Reddit DevOps
Security metrics and activities

Hi folks. I’m really interested to learn more about the kind of security checks you guys do as part of DevOps. From pipeline stuff to how you manage or ensure security of your containers? Also interested in resources to learn about the kind of security metrics you can and should gather in your environment. Any pointers to good resources will be appreciated.

https://redd.it/oh0xnt
@r_devops
No Escape from Data+ML Lock-in

Reflecting on a recent a16z article on cloud costs, it occurred to me that there's no workload portability for Data & ML. I dug into it some in this post based on my experience but would love to hear from others if this makes sense. I've had some peers review it too and it seems to hit the mark, despite some gaps in my knowledge and experience (e.g. core network infra world). Have others observed this too? What am I not thinking of from a Data+ML workload portability perspective?

The domain (data+ML) is still nascent so use cases, tech and pricing are far from mature but from my perspective, it seems like there's a clear product strategy on Cloud providers' part to build these irreproducible strategic assets that lock you into their platform.

https://redd.it/ogqcnn
Difficulties of viewing backlogs when you use a single project with multiple areas in Azure Boards

All the MS documentation these days seems to suggest the use of a single project for almost all use cases. It also looks like they suggest using areas to divide this project so that you can limit what you view in some views, such as the Product Backlog.

However for me I have a problem in that as soon as I use the filter to view one area then the hierarchy goes away and it changes to a flat view.

I seem to share this problem with many others who have been complaining about this since 2018. Do you also have this problem? If so, then how does it affect you and do you have some resolution for dealing with it? Also, if it affects you then it might be a good idea to upvote here.

https://developercommunity.visualstudio.com/t/boards-backlogs-please-keep-displaying-the-hierarc/366475

On checking the above link in more detail it appears that the person who is working at Microsoft who it is assigned to has had no issues or activity since Feb 21 :-(

https://redd.it/ohbfyh
Current market rates for 100% remote (US)?

I am the business manager for a very small (~10 people) cloud consulting company & it's been a real struggle to find good DevOps/Platform Engineer folks to join our team. The existing guys are all really smart & amazing at what they do and have worked together in the past at other (much bigger) consulting firms. They are just stretched so thin right now due to how in demand we are & I really want to find some great new people to add to the team.

I am realistic in that I know we are a very small shop and do not have any kind of brand recognition other companies do, so I want to ensure the package we are offering is good enough for the realities of the market.

Currently:

* 100% remote (US only right now), will always be remote.
* 20+ days paid vacation, plus sick leave, plus personal leave.
* Medical/Dental/Vision/Life insurance (2 options, Platinum/Silver), 75% premiums paid by us.
* Additional training and certificates encouraged and paid for by us.
* Hands-off "management", not completely flat but very close.
* Opportunity for career progression and growth with the company and input in shaping the culture and structure.
* We plan to add 401(k) options next year.

Right now our (very broad) salary bands are:

* Junior -- $60k-$100k
* Mid-level -- $100k-$140k
* Senior -- $140k-$180k
* Senior/Management -- $180k-$200k

Does this suck? Would appreciate feedback as the average rates I see on Google don't seem to align with what I see in this subreddit.


Ty!

https://redd.it/ogxryu
NewRelic

When I connect to a website using newrelic, certain pages show in uBlock Origin that I connect to log-api.newrelic.com. Other pages (such as the home page or other navigation pages) only show me connecting to js-agent.newrelic.com. I just wanted to know why this is the case? Thank you!

https://redd.it/ogwtmx
Looking for high quality advanced training in DevOps topics?

I checked out a lot of resources in Udemy, KodeKloud, and LinkedIn but they are very beginner focused and it’s like deploy hello world or create a Docker container.

Where can I learn advanced topics or practice labs that are complex and can prepare you for interviews?

Something like build a full CI/CD pipeline with testing and code coverage linking several repositories.

Are there some good GitHub forkable projects to play around with? I prefer the structure of a course or video to understand the concepts and how and why.

Expectation from interview is you know it way in depth and not basic “what is a vm vs container”.

Preferably want to learn more about nginx ingress controller, service meshes, and GitOps. I just see companies say they are looking for Terraform and Kubernetes experiences, with CI/CD.

It can be a huge monster in how complex it is.. and I want to learn concepts from someone who is a subject matter expert.

I found books to be more detailed and technical .. a lot of video content is basic YouTube explain a concept but it’s on a high school level or very general.

Or they talk theory when you should know ins and outs, gotchas, and industry best practices .. it’s super rare to find these training materials.

Do you guys craft your own training study agenda and work to make progress? It’s easy to hit a ceiling where your skills are not leveling up because the practice is not challenging enough

https://redd.it/ohhajc
Deploying a .netcore app on elastic beanstalk

I have been trying to deploy a .netcore app on elastic beanstalk using Amazon Linux 2 and .netcore 2.1 with nginx and getting an unhandled exception error.
I have also been manually trying to deploy on an instance as well and having an issue with the same error. Here is the error:

web: Unhandled Exception: System.Security.Cryptography.CryptographicException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores. ---> System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.

From NGINX error log:
connect() failed (111: Connection refused) while connecting to upstream, client: xxx.xxx.xxx.xxx, server: , request: "GET / HTTP/1.1", upstream: "https://127.0.0.1:5000/", host: "xxx.xxx.xxx.xxx"

I have created a public certificate using aws cert manager and attached it to a load balancer on beanstalk configuration with enabling listen port for https.

Previously the development team was deploying on Azure webapp, where I have been told that Azure itself used to attach an SSL certificate to its app or service and they had nothing to worry about.

Now they are planning to deploy on AWS as well, which I am assigned to.

I have been trying to do this for a week and not able to deploy it with this Certificate error.

Any devops engineers who have worked with deploying .netcore app on linux?

Please advise/suggest if there is anything wrong or something that I am missing.

https://redd.it/ohi960
What DOES your position primarily CONSIST of?

How much time do you spend scripting vs managing configuration? Or do you end up coding a lot of solutions?

https://redd.it/ohj9u3
Cross Browser Testing - Why is it useful and how it's helped you?

Hey there devs, hope you guys are doing well.

What Cross Browser Testing Tool do you guys use and why?

And what do you guys love about using Cross Browser Testing Tools?

And what kind of big problems has it solved within your business or company you work for?

Would love to hear your guys' thoughts CC::

https://redd.it/ohl23p
Are we ever just DevOps

Forgive the rant and its meandering quality. Feeling extra low and stressed out about life and work right now. Rough Rough week.

A long term generalist who got roped into taking a DevOps job two months ago, without any specific DevOps experience and I'm starting to worry that I've bet on the wrong horse.

So I don't have a way to compare or have a reliable baseline to gauge my experience relative to the others in the industry.

We're a smallish company based in the South and I was told that since DevOps is a new culture in the company that it would be a unique time to really learn about the CI/CD process (we aren't doing either yet) and that they were ok with all of my knowledge gaps as long as I demonstrated a willingness and ability to learn.

Probably not atypical for a small shop, but they basically have 1 or 2 gatekeepers who've not documented what they've done, and have built a pretty impressive ansible infra that is largely self-explanatory, although not always.

This tightly coupled knowledge base kills me. It was what I've always fought against in other organizations so that we can empower other people and have fewer silos etc. It's like a boat anchor in this shop. And there is so much weird shit in this place. Legacy gear, Windows shit, 10+ year CentOS boxes, FreeBSD, some awful VMware vSphere clusters, some AWS and Google Cloud etc. So for me this is dizzying with stuff I know so-so, and other parts that I'm clueless about.

I feel like I kind of put out fires and straddle sysAdmin/Linux desk jockey, and deploy jobs, add new deploys on top of existing ones, build out environments, but am not really solving real problems or contributing much because it takes so many asks to wrap my head around where something is because of the lack of documentation that my colleagues sometimes seem frustrated.

I use TeamCity and Jenkins but am not sure I could set shit up from scratch. It's like a Groundhog Day type feeling with repeating the first day you tried riding a bike.

Finally, being on call...I'm on call every other week and getting AlertOps at 2am was not what I had in mind. Feel exhausted and inadequate. Not loving doing the late night deploys. Am I the only one that thinks it's fucked to work till two AM routinely?

Have others gone through this? Did you come out OK? My concern is that I've never been a Dev, just a scripter with Python and worry that I just don't have the mindset for this.

Maybe as a 30 something I've merely forgotten what growing pains are about and need to shift my mindset to the "I'm getting paid to learn cool shit" attitude.

Salaries at this job are also really high. A colleague was like, yeah, they pay about 30% over market rate so that they can just throw you to the wolves without any resources...

https://redd.it/ohjzqc
DevOps vs Fullstack Development

I'm currently a Fullstack Developer (mainly JS, but know my way around PHP, Java, Python, etc) with some DevOps knowledge (CI/CD using Jenkins, some AWS, Heroku and bash).
I'm in a dilemma if I should double down on the DevOps side, studying some Terraform and getting AWS certifications or continue more focused on the development side.
I want to evaluate the pros and cons of the 2 career paths. Right now, I think DevOps is winning:
- Easy way to have credentials with Certifications
- Higher paying opportunities
- Better scoped tasks: software is never done, you can say IaC is done if it doesn't break.
- More opportunities for freelancing: I see lots of startups in need of consultancy for building a scalable cloud infra.
Want to hear you folks' opinions, what are the bad sides of DevOps work I'm missing? What are the advantages of SWE I'm not seeing? The best part for me in SWE is basically being more fun in general, but it surely can be cumbersome at times too.

https://redd.it/ohn4e4
Automation for ECS Fargate standalone tasks - is this even viable?

Good am guys, posting this question hoping for any valuable input.

So the situation is this: I've been given a task requesting to come up with a solution for delivering an automated deployment of ECS Fargate tasks. Now, while it sounds trivial, in fact it does not seem so: among the requirements there is 1 task definition for all tasks, each task should be able to override default environmental variables, and as I understood that's the main reason why they don't need ECS services.
So it has to be 1 task definition, no services and a fleet of tasks, each having unique env vars per tenant (customer).

And the other thing is that they don't need to build images as a part of this deployment/automation as they (devs) wish to take care of that someway else.

So far I've been trying to wrap my head around this for just a couple of days and have not yet had a chance to ask further questions or raise concerns (but inevitably that's gonna happen). Also the task itself is not new and there was another guy who already worked on it for some time and suggested creating some Jenkins jobs to automate this. However, at this point, I feel like the whole concept is not really viable and all I can think of right now is a series of some bash scripts running awscli commands to start/run/stop tasks and probably creating task definition revisions.

The other way around could be a bunch of task definitions, each containing a unique set of env vars, used by services and subsequently tasks. However, as they want various stages (dev, prod) and dozens of tenants, I'm not so sure about this method either.

Anyways, I would really appreciate any insights concerning this matter. Has anyone had any similar tasks back in the day?

Thanks in advance!

P.S.: I'm really sorry for my illiterate English in here, it's not my native language.

https://redd.it/ohm4dt
kubernetes: nginx ingress vs nginx server

Hello! Sorry if my question is going to be noob-ish, but I have only been learning k8s for 4 months and have now reached the Istio and ingress stages. So my question is:

Imagine I am running a site having php-fpm + nginx (via an upstream socket). On "bare metal" I would simply install php + its php-fpm module and let nginx handle the requests via fastcgi and locations.

Now imagine I want to move my site into the kubernetes cluster, and I have chosen ingress for flexible traffic management. How should the final architecture look? I mean, where should the actual "nginx+php-fpm" be? Should it be:

1. We install the nginx ingress
2. We run 2 containers (php-fpm + nginx) in the same pod/deployment

... or could ingress actually handle my php-fpm requests? I am concerned because in practice the nginx ingress looks like yet another web server handling the requests, so in fact it seems we have ingress + a separate server in the pod/deployment, that is why the question arose.

https://redd.it/ohm9oy
Who uses Sentry or Clubhouse.io?

Does anyone use Sentry? How is it compared to Jira?

What can and can’t you do in the free version?
I’m working on a project myself... Will I see that big of a difference?

https://redd.it/ohttn6
How do managed services work?

Hi all, I've been interested in some devops topics for a while, but there's something that I've been curious about for quite a while, but can't find much information.

I was wondering exactly how managed services like AWS RDS, DigitalOcean Kubernetes, AWS SQS, etc. work. I know of Ansible, where I could write playbooks and automate installations and server configuration etc. But it's still not clear to me how exactly it works.

So when I click on AWS the frontend sends a JSON payload to the backend, but how exactly does that translate to Ansible actions in a server? Is it a combination of Terraform and Ansible or something?

And how about the so-called serverless services? I've been using Lambda for quite a while, but how would one implement a service like Lambda?

This probably is not the most well formed question, so I was wondering if anyone could point me in the right direction to understand this a bit better.

Thanks!

https://redd.it/ohtqr9
Upgrading helm deploy with a different chart

Hello,

I ran into this peculiar issue in my home lab and want to use it as a learning opportunity.

I am running bitwarden local server, which was originally named bitwardenrs. I have used helm chart from k8s-at-home to deploy it - charts/charts/stable/bitwardenrs at bitwardenrs-2.1.11 · k8s-at-home/charts (github.com)

The server was recently renamed to vaultwardenrs and the deploy chart got updated as well - charts/charts/stable/vaultwarden at master · k8s-at-home/charts (github.com)

Now if I try to simply upgrade from one to another while providing existing deploy's name, I get the following error:

>Error: UPGRADE FAILED: template: vaultwarden/templates/common.yaml:1:3: executing "vaultwarden/templates/common.yaml" at <include "common.all" .>: error calling include: template: vaultwarden/charts/common/templates/_all.tpl:29:6: executing "common.all" at <include "common.pvc" .>: error calling include: template: vaultwarden/charts/common/templates/_pvc.tpl:7:19: executing "common.pvc" at <$PVC.enabled>: can't evaluate field enabled in type interface {}

I think the "right" process is to take a backup of bitwarden, delete it, start up a new container and restore the config. But I want to see if there's a way to migrate it to another chart.

Any suggestions on how to approach this? I am honestly not even sure if helm supports migration from one chart to another and my googling fails me so far.

Thanks!

https://redd.it/ohtdk3
With Azure DevOps, use of a single project, and a team of ten who can each work on everything in the project, is there any advantage to using multiple teams rather than one single team for everyone?

I have an organization that develops around 10 simple mobile apps a year. We are a team of ten people, 6 developers, marketing, research, graphics, project manager. Every person has the potential to be involved in every app, either designing, developing, fixing bugs, or creating assets.

We are planning to use Agile Scrum with an Azure DevOps single project to handle everything. What I would like to know is if there is any advantage in having a single or multiple teams. For example:

- One team for everyone
or
- One team for developers, one for marketing, one for management

https://redd.it/oi2q8b
What do you have within your pipelines to ensure that containers deployed are secure?

Learning more about this space and I'm wondering what you can get to ensure that your containers are secure all the time in terms of software patches and adhering to a specific hardening standard?

https://redd.it/oi3ut5
Ideas for a simple data Pipeline

I have a friend with a startup and he needs to set up a data pipeline that looks something like this:

1. Clients upload CSV files via his site, his backend stores them in S3.
2. Periodically (not in real time and not even same day), his data team needs to clean and transform the data.
3. The data folks also want to update training models based on this data.
4. The output needs to be dumped to a data lake.
5. Lastly, the output needs to be displayed/available in dashboards.

I've set up simple pipelines before but I'm not too clear on the tools/work involved in steps 2 and 3. I believe that SageMaker could be useful here. My friend's team uses Jupyter notebooks and Python extensively. He was thinking about using Snowflake but I think Athena might work well to start. Also, he's wondering about Tableau vs Looker.

tl;dr there are MANY different ways to do this kind of thing, I'm looking for recommendations on any/all of the above. Thanks in advance.

https://redd.it/oi5rd4
Can Chinese users use Azure DevOps?

I am looking at a project that will be hosted on Azure DevOps, with some pipelines that will have self-hosted runners, some in US, some in China.

Does anyone know, if there are any major difficulties for Chinese users to be able to use DevOps hosted repository and ability to pull/push code to git repo?

I know we'll need to test all this but just wondering if anyone has had some experience with getting US and Chinese contributors to work together like this and what obstacles have you encountered.

https://redd.it/oi9n72