Reddit DevOps
Reddit DevOps. #devops
Thanks @reddit2telegram and @r_channels
Is there a more secure way to set up a CI pipeline for a FUSE Project That Does Not Involve Enabling the Privileged Flag for Docker or GitLab Runner?

I'm playing around with setting up a CI pipeline that runs e2e testing for work. This project involves having a FUSE mount, and e2e testing for this project is done manually, which frankly sucks. I'm developing a script to automate this, but I'm wondering whether I can go one step further and make this run in a CI pipeline on GitLab.

I've tested that mounting FUSE only works if the runner is privileged, but my question is whether there is a more secure way of doing this. It would be greatly appreciated if there are similar open source pipeline examples of doing this.

Thank you!

https://redd.it/1ip93ec
@r_devops
Looking for advice on understanding developer experience

Hey everyone,

Lately, there's been a lot of talk about how developer experience impacts productivity. Research shows that productivity isn’t just about metrics, it’s also about how developers feel about, think about, and value their work. In our team, we’ve been relying on developer feedback to uncover inefficiencies in our processes.

That’s why we’re considering a tool that could help teams better understand devex. The idea is to integrate surveys into Bitbucket with customizable templates and questions on the most common challenges developers face at work to gather their feedback on the whole working environment. You can find more details on the vision here: https://link.stiltsoft.com/dev-surveys

However, we're unsure if surveys are the best way to measure developer experience and would love to hear your thoughts:

Do you measure developer experience in your company?
What tools or methods do you use to track developer experience?

https://redd.it/1ip9r2q
@r_devops
I promise this will improve your chances of getting more interviews

I made a website that converts your cv to match the job description automatically without manually copying and pasting your CV. Visit https://cvconverter.replit.app/ to get started

https://redd.it/1ipbodj
@r_devops
SRE Interview Questions

I work at a startup as the first platform/infrastructure hire, and after a year of nonstop growth we are finally hiring a dedicated SRE person, as I simply do not have the bandwidth to take all that on. We need to come up with a good interview process and I am not sure what a good coding task would be. We have considered the following:

* Pure Terraform Exercise (i.e. writing an EKS/VPC deployment)
* Pure K8s Exercise (write manifests to deploy a service)
* A Python coding task (parsing a log file)

What have been some of the best interview processes you have gone through that have given the best signal? Something that can be completed within 40 minutes or so.

Also if you'd like to work for a startup in NYC, we are hiring! DM me and I will send details.

https://redd.it/1ipcn2i
@r_devops
Struggling with Docker Rate Limits – Considering a Private Registry with Kyverno

I've been running into issues with Docker rate limits, so I'm planning to use a private registry as a pull-through cache. The challenge is making sure all images in my Kubernetes cluster are pulled from the private registry instead of Docker Hub.

The biggest concern is modifying all image references across the cluster. Some Helm charts deploy init containers with hardcoded Docker images that I can’t modify directly. I thought about using Kyverno to rewrite image references automatically, but I’ve never used Kyverno before, so I’m unsure how it would work—especially with ArgoCD when it applies changes.

Some key challenges:

1. **Multiple Resource Types** – The policy would need to modify Pods, StatefulSets, Deployments, and DaemonSets.
2. **Image Reference Variations** – Docker images can be referenced in different ways:
* [`docker.io/distribution/distribution`](https://docker.io/distribution/distribution)
* `distribution/distribution`
* `alpine` (which actually maps to `library/alpine`, so I’d need to account for that).
3. **Policy Complexity** – Handling all these cases in a single Kyverno policy could get really complicated.

Has anyone tackled this before? How does Kyverno work in combination with ArgoCD when it modifies image references? Any tips on making this easier?

https://redd.it/1ipdwpo
@r_devops
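The post above lists the three ways a Docker Hub image can be written and notes that a bare name such as `alpine` really means `library/alpine`. Whatever rewrites the references (a Kyverno mutate rule or anything else) has to apply exactly that normalisation, so the following added example, which is not code from the post, from Kyverno or from ArgoCD, implements the reference grammar in Python and walks the pod template of a Pod, Deployment, StatefulSet or DaemonSet, rewriting `initContainers` and `containers` alike. The private registry hostname and the sample manifest are constructed placeholders; images from registries other than Docker Hub are left untouched so the rewrite cannot silently redirect them.

```python
from __future__ import annotations

# Hostname of the private pull-through cache: an assumed placeholder value.
PRIVATE_REGISTRY = "registry.internal.example"
# Hostnames that all resolve to Docker Hub.
DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def parse_image_ref(ref: str):
    """Split an image reference into (registry, repository, tag, digest).

    Follows the Docker reference grammar: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    reference is implicitly on docker.io, and a single-component repository
    lives under the 'library/' namespace.
    """
    digest = None
    tag = None
    rest = ref
    if "@" in rest:                      # digest form: name@sha256:...
        rest, digest = rest.split("@", 1)
    # A ':' introduces a tag only when it comes after the last '/'
    # (otherwise it is a registry port such as localhost:5000/foo).
    last_slash = rest.rfind("/")
    last_colon = rest.rfind(":")
    if last_colon > last_slash:
        rest, tag = rest[:last_colon], rest[last_colon + 1:]
    parts = rest.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, "/".join(parts[1:])
    else:
        registry, repo = "docker.io", rest
    if registry in DOCKER_HUB_HOSTS and "/" not in repo:
        repo = "library/" + repo         # alpine -> library/alpine
    return registry, repo, tag, digest


def rewrite_to_private(ref: str) -> str:
    """Return the reference pointed at the private cache if it is a Docker Hub
    image; return it unchanged for every other registry."""
    registry, repo, tag, digest = parse_image_ref(ref)
    if registry not in DOCKER_HUB_HOSTS:
        return ref
    out = f"{PRIVATE_REGISTRY}/{repo}"
    if tag:
        out += f":{tag}"
    if digest:
        out += f"@{digest}"
    return out


def rewrite_manifest(obj: dict) -> list:
    """Rewrite image fields in place for a Pod or for any workload whose
    spec.template holds a pod spec (Deployment, StatefulSet, DaemonSet).
    Returns the list of (old, new) pairs that were changed."""
    if obj.get("kind") == "Pod":
        pod_spec = obj.get("spec", {})
    else:
        pod_spec = obj.get("spec", {}).get("template", {}).get("spec", {})
    changes = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            old = container.get("image")
            if not old:
                continue
            new = rewrite_to_private(old)
            if new != old:
                container["image"] = new
                changes.append((old, new))
    return changes


# Constructed sample Deployment covering the three reference styles plus a
# non-Hub image that must be left alone.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "alpine:3.19"}],
        "containers": [
            {"name": "reg", "image": "docker.io/distribution/distribution"},
            {"name": "app", "image": "ghcr.io/example-org/app:1.0"},
        ],
    }}},
}

if __name__ == "__main__":
    for old, new in rewrite_manifest(SAMPLE_DEPLOYMENT):
        print(f"{old} -> {new}")
```

The digest is preserved on rewrite, which matters for a pull-through cache: a digest-pinned reference still resolves to the same content after the hostname changes, whereas a tag could drift if the cache is ever populated from a different upstream.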
Do you bump helm chart version manually?

So currently I'm bumping my helm chart versions manually. The version is the same as appVersion, and the appVersion is also set manually whenever I push to GitHub; I have release-please creating a new PR and then I manually sync that version in my chart.

I feel like this can be automated, but I don't know how. Is there a tool that does this?

https://redd.it/1ipf8ca
@r_devops
Is yq available in CKA?

So far, I’ve only used yq instead of jq or kubectl jsonpath, and it worked fine in KodeKloud labs, Killercoda, and Killer.sh.

I assumed it would be available in the exam as well, but after reviewing the guidelines, I noticed that only jq (and some other tools) are explicitly mentioned as configured—yq is not.

Can anyone who has taken the exam confirm whether yq is available?

Thanks!

https://redd.it/1ipgfeb
@r_devops
Deploying via GitHub code runner running on target server?

I'm taking over the lead on development of a node.js project at work and want to automate where I can to make things easier and less tedious for myself. The former lead had been manually updating the builds and restarting the pm2 service outside of work hours, and that is something I can't abide if there's any other way.

I was able to get automated deployment working on our demo server by making a batch script which runs as a cron job and does everything manually, but it's not very robust and I realize I probably shouldn't try to reinvent the wheel here. I've been looking into GitHub Actions, which until now I've only really used with GitHub's provided code runners, and I've seen some tutorials that say to have the code runner actually run on the deployment machine. I'm curious if this is an intended use case and good practice or if it's a hack, since these tutorials were all made by individuals and I didn't see any documentation on GitHub suggesting deployment this way.

I've also seen some tutorials that say to use ssh/scp actions to build via a runner from anywhere and then send the builds to the target server and have it run a script to restart services, but for my use case this would require sending about 1GB of dependency packages and also the target server does not have ssh access outside of a VPN so it wouldn't even be possible without having IT make some networking changes which they may not even approve.

So my question is, would it be an appropriate use of a code runner to have it run on the actual server the app runs on? Additionally, is there a way to have a workflow that is both triggered by a git push AND waits until a specified time to execute (our app is generally only used in our time zone and we want to update during a time where it is less likely to disrupt service), or if I go this route should I have the code runner instead run on a schedule and exit early if there are no new commits? Any feedback would be greatly appreciated!

https://redd.it/1ipim82
@r_devops
I am using GitHub Actions to deploy an Azure App Service for every PR that my dev team creates but can't find a way to clean them up after the PR gets merged into the main branch

Hi there…

I set up my GitHub Actions to deploy an App Service each time our dev team creates a PR with their code, and it is creating fine.

But after the PR gets merged those test App Services just stay there. I can't find a way to automate the clean up.

Any takes on this one 🫡

https://redd.it/1ipsv2r
@r_devops
Terraform Certification

Hi, I originally worked as a data scientist but I have been leaning toward DevOps recently. Is it worth getting the Terraform certification these days?

https://redd.it/1ipxbxl
@r_devops
Best VPS hosting for Enterprise, more storage lower cost

Hello,

I have been using GCP for a while and never had any issues, however the pricing seems a bit extreme compared to other hosts.

What I'm looking for is a VPS with:
* 1 GB RAM
* 1-2 vCPUs
* 300 GB SSD or NVMe

I see some hosts offering 100 GB NVMe for $4 monthly, but with GCP the price is 10-fold.

I need a stable connection that almost never goes down, with redundancy in place.

This is for an application that just pings multiple endpoints and saves massive data in a MySQL database every minute. In one year, the DB size is 50 GB.

https://redd.it/1ipyjvq
@r_devops
Cloud sql - pay only for storage (db size)

Hello,

Are there any budget-friendly and reliable cloud SQL providers that offer just cloud SQL without requiring CPU or memory?

The only one I found was Azure with the DTU option, but the pricing increases significantly above 100 GB storage size.

I just need an online SQL database where I push data every minute, around 50 GB worth per year.

Sometimes I can ping it from another application to download 5k-10k rows.

https://redd.it/1ipzcy3
@r_devops
AWS SCP comparisons

Hello Experts, I have a lot of SCPs attached to my OUs and accounts. I would like to find out whether my SCPs are overlapping. Manual checks can be tedious; I would like to use some AI / automated way to find these repetitive actions.
Any advice?

https://redd.it/1ipyzkw
@r_devops
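One automated check the post above is asking for can be done without any AI: parse each SCP document, take the `Deny` statements, and report pairs of SCPs whose action patterns cover each other (exact match or wildcard match in either direction) under the same `Condition` block. The following is an added example written for this post, not a tool from AWS or from the poster; the four SCP documents are constructed samples and their names are placeholders. Statements with different conditions are deliberately not reported as overlapping, because two denies with different conditions restrict different requests even when the action strings match.

```python
import fnmatch
import json
from itertools import combinations

# Constructed sample SCPs (placeholders, not real policies).
SCP_DOCS = {
    "DenyRegions": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}},
        }],
    },
    "DenyS3Delete": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
            "Resource": "*",
        }],
    },
    "DenyS3Wild": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    },
    "DenyIam": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["iam:CreateUser", "s3:DeleteBucket"],
            "Resource": "*",
        }],
    },
}


def deny_actions(policy: dict):
    """Yield (condition_key, action_pattern) for every Deny statement.

    Handles the single-statement and single-action shorthand forms of the
    policy grammar, lowercases actions (IAM matches them case-insensitively)
    and serialises the Condition block so equal conditions compare equal.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        cond_key = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in actions:
            yield cond_key, action.lower()


def find_overlaps(scps: dict) -> dict:
    """Return {(scp_a, scp_b): sorted list of 'pattern_a ~ pattern_b'} for
    every pair of SCPs where a Deny action pattern of one matches, or is
    matched by, a Deny action pattern of the other under an identical
    Condition block. IAM wildcards (* and ?) are evaluated with fnmatch."""
    parsed = {name: list(deny_actions(doc)) for name, doc in scps.items()}
    overlaps = {}
    for a, b in combinations(sorted(parsed), 2):
        hits = set()
        for cond_a, pat_a in parsed[a]:
            for cond_b, pat_b in parsed[b]:
                if cond_a != cond_b:
                    continue
                if fnmatch.fnmatchcase(pat_a, pat_b) or fnmatch.fnmatchcase(pat_b, pat_a):
                    hits.add(f"{pat_a} ~ {pat_b}")
        if hits:
            overlaps[(a, b)] = sorted(hits)
    return overlaps


if __name__ == "__main__":
    for (a, b), hits in find_overlaps(SCP_DOCS).items():
        print(f"{a} <-> {b}:")
        for hit in hits:
            print(f"  {hit}")
```

Feeding it real policies means pulling each SCP's content with the Organizations API and building the same name-to-document dictionary; the matching itself stays offline. A reported overlap is a candidate for consolidation, not proof of redundancy: the two SCPs may be attached at different points in the OU tree, and the `Resource` element (ignored here) can still differ.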
CFG Degrees - Information Security Engineer (Full-Stack) or Software Engineering (Software)?

Has anyone completed the CFG Degree?

I just would like some clarification on the Degrees that CFG offers. I can see that for their most recent cohort they have the following available:

1. Software Engineer role with a Software stream for one company.
2. Information Security Engineer role with a Full-Stack stream for another company.

I aim to build my career as a DevSecOps Engineer but I’m unsure which route would be best.

From my understanding, the Information Security Engineer role may be a more direct path to DevSecOps, but the Full-Stack stream makes me question its security focus.

Meanwhile, the Software Engineer role might offer an easier pivot to DevSecOps than a typical Full-Stack role. However, it isn’t specifically a Full-Stack position.

Could anyone share their experience or advice on which path might better support my goal of becoming a DevSecOps Engineer?

https://redd.it/1iq3heh
@r_devops
Infrastructure as code with Clever Cloud: what are my options?

Hi!

I'm not really used to DevOps, so I'm looking for some insight.

I need to deploy my stack on Clever Cloud, and deploy it several times as different environments. However, the Terraform providers for Clever Cloud are very lacking and sometimes buggy.

What are my other choices when it comes to deploying a stack with most services needing to run on Clever Cloud?

https://redd.it/1iq542i
@r_devops
How much off-hours studying and skilling up do you do for yourself?

I mean this question specifically for people already hired in DevOps positions.

I got hired in a fairly junior DevOps-y role around 3 years ago (prior only had 1.5 yoe as a web developer since graduating) but I'm looking to move on to a new role sooner rather than later. However I think in that time I've fallen a little bit behind where I should be with my experience, mostly because I don't have any of the damn certs that every job ad asks for (yes I know certs are worthless except for HR, but they are the gatekeepers of job ads).

I'm preparing to start the studying process now, while also applying for jobs, but I fear the encroachment of professional development on my personal life. I've had a few handfuls of on-call weekends which are fine but generally I do prefer to have a hard line between personal and work, and I feel like studying to up-skill and get certified does kind of blur that line. To that end I seek the wisdom of the greybeards to ask, how much studying do you allot for yourself and how do you make sure you are solidly logged off when you're done?

https://redd.it/1iq7qzw
@r_devops
What makes an app capable of dealing with high traffic?

I'm a full stack developer, but close to zero idea of anything DevOps.

I'm working on a service, and while looking at a competitor I can see that they claim to be able to deal with high traffic and spikes.

It's obviously something I've heard being said before but never really paid any attention to it.

So, what does it actually mean? Obviously it means it won't crash with high volume traffic, but what makes a service "that"?

I'll be even more precise. Currently, I don't even host my own database and server. I use Railway for the server and hosted Supabase for my database.
Clearly these two services can handle high volume traffic.
Does that mean that as long as I'm hosted there, my service can claim that as well?

https://redd.it/1iqab3g
@r_devops
Amazon AWS "whoAMI" Attack Exploits AMI Name Confusion to Take Over Cloud Instances

Cybersecurity researchers have revealed the "whoAMI" attack, a new Amazon AWS vulnerability that lets attackers take control of cloud instances by exploiting confusion around Amazon Machine Image (AMI) names.

By publishing a malicious AMI with a specific name, attackers can trick systems into launching their backdoored image. (View Details on PwnHub)

https://redd.it/1iqautn
@r_devops
Scaling open source Jenkins

Without buying CloudBees Jenkins or scaling up vertically, anyone have a strategy for scaling the main controllers?

https://redd.it/1iq9gu7
@r_devops
Technical Interview Design that is a great candidate experience

Hi all,

I'm helping to run interviews at a firm and am currently designing a technical interview for a DevOps position. We primarily use AWS. I've read a lot on this forum about people saying how they hate take-home exercises and I agree! They are such a time-sink.

I want to improve the candidate experience and minimise our own time too as interviewers.

This has been my journey through interview design thus far:

# First Design (Diagram & Discussion)

Our first attempt at doing technical interviews was to present the candidate with a set of requirements and ask them to diagram out an architecture on a shared whiteboard. No code, no take home, just a diagram and a chat. This was fine and low effort however we have had several successful candidates pass this who turned out to be very poor performers. All talk, no walk.

So we tried changing it up and introduced a take-home in an attempt to ensure that candidates really can do the job!

# Second Design (Diagram, Discussion, Take Home & Review)

Next, in the first technical interview they were asked to draw an architecture of their own choosing to solve the same problem from the first design. If they passed that interview, then they took their design and implemented as much of it as possible in a take home exercise. We asked them to limit themselves to what they could complete within a set amount of time - usually a few hours. We made it clear during the design interview that they would be asked to implement their design if they passed the first interview.

Then the candidate would mail in the submission a few days later and I would review it. Finally, the candidate would have a second short interview where they present the solution and we would critique it.

Your typical onerous take-home interview, right?!!

We also had a lot of problems with this - people dropped off (would not bother with the submission) and the other was it burned a lot of time for the candidate and our interviewers.

# Latest Design (Live Debugging & Discussion)

My latest idea is to have the candidate spend an hour or 90 mins with us (TBD), where we spin up an environment with a number of broken systems. We present the candidate with a high-level arch diagram of the systems to give them a starting point and then ask them to:

1. Share screen.
2. Log into our interview AWS account.
3. Resolve the problems one-by-one.

The problems would be relatively simple, e.g. basic IAM troubleshooting (e.g. missing permission), broken lambda (coding error) and a Kubernetes misconfiguration (e.g. incorrect service selector). If the candidate resolves the problems then they can move on to describing how they would improve the system.

The disadvantages I see are:

* Being watched might put people off their game.
* Designing and creating the Terraform which sets up the broken systems takes a lot of time.
* Unless we set up their permissions correctly, it exposes us to a risk of AWS account takeover and serious financial loss. This has been seriously evaluated and considered.

The advantages I see are:

* I'm hoping the right candidate would enjoy trying to solve the problems. We should assess very quickly how familiar they are with AWS and how they go about reading existing code and troubleshooting.
* If they find the problems easy, then great! They can move on to the discussion and can take the opportunity to discuss how they would improve things in it (because it will be intentionally poorly designed).
* We will quickly identify people who don't know AWS, cannot debug things or cannot work collaboratively.

So what do you guys reckon, am I on the right track or is there anything you would suggest I do differently?

https://redd.it/1iqe5t3
@r_devops
Changing career trajectory, is DevOps what I'm looking for?

Hi DevOps!

I'm hoping for some insight in terms of career advice. I'll start by listing some career experience and my background:

* I've spent a year working in the NOC at a local datacentre
* Spent 2 years working as a field technician for an internet & phone service provider
* Worked at a helpdesk for a large organization for 4 years
* Worked as a Vocera SysAdmin for the same organization for 2 years (technical operations, system upgrades)
* Have been working as a voice network analyst for the same org for the last 6 years, 5 of which have been in a senior technical position. Mostly supporting Cisco Collaboration infrastructure, but have also spent the last 6 months as our lead analyst for our AWS contact center and some custom integrations.

My degree is in network & telecommunications engineering and I have my CCNA, CCNP Collaboration, Collaboration DevNet Specialist, and some other minor certs. I'm 33 and live in Canada. I make about $100k CAD currently.

I really enjoy learning new technologies and understanding how things work, especially how different systems and technologies work together. I am an intermediate Python user and have done some other minor work in PowerShell, VBA, etc., but more amateur in comparison to Python. I like the aspect of automation, leveraging APIs, and programmability.

My company lets me study on work time and pays for me to get certified. I'm currently studying for my AWS CCP and am looking at getting either my AWS SAA or AWS CDA afterwards. I've been gaining a lot more familiarity with AWS and cloud technology lately.

I honestly enjoy my job quite a bit, but it is a unionized position with a hard set salary that I cannot negotiate. My pay grid is the highest tier, so I have hit a glass ceiling. I could literally ask for a $.50 raise or threaten to quit, and they would have to let me go.

Cloud technology intrigues me, but so do the other things above, and I would like to set the rest of my career up for growth doing work that excites me. I'd say I'm far from a fully-fledged software developer, but I like coding/scripting, being a tech, building things, and collaborating.

DevOps has struck me as a career path that embodies a lot of the things that fascinate me, all while allowing me to continue learning and set myself up for growth.

Does DevOps sound like the right choice for me? Why or why not? If not, any other suggestions?

https://redd.it/1iqkxq9
@r_devops