New Podcast "DevOps Domination" - All things DevOps, Software, and Infrastructure!
Hey everyone! 👋
I recently launched a podcast about DevOps, and wanted to get some feedback. I only have one episode up but give it a listen and let me know what you think! Description follows:
>All the juicy details of being a DevOps/Site Reliability Engineer for large enterprises at your eardrums!
This is my first podcast and I don't have a proper microphone, and perhaps I say "um" too much, but if you can forgive all that, you might learn something interesting!
Link to the first episode on Spotify: https://open.spotify.com/episode/2G7xysNexS5KskJ11FEkMo?si=CpTLcb1rR_C-0YY-vx2YFA
If other people use different podcast hosts, let me know and I'll try to publish it there as well.
Looking forward to your feedback and suggestions for future episodes!
https://redd.it/qh5kg6
@r_devops
Spotify
CAP Theorem
Listen to this episode from DevOps Domination on Spotify. In this episode, we will review the infamous CAP Theorem and talk about how it relates to modern-day DevOps practices and distributed system design.
Curling apache gives 401 and varnish gets 500 from Apache
```
[centos@staging03 ~]$ sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:80       0.0.0.0:*        LISTEN  3600/httpd
tcp        0      0 127.0.0.2:80       0.0.0.0:*        LISTEN  1574/varnishd
tcp        0      0 172.31.22.60:80    0.0.0.0:*        LISTEN  1539/nginx
tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN  1251/sshd
tcp        0      0 127.0.0.1:25       0.0.0.0:*        LISTEN  1501/master
tcp        0      0 127.0.0.1:443      0.0.0.0:*        LISTEN  3600/httpd
tcp        0      0 127.0.0.1:6082     0.0.0.0:*        LISTEN  1573/varnishd
tcp        0      0 127.0.0.1:9000     0.0.0.0:*        LISTEN  3468/php-fpm
tcp        0      0 127.0.0.1:11211    0.0.0.0:*        LISTEN  1229/memcached
tcp        0      0 127.0.0.1:6379     0.0.0.0:*        LISTEN  1061/redis-server 1
tcp        0      0 :::22              :::*             LISTEN  1251/sshd
tcp        0      0 :::3306            :::*             LISTEN  1383/mysqld
```

I checked to investigate what's the issue with my server, and when I did:

```
curl 127.0.0.1:80
```

I got:

```
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at 127.0.0.1 Port 80</address>
</body></html>
```

On a different server where everything is working, I get a blank response. So I am thinking this is why I am getting a 500 varnish error from Apache.

In the Apache log, I didn't really get anything when I curled, but before that I got:

```
[Wed Oct 27 17:02:25 2021] [notice] caught SIGTERM, shutting down
[Wed Oct 27 17:02:25 2021] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 27 17:02:25 2021] [notice] Digest: generating secret for digest authentication ...
[Wed Oct 27 17:02:25 2021] [notice] Digest: done
[Wed Oct 27 17:02:25 2021] [notice] FastCGI: process manager initialized (pid 3602)
[Wed Oct 27 17:02:25 2021] [notice] Apache/2.2.15 (Unix) DAV/2 mod_fastcgi/2.4.6 configured -- resuming normal operations
```

So it seems FastCGI is properly configured and the issue I am getting from Apache is an authentication issue strangely enough. Is there anything else I can do to pinpoint what the problem is?

Varnish gives the following:

```
12 TxHeader b X-Varnish: 1537309960
12 RxProtocol b HTTP/1.1
12 RxStatus b 500
12 RxResponse b Internal Server Error
12 RxHeader b Date: Wed, 27 Oct 2021 21:14:18 GMT
12 RxHeader b Server: Apache/2.2.15 (CentOS)
12 RxHeader b Expires: Wed, 11 Jan 1984 05:00:00 GMT
12 RxHeader b Cache-Control: no-cache, must-revalidate, max-age=0
```

However, I have no way of checking what the 500 Internal Server Error is, because the error logs for PHP seem to be empty. One thing I noticed is that when I reboot and don't start Apache I get a
503 error, but now it's a 500 error. However, the reason for the error is not logged anywhere. Maybe you know how to get that log. Thanks.
https://redd.it/qh78x7
@r_devops
Storing secrets
Currently, all our passwords, API keys, etc are embedded in our code.
I started looking online but it just got me into a huge rabbit hole as there are just so many suggestions and considerations to make.
One of the things I saw more often is the use of vaults like HashiCorp/Ansible Vault. I know a bit about Ansible Vault and I recall it requiring inputting the vault password to retrieve the encrypted secrets.
This can be a problem since the code has to use the secrets as well.
Even if the code would be able to input the vault password, isn't it a problem by itself? Since that vault password would then be seen in the code? What approach should I consider? How/what components should interact with each other? Would it have operations considerations like monitoring, backups, deployments, etc?
Thanks ahead!
https://redd.it/qh5be6
@r_devops
I am currently a Cyber Security Analyst who is being offered a free 14 week DevOps course. Should I take it?
I value my time. I don’t want to take it just because it’s free. I don’t know a whole lot about DevOps or DevSecOps. Could you please tell me how it would be useful for me to take the course in terms of my career?
Edit:
It's supposed to prepare you for in-demand DevOps engineer type roles with hands-on experience maintaining application infrastructure through deployment, provisioning, configuration management and monitoring. You'll also learn about cloud technologies available for DevOps operations.
https://redd.it/qhc0q0
@r_devops
Free parallel jobs, stages, pipelines?
I've been working with Azure DevOps Pipelines and was looking at implementing parallel pipelines. Pipelines that would run concurrently for my microservices:
* /
* /admin
* /api
Apparently, this is not possible with Microsoft-hosted agent pools--I'm looking into self-hosted. Azure DevOps Pipelines supports parallel Jobs, which would run $40/mo per parallel job. So under a Stage, I would need a Job for each of the microservices.
Before dropping that, I was curious what, if any, other pipeline (GitHub Actions, GitLab CI/CD, etc.) might offer free parallel pipelines, stages, jobs, etc. or if this is a pretty common practice.
https://redd.it/qh6aq5
@r_devops
How to iterate and dynamically add the nic to loadbalancer in azure using terraform
Hi all,
I am trying to get the data source of the network interface ID dynamically as a variable, and I want the code to iterate through the list and add itself to the backend pool association. I am able to think of the below logic but am facing an error like "count can be used only when count argument is set". Please help me; the code is below.

```
# Look up each existing NIC by name, one data source instance per list entry.
data "azurerm_network_interface" "example" {
  count               = length(var.nic_name)
  name                = var.nic_name[count.index]
  resource_group_name = "networking"
}

# Associate each NIC with the load balancer backend pool.
# This resource sets no "count" argument but references count.index below,
# which is what produces the error quoted above.
resource "azurerm_network_interface_backend_address_pool_association" "example" {
  network_interface_id    = data.azurerm_network_interface.example[count.index].id
  ip_configuration_name   = data.azurerm_network_interface.example[count.index].ip_configuration[0].name
  backend_address_pool_id = azurerm_lb_backend_address_pool.example.id
}

# Names of the NICs to attach.
variable "nic_name" {
  type    = list
  default = ["somenic1", "somenic2"]
}
```
https://redd.it/qh5a81
@r_devops
Being afraid of asking a technical question to my coworkers
I have been hired (mid DevOps) along with 2 juniors at the same time. Currently, I am assigned to one project with one of them and one senior dev. We have some K8s to deploy in AWS.
The second junior has been fired after failing one project where his senior was angry at him all the time just because he was asking a lot of technical questions.
Now I am afraid that I will be fired too even if I have some troubles on my way.
Is it a normal state of the company? Previously I was in a company where everyone was learning from everyone and asking a question was a common thing.
https://redd.it/qhiaue
@r_devops
Future proofing... Realistic things I can do, without having programming experience?
So, Systems Engineer here focusing on networks and voice.
The writing is on the wall for my role (not straight away, probably 5 years or so) as it is now, and will be absorbed into a virtual and automated platform....
I have a looonnggg time left in my career, so what can I do to future proof myself? Bearing in mind these skills will only be built in a "non work" environment, as I currently don't deal with virtualisation or automation. I just don't want to be in a position where I've been de-skilled by technology...
I've done a year each in college of C, C++ and Java, but that was over 10 years ago and never professionally.
I can drive Linux for what I need it to do at the moment, can do basic scripting, have a basic understanding of Python.
I am almost a CCNP also.
What can I be doing to cultivate DevOps skills, that I can present in an interview, that isn't seen as personal time "fluff"? I'm almost certain I won't get experience in DevOps skills for a year or 2 at least in my current role.
The Cisco DevNet exams seem like a logical choice, but still aren't real-life examples.
https://redd.it/qhj5c9
@r_devops
Not allowed to have a cross-functional DevOps team
My team are now DevOps and have been for around 2 years. It has been a transition from the "old" model where Software Engineers developed the software and another team handled infrastructure and operations. We've now moved our systems from on-premise to the cloud and the team are supposed to be DevOps Software Engineers doing both development and operations, including creating, deploying, operating the virtualised infrastructure.
We are a team full of Software Engineers with no prior "Operations" experience and we're getting tired of just doing Operations and not enough Development. We had the idea to ask our line manager to put someone in our team with an Operations focus to join the team to make it cross-functional so the "Software Engineers" could get a satisfying diet of development and the Operations expert could get a satisfying diet of Operations.
My line manager has declined the request saying that our company has a policy of not having cross-functional teams. We are not allowed to have cross-functional DevOps teams in our company supposedly. Instead, every engineer must do both Dev & Ops.
What are your thoughts on this situation and what are your thoughts on advantages/disadvantages of having a cross-functional team so that developers can get their fair share of satisfying "coding"? :-)
https://redd.it/qhk2d7
@r_devops
Grafana
Is there a way to visualise latency for different API endpoints through Prometheus in Grafana dashboards?
https://redd.it/qhnpj5
@r_devops
Trigger GitHub Action after commenting a specific message
I want my GitHub Action to trigger only after a specific message/command is commented on the PR. Is this possible?
https://redd.it/qhuj3k
@r_devops
Share your DevOps horror stories 🎃👻 🎃
Hey folks, as part of Halloween, share your DevOps horror stories that can be of use to others.
https://redd.it/qhqyhl
@r_devops
Have you managed to make a self-service EC2 portal?
What I mean is this: we have a lot of devs constantly testing things. We were a very small infra/DevOps team until lately and so most of them are used to having admin privileges and just kinda using the dev account as a playground.
The result, unsurprisingly, is dozens of instances with no clear owner, and we're unsure if it's even needed. Most surely aren't.
We're in the process of implementing tagging and other such identifiers, but an ambitious goal of ours is to allow people to spin up instances but with more "guardrails", and using Terraform.
I imagine this can be accomplished with a Flask frontend collecting variables, building a tfvar, and then passing it into Terraform or something similar. But of course that sounds a bit difficult and hard to maintain to say the least.
I wanted to ask if any of you have done this successfully, or if you know of some good - ideally free - software that can do it. Or is it just a fool's errand to try to wrangle unpredictable needs into a template like this? Is this taking "self service" too far in the name of cutting down on technical debt? Will we just make ourselves more debt at the end of the day?
https://redd.it/qhxtlc
@r_devops
The process of declining a git push.
I'm trying to understand the process of automatically declining a push that has failed CI tests.
Does the flow go like the following?
* someone attempts to push changes
* remote branch sees the change but doesn't accept it yet, routes to CI server
* CI server runs tests and, based on the return code, decides whether to accept the push or not
If not, what happens after the push? What component in git doesn't accept the push yet, and how does it interact with the CI tests?
Thanks ahead!
https://redd.it/qhvh4p
@r_devops
How do I config php-fpm properly?
Ok, so I checked the Apache configs on the server where I can get websites running and the configs on the website where varnish keeps returning 503 and 500 and I found they were the same. The only difference is php-fpm, but I can't think of the reason why that would be the case.

```
[root@webdev01 ~]# sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.2:80       0.0.0.0:*        LISTEN  1679/varnishd
tcp        0      0 172.31.23.5:80     0.0.0.0:*        LISTEN  1644/nginx
tcp        0      0 127.0.0.1:80       0.0.0.0:*        LISTEN  1620/httpd
tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN  1177/sshd
tcp        0      0 127.0.0.1:25       0.0.0.0:*        LISTEN  1439/master
tcp        0      0 172.31.23.5:443    0.0.0.0:*        LISTEN  1644/nginx
tcp        0      0 127.0.0.1:443      0.0.0.0:*        LISTEN  1620/httpd
tcp        0      0 127.0.0.1:6082     0.0.0.0:*        LISTEN  1678/varnishd
tcp        0      0 127.0.0.1:11211    0.0.0.0:*        LISTEN  1155/memcached
tcp        0      0 127.0.0.1:6379     0.0.0.0:*        LISTEN  1072/redis-server 1
tcp        0      0 :::22              :::*             LISTEN  1177/sshd
tcp        0      0 :::3306            :::*             LISTEN  1315/mysqld
[root@webdev01 ~]#
```

This is where it's working, and we don't see php-fpm.

```
[centos@staging script]$ sudo /usr/sbin/php-fpm
[28-Oct-2021 15:17:31] ERROR: An another FPM instance seems to already listen on /var/run/php-fpm/php5-fcgi-staging01.sock
[28-Oct-2021 15:17:31] ERROR: FPM initialization failed
```

So it's running on a sock? But for some reason I don't see it listening to a port? Are they different?

```
[root@webdev01 ~]# sudo service php-fpm status
php-fpm (pid 1455) is running...
```

So it's running.

On the server where I can't have it running I have:
```
[centos@staging03 script]$ sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.2:80       0.0.0.0:*        LISTEN  2624/varnishd
tcp        0      0 127.0.0.1:80       0.0.0.0:*        LISTEN  2580/httpd
tcp        0      0 172.31.22.60:80    0.0.0.0:*        LISTEN  1582/nginx
tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN  1290/sshd
tcp        0      0 127.0.0.1:25       0.0.0.0:*        LISTEN  1544/master
tcp        0      0 127.0.0.1:443      0.0.0.0:*        LISTEN  2580/httpd
tcp        0      0 127.0.0.1:6082     0.0.0.0:*        LISTEN  2623/varnishd
tcp        0      0 127.0.0.1:9000     0.0.0.0:*        LISTEN  3397/php-fpm
tcp        0      0 127.0.0.1:11211    0.0.0.0:*        LISTEN  1268/memcached
tcp        0      0 127.0.0.1:6379     0.0.0.0:*        LISTEN  1061/redis-server 1
tcp        0      0 :::22              :::*             LISTEN  1290/sshd
tcp        0      0 :::3306            :::*             LISTEN  1422/mysqld
```

I looked inside etc/php-fpm.d and found this file:
​
[php5-fcgi-elvis]
listen = /var/run/php-fpm/php5-fcgi-elvis.sock
listen.allowed_clients = 127.0.0.1
user = elvis
;group = elvis
pm = dynamic
pm.max_children = 50
pm.start_servers = 14
pm.min_spare_servers = 14
pm.max_spare_servers = 25
pm.max_requests = 500
catch_workers_output = yes
request_slowlog_timeout = 8
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
listen.owner = apache
listen.group = apache
listen.mode = 0666
​
And it's almost the same as the one on the faulty server:
​
[php5-fcgi-staging03]
listen = /var/run/php-fpm/php5-fcgi-staging03.sock
listen.allowed_clients = 127.0.0.1
user = staging03
;group = staging03
pm = dynamic
pm.max_children = 13
pm.start_servers = 4
pm.min_spare_servers = 4
pm.max_spare_servers = 7
pm.max_requests = 500
catch_workers_output = yes
request_slowlog_timeout = 8
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
listen.owner = apache
listen.group = apache
listen.mode = 0666
​
However, I found this www.conf file also:
​
[www]
group = apache
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
​
So would deleting this www.conf file solve every problem? Because I am thinking there are additional steps. I just don't have the full picture to know what are the things that I can check and what are the things that are wrong.
https://redd.it/qhxtin
@r_devops
DevOps Bootcamp
Hello!
Has anyone taken the Bootcamp below?
https://www.techworld-with-nana.com/devops-bootcamp
I saw some of her videos on YouTube and she seems very knowledgeable. I was wondering if anyone could recommend her Bootcamp.
Thanks
https://redd.it/qi2w9z
@r_devops
Open-source Wireguard VPN automation with Wiretrustee
Hey folks,
I've been making a few posts about Wiretrustee on Reddit (mostly channels related to self-hosting), but for some reason never did it here :)
We got lots of positive feedback about the project from individuals that are self-hosting the solution and using a free managed version for private use cases (e.g. connecting RPis, building home networks, private Minecraft servers, etc).
I'd love to hear your opinion about the project. Maybe you'd have some cool use cases or maybe point out something that is missing. I'm also curious about the VPN needs of small/medium IT/Engineering teams.
Your feedback will help to further develop the project.
Shortly about Wiretrustee. The details can be found on Github.
Wiretrustee is an open-source VPN platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
Wiretrustee automates Wireguard-based networks, offering a management layer with:
Centralized Peer IP management with a UI dashboard.
Automatic Peer discovery and configuration.
UDP hole punching to establish peer-to-peer connections behind NAT, firewall, and without a public static IP.
Connection relay fallback in case a peer-to-peer connection is not possible.
Open Source.
Could be self-hosted.
Works on Linux, Mac, Windows, ARM devices.
Future plans:
Multitenancy.
DNS
Client application SSO with MFA.
Access Controls.
Activity Monitoring.
Let me know what you think. Thank you!
Disclaimer
I'm the author and contributor to the project.
https://redd.it/qi9hej
@r_devops
GitHub
GitHub - netbirdio/netbird: Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access…
Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. - netbirdio/netbird
100 days plan to learn and upskill for job opportunities in DevOps ( CICD Tools, Docker, Kubernetes, Ansible, Cloud, Terraform, Grafana & more! ).
Are you looking for a job in a DevOps career? Did you decide to upskill yourself and start looking for jobs in DevOps roles? I have created a study plan for you. Check this one and let me know if it is feasible for you.
Study 2 hrs a day for the next 100 days. The main areas of focus would be system administration, programming, DevOps tools and cloud platforms. Most of the topics below are covered in a video series. You will find these learnings, from introductory to advanced knowledge, are better than books and paid lectures.
The breakup is as follows:
System Administration: Focused on RHCSA/RHCE -- 15 mins per day
Programming: Learn enough for scripting in Python, Go, Ruby -- 1 hour per day
DevOps Tools: Jenkins/GitLab, Docker, Ansible, Kubernetes, Terraform -- 20 mins per day
Cloud: AWS/Azure/GCP -- 15 mins per day
Monitoring: Prometheus, Splunk, Grafana -- 10 mins per day

If you are capable, it would be wise to learn these 5 topics in parallel, or you can concentrate on one at a time, complete it and then move to the next one.
Suggestions, feedback, criticism all are welcome.
Ask yourself: are you serious about becoming a DevOps engineer in 2021? If yes, then click the Subscribe button now and spend quality and consistent time developing your skills. Finally, good luck; well, no, it's not about luck, more about discipline ...
https://redd.it/qid6ap
@r_devops
Move on or stay?
So, I recently got into a DevOps role with a company I've been with for 2 years (only DevOps engineer). I'd say I'm a strong 3rd line/Senior Sysadmin/light dev. I'm in charge of two companies' platforms (which is odd, I know, but we're in that growing phase), both fully cloud based, 1 with hilarious amounts of microservices/pipelines etc. which I build/maintain. As part of an overall strategy we want to implement more automation with our environments etc., which is great. So we got some outside consultancy from a DevOps group and they are planned to be coming in to do the work.
So my thing with each company I go to is that I like going in at the time when they're growing very quickly and becoming quite large; I end up with way more responsibility and experience than I would have had being at a giant company. This has worked great over the past couple of years and I've reached the point where I would cash out again in terms of experience with the big DevOps push strategy. But I'm thinking that with the 3rd party guys coming in, is there any point in me being there if they're going to do everything anyway?
https://redd.it/qicpqx
@r_devops