Reddit DevOps
Reddit DevOps. #devops
Thanks @reddit2telegram and @r_channels
Did anyone test how rootless the new Docker rootless mode is?

I think we could agree that Docker's security holes were largely related to the fact that, by default, containers run with root privileges, which is a bad practice.

I am wondering if somebody has looked into their new implementation of rootless mode, and whether it was a pain to update related images.

https://redd.it/kw0kyz
@r_devops
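One concrete way to answer "how rootless is it" from inside a container, as an added example that is not part of the post above: the kernel publishes the user-namespace uid mapping as `inside outside count` triples in `/proc/self/uid_map`. Under rootless Docker, uid 0 in the container maps to an unprivileged host uid (the user's own uid, then a subordinate range from `/etc/subuid`); under classic rootful Docker it maps to host uid 0. The sample mappings in the block are constructed, not captured from a real host.

```python
"""Check from /proc/self/uid_map whether "root" in a container is real root.

Added example, not from the original post. The two sample maps at the bottom
are constructed to show the rootful and rootless shapes.
"""
from typing import List, Optional, Tuple


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse the 'inside outside count' triples of a uid_map/gid_map file."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0:
            raise ValueError(f"invalid range length in: {line!r}")
        ranges.append((inside, outside, count))
    return ranges


def host_uid_for(container_uid: int, uid_map_text: str) -> Optional[int]:
    """Translate a uid as seen inside the namespace to the host uid.

    Returns None when the uid is not mapped at all; such ids show up as the
    overflow uid (normally 65534) and cannot own files on the host.
    """
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def root_is_real_root(uid_map_text: str) -> bool:
    """True when uid 0 in this namespace is uid 0 on the host."""
    return host_uid_for(0, uid_map_text) == 0


def describe(uid_map_text: str) -> str:
    host_root = host_uid_for(0, uid_map_text)
    if host_root == 0:
        return "uid 0 here is host uid 0: a container escape yields real root"
    if host_root is None:
        return "uid 0 is not mapped in this namespace"
    return f"uid 0 here is host uid {host_root}: user namespace in effect"


# Constructed samples (not captured from a real host):
ROOTFUL_MAP = "         0          0 4294967295\n"
ROOTLESS_MAP = ("         0       1000          1\n"
                "         1     100000      65536\n")

if __name__ == "__main__":
    with open("/proc/self/uid_map") as f:
        print(describe(f.read()))
```

On the host, `docker info --format '{{.SecurityOptions}}'` lists `name=rootless` when the daemon itself runs rootless. Keep in mind what the mapping does not change: a process can still hold capabilities inside the namespace and a bind mount of a host directory is still writable as whatever host uid the container's uid maps to, so rootless mode lowers the blast radius of an escape without replacing the usual hardening (dropping capabilities, read-only root filesystem, no privileged flag).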
Suggested modern DevOps books?

Can anyone suggest a good modern DevOps book? I'm looking for a book that focuses on the overall architecture of a DevOps environment. For example, how to manage an environment at scale with DevOps.

The reason why I'm interested in such a book is I want to ensure that I'm practicing DevOps in a way that won't be hindered by the challenges that happen when the environment becomes large. We all can be very successful at a small scale but it's different when the environment grows.

https://redd.it/kvz4m6
@r_devops
Deploying Software at GoCardless: Open-Sourcing our “Getting Started” Tutorial

My team at GoCardless have spent the last year rebuilding our infrastructure stack. Today, we've open-sourced our internal getting started tutorial, in hope it might help others understand how our tools (Kubernetes, ArgoCD, Jsonnet, etc) all work together:

https://medium.com/gocardless-tech/deploying-software-at-gocardless-open-sourcing-our-getting-started-tutorial-ab857aa91c9e

The work was motivated by an aggressive hiring target, and an increase in the frequency that application teams wanted to build new services/make infrastructure changes.

While we always tried for "you build it, you run it", our tools weren't very suited for it. Developers took a long time to onboard themselves to our dev tools, and it wasn't possible for a standard application engineer to deploy a new staging (pre-production) service without SRE involvement.

The new stack hinges on a framework we call Utopia, which is a combination of technologies. It is:

- The name of the directory in which we keep our organisation config files (anu/utopia)
- Jsonnet library of Kubernetes mixins that allow developers to write idiomatic Kubernetes deployments without boilerplate (anu/utopia/lib/utopia.libsonnet)
- Golang binary utopia, which has a number of common developer commands

And more useful for external readers, it leverages an opinionated mix of several tools like Kubernetes, Tekton, ArgoCD, and more.

This is not a batteries-included setup, but nor should it be a "draw the rest of the owl". It's intended to help others see how this stuff can work, and show people how we've enabled a route to hands-free service bootstrapping without compromising the security of our production environments.

It's also just out of the prototype stage, and we hope to kill several of the steps from the tutorial once we have smoother processes.

Either way, we hope it's useful!

https://redd.it/kvwxi3
@r_devops
How should i be storing usernames & passwords for file access?

I want to use MinIO to store temporary copies of files to deliver to clients via the web dashboard feature. But I need to put some kind of authentication on the file access. Minio ships with a user account & user groups feature, so I can easily make a random username/password for a client's files, and set the files to auto-delete after e.g. 7 days. But where and how should I be storing these passwords on the server?

There are plenty of articles about proper encryption of user passwords, but what does an implementation of something like this look like when I just want to give someone access to a resource like this file server?

The entire process of

- make bucket

- import files to bucket

- make user account

- give user access to bucket

- email user the login credentials for the bucket

is easy to automate with a simple script. I am just not sure where these user credentials should be saved.

Maybe I could even get away with not saving them, and using the email notification as the only record of the password? I am intending for this to be a temporary file storage location, not permanent.

https://redd.it/kvwbp5
@r_devops
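Added example for the question above (not the poster's script and not MinIO's own code): the server does not need to keep the secret key at all. It generates the credential, emits a bucket-scoped policy, and records only the access key, the bucket, an expiry, and a salted scrypt hash of the secret; that is enough to revoke the credential or confirm one a client reads back to you, and not enough to recover it if the record leaks. Applying the credential and policy to MinIO is left to the `mc admin user` and `mc admin policy` subcommands noted in the comments (exact subcommand names differ between mc versions, so check `mc admin --help`); the key naming scheme and the seven-day TTL are assumptions.

```python
"""Issue short-lived, bucket-scoped MinIO credentials without keeping the secret.

Added example, not from the original post. Only `record` is ever written to
the server; the secret key exists in memory until it has been emailed.
"""
import hashlib
import json
import os
import secrets
import time
from typing import Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB per hash; fine for a few clients


def hash_secret(secret: str) -> str:
    """Salted scrypt hash, stored as scrypt$<salt-hex>$<digest-hex>."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(secret.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Constant-time comparison of a presented secret against the stored hash."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(secret.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return secrets.compare_digest(digest.hex(), digest_hex)


def bucket_policy(bucket: str) -> dict:
    """Read-only policy confined to one bucket (IAM policy syntax, which MinIO accepts)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def new_credential(bucket: str, ttl_days: int = 7,
                   now: Optional[float] = None) -> Tuple[str, str, dict]:
    """Return (access_key, secret_key, record). Only `record` is kept on the server."""
    now = time.time() if now is None else now
    access_key = f"{bucket}-{secrets.token_hex(4)}"   # unique and non-sensitive (assumed scheme)
    secret_key = secrets.token_urlsafe(30)             # 40 chars, well above MinIO's 8-char minimum
    record = {
        "access_key": access_key,
        "bucket": bucket,
        "expires_at": int(now + ttl_days * 86400),
        "secret_hash": hash_secret(secret_key),
    }
    # Assumed provisioning steps (run once, then discard secret_key after emailing it):
    #   mc admin user add <alias> <access_key> <secret_key>
    #   mc admin policy <add|create> <alias> <policy-name> policy.json
    #   mc admin policy <set|attach> <alias> <policy-name> user=<access_key>
    return access_key, secret_key, record


def is_expired(record: dict, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return now >= record["expires_at"]


if __name__ == "__main__":
    ak, sk, rec = new_credential("client-acme")
    print(json.dumps({"record": rec, "policy": bucket_policy("client-acme")}, indent=2))
    print("send to client, then forget:", ak, sk)
```

Two practical caveats: the email itself is then the only copy of the secret, so the message should go over a channel the client controls and the credential should be removed from MinIO (not just left to the object expiry) when `is_expired` becomes true; and the hash is only useful for verification or audit, so if nothing ever needs to check the secret again, storing just the access key and expiry is also a valid design.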
Windows Monitoring Suggestions

Looking for good ways to monitor Windows. Particularly individual services.


We use Prometheus to monitor the overall system mem/cpu usage and several other things. We have come across an issue recently where _something_ is not letting go of memory, requiring us to restart the Server VM. I'm hoping to be able to monitor the services so that we can identify what exactly is holding onto the memory. There are usually a couple of services that are running hot, making identifying the exact one difficult.


Can Prometheus do this? Would you recommend a simple POSH script to report services exceeding x resources or what? Appreciate the help!

https://redd.it/kv6nm9
@r_devops
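Added example for the question above (not the poster's setup, not code from Prometheus or windows_exporter): the thing that separates a leaking service from one that is merely busy is the trend, not the level. This block parses Prometheus text-exposition lines of a per-process memory metric scraped at several points in time, fits a least-squares slope per process, and ranks processes by growth rate. The metric name `windows_process_working_set_bytes` and its `process`/`process_id` labels are an assumption about windows_exporter's process collector (check your host's `/metrics`), and the three scrapes are constructed.

```python
"""Rank Windows processes by memory growth from Prometheus exposition samples.

Added example, not from the original post. Sample scrapes are constructed.
"""
import re
from typing import Dict, Iterator, List, Tuple

METRIC = "windows_process_working_set_bytes"   # assumed windows_exporter metric name

LINE = re.compile(r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)'
                  r'(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text: str) -> Iterator[Tuple[str, Dict[str, str], float]]:
    """Yield (metric_name, labels, value) for each sample line; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable sample: {line!r}")
        labels = dict(LABEL.findall(m.group("labels") or ""))
        yield m.group("name"), labels, float(m.group("value"))


def slope(points: List[Tuple[float, float]]) -> float:
    """Least-squares slope of (t, y) points, in y-units per second."""
    n = len(points)
    if n < 2:
        return 0.0
    mt = sum(t for t, _ in points) / n
    my = sum(y for _, y in points) / n
    den = sum((t - mt) ** 2 for t, _ in points)
    if den == 0:
        return 0.0
    return sum((t - mt) * (y - my) for t, y in points) / den


def rank_growth(scrapes: List[Tuple[float, str]], metric: str,
                key_labels=("process", "process_id")) -> List[Tuple[str, float, float]]:
    """scrapes: [(timestamp_seconds, exposition_text)]. Returns [(key, bytes/sec, last_value)] sorted by growth."""
    series: Dict[str, List[Tuple[float, float]]] = {}
    for ts, text in scrapes:
        for name, labels, value in parse_exposition(text):
            if name != metric:
                continue
            key = "#".join(labels.get(k, "?") for k in key_labels)
            series.setdefault(key, []).append((ts, value))
    ranked = [(key, slope(pts), pts[-1][1]) for key, pts in series.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def _scrape(svchost: float, mysvc: float, explorer: float) -> str:
    """Constructed exposition text: one big-but-flat, one leaking, one noisy process."""
    return "\n".join([
        f"# HELP {METRIC} constructed sample",
        f'{METRIC}{{process="svchost",process_id="100"}} {svchost}',
        f'{METRIC}{{process="MyService",process_id="200"}} {mysvc}',
        f'{METRIC}{{process="explorer",process_id="300"}} {explorer}',
    ])


SAMPLE_SCRAPES = [(0, _scrape(8e8, 1.0e8, 5.0e7)),
                  (60, _scrape(8e8, 1.6e8, 5.5e7)),
                  (120, _scrape(8e8, 2.2e8, 5.0e7))]

if __name__ == "__main__":
    for key, rate, last in rank_growth(SAMPLE_SCRAPES, METRIC):
        print(f"{key:20s} {rate / 1e6:8.2f} MB/s  last={last / 1e6:.0f} MB")
```

The same idea expressed as a PromQL alert over a real scrape history would be `deriv(windows_process_working_set_bytes[1h]) > 0` held for some hours, sorted with `topk`; the Python version is here so the logic can be run offline against samples you have already collected.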
What are best Practices for SSH Key Management?

We have a Proxmox installation with some KVM VMs and host everything else in two Kubernetes clusters built on Rancher, one internally hosted on a Proxmox KVM instance, and the other one hosted on a public cloud provider. As our team grows we are starting to look into ways of automating provisioning and configuring our machines/containers and are currently looking into Terraform and Ansible (but are open to other solutions as well).

One thing that I am unsure about is on how to handle SSH public keys in a good way. What would be great is to use Ansible or Terraform to configure the machines through cloud-init (proxmox has native support for this) so that when a new key needs to be added we do it in one place and it is added everywhere. More importantly, when someone leaves the team, we can just delete the key in one place and Ansible / Terraform would do the rest.

Anyway, all easy tasks in my eyes together with Gitlab CI, but what I am unsure about is security. Where would you store the public keys? And more importantly how would you make sure that no other person can edit the public keys and give themselves access to machines that they shouldn't have access to?

Would be great to hear some best practices on this!

https://redd.it/kv6exn
@r_devops
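Added example for the questions above (not the poster's setup, not Ansible's or Terraform's own code). The pattern it supports: public keys live in one inventory file in git, which only a protected-branch review can change, CI validates every entry before anything is rendered, and the rendered `authorized_keys` is what Ansible or cloud-init pushes. The checks a CI job should do are the interesting part: the key type must be allowed, the blob must actually be of the type the line claims, RSA keys must be long enough, and no single key may be listed under two users (otherwise removing one user does not remove their access). The inventory layout, the host-group names, and the policy of ed25519 or RSA of at least 3072 bits are assumptions.

```python
"""Validate a reviewed SSH public-key inventory and render authorized_keys per host group.

Added example, not from the original post. encode_public_key exists so the
checks can be exercised on constructed keys without real key material.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}
MIN_RSA_BITS = 3072


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:            # keep the sign bit clear, as RFC 4251 requires
        raw = b"\x00" + raw
    return _string(raw)


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def encode_public_key(key_type: str, fields: list, comment: str = "") -> str:
    """Build an OpenSSH public-key line (ints become mpints, bytes become strings)."""
    blob = _string(key_type.encode())
    for f in fields:
        blob += _mpint(f) if isinstance(f, int) else _string(f)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_public_key(line: str) -> Tuple[str, str, str]:
    """Return (type, SHA256 fingerprint, comment), or raise ValueError if the key fails policy."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type not allowed: {key_type}")
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner != key_type.encode():
        raise ValueError("type prefix does not match the key blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA key too short: {bits} bits")
    # Same digest `ssh-keygen -lf` prints: SHA256 over the decoded blob, base64 without padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, fp, comment


def check_key(line: str) -> Optional[str]:
    """None when the key passes policy, otherwise the reason it fails (for CI output)."""
    try:
        parse_public_key(line)
        return None
    except (ValueError, struct.error, UnicodeDecodeError) as exc:
        return str(exc)


def render_authorized_keys(inventory: List[dict], host_group: str) -> str:
    """Render authorized_keys for one host group; every key is validated, shared keys are rejected."""
    seen: Dict[str, str] = {}
    lines = ["# managed from the key inventory by CI; local edits are overwritten"]
    for entry in inventory:
        for key in entry["keys"]:
            key_type, fp, _ = parse_public_key(key)
            if seen.setdefault(fp, entry["user"]) != entry["user"]:
                raise ValueError(f"{fp} listed for both {seen[fp]} and {entry['user']}")
            if host_group in entry["groups"]:
                lines.append(f"{key_type} {key.split()[1]} {entry['user']}")
    return "\n".join(lines) + "\n"
```

Who may edit the inventory is then a git question, not a server question: branch protection plus a CODEOWNERS rule on the inventory file means a key only lands after someone other than its author approves it, and the rendered file is pushed with a module such as Ansible's `authorized_key` with `exclusive: yes` so keys added by hand on a host disappear on the next run. Signed commits, or a CI job that only deploys from the protected branch, closes the gap where a pipeline token could bypass the review.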
Ory Hydra: Open Source OAuth2/OIDC Provider

Hey, I hope it is OK if I make a post promoting an open source project I have been contributing to for about a year now. We just saw a somewhat major release, and since the project is open-source and free I thought you might enjoy it. Please let me know if that goes against posting guidelines. Also feel free to ask me anything related to the project :)


ORY Hydra 1.9 has been released yesterday!

ORY Hydra is an OAuth 2.0 and Certified OpenID Connect Provider and implements all the requirements stated by the OpenID Foundation.

It issues OAuth 2.0 Access, Refresh, and ID Tokens that enable third-parties to access your APIs in the name of your users.

The open-source project has been built by the ORY community for about six years and we are proud to have handled more than 10 billion API requests in December 2020 from over 23,000 different production environments.

ORY Hydra is written completely in Go and is security-first, high-performance and developer-friendly.

We value our community greatly and most development is driven by input from the community.

Check if ORY Hydra is the right fit for you!

ORY Hydra 5 Minute Tutorial: Set up and use ORY Hydra using Docker Compose in under 5 Minutes. Good for quickly hacking a Proof of Concept. (The same tutorial in video form)

Visit our Discussions on Github or our chat if you have any questions or feedback.

https://redd.it/kwe9ph
@r_devops
installed vault on mac, opened the zip file and then ran the binary(?) and it still is not showing vault

do I need to export my PATH variable or other? it did ask me to change my shell to zsh so I did, but still get this:

z@Mac-Users-Apple-Computer ~ % vault
zsh: command not found: vault

https://redd.it/kwgt5a
@r_devops
Preparation for Entry level DevOps coding interview (Python+Bash)

Hi there everybody,

I'm currently a SysAdmin/VMware cloud engineer at a small company and looking to make the move from systems to DevOps.

I'm interviewing for a Junior DevOps role early next week.

The prep guide stated :

> "Practice pragmatic exercises to automate & solve problems efficiently and elegantly in the language you feel most comfortable with. No need for complex algorithms, just think of something you don't want to do anymore and how you would automate it."

I don't have too many automation possibilities in my current role, and would like to get some ideas from you for tasks that might help me get prepared.

Some of the tasks I've already practiced :

1. Creating a "Backup" of a folder using tar, making it run every day using crontab and naming the file with the date.
2. Deleting files older than X days from a log file

https://redd.it/kwftun
@r_devops
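Added example covering the two exercises listed above in one script (not the poster's own scripts). It is the kind of thing an interviewer asks follow-up questions about: the archive name carries the date so yesterday's copy is never overwritten, the archive is written under a temporary name and renamed into place so a crash mid-write never leaves a plausible-looking half backup, and the prune step deletes only files matching the name pattern this script creates, never "everything older than N days" in the directory. Cron scheduling is outside the script; the folder layout and retention period in `run_demo` are constructed.

```python
"""Dated tar backup of a folder, plus pruning of archives older than N days.

Added example, not from the original post. run_demo builds its own temp
directory so the whole thing can be exercised offline.
"""
import os
import re
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

NAME = re.compile(r"^backup-(?P<stem>[A-Za-z0-9_.-]+)-(?P<date>\d{8})\.tar\.gz$")


def archive_name(source: Path, when: float) -> str:
    day = datetime.fromtimestamp(when, tz=timezone.utc).strftime("%Y%m%d")
    return f"backup-{source.name}-{day}.tar.gz"


def create_backup(source: Path, backup_dir: Path, when: Optional[float] = None) -> Path:
    """Write backup_dir/backup-<folder>-<YYYYMMDD>.tar.gz atomically and return its path."""
    when = time.time() if when is None else when
    backup_dir.mkdir(parents=True, exist_ok=True)
    target = backup_dir / archive_name(source, when)
    partial = target.with_name(target.name + ".part")
    with tarfile.open(str(partial), "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    os.replace(partial, target)          # atomic rename on the same filesystem
    return target


def prune_backups(backup_dir: Path, keep_days: int, now: Optional[float] = None) -> List[str]:
    """Delete archives this script created whose mtime is older than keep_days; return their names."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    removed = []
    for path in backup_dir.iterdir():
        if not path.is_file() or not NAME.match(path.name):
            continue                      # never touch files we did not create
        if path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path.name)
    return sorted(removed)


def run_demo():
    """Constructed run in a temp dir: one 10-day-old archive, one fresh, one unrelated old file, 7-day retention."""
    root = Path(tempfile.mkdtemp())
    source = root / "data"
    source.mkdir()
    (source / "hello.txt").write_text("constructed sample file\n")
    backups = root / "backups"
    now = time.time()
    old = create_backup(source, backups, when=now - 10 * 86400)
    os.utime(old, (now - 10 * 86400, now - 10 * 86400))   # backdate as if made 10 days ago
    stray = backups / "notes.txt"
    stray.write_text("unrelated file, must survive pruning\n")
    os.utime(stray, (now - 30 * 86400, now - 30 * 86400))
    new = create_backup(source, backups, when=now)
    removed = prune_backups(backups, keep_days=7, now=now)
    remaining = sorted(p.name for p in backups.iterdir())
    return old.name, new.name, removed, remaining


if __name__ == "__main__":
    print(run_demo())
```

A crontab line such as `0 2 * * * /usr/bin/python3 /opt/backup.py` would run it nightly; the retention step belongs in the same script so that a backup that fails to create also skips pruning, rather than deleting the last good copy on a bad night.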
Automating the execution and reporting of JUnit 5 tests

Hey folks!

I hope this is an appropriate post and that it is considered within the community post rules. If it is not I apologize in advance. For those of you who work on Java projects that utilize JUnit 5 for your testing framework, I developed a YouTube series on automating the execution and reporting of JUnit 5 test methods using the JUnit 5 Console Launcher utility, InfluxDB, Grafana, and Jenkins.

In the series I cover:

1. How to use the JUnit 5 Console Launcher to execute JUnit 5 test methods from the command-line
2. Developing a Jenkins pipeline that uses the Console Launcher to automatically execute the JUnit 5 test cases and report results within Jenkins
3. Publishing test results to an InfluxDB database
4. Finally, how to create a Grafana dashboard that displays useful test metrics such as test execution duration and test status over time (this section of the series will be published soon)

I hope that you find this series valuable if you're working with this tech stack!

https://www.youtube.com/watch?v=tF7iFi5xSAQ&list=PLrSqqHFS8XPb_0zOxufQXllGL9Ta6GbC2&ab_channel=TechandBeyondwithMoss

https://redd.it/kwr9b4
@r_devops
Possible to use IaC for AWS Directory Service (AWS Managed AD)?

I'm working on an environment that needs to be repeatable, and some part of it involves consistent Active Directory Objects (OUs, certain users/groups). So far all of my code is in Terraform, which does have an AD provider, but not one that works with AWS Directory Service, because WinRM is disabled. Aside from just shooting a PowerShell script at AD and hoping for the best, does anyone know of any other way to achieve what I need?

https://redd.it/kwqlrx
@r_devops
Proper linting (manual, on save, on commit, ...)

My experience is based on using lint in full-stack projects. Here I experienced 3 different ways of using lint - all with advantages and disadvantages. We mostly use default lint settings, specifically for the project (e.g. `eslint-plugin-vue` for Vue.js projects) - so maybe the problem is simply tweaking the default lint for each project.

Also, using more restrictive lint rules moves code management to team management. For example, juniors tend to have more "weird" problems to solve, with the tradeoff that they cannot commit (that) bad code.

* **Manual lint:**
  * No unexpected behavior as I have full control
  * As with all non-automation: I tend to forget about it and commit unlinted code
* **Lint on save** (imho most impracticable):
  * The code is ALWAYS properly linted
  * Really annoying while developing. You experiment with a code section and nothing works because "unused variable", etc.
* **Lint on commit:**
  * Fluent development - proper code in the repo
  * I experienced CI causing problems I did not have on my machine

Can you relate to these problems, and what is your opinion?

Do other projects/workflows also have these problems (for example C++, Desktop)?

https://redd.it/kwb75i
@r_devops
Using Istio with ALB on AWS EKS

I managed to configure AWS ALB to point to the Istio ingress gateway using what is described here https://stackoverflow.com/a/62463576/2429333

How I understand it works right now is:

Client -> ALB -> Istio ingress gateway -> application pods

and with an LB created with using serviceAnnotations on Istio service it is:

Client -> ELB/NLB -> application pods

Is that correct? If so how can I use ALB with Istio and get rid of that additional network hop?


PS This is actually my question from Istio's discuss https://discuss.istio.io/t/using-istio-with-alb-on-aws-eks/9429

https://redd.it/kwdolx
@r_devops
Making a possible switch to devops

Hello r/devops,

I have been working in software testing for about 6.5 years and I feel like I am reaching a plateau in terms of my growth and my ability to make an impact in software teams. The last few jobs I have had have all been the same in terms of the expectations of me and it all really boils down to "we have quality issues, now that we have someone who is here for that so we won't have them anymore. Oh and by the way we don't want to really change anything". Safe to say it gets a little old after hearing it a few times.

I have had a brief job working as part of an SRE/systems team and I am coming to a point where I think I want to change directions in my career. I find myself drawn to the DevOps movement/mindset and to helping teams set up the systems they need to deliver high-quality software at a rapid pace. My question for all of you is: what kind of certifications/skills would you say are the ones that count for getting into a systems/DevOps/cloud group within an IT organization?

Specifically I'm not dead set on something like the above and other options like sysadmin/network are also something I would like to explore. Finally for people out there who have been working in positions like I have described above what would you say are the things you would tell your younger self if you could do it all over again?

Thank you,

IrateBuccaneer

https://redd.it/kwp0qe
@r_devops
Is kubernetes any good for hosting stuff that requires an FTP access?

I know that Kubernetes works fine with apps that are designed in some microservice way (for example, file storage is hosted in a separate S3 cloud, the database is replicated somewhere else, etc.), but some apps require FTP access (okay, it's WordPress) to set some things up.

This would work like one master'ish node with FTP container that syncs filesystem to other nodes in case of HA right?

https://redd.it/kwrzfr
@r_devops
Choosing between Azure DevOps, Azure DevOps Server, and GHES Actions

Which do you use for your pipelines?

Any good/bad experiences?

Would you recommend any over the others?

https://redd.it/kwmp7a
@r_devops
Handling developer feature branches in cicd?

How is your organization currently handling pipelines for feature development? Is there an automated Jenkins pipeline that spins up temporary namespaces? Are you using cloud hosted options like Azure dev spaces? Are you using open source tools like scaffold?

https://redd.it/kwll45
@r_devops
Remote Debugging in AWS

Hi all,

As developers, we are losing our ability to debug after pushing our application to the cloud. There are several workarounds to solve this issue. I wrote a blog post about this and wanted to discuss it more here. How are you debugging compute in the cloud? What are the practices that you've been following?

https://thenewstack.io/remote-debugging-in-aws-the-missing-link-in-your-debugging-toolset/

https://redd.it/kwc7z3
@r_devops
Who is running on bare metal?

Why?

How are you managing your data center?

What are the top five problems you face?

https://redd.it/kx0qy0
@r_devops
advice for local testing

I'm using MacOS catalina for local testing. I'm testing SDK's used for a NOSQL database.

I have a database cluster running in docker containers. This is working just fine.

I need to test SDKs for 6 languages (Java, C, nodejs, python, C#, Go). Unfortunately I cannot simply run the code from my machine because there are some test cases that won't work. Let's say I have two query nodes and need to run queries against both nodes. I have to open port 8093, which is used by the query service. Due to the way Docker for Mac works, I can't expose the same port on multiple containers (otherwise I get a "port is already allocated" error).

What I've done for now is build my own docker image with runtimes for 6 languages. This is also working. However this image is large (almost 2GB). I feel like I'm doing it wrong. Shouldn't container images be small? How would you folks approach testing?

By the way, the only reason I'm using Docker for the database is that it's very fast to spin up a cluster (I have a bash script that does this). I suppose one simple solution is to use Vagrant instead of Docker (then I wouldn't have the port conflict issue), but it would be slow and I'm not sure how to do this. If Vagrant (or anything else besides Docker) is a simpler/better solution I'm willing to explore it.

https://redd.it/kwz312
@r_devops