by Rootconf

Rootconf 2019

On infrastructure security, DevOps and distributed systems.

Rootconf 2019

Rootconf 2019

On infrastructure security, DevOps and distributed systems.

by Rootconf


21–22 Jun 2019, Bangalore



NIMHANS Convention Centre


Rootconf 2019 is situated in the middle of an era of data leaks and vulnerabilities, managing and running large infrastructure systems, architecting for the cloud and simultaneously optimizing costs.

The 2019 edition is a two-track conference, organized as:

  1. Security talks in track 1 on 21 June.
  2. DevOps and architecture talks in track 1 on 22 June.
  3. Talks and discussions on distributed systems in track 2 on 21 and 22 June. This track, curated by Colin Charles and Rootconf alumni, is targeted at systems engineers, architects, principal architects and CTOs.

Confirmed talks and schedule:

Below is a list of the first set of confirmed talks for security and DevOps track at Rootconf 2019:

  1. Securing infrastructure starts from your home. Or so indicates Abhay Rana (Nemo) as he talks about his experiments with running a home server and recommends why you should run one too.
  2. If giving SSH access to developers was not a pain point, how do you scale access in large organizations? Pulkit Vaishnav suggests that SSH certificate-based authentication provides an alternative for scaling SSH access.
  3. Are you aware that your organization could be leaving digital trails of its infrastructure on the internet? Hackers refer to this publicly available information as Open Source INTelligence(OSINT). Bharath, a security engineer at Appsecco, explains how to create a pipeline for gathering and storing OSINT data, visualize this data, and how to create monitoring systems for tracking this data.
  4. Data exfiltration attacks like Magecart have allowed attackers to steal millions of users’ credit card data. Existing security systems fail to prevent or even detect these attacks. This is a major blind-spot in the security monitoring systems. Lavakumar Kuppan explains how DevOps engineers can leverage Content Security Policy (CSP) – a standard supported in most modern browsers – to increase protection against Magecart type attacks.
  5. Python is used in many environments where security is critical. Validating dependencies of such projects is also important along with the actual project source code. Or else, the vulnerabilities in these dependencies will have cascading effects for users. Therefore, how do you build reproducible Python applications for secured environments? Using a case study, Kushal Das will demonstrate this talk live, at Rootconf 2019.
  6. Open standards versus managed infrastructure – are we trading freedom for convenience? In this keynote talk, Bernd Erk argues that open standards go beyond the boundaries of development and operation. They are the foundation for barrier-free interoperability and independent communications. This is why we must preserve open standards.
  7. How do you productionize Kafka streams at a scale as large as Walmart? Deepak Goyal explains in this experiential talk.
  8. Shakthi Kannan, senior DevOps engineer at Aerospike, will talk about the implementation of, and learnings from, a Wireshark Lua plugin to solve issues at the wire level, and how you can do it too.

BOF sessions on DevSecOps, testing infrastructure code building remote teams and others will be held in parallel to the main conference sessions, post-lunch.

Who should attend Rootconf?

  1. DevOps programmers
  2. Systems engineers
  3. Infrastructure security professionals and experts
  4. Cloud service providers
  5. Companies with heavy cloud usage
  6. Providers of the pieces on which an organization’s IT infrastructure runs – monitoring, log management, alerting, etc
  7. Organizations dealing with large network systems where data must be protected
  8. VPs of engineering
  9. Engineering managers looking to optimize infrastructure and teams

If you missed submitting a talk for the conference, you can do so now, and here:
For inquiries about submitting talks, write to

For information about Rootconf, sponsorships or bulk ticket purchases, contact or call 7676332020.


Sponsor for developer evangelism, community outreach, networking with IT managers and decision-makers, and hiring.

Download our sponsorship deck or write to us for customised options. Email

Sponsorship deck

Sponsors section


  • Learnings from running my Home Server (and why you should run one too)

    Abhay Rana (Nemo)

    Learnings from running my Home Server (and why you should run one too)

    This talk will cover the important bits:

    1. A brief overview of my homeserver setup
      i. What all Hardware is involved ii. What all services are running iii. Networking and how to route traffic to your home.
    2. Infrastructure Setup
      i. Terraform Configuration ii. Service Configuration iii. Running a Kubernetes Cluster iv. Security
    3. Q&A
  • SSH Certificates: A way to scale SSH access

    Pulkit Vaishnav

    SSH Certificates: A way to scale SSH access

    • Traditional Public key (asymmetric key) cryptography authentication(2 min)
      • Traditional SSH authentication methods
      • Password-based authentication
      • Public-key (asymmetric) based authentication
      • Generic Security Service Application Program Interface (an API to access servers)
    • Centralized authentication approach & limitations (3 min)
      • How LDAP/Kerberos working (in brief)
      • Limitations of a cenralized system
    • A adventures ride with SSH certificates (6 min)
      • Working of SSH certificates
      • Generate signed certificate from CA
      • Configuration on the host system
      • Configuration on the user system
    • Demo (3 min)
    • Features of SSH CA (3 min)
      • Role-based access
      • Host-based access
      • Certificate validity
      • Certificate identity
    • Limitation & solutions (3 min)
  • From data to decisions - Leveraging OSINT data to take security decisions


    From data to decisions - Leveraging OSINT data to take security decisions

    • What is OSINT?
    • What can attackers do with OSINT data?
    • Where/How do attackers(or I) find this OSINT data? (Tools/Techniques)
    • What can I do about OSINT data on my organisation?
    • Building visualisation, monitoring and alerting solutions
      • Monitoring an organisation’s SSL/TLS certificates, domains and subdomains in near-real time
      • Visualising public datasets ( to gain insights into an organisation’s external posture
        • Answering business related security questions using visualisations
      • Building monitoring and alerting solutions around various OSINT data
    • Key takeaways and Moving forward
  • Deploying and Managing CSP - the Browser-side Firewall

    Lavakumar Kuppan

    Deploying and Managing CSP - the Browser-side Firewall

    • Introduction to client-side Data Exfiltration attacks
    • Introduction to Content-Security Policy
    • Content Security Policy to prevent Data Exfiltration attacks ○ What is possible ○ What are the limitations
    • How to design and deploy CSP to detect/prevent Data Exfiltration attacks
    • How to monitor policy violations and alerts
  • Building reproducible Python applications for secured environments

    Kushal Das

    Building reproducible Python applications for secured environments

    • Introduction - 1 minute
    • Why all of these painful steps? 2 minutes
    • SecureDrop client desktop tools and their dependency on other upstream projects (or think about an application structutre and standard deployment strategy)- 3 minutes
    • Updating dependencies or do we read all updates? - 2 minutes
    • Development environment and using pipenv + tools to create requirements.txt wtih hashes only for source - 3 minutes
    • Structure of a static HTML based private package index - 4 minutes
    • GPG signed list of already built wheels + syncing them locally - 2 minute
    • Running python3 sdist to create the release tarball + a step before to have a requirements..txt with only binary hashes from our list of wheels. - 5 minutes
    • Final Debinan packaging script (for automation) which does double verification of the wheel hashes. - 3 minutes
    • Reproducible Debian package as end product - 2 minutes
    • Possibility in the RPM land - 1 minute
    • QA/feedback
  • Kafka Streams at Scale


    Kafka Streams at Scale

    Problem Statement: Stateful Realtime Processing of multi-million events.

    1. Intro Kafka Streams and event flow (2 slides)
    2. Challenges in Kafka Streams
      a. Fault Recovery b. Horizontal Scalability c. Cloud Readiness d. Restricted RocksDB e. Large Clusters
    3. Lay a background on why are these a challenge.
    4. How we forked the code to solve each of these over the past year.
    5. Conclusion
    6. Future Works
  • Shooting the trouble down to the Wireshark Lua plugin

    Shakthi Kannan

    Shooting the trouble down to the Wireshark Lua plugin

    • Objectives
    • Lua and Wireshark Lua
    • Usage and Example
    • Debugging and Linting
    • Literate Programming
    • Markdown Structure
    • lit2lua
    • Protocol Dissection Pattern
    • Dissector Table
    • Wireshark User Interface
    • Info, Message and Heartbeat Protocol
    • Hot key Report
    • Testing
    • Demo
    • Future Work
    • References

    Source Code:

  • Keynote: How convenience Is killing open standards

    Bernd Erk

    Keynote: How convenience Is killing open standards

    All the technical diversity we enjoy in our industry is the result of internal evangelism 20 yers ago. Now all three major cloud providers have been pushing their serverless solutions to lure customers into a new form of vendor lock-in. I think it is time, to remind ourselves about Open Standards.

  • Scale MySQL beyond limits with ProxySQL

    Ratnadeep Debnath

    Scale MySQL beyond limits with ProxySQL

    • Setting up the scene: MySQL database flooded with connections, more than it can handle
    • Vision: Achieve 10x scale without 10x cost
    • An ideal solution?
    • Solutions available: ProxySQL, MaxScale, Nginx, HAProxy
    • Why ProxySQL?
    • Benchmarking ProxySQL
    • Conneting the missing dots
    • Chosing an architecture for deployment and why
    • Challenges and workarounds
    • The end result!
    • The Future
  • Using Pod Security Policies to harden your Kubernetes cluster

    Suraj Deshmukh

    Using Pod Security Policies to harden your Kubernetes cluster

    This talk will start with current state of Kubernetes security and how folks are setting up their clusters. How folks are using shortcuts to get around changing their old bad practices. The talk will explain folks what’s worst that can happen if they keep using those bad practices. Specially in the multi-tenant setup this can lead to massive breakouts.

    The above topics are there to create a ground for folks to appreciate the security feature of Kubernetes Pod Security Policy.

    We then come to core of the talk this is where I will explain what Pod Security Policy is and how it can help in hardening the cluster. I will explain all the supported features that PSP has and what feature stops what kind of attack vector in a multi-tenant untrusted environment.

    Also I will explain the benefits of having secure & hardened clusters from the development phase itself and how it helps you understand and catch the issues that you might encounter only while deploying on production.

  • Birds of a Feather: DevSecOps

    Neelu Tripathy

    Birds of a Feather: DevSecOps

    We are looking to bring forth the following issues:

    -Challenges in integrating security in a fast paced DevOps Cycle -Current Practices being followed for DevSecOps in their Organizations -How is SAST & DAST placed in the lifeCycle -Embedding Security in the Pipeline and Automation -Whats different when dealing with containers and cloud

  • Let’s talk about routing security

    Anurag Bhatia

    Let’s talk about routing security

    This talk covers how (in)secure in the routing at the global scale, covers about IRR in detail. Includes examples, tools and challenges with IRR based BGP filtering. It also gives a brief introduction to RPKI as well as latest developments in this domain (AT&T doing RPKI based filtering, Google about to do IRR based filtering etc)

  • Virtual Nodes to auto-scale applications on Kubernetes

    vivek sridhar

    Virtual Nodes to auto-scale applications on Kubernetes

    Let’s see a demo application using ServiceMonitor for Prometheus, a HPA, and a custom container that will count the instances of the application and expose them to Prometheus. Finally, Grafana dashboard to view the metrics in real-time.

  • Securing infrastructure with OpenScap: The automation way

    Jaskaran Narula

    Securing infrastructure with OpenScap: The automation way

    Audience will learn about Openscap. Tools used by openscap along with profiles and components of openscap. I will also through some light on how we all can have our own set of policies and how we can develop certain profiles and policies that will be custom of yourself and also useful for upstream. This talk will also involve how to deploy openscap, how to use different tools of openscap and warping up with the analysis of the reports generated by the scap policies. At the end you get a clear picture of openscap also with managing all the tools and reports by them.

  • Birds of a Feather: Art and science of choices in engineering

    srujan akumarthi

    Birds of a Feather: Art and science of choices in engineering

    How’s the choice usually made? What’re the several factors involved?

    Do you really have a problem the tool is solving or the tool is making us think you’ve a problem.. how to find out if you’ve the problem or going to face it later.

    The cost breakup of all elements:
    Benefits of the tool >> Time to decide + cost (Engineering) + Cost (Operations/maintenance) + Cost (Infrastructure) + Cost (cultural drift)+etc.
    How much percentage of cost is acceptable for the benefit.

    Idenfifying elements unique to your company, that contribute to overall decision.

  • Security Paranoid OS

    Sayan Chowdhury

    Security Paranoid OS

    In the wake of one data breach after another, and in this age of surveillance, security has become serious business. The trust on the big giants like Facebook, Google, etc has diminished over the years. Security has been a huge concern in the recent times for many of us, and a lot of them have grown a valid paranoia around security and privacy. The term “valid” signfies just not be a paranoid but to be methodical in your action.

    As we grow dependent more and more on internet-based services, the more vunerable are we becoming to exploits, and you can easily notice how in the recent times the exploits has affected a large number of people.

    And, there could be no better place to start than your OS itself. There has been a growing list of OS targeted towards security. There are bunch of options these days, like TailOS, QubeOS, Silverblue, Whonix etc each behaving a bit differently but trying to acheive the same goal, Security & Privacy

    We gather to discuss our ideas and concerns on this topic, discuss our methods, how we compartmentalize applications to fight vulnerabilties.

  • Config management 2.0

    by Senthil V S

    Config management 2.0

    We at Simpl manage a microservices polyglot platform with about 40 services. We handle 10 - 30 million requests per day and can handle 100x or more. We’ve managed >99.99% of availability. Containerized, auto-scalable and completely automated DevOps platform.

    All these were handled by the seven backend developers and no dedicated DevOps person.

    This is possible because of the unique approach we’ve taken towards DevOps. Instead of using tools like Chef/Ansible, we’ve taken a unique approach that simple and hence naturally scales.

    I’ve spoken about this in couple of meetups and people found this useful. Would love to share the journey with a larger audience.

    This talk would have four parts.

    • Introducing the problem (tech stack, constraints, complexity etc)
    • Why not config management tools like Chef, Puppet, Ansible
    • The approach we’ve taken. Demo, details and of course code.
    • Learning that would be useful in your org.
  • OLTP or OLAP? Why not both?

    by Jiten Vaidya

    OLTP or OLAP? Why not both?

    • Vitess history
    • Vitess architecture
    • Vitess resharding and demo
    • VReplication explained
    • VReplication demo
  • Functional programming and Nix for reproducible, immutable infrastructure

    by Brian McKenna

    Functional programming and Nix for reproducible, immutable infrastructure

    1. Why functions?
    2. How are functions relevant to package management?
    3. How are functions relevant to operating systems?
    4. Development shells
    5. Docker without Dockerfiles
  • Load Balancing : in-depth study to scale @ 80K TPS

    by Shrey Agarwal

    Load Balancing : in-depth study to scale @ 80K TPS

    • Referencing the 13 yr old article of willy tarreau ( 2006 )
    • 5 categories of LB

    • Evaluation params of LBs

    • DNS Load Balancing Detail

    • Layer 3/4 Loadbalancing
    • Haproxy example and monitoring params

    • Layer 7 Loadbalancing

    • Hardware and Software Routing ( setups and cases of each )

    • LVS: history and implementation

      • NAtting
      • Direct Routing
      • Tunnel Based routing
    • RP Filter

    • What to monitor
    • Interrupts handling and CPU affinity
    • HA with Keepalived and consul

    • References

  • Log Analytics Platform with aggressive cost optimisation and infinite scale

    by Denis Dsouza

    Log Analytics Platform with aggressive cost optimisation and infinite scale

    Business Requirements/Use Cases
    - Log analysis platform (Application, Web-Server, Database logs) - Data Ingestion rate: ~300GB/day - Frequently accessed data: last 8 days - Infrequently accessed data: 82 days (90 - 8 days) - Uptime: 99.9 - Hot Retention period: 90 days - Cold Retention period: 90 days (with potential to increase) - Cost effective solution

    Areas of optimization
    - Application - Infrastructure

    Cost Optimization
    - Replica counts and its impacts - How to run ELK on Spot instances correctly. - EBS Costs can be high, how to set up Hot / Cold data storage - Auto Scaling - On-demand ELK Cluster

    Infinite Data Retention
    - How to setup S3 as a hot backup - Recover on Demand

    - Cost/GB data ingested - Trade-offs made - DR mechanisms

    - Building a log analytics is not rocket science. But it can be painfully iterative if you are not aware of the options. Be aware of the trade-offs you are OK making and you can roll out a solution specifically optimized for that.

  • Software/Site Reliability of Distributed Systems

    by Piyush Verma

    Software/Site Reliability of Distributed Systems

    Consider a sample application:
    A number that user sends an SMS text to of the form “Remind <date format> about <y>.” When it’s due, a service calls you back. User is charged for each SMS and reminders that they answer.

    Where all do you think this can start failing?

    Static Failures:

    • Disks
    • Network
    • CPU
    • Memory

    Behaviour Failures:

    • Degradation
    • Latency
    • Freshness
    • Correctness
    • DDos

    What are the right tools and strategies to measure and monitor these failure points?
    What is the cost of measuring or leaving it un-measured?

    There are Queues in the system. How do you monitor synchronous and asynchronous architectures?

    The load has started to increase, but before we discuss strategies Let’s discuss CAP quickly.
    How do we decide if we need sharding, better CPU or Clustering?

    How do we add backups? Should they be asynchronous or synchronous?
    Criteria to consider before picking up a strategy.

    So far, we have been reactive about failures. How do we move to a proactive model?
    And Meanwhile, could you trace that request from that particular user for me?

    At what stage and how do we start injecting reliability as a part of the Software development process?

    Lastly, while all of this is said to improve and fix things, how do we prove that it does? How do you validate that MySQL replicas come back when the master dies. The only way to know is by simulating. How do we set up Simulations? A decade ago it used to be called FMEA; now it’s called Chaos Engineering.

    And oh, we should also discuss Site vs Software Reliability.




NIMHANS Convention Centre
NIMHANS Convention Centre
Hosur Road, Lakkasandra
Bangalore 560029