severe grafana CVE: patch now or forever hold your peace (CVE-2025-4123 Grafana)

there's a pretty significant cross-site scripting vulnerability in many versions of grafana...

'''
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the connect-src directive. This vulnerability is fixed in v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01, and v12.0.0+security-01
'''

https://nvd.nist.gov/vuln/detail/CVE-2025-4123
https://grafana.com/security/security-advisories/cve-2025-4123/
https://www.bleepingcomputer.com/news/security/over-46-000-grafana-instances-exposed-to-account-takeover-bug/

https://redd.it/1ldsg2x
@r_devops

I addressed the Fatal Mistake in my resume I got roasted for yesterday. Ty for 100+ responses

Hi everyone.

https://i.imgur.com/seBld3F.jpeg < - My new streamlined resume

---

Thank you for the 100+ constructive comments I got on my post yesterday.

Here -> What fatal mistake do you see in my resume? I am getting 0 ( ZERO ) response to any job applications


I think I've addressed most of it. I agree with the comments about it being an essay. We live in a weird time where I expect the AI machine to process my resume well before a human gets to it so I was trying to load as much info as possible in a 2 page resume. Devops is a field where we are doing new things basically everyweek and i feel like 50% of the stuff ive worked with isnt even on the resume lol.

BUt yes you guys are correct. Hope my new resume is better.

Is it a bit too light? looking forward to feeback thank you

https://redd.it/1ldu6tp
@r_devops

DB scripts! How do you handle that?

Hi guys good day. Hope you're doing well.

So I have worked in multiple projects and it seems that db scripts are the one thing that requires a lot of attention and human intervention. Would love to know -

1. How do you hadle db scripts using pipelines?
2. What are the most challenging part of implementation?
3. How do you take care of rollback of required?
4. What's the trickiest thing that you have ever done while designing db scripts pipelines?

https://redd.it/1lduujd
@r_devops

Anyone else feel like you’re “learning” but not actually making progress?

Lately I’ve been thinking that i spend hours watching tutorials, taking notes, and following along with code .....but when i try to build something from scratch, i freeze.
Like i understood it while watching, but didn’t really absorb anything.

That’s when I realized.....learning isn’t just about consuming info, it’s about making stuff, even if it’s bad or tiny or full of bugs.

Now I’ve started focusing more on building little tools, scripts, and weird automations ........ just to apply what I learn as I learn it.

Anyone else going through this phase?
How do you make sure you're actually learning instead of just binging tutorials?

https://redd.it/1ldtejw
@r_devops

Recruiter/Headhunter Recommendations?

I was wondering if any of you have any recommendations for recruiters/headhunters you may have hired to help you find a new position? I have 15 YOE in tech, 10 of which have been in senior/lead devops roles, and my biggest challenge right now is finding the time to apply with all the associated accoutrement; to the point where I'd like to hire someone to help.

Anyone have any good experiences they can share?

https://redd.it/1le0eoc
@r_devops

IaC Platforms Complexity

Lately I've been wondering, why are modern IaC platforms so complex to use?

It feels like most solutions (Terraform, Pulumi, Crossplane, etc.) are extremely powerful but often come with steep learning curves and unintuitive workflows
Is this complexity necessary due to the nature of infrastructure itself? Or is there a general lack of focus on usability in this space?

Are there any efforts or platforms that prioritize simplicity and better user experience? Or has the industry kind of accepted that complexity is just the norm, and users are expected to adapt??

https://redd.it/1le14t4
@r_devops

Advice Needed! Transition from Senior desktop support analyst to DevOps engineer????

Hey Reddit,

I work for a large enterprise and I'm currently a Senior I.T. Technical Lead (basically Senior Desktop Support Analyst) supporting a department of around 200 users mostly Mac users, with some accountants using Windows 11. I have no directive port report so I'm Solo Dolo in this shit lol

Unfortunately, there's a chance that my department may be laid off in 12 months. So I want to take the one year to figure out what I'll enjoy, lock in and upskill.

But the problem is that I'm stuck deciding on what to explore next, and I'd love to get y'all thoughts on which career path I should look into based on my background and interests????

>Current Day to Day: (Outside basic end user support)

>Microsoft Power Automate (I'm comfortable with Expressions + JSON)

>Microsoft Power Apps (comfortable with PowerFX and Model Driven Apps)

>Microsoft Dataverse (Also PowerFx formula columns + Relational Databases)

>Microsoft Excel (Pivot Tables, Power Query, Data Array Function)

>Very basic HTML (For Building Reports within Power Automate)

>Managing SharePoint sites

>Managing user permissions in Active Directory and Microsoft Entra

>White glove VIP Executive Support

>Paths I'm Considering:

>Cloud Engineering

>DevOps Engineering

>Data Engineering

>System Admin (If all else fails)

>My Approach & Resources:

>I'm comfortable diving into intensive study, Python, R, SQL, whatever it takes.

>My current company is a large enterprise, and I have access to various tools and tech department contacts, so I'm not too worried about getting the chance to practice what I learn and to get hands-on experience.

>My plan is to solve a real business problem before I leave the job so it gives me some experience and stories to tell in my next interview.

So based on all of that, which path do you think aligns best with my skills, interests?

https://redd.it/1le9sy0
@r_devops

Snapshot vs backup

In my previous company we would always make snapshots before system or package upgrades, but it got me thinking whether it’s actually sufficient. What are the chances for upgrades to cause persistent metadata corruption on the disk that would be irreversible for the snapshot and make backups necessary? Are snapshots actually enough for maintenance procedures?

https://redd.it/1leaxkx
@r_devops

AI is flooding codebases, and most teams aren’t reviewing it before deploy

42% of devs say AI writes half their code. Are we seriously ready for that?

Cloudsmith recently surveyed 307 DevOps practitioners- not randoms, actual folks in the trenches. Nearly 40% came from orgs with 50+ software engineers, and the results hit hard:

42% of AI-using devs say at least half their code is now AI-generated
Only 67% review AI-generated code before deploy (!!!)
80% say AI is increasing OSS malware risk, especially around dependency abuse
Attackers are shifting tactics, we're seeing increased slopsquatting and poisoning in the supply chain, knowing AI solutions will happily pull in risky packages

As vibe coding takes a bigger seat in the SDLC, we’re seeing speed gains - but also way more blind spots and bad practices. Most teams haven’t locked down artifact integrity, provenance, or automated trust checks in their pipelines.

Cool tech, but without the guardrails, we're just accelerating into a breach.
Does this resonate with you? If so, check out the free survey report today:
https://cloudsmith.com/blog/ai-is-now-writing-code-at-scale-but-whos-checking-it

https://redd.it/1lecppz
@r_devops

Help planning workers

Hey, I am building an App, I need to create jobs and workers for this jobs to update my database.

I do not have experience with jobs, so here is my approach:
- I will use redis to create a job queue
- I will use workers to consume that job queue

What would be better for workers and redis, use my own VPS (starting with 15 dollar month) with docker swarm or k8, or use any Container as a service provider like Fly.io or Railway??

https://redd.it/1lecs0e
@r_devops

Hackathon challenge: Monitor EKS with literally just bash (no joke, it worked)

Had a hackathon last weekend with the theme "simplify the complex" so naturally I decided to see if I could replace our entire Prometheus/Grafana monitoring stack with... bash scripts.

Challenge was: build EKS node monitoring in 48 hours using the most boring tech possible. Rules were no fancy observability tools, no vendors, just whatever's already on a Linux box.

What I ended up with:

DaemonSet running bash loops that scrape /proc
gnuplot for making actual graphs (surprisingly decent)
12MB total, barely uses any resources
Simple web dashboard you can port-forward to

The kicker? It actually monitors our nodes better than some of the "enterprise" stuff we've tried. When CPU spikes I can literally cat the script to see exactly what it's checking.

Judges were split between "this is brilliant" and "this is cursed" lol (TL;DR - I won)

Now I'm wondering if I accidentally proved that we're all overthinking observability. Like maybe we don't need a distributed tracing platform to know if disk is full?

Posted the whole thing here: https://medium.com/@heinancabouly/roll-your-own-bash-monitoring-daemonset-on-amazon-eks-fad77392829e?source=friends\_link&sk=51d919ac739159bdf3adb3ab33a2623e

Anyone else done hackathons that made you question your entire tech stack? This was eye-opening for me.

https://redd.it/1ledzu9
@r_devops

Reading Material

Hello DevOps community,

Im new here but thought it would be a good place to start. Lately I've realized that reddit being my default time filler is not as appealing as it used to be. Many times I thought, I wish I was reading something actually beneficial to my life.

I am a cloud engineer, I mostly focus on automation at scale. Do you all have any staple books that still hold weight today, even if they were written years ago? I dont read a lot, especially in tech, but my brain defaults to "if it was published 10 years ago, its probably out of date". So I came to ask which books you think held up and maybe where you go to "learn more by reading more".

Thanks!

https://redd.it/1lehcav
@r_devops

A quirky, fun and gamified Wordle for hard-core Devops pals! 🎮

Helloo!

I just built a gamified version of Wordle, but exclusively with words related to DevOps, Observability and Monitoring.

There will be a five-letter word, and you have five guesses. The score is based on the time taken to crack it. There's also a hint (maybe slightly cryptic) that can help you guess right.

Soo be on your toes and think right!

Try it out here at - https://signoz.io/todaysdevopswordle

Play ON! 🎮 🎲



https://redd.it/1lej0bu
@r_devops

What’s the best tooling stack your company uses for logging?

I work at a large bank and am responsible for handling a massive volume of logs every day. In banking, it’s critical to trace errors as quickly as possible because it involves money and customers. We use the ELK stack as our solution, and it’s very effective thanks to its full-text search. ELK is great, but it has one drawback: its compressed log volume is huge, which drives up maintenance and storage costs. We’ve looked into Loki and ClickHouse as alternatives, but neither can match ELK’s log-tracing speed with full-text search. Do you have a more balanced solution? What logging system are you running at your company?

https://redd.it/1lekk07
@r_devops

People looking for a career in Network Engineering, Telecom or Cloud Network Engineering and don’t know where to start…just hit me up!

People who are looking to or are interested to work in the Networking Automation, or Cloud Computing field. Just hit me up.

To be more specific, some job roles from this field include

1. SDN Engineer / SDN Developer
2. NFV Engineer / VNF Integration Engineer
3. Network Automation Engineer
4. Cloud Network Architect
5. Telecom Network Engineer (5G Core)
6. DevOps / NetDevOps Engineer
7. Network Security Engineer (Virtualized Environments)
and many more…

If you’re looking to build up your skills in these and get placed….just hit me up asap!!

Strictly for people in India

If you’re a fresher who’s stuck and confused to do what next, I have a great opportunity for you. DMMM!!!

https://redd.it/1lem3wm
@r_devops

SaltStack vs Puppet or something else

Hi,


We still deploy a ton of virtual machines in all sorts of environments, and Ansible has done a great job so far during deployments. But we're seeing more and more cases where Ansible isn’t a good fit — usually because the machines aren't reachable during deployment, or the setup is just weird.

So now we’re looking at alternatives that can live on the VM and pull configs themselves. SaltStack and Puppet are the two I’m looking at. We’re not planning to go all-in with config management - the main goal is just to kick off some Microsoft DSC stuff once the VM is up and running. This includes installing some software or so during the deployment.

I’ve used Puppet before, but only as a “consumer” - writing manifests and modules (beginners level), but never setting up or running the backend.

Anyone using Salt or Puppet like this? Especially curious about the pull model - having the agent phone home is a big plus for us.

SaltStack is Open Source - but its backed by Broadcom - given their previous actions, should we even consider them?

https://redd.it/1len93f
@r_devops

As someone who already knows Other cloud providers, how long does it take me to learn Azure?

I'm a senior software engineer, a devops engineer and a sysadmin, my career is 20yrs+, so depending on the company I'm working on, I do the role asked from me.


I used Azure a bit in 2015 and 2018, currently there's a company that might hire me but needs an Azure expert, I'm already familiar with AWS, Google cloud, Oracle cloud and Hetzner, to name a few.

I didn't work much with Azure simply because the companies I worked in prefered to use other cloud providers.

How hard is it for someone like me to pick up Azure? Is it a deal breaker? Can I learn it in 2 weeks to get through the interview or not?

https://redd.it/1lep4wl
@r_devops

I built a free visual Kubernetes YAML generator – would love your feedback!

Hey everyone!
I just released an open-source tool called Kube Composer — it’s a browser-based visual editor that helps you build Kubernetes YAML without writing it by hand.

🧩 Drag-and-drop UI for defining resources
📄 Clean YAML export
🌐 No login, no install — runs entirely in the browser
🔗 https://kube-composer.com
💻 GitHub: https://github.com/same7ammar/kube-composer

I built this to reduce the pain of manually writing and validating YAML over and over again. Still early stage, so I’d love your feedback, suggestions, or even bug reports.

Happy to answer any questions!


https://redd.it/1leqxf8
@r_devops

Interview Question, Is the Interviewer Wrong?

Had an interview recently at a large financial firm with their Director of DevOps.

One of the questions was regarding my experience with monitoring/logging tools, where I was asked to explain examples of my use along with what I have used.

The interviewer seemed to scald me on the fact our company use both Prometheus and Loki. I politely explained the differences between Prometheus (metrics) and Loki (logging), however the interviewer seemed adament that we should be down-selecting one of the two as they are apparently the same.

Answered all his other questions well I think otherwise, but am I going mad? We have used Loki as a logging tool and Prometheus as part of our monitoring stack. That was the final question twenty minutes into my thirty minute interview.

I would have thought a person in this position, in all of his wisdom, would have known the difference between the two.

https://redd.it/1lesiem
@r_devops

How do you justify your salary expectations

Hi, so this is my first time looking for a switch after landing my first job as a DevOps Engineer. I have finally started to get some interview calls.
Recently I gave an interview for an early stage startup (team of about 15-20 people). They had a 6 days working policy and the work hours were also not that flexible so I wasn't sure that I would want to join because suddenly work pressure would get 2-3x for me. I still gave it for the interview experience.
The interview had 2 rounds, it went well but i struggled answering 2 questions.
1. My biggest professional achievement
2. How would you justify the salary ask (50% raise)
Now I only have 1.5 years of experience and that too 5 months in training/learning doing very basic things.Only since the last 8-9 months they've started giving me some substantial work.

How do you guys generally answer these questions.

https://redd.it/1lezh3p
@r_devops

Does anyone use Docker Compose in production? I do, and here are my thoughts.

I work with a few clients, building, deploying, and maintaining internal business software tailored to each of their needs. These apps typically solve very specific operational problems and are deployed on VPS instances, running with docker compose. The setup is simple and works like a charm.

One of the biggest advantages of using docker compose in production is how straightforward it makes managing multi-container applications. Instead of juggling dozens of commands or configuring complex orchestration tools, everything stays in a single docker-compose.yml file. That means your entire environment, from databases to web servers to caches, can be spun up or updated with a single command.

For deployments, I use a simple manual workflow (shell script): run tests, check lints, build the Docker image, export it, and transfer it to the server. It’s intentionally minimal, no CI/CD tools involved, just a few reliable terminal commands.

The challenge I’ve faced is monitoring containers across multiple servers, especially logs. To deal with that, I set up a lightweight solution that collects logs from different machines into one place, where I can search and filter as needed.

So far, I haven’t had any problems using docker compose in production. I like it, and I’ll probably keep using it as long as it continues to fit my needs.

What’s your experience with docker compose in production?

https://redd.it/1lezx8h
@r_devops