Reddit DevOps
Reddit DevOps. #devops
Thanks @reddit2telegram and @r_channels
Creating Keycloak integration

Hi folks!

I’m in the process of evaluating Keycloak.

Is there anyone here who can recommend an open source web app that’s easy to integrate with Keycloak?

I’m thinking something like WordPress, MediaWiki, phpMyFAQ or similar.

My plan is to try it out using Docker on my laptop, to get a feeling for it before starting to roll it out on a larger scale.

Would love any recommendations on this topic.

https://redd.it/nqklzk
@r_devops
Ansible Package Configuration Security - new and old hacks

Hi folks, my team wrote up a Hack Series blog post that we're hoping would be valuable to those using Ansible for DevOps. You can read the whole post below, but here's a TL;DR if somebody doesn't have the time to read the whole post. Hope this helps!

Our top 10 Ansible security checks to remember when reviewing a configuration:

1. Is an old version of Ansible being used which is vulnerable to known CVEs?

2. Are hardcoded secrets checked into YAML files?

3. Are managed nodes in different environments (production, development, staging) not appropriately separated into inventories?

4. Are the control nodes which Ansible is running from not completely locked down?

5. Are unsafe lookups which facilitate template injection enabled?

6. Are SSHD config files using unrecommended settings like permitting root login or enabling remote port forwarding?

7. Are alternative connection methods being used (such as ansible-pull) and are they being appropriately secured?

8. Is the output of playbook runs not being logged or audited by default?

9. Is the confidential output of privileged tasks being logged?

10. Are high-impact roles/tasks (e.g. those that are managing authentication, or installing packages) actually doing what they appear to be?

https://blog.includesecurity.com/2021/06/hack-series-is-your-ansible-package-configuration-secure/

https://redd.it/nqr0ew
@r_devops
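As an added example (not code from the blog post or from the Ansible project), a small line-based checker for item 2 of the list above: it flags secret-looking keys whose value is a plaintext literal, while accepting inline `!vault` values and Jinja references to vaulted vars or lookups. The playbook is a constructed sample and the key-name pattern is an assumption.

```python
import re

# Constructed sample playbook (not from the blog post): line 4 carries a plaintext secret,
# the other secret-looking keys use a vaulted var or an inline !vault value.
SAMPLE_PLAYBOOK = """\
- name: configure database host
  hosts: db
  vars:
    db_password: "S3cretHunter2"
    api_token: "{{ vault_api_token }}"
    admin_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30313233343536373839
  tasks:
    - name: create application user
      mysql_user:
        name: app
        password: "{{ db_password }}"
"""

# Keys whose value should be vaulted or referenced, never a plaintext literal (assumed pattern).
SECRET_KEY = re.compile(
    r"^\s*-?\s*(?P<key>[A-Za-z0-9_.]*(password|passwd|secret|token|api_key|private_key)"
    r"[A-Za-z0-9_]*)\s*:\s*(?P<value>.*)$", re.IGNORECASE)


def is_plaintext_literal(value: str) -> bool:
    """True when the scalar is a bare literal rather than a vaulted or templated value."""
    v = value.strip()
    if not v or v in ('""', "''"):
        return False          # empty, or a block scalar continues on the next lines
    if v.startswith("!vault"):
        return False          # ansible-vault encrypted inline value
    if v.lstrip("\"'").startswith("{{"):
        return False          # Jinja reference to a vaulted var or a lookup plugin
    return True


def find_hardcoded_secrets(yaml_text: str):
    """Return (line_number, key) for every secret-looking key whose value is plaintext."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue          # full-line comment
        m = SECRET_KEY.match(line)
        if m and is_plaintext_literal(m.group("value")):
            findings.append((lineno, m.group("key")))
    return findings
```

It is a heuristic for review and pre-commit hooks, not a parser: a secret hidden inside a `shell:` command string or a flow mapping still needs a human reviewer.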
Linuxacademy to whatever guru to pluralsight

Is there another linuxacademy out there? This is sad.

https://redd.it/nqpgra
@r_devops
Reverse proxy for Active directory

Hi all, I hope you are doing well.
I have a problem at work where the Windows pods on my cluster cannot communicate with internal services (on-premise servers like SAP, IBM DB2, SQL Server ...) (probably a Hyper-V config of the vmswitch that wasn't done; I didn't have to investigate or fix the issue). To work around that I've deployed reverse proxies that route the traffic to the various internal services (SAP, databases etc.), since the Windows pods can only reach other pods on the cluster (headache? hang on..)

Now the Windows pods need to auth via AD to a web app. I thought I'd install an AD reverse proxy that routes the traffic on port 636 of the original AD server (I checked the port). But apparently, and since I have no experience with AD, it seems like I need to install a Domain Controller server that would point the pod to the AD. Now the idea I have is that I need to install a pod/service Domain Controller that would serve the AD reverse proxy on my cluster. What do you all think? Any suggestions?

https://redd.it/nqu2em
@r_devops
Integration pattern question: SNS / SQS

Hey guys

Imagine the following setup: there is an on prem application that needs to send a message to another application that runs in public cloud (AWS).

How would you go about this in best practice?

1. The on prem application sends using the api a message to an SQS queue owned by the cloud application
2. The on prem application publishes a message on a topic owned by the on prem application, and the SQS queue subscribes on this topic.

Why would one be better than the other?

Thanks for your insight...

https://redd.it/nql0id
@r_devops
Trying to set up a VPN in GitHub Actions for continuous deployment

Hi everyone,
I'm currently trying to set up a VPN in my CICD pipeline to a private VM in an organization.
Please correct me if I'm wrong, but as far as I know I have to first set up a VPN to the organization to be able to push/deploy code on the VM.
The problem is that I've no clue how to set up this VPN in my CICD pipeline.
Any ideas or alternative solutions are welcome and will be appreciated.
Thanks

https://redd.it/nqgx18
@r_devops
DOUBT regarding Grafana Dashboard - (Prometheus-Grafana)

Hey guys!

TL;DR - I need to know 2 things:

1- Where to place the JSON files I have taken from here.
2- If I start changing a few things using the Grafana UI, i.e. edit/delete boards, will the JSON get updated in my VM as well (stored in /usr/share/grafana/public/dashboards/)?

What have I done?
So I have been working on setting up the Aerospike-Monitoring-Stack, I have set up,

1- Aerospike Cluster with Aerospike-Prometheus-Exporter on it,
2- Prometheus Server (Standalone)
3- Grafana Server (Standalone)

- Coming to Grafana, I have copied the JSON files provided here into /usr/share/grafana/public/dashboards/<json - files>


AND THEN

- I have manually pasted the JSONs in (Create > Import via panel JSON > Load) in the web UI of Grafana. Doing this is getting my service up and running. I CAN SEE MY METRICS/NODES/CLUSTER etc, everything!

What are my 2 doubts?

1 - If this is how I got my dashboard up and running, what is the use of
/etc/grafana/provisioning/datasources/all.yaml and
/etc/grafana/provisioning/dashboards/all.yaml ?


2- If I drag around the metrics, make some changes, remove a few, etc, this changes the JSON, hence Grafana asks me to save them, WHERE IS IT SAVING THEM? Are the JSON files in my /usr/share/grafana/public/dashboards/<json - files -here> path being overwritten?


Please let me know, I am very confused here,

Again,

Setup - Aerospike-Monitoring-Stack,
JSONs - https://github.com/aerospike/aerospike-monitoring/tree/master/config/grafana/dashboards
Method of Provisioning Dashboards - Manually Pasting the JSON Content into Import via Panel JSON
Current location of JSON files saved in VM - /usr/share/grafana/public/dashboards/<json - files>


Thank you.

https://redd.it/nqk8qz
@r_devops
How to perform CI/CD in mobile development (Android/Apple)

Hello,

I am quite familiar with DevOps pipelines and CI/CD for backend systems... but I am getting quite confused about how that will work for mobile development...

here is my setting:

backend of the Mobile app has three environments (Terraform and Ansible powered)
Development (on one machine) where the developer "deploys locally" the backend (containerized) and performs changes and unit tests
Staging (in AWS), where the mobile developers connect the APIs and perform mobile testing
Production (in AWS), where the "live mobile app" is connected

At the moment the mobile app (frontend) is developed in a silo and there is not really anything in place in terms of pipeline, CI/CD etc...

Initially I thought to use the built in feature of the stores (Apple and Google):

Apple TestFlight
Google Alpha/Beta Channels

But the challenge is that once I publish the app (either in Apple or Google) in the "beta test mode" (TestFlight and/or Alpha/Beta Channels) I cannot point the app to a "staging/test" environment, but it will be in production...

Is there something I am missing? How do you have beta testers on the mobile front end (in a test environment and not production)?

Maybe what is not clear to me is the overall CI/CD pipeline for the mobile front end... (the part that will be ultimately uploaded into the store)...

Thank you all!

https://redd.it/nqjbse
@r_devops
Whole picture vs split by environments

In most cases I prefer complete separation of environments. DBs, APIs, Kafka streams should all be the same across environments, which affords the benefits of proper CI, CD.

When you start to look at the whole picture, sometimes it's helpful to have consolidated views. One good example is consolidated dashboards with GitLab https://dashboards.gitlab.com/

This can be true for other cases like logs, tracing, SAML auth, and third party integration.

What is a good mental model and splitting point for where you see something and think it needs replicas for different environments vs a consolidated view?

https://redd.it/nqj41f
@r_devops
Practical kubernetes projects

Does anyone know or have a practical Kubernetes project?
I would like to learn stuff by doing it.
Is there any guide/book/course which can help me?
Good with Kubernetes basics.

https://redd.it/nqiybo
@r_devops
Seeking advice on which cloud services to use with my project (SPA w/ AWS potentially)

Hi all,

Forgive me if this post is inappropriate for this sub - I am looking for some guidance. I am currently developing a Single Page Application that will be based on an AWS multi-tenant model (i.e. a single primary database for the PII/Users table, and a separate RDS instance generated for each client's data set - no PII, but important).

The application requires users to answer a series of questions, where the answers will be reported on in an admin panel within the app. All clients will access the same EC2 instance through a subdomain (www.mycomapny.[client-name].com/app) and ideally will pair to their allocated RDS instance on arrival. The EC2 instance contains my app (Nuxt w/ Laravel API), and for now my primary DB with user names, tenant IDs etc.

Additionally, each client will have their own homepage (I would imagine this repository would sit on S3 - (www.mycomapny.[client-name].com)) which could be updated through a 'config' page within the application admin panel, triggering some sort of continuous deployment process and update to the home page.

Soooo...I was hoping you guys could kindly offer some advice:

- Is what I am describing achievable within AWS? Are there better/more achievable ways of doing this? Open to suggestions outside of AWS

- Could you guys recommend a way to dynamically set the correct tenant DB when they arrive on the page from a specific URL?

- Security and meeting privacy standards are crucial. Is there anything in particular I should be doing or keep in mind?

- Expenses may become an issue. Might this setup be expensive? Can you recommend a good way of calculating costs, ballpark?

Really hope this is clear, apologies if this is too vague - a lot of this is new to me. Please don't eat me reddit!

Any guidance (even just resources/other subs/etc) would be very much appreciated.

Thanks

https://redd.it/nqgi0i
@r_devops
Send VM's system information to a Webhook

Hello, I have created a bionic Ubuntu virtual machine using KVM and virt-install. How can I send its information to a webhook when it boots for the first time? How can I create a webhook? I'd appreciate it if anyone could explain it to me.

https://redd.it/nqfnic
@r_devops
How are you handling package/Image security?

Hey r/devops. . . haven't posted one of these in a while. . .I need to lock down, monitor and clean up my teams' usage of

* language packages (Python, Go, Javascript)
* Dockerfile dependencies - yum/apt packages and other misc non-language dependencies
* A new one - GH Action dependencies i.e. Actions that my teams are using in their CI/CD pipelines. The rub here is that we all LOVE GH Actions but we're also using a bunch of random actions which is horrible from a security standpoint.

We're using GitHub and GitHub Actions, ECR for images and no surprise, a bunch of open source libraries.

I need a sane way to alert on unapproved libraries/packages/actions or at least *new* usages of the above and ideally also enforce the usage of known code/tools. There are lots of different tools to use here and we're already using dependabot, native ECR scanning, various linters (e.g. golangci-lint).

Just looking for ideas and recommendations. . . I'm considering something like Artifactory and/or AWS CodeArtifact to pin and control (and cache) external dependencies. Also, contemplating vendoring our Go code. I'm not even thinking about licensing scans at this point but that's something we'll probably need too (e.g. BlackDuck).

tl;dr how do you secure and manage your external dependencies???

https://redd.it/nqakxa
@r_devops
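As an added example, not the poster's tooling or any product mentioned above: a policy check for the GH Actions concern in this post that flags every `uses:` entry whose owner is not on an allowlist or that is not pinned to a full commit SHA (tags and branches are mutable, so only a SHA gives an immutable dependency). The workflow, the allowlist and the 40-hex SHA are constructed.

```python
import re

# Constructed workflow (not from the post): one pinned and approved action, one approved
# action on a mutable tag, one unknown owner on a branch, and one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: some-random-user/do-everything@main
      - uses: ./.github/actions/local-lint
      - run: go build ./...
"""

# Constructed allowlist: owners whose actions the team has reviewed.
APPROVED_OWNERS = {"actions"}

USES = re.compile(r"^\s*-?\s*uses:\s*[\"']?(?P<ref>[^\"'\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str, approved=APPROVED_OWNERS):
    """Return (line_number, ref, reason) for every 'uses:' that fails a policy check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./"):
            continue          # local action, reviewed together with the repo's own code
        if ref.startswith("docker://"):
            findings.append((lineno, ref, "container action: pin by image digest"))
            continue
        action, _, version = ref.partition("@")
        if action.split("/")[0] not in approved:
            findings.append((lineno, ref, "owner not on allowlist"))
        if not FULL_SHA.match(version):
            # A tag or branch can be moved to new code; only a full commit SHA is immutable.
            findings.append((lineno, ref, "not pinned to a full commit SHA"))
    return findings
```

Run it over every file under `.github/workflows/` in CI so that a newly added unapproved or unpinned action fails the build rather than silently joining the dependency set.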
Best logging solution for startups

What’s a good paid log management solution for a small startup? Logs are mostly for our API and worker clusters and will be used for troubleshooting errors. We don’t have the resources to build our own stack and CloudWatch’s UI just doesn’t seem to cut it.

https://redd.it/nq9pqk
@r_devops
Supported options for Docker Swarm persistent storage?

Preface: Yes I know about Kubernetes and no, at this point in time, it's not a feasible solution for this use case.

Does anyone know of an actively maintained persistent storage driver for Docker Swarm? My google-fu has revealed a ton of (understandably) dead projects that were consumed by Kubernetes. I suspect this to be a dead-end search in 2021, but I figured I would reach out in case anyone is still running Swarm and can share how they're handling persistent storage.

For reference, I'm working within a VMWare vSphere environment (which, unfortunately, seems to no longer maintain their Docker-specific driver).

https://redd.it/nqaz7e
@r_devops
What are you making with Go? CLIs? REST APIs?

Looking for inspiration. Maybe thinking of some simple file serving via JSON, but not that handy with structs yet. Then I love the idea of not needing to publish requirements.txt and an interpreter everywhere.
Good simple projects? Plan is to write more Go this year.

https://redd.it/nrpp3t
@r_devops
Are there good options for researching Splunk Use?

I’ve worked at a company that hasn’t really made DevOps a priority since its inception, mostly having AWS do all the heavy lifting. Now we’re trying to go through the base steps of getting some observability in the app through the use of Prometheus for metrics and Splunk for logging.

Of course, Splunk is a huge app that does a ton more than logging, so if we’re going to get set up with a subscription I want to make sure we’re using the tools of theirs that fill all our holes, if it makes sense. My problem is I’m having a very hard time looking into what each individual section of the app does. Does anyone know of good resources to look into this? Their website isn’t super detailed and I feel I need those details when considering things like RUM and APM. I’ll do all the reading or listening I need to do, I just need to find good resources.

https://redd.it/nrsaqz
@r_devops
Simple kubernetes for staging/test server?

I’m new to devops. Rather than going full-blown k8s, I was wondering whether there is something that can help quickly set up and deploy containerized apps onto a server. Docker Compose maybe? For production it makes sense to me to go k8s.

https://redd.it/nrjv78
@r_devops
Move from US to Europe but work remotely for US company?

Hello all,

Looking for some advice. I'm a linux engineer who operates as a standard devops/sre in most orgs with over a decade of experience. Currently born and raised as a US citizen. Due to some family reasons, we're considering moving to my spouse's hometown in a European country and spending time close to the family there.

Prior to Covid I would not even have considered this a reasonable option, but now that everyone is working remotely more and demanding it, I suspect it's a more likely option now. I know most US companies won't hire an employee remotely except sometimes as 1099 due to the tax / legal hiring implications often associated with countries, but I know larger corporations are more open to this.

My question is... does anyone know where one would start? All of my contacts / search sites / recruiters are in the US and operate solely there. I know it's been done, and it's rare, but ... not really sure where to begin. :)

Thanks for the advice in advance.

https://redd.it/nrmhrl
@r_devops
Writing QCOW2 image to disk?

Does anyone have a way to write a disk image to an actual, physical disk? What I'm trying to do is have a Packer image that is applied to bare metal machines. Right now, what I do is make the disk image a block device with qemu-nbd. I then dd that block device (/dev/nbd0) to the disk (/dev/sda). However, I'm writing all the zeros in the disk as well, which is extremely inefficient and defeats the entire purpose. Does anyone have tools that they use for this or am I off into uncharted territories?

https://redd.it/nrkmqy
@r_devops