Have an interesting issue and i am outta ideas…
So here I am.
Have a Windows user in our internal app, not local, she’s in another state. When making certain requests to a certain endpoint in the app, nothing happens. No network events, no console messages, nothing. Our API logs show 204/304 for those reqs, which isn’t unusual.
CloudFront or EC2 logs aren’t showing anything abnormal.
Thought maybe it’s a machine issue.
So pulled network config things, nothing outta the norm there.
We’ve tried multiple browsers, machines, flushed DNS, ran network device cleanup, ran system file cleanup, all w/ the same results of her not being able to make certain reqs to certain endpoints.
Checked Chrome HSTS settings, removed domain in question from HSTS.
Checked hosts file, nothing outta the norm there.
She tried on a personal machine, as I don't have another one to give to her (outta state).
She drove to a coffee shop, same result.
Host is pingable from the machine... Host is not accessible by IP.
VPN didn't change anything.
Request is initiated as a fetch.
Copied the XHR request as curl, had them run it on their machine and curl threw an error that it couldn't resolve any of the headers when she ran it.
So, here we are... Thoughts?
And this has only been happening since Tuesday. No new deploys, no changes to our DNS, no updates to user machine.
https://redd.it/10rz7ic
@r_devops
Discovering Six Critical Docker Desktop Privilege Escalation Vulnerabilities. (Bonus: New OSS Tool!)
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-1
Eviatar also put his new tool PipeViewer up on GitHub as well.
https://github.com/cyberark/PipeViewer
https://redd.it/10rynk0
@r_devops
Cyberark
Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1
Everything started when I was researching Windows containers. It required installing Docker Desktop for Windows, and I couldn’t help but notice that there were many Docker processes. Since some of...
My predictions for the future of observability
What do you want to see when it comes to the future of observability?
For me, I think our biggest opportunity is greater visibility into third-party cloud dependencies, because they are so common in our stacks, have a huge impact on our reliability, and reliable data about service health is so hard to get. My #1 hope is that we can have distributed tracing that crosses boundaries between my environments and the environments of the cloud vendors we build on.
I wrote about what I want here, and I'd love to hear what everyone else thinks the future has in store for us when it comes to observability.
https://redd.it/10s261i
@r_devops
Metrist
My Predictions For the Future of Observability - Metrist
Observability is an exciting, emerging field. My co-founder, Ryan, and I have been here since the early days (including being some of the first hires at Server Density and New Relic, back when we just did monitoring), we’ve seen the field grow in significant…
How to make sure that my company laptop isn't tracked in any way from them
Hello guys,
I am ready to take this big leap and make my dream come true. To break the Matrix! So I am really seriously considering starting to work abroad instead of in the country of my employer (both EU though). That would make it a bit easier to move around as a digital nomad or work from my home country and avoid the nonsense expensive rent that I pay now for being close to the office and going just 6-7 times per year...
So, what stuff should I check on my laptop? I have admin access so it shouldn't be a problem to tweak stuff.
About the internet connection thing, I know that even a VPN is not enough, but it isn't getting checked by the company and many people are also working abroad, even temporarily, so it shouldn't be an issue, though I have come up with a workaround even for this...
Other useful tips/tools appreciated.
The only thing that I haven't figured out how to cover yet is the issue of using my bank card from the employer's country abroad for months and months.
https://redd.it/10s68ux
@r_devops
Transport, finance and other high risk fields
Hello everyone, I wanted to know how senior developers write safe code in fields such as transportation, finance and others, where code can lead to huge mistakes.
What are the best practices to follow? If there are no best practices what should a person be trained in before they can work in such fields before becoming a senior developer?
https://redd.it/10rwey9
@r_devops
Reddit
r/devops on Reddit: Transport, finance and other high risk fields
Posted by u/Impossible_Worth_440 - 2 votes and 9 comments
Kubernetes, gcp and mutual tls
I want to be able to expose services on GKE with mutual TLS, which isn't handled by the regular GCP HTTP(S) LoadBalancer.
For now the architecture I have in mind would be something like this:
- create my services to be exposed (deployment and corresponding service)
- create an NGINX ingress in front of those (which is configured with mutual TLS)
- create a TCP LoadBalancer in front of the NGINX ingress
But I'm not sure exactly how to do this with Kubernetes, could someone show me?
https://redd.it/10rvl9v
@r_devops
What are the best SAST tools for Docker containers?
What are the best SAST tools for Docker containers? I think Checkov does some analysis, but I am wondering if there are better things out there for containers.
https://redd.it/10rqezq
@r_devops
Multiple AWS Accounts vs Multiple AWS IAM Users vs Multiple AWS IAM Roles
What do you mostly use for managing AWS in your organization? and why?
Please share your experience!
https://redd.it/10sc958
@r_devops
Has anyone done a comparison of Trivy vs Clair for container scanning?
If so, what did you find in your evaluation?
https://redd.it/10scdn3
@r_devops
Learnings from 17 years as a Google SRE
Companies have different ways of handling on-call. And Dave O'Connor has seen many different approaches. Dave is currently VP of SRE at Twilio. He also ran SRE at Elastic and spent 17 years as an SRE at Google. Here's an interview about Dave's on-call experience. Dave shared his learnings.
https://redd.it/10sehg5
@r_devops
Fiberplane
On-call with Dave O'Connor - Blog
Dave has worked in SRE for about 20 years - at Twilio, Elastic and Google. His first on-call shift at Google was a "baptism of fire".
Where do I search for DevOps internships?
Hello! I’m a third-year Computer Engineering student, learning to practise DevOps. Can anyone suggest platforms to look up internships which would be helpful for my DevOps career, as it’s compulsory for third-year engineering students to do an internship.
I’ve checked LinkedIn, but it’s just showing local companies specific to India and there aren’t a lot of remote internships available there.
I’m good at shell scripting, Linux CLI, Docker.
Also, can you suggest what I should know, theoretical and practical, to get and complete the internship successfully?
https://redd.it/10sdyhm
@r_devops
Broke the Kubernetes cluster, and asked ChatGPT to write me a poem about it in Shakespeare style
"The cluster hath been shattered, the pods destroyed,
But fear not, for I shall repair it with joy.
Anon, 'twill be up and running with might,
And all shall be well in the morning light."
https://redd.it/10sfoie
@r_devops
How do you remodel Jenkins for a modern, container based environment?
Things in progress at our company:
Containerization of our large, mostly Windows based monolithic projects, making them modular and not dependent on Windows anymore
Slowly shifting to K8 for the projects, test-systems and tools that support it
But we are still using an 8-year-old version of Jenkins.
My task is to build everything anew in a better, modern and up-to-date way.
If you were in my shoes and Jenkins also a non-negotiable must-have for CI, how would you start?
Would you still use Jenkins for Continuous Delivery or something else?
Does Jenkins hinder the whole Kubernetes workflow?
Or is this the completely wrong way to start modernizing the toolchain?
What are your experiences with switching from old CICD & software architecture/design to full automation of modular/containerized applications?
https://redd.it/10sfknd
@r_devops
OAuth/OIDC: id token & access token issue
Following scenario:
I want a user to authenticate through a single page application to my platform. Therefore I will use OAuth/OIDC. The platform contains several services, so I thought of passing around a token between them. All the authorization concerns are handled internally by the platform itself. A microservice only needs to know who a user is.
As far as I know, id-tokens always should remain at the client and not be passed around. The access token is used for authorization and should be passed to the API of my platform but should not be used for authorization.
How can I handle this?
BR and much thanks!! :)
https://redd.it/10rtfcn
@r_devops
What is the best redis client for mac out there?
I want to stop using redis-cli but can't find a client out there that's free or at least not too expensive. Would appreciate it if you know one
https://redd.it/10sjjih
@r_devops
EKS - managing SSL/routing through annotations and controller vs managing routing outside of EKS on the ALB/LB
I have a client who is stubborn on trying to manage rules and routing and TLS on the ALB instead of letting the controller do the work through annotations. I am trying to convince them that this would be an anti-pattern for Kubernetes deployments.
Points for controller + cert manager etc.:
- reduce blast radius to the pod that annotated
- let developers test faster by deploying and not worrying about rules getting added for something to work
- all the neat features the LB controller brings
- group workloads to use a certain LB
- dynamically provision the LB
- scaling will be as easy as adding new pods and annotations
- industry standard??
Points for putting the SSL cert on the ALB and then managing target groups/rules either manually or through Terraform:
- will need to manage the target groups and rules outside of EKS
- increases the blast radius to all the pods in the cluster
- scaling will become tedious
- IPs on pods can change, so before every apply or change, will need to ensure the target groups point to the right IPs etc.
What other points might I have missed which can tip in favor of one or the other?
https://redd.it/10sl20e
@r_devops
Puppet Bolt: multilevel inventory file
Hey all,
We've been using Puppet Bolt for a while now. For our new deployment strategy we would like to use a multilevel inventory file, however I can't find any examples of the file or the code to call the file correctly in a bolt command.
Can anyone help me and provide these examples?
https://redd.it/10rrzab
@r_devops
Why no databases mentioned in Road to devops
I noticed that the Road to devops site, which is very practical, does not have any databases.
I would expect it to have at least Postgres and MySQL mentioned.
Any thoughts? Some DB knowledge seems like something important to acquire IMHO
https://redd.it/10ry1db
@r_devops
roadmap.sh
DevOps Roadmap: Learn to become a DevOps Engineer or SRE
Step by step guide for DevOps, SRE or any other Operations Role in 2026
GitLab CI: How to run only after deployment?
Hi Reddit,
I am putting database deployment into the CI pipeline, and thanks to Liquibase, that is made simple by only having to run a single command.
The problem is every time a merge request is created in GitLab, the pipeline will run before the merge happens. I would like it to run after the merge has been completed, and not before.
I tried using $CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" but it still runs at the merge request creation. I do have GitLab premium and enabled the merge result pipeline, but I just couldn't figure out how to use it.
Does anyone know how to accomplish that?
https://redd.it/10spomx
@r_devops
From IT to DevOps
After 9 years of working as IT support, finally got this first junior DevOps job offer after trying so hard to make this transition.
Learned for almost a year, I did so many courses and paid labs, also plan to take the Kubernetes and SAA exams soon and .
BUT I don't have any prior hands-on experience in production with Kubernetes, Docker, CI/CD, EKS.
Can someone give me some tips, advice or any self well-documented step-by-step procedures on how to deploy apps in EKS etc., best practices and anything that could help in this difficult beginning period?
Thanks
https://redd.it/10sqxir
@r_devops