wednesday

Ansible Contributor Summit is a full day working session for community users and contributors to interact with each another along with Ansible development teams. We will discuss important issues facing the Ansible community with a goal to shape the future of Ansible in a way that improves and increases collaboration.

In this hands-on workshop, we will use Flox to introduce the core concepts and advantages of the Nix ecosystem without requiring participants to learn the Nix language or climb its steep learning curve. We will start by tackling the classic “works on my machine” problem and show how Flox environments create consistent and reproducible setups across laptops, CI systems, and production hosts. After that foundation is set, we will explore advanced environment features such as layering, composition, version pinning, and secret management. These examples will give participants practical patterns they can apply immediately in their own workflows.

Once everyone has a solid grasp of environments, we will move into packaging and deployment. Participants will learn how to build software with Flox, how to manage reproducible artifacts, and how to run those environments reliably using systemd or Kubernetes. Along the way, we will occasionally look under the hood to show where Nix concepts appear and where Flox intentionally simplifies them with more guided workflows. By the end of the workshop, attendees will have working environments, a clear mental model of how Nix-style reproducibility functions, and enough hands-on experience to decide how Flox can improve their current development or automation practices.

Lately I have published vision and strategy documents to outline the way we want to continue developing Foreman UI. I would like to discuss those documents in more details in a face to face meeting with a broader group.

Learn about the latest features of CUE and new ideas on how to organize CUE. As usual, we will use this opportunity to gather much appreciated user feedback.

Docling is rapidly becoming the de-facto standard in open source document AI. The project has achieved remarkable adoption with over 45K GitHub stars, more than 1.5 million monthly downloads, and multiple top rankings on global GitHub and HuggingFace trending leaderboards. Incubated as a Linux Foundation AI & Data project, Docling provides local-first, enterprise-grade capabilities, excelling at parsing complex layouts, extracting tables, and converting unstructured documents into AI-ready structured formats.

In this hands-on session, you'll get a chance to:
- ingest and parse multiple doc formats including PDF, DOCX and more
- convert complex tables into usable formats
- extract and prepare images for AI processing
- preserve metadata for visual grounding
- explore AI integration with frameworks like LangChain to power RAG and model training

Misconfigured cloud resources remain one of the top causes of security breaches, yet manual compliance audits don't scale in fast-moving, multi-cloud environments.

This hands-on workshop dives into Prowler, a powerful open-source tool designed to assess and improve your cloud security posture, with support for AWS, Azure, GCP, M365, Github, Kubernetes and more. In this workshop, participants will learn how to deploy and customize Prowler to perform automated compliance checks aligned with industry standards such as CIS, GDPR, HIPAA, and more.

The session will also introduce practical techniques for extending Prowler’s capabilities with (or without) the help from our MCP, and basic AI-assisted analysis to prioritize risks and surface actionable insights.

Anyone interested in using Pulp should join this event hosted by Pulp developers.

Vox Pupuli's Community Day is a space for community and contributors to engage directly with each other and collaboratively learn and make some magic. Do you have a burgeoning project you want to workshop and get feedback and ideas on? Do you want get the first glimpses at changes coming to the OpenVox platform? Or maybe you'd just like to help shape the next year of the community.

Expect a full day of content facilitated by the Vox Pupuli community leaders. We'll talk about the roadmap for the platform. We'll collaborate on ideas and get a pulse on what people are working on and help each other solve problems. If time and interest allows, we will hold bird of a feather sessions and/or lightning talks.

Bring projects you'd like to work on and get advice and guidance from peers and Vox Pupuli contributors. We'll have workshop time on TBD topics.

New to the community? Learn about ways to participate and how to get involved with Vox Pupuli, our premier community group.

What if your entire workstation—OS configuration, installed packages, dotfiles, and secrets—lived in Git repositories? What if spinning up a perfectly configured development environment was just git clone and a reboot away? This workshop teaches you to define your computing environment entirely as code. No manual configuration. No "I think I installed this package." No hunting for that config file you tweaked six months ago. Everything—from the base operating system to your shell prompt—declared, versioned, and reproducible.