Web app security bugs, who's responsibility to test and alert?

Hi, found a relatively simple bug in a shop I'm using, and as an OPS/SEC guy I went down the rabbit hole and shared it with the shop.
Tried to make a story out of it and would love any kind of feedback from professionals:
https://dev.to/omerxx/hacking-your-application-may-be-easier-than-you-think-4g4c

Was wondering what kind of checks (or whether at all) devops engineers are running against the systems in their domain?

Is that the developer's responsibility or dev"sec"ops ?

https://redd.it/llpt6e
@r_devops

What open-source tools to use to create easily sharable and deployable configured VMs with custom software installed?

I need to create sharable IaC configs for Windows and Linux VMs that will: install the OS, configure them, and install custom software on them. I'm looking for a way to do this in a easily sharable manner such as Dockerfile/Vagrantfile where a client can download the script/config, maybe tweak the software installed, run it, and have it deployed as a VM locally.

Should I just go with Vagrant or do I look at other tools like Packer, Terraform, or Ansible?

https://redd.it/llmfkh
@r_devops

Seamless Deployment to External Linux? (not hosted on AWS or gcloud)

I'm a dev making a golang/python application that needs to be deployed to a server I'm renting.

The server is a regular VPS ubuntu machine and not part of AWS/google cloud. I have worked at several companies that had their devops set up such that once their circleCI/gitlab pipeline completes, a new image with the changes is automatically built and deployed. All the developer had to do was push, and several minutes later the changes would appear on production.

What is the process for deploying to any server of your choice? would I upload the image to dockerhub and then pull it on my rented server? wouldn't have to log into the server to do that step?

I'm fairly new to devops, and have no experience deploying my code to docker environments. Are there tools that help make this process more seamless? I'd be looking for a setup where I could commit to github/gitlab and the code would be deployed on my server automatically once the pipeline completes.

Code is currently on github but I have no attachment to circleCI and would be happy to use other tools.

https://redd.it/ll9iru
@r_devops

Using liquibase-percona on kubernetes migration (via job)

Hey all.

we're using RDS MySQL

We want to have smooth migrations without locking tables, so we can avoid downtimes.

Any guide on how to use liquibase-percona in kubernetes job?

please assist.

https://redd.it/ll130a
@r_devops

How to build complex Well-Architected serverless infrastructures?

Article covers:

\- How and why did the AWS Well-Architected Framework come to be?

\- Why should you even care about it?

\- Well-Architected serverless lense

\- Design principles

\- Challenges and solutions for serverless teams

https://dashbird.io/blog/building-complex-well-architected-serverless-architectures/

https://redd.it/lnldck
@r_devops

Salary range for DevOps Engineer at Netherlands

Hi Team,

Just wanted to get a figure on the average salary for devops engineer at Netherlands, for below experience and skillset.

Experience - 10 years in release engineering and devops together
Skillset - AWS, Azure,Docker, Kubernetes, Terraform, Prometheus, Grafana, Jenkins, Azure Devops, GitHub, GitLab, Nodejs, Python,.NET, IoT platform services


Any pointers will be much appreciated. Thanks much!

https://redd.it/ll0bvg
@r_devops

Should Dev Rels ever report to marketing teams?

I've been looking for an evangelist for months and I'm struggling. I find great people but many are not a good fit because

* Our product is used by dev teams internally to work together better (not by developers to build things) which is different for most dev rels
* The role reports to the VP of Marketing (me) because the primary goal of the role is to grow awareness of our company through speaking and writing and to manage our Discord community (which marketing maintains) and they candidates don't want to work in marketing
* The candidates are good at helping devs build things but aren't great at writing and speaking

I need help! Can you look at this job description and tell me if the title is wrong or if I'm doing something else wrong. Thank you :-)

We are a hot start-up (11X growth last year), just closed series-A (not announced yet) and we have 1,000+ dev teams that LOVE our product. Just need to find someone with credibility to help get the word out.

[https://www.linkedin.com/jobs/view/2380356863/](https://www.linkedin.com/jobs/view/2380356863/)

https://redd.it/lno17j
@r_devops

I'm working on a software production risk model. Will it work in its current form?

The concept behind the model came about from thrashing on the burning question, "How do we deliver software with less production risk?".

There's already a baseline of teams working on production matters. But we want to develop an easier path to continuous improvement and resilient operations.

**So I broke production risk down into 4 sections**

These are reliability, availability, security and quality (RASQ).

Each section has a series of activities that offer a proactive approach. Here's an example for each section:

* Reliability - chaos engineering
* Availability - autoscaler config
* Security - threat modelling
* Quality - code review system

Nothing controversial yet, right?

**Now, how do we get better outcomes in these areas?**

Here's an idea that may spark up a *"Hmm, are you sure about this?"* response...

**Involve software engineers in the production risk culture.**

Yes, you heard me right. ¿Loco, no?

Here's the thing: [Google's DevOps culture expounds "risk-sharing"](https://cloud.google.com/solutions/devops/devops-culture-westrum-organizational-culture#how_to_implement_organizational_culture:~:text=Share%20risks.%20Along%20with%20this%2C%20encourage,right%20tool%20choice%2C%20can%20enable%20collaboration) as a virtue. I'd like to push this concept a smidge further. Have specialists run each section - perhaps SREs/DevOps for reliability, Infra for availability, AppSec for security and senior SWEs for Quality. Depends. SWEs could serve tours of duty throughout the risk space - [job rotation in a technical sense](https://arxiv.org/abs/1906.05365).

**Now, why would we want to get SWEs involved?**

1. Give SWEs an appreciation of what it takes to keep their code running
2. Pipeline our next lot of ultra-skilled Ops talent with coding backgrounds - I've heard from some SWEs keen on SRE but getting rejected due to lack of experience.
3. Ensure resilience - if someone goes on vacation or leaves and your Ops people are already hands-full, why not let a SWE take on some ops work with confidence?

Note: involving SWEs is not 100% necessary, especially if it makes for hostile manager negotiations. But it's worth considering for experimentation especially since we are not all hyperscale businesses and some of us crave polymath talent.

We could just run this RASQ model with Ops people alone.

**Even if SWEs don't get involved, it still would work**

You could keep this in-house as a single view of what typically becomes run by factions.

The key is to build resilience. I've seen before that great production systems often happen because of consistent teams. Hotshot APM expert leaves? No problem, you've had some people rotate through the APM post, so you'll know how each of them did. Put on the best one until you get another hotshot.

**Some principles to go by:**

* Assign activities but also let people self-select into work they are interested in
* Give the contributors constructive feedback - have scaffolds to prevent criticism or gushing
* Let anyone share something that learned fast "today's actions = tomorrow's lessons"
* Rotate gently - more frequently than once or twice a quarter can be jarring

**How could we make all this easier to manage?**

We could block out a huge wall for planning on this model, but it might get stale after a while. So why not use our software abilities and make a digital operations canvas? Maybe open-source it.

**So what benefit/s would a digital view of the model give?**

The first benefit would be that we could move contributors around a lot faster. The second benefit that we could automatically collect stats on who's doing well and where.

We could:

* employ microlearning techniques to share new technical ideas in the context of activities
* allow for senior staff and leaders to provide continuous, constructive feedback
* add runbooks directly linked to the activities if there is a demand for this

Ultimately, we will be able to strengthen our production muscles. What do you think?

I await your

intelligent critique.

https://redd.it/ll1bhz
@r_devops

Migrating to Gitlab from Jenkins: how?

We are thinking about moving to Gitlab from Jenkins because Jenkins has a lot of bugs recently and the plugin situation is chaotic. Questions we have:

\- we store our code in GitHub currently: can Gitlab work with code stored in Github or we have to migrate everything to Gitlab? Which is a misery, I guess. Not the process itself, but new tools, new environment for all the developers, etc.

\- how can we build a specific subfolder in a repository instead of building the whole repo? Let's say we have 10 products in a single github repo in 10 separate folders, we have 10 Jenkins jobs for these and if we change the code in a folder, only the associated Jenkins job is started, nothing else. Can we do the same in Gitlab? If yes, how?

Thanks for the answers in advance.

https://redd.it/ll04zb
@r_devops

New DevOps engineer

Hi, I am a new DevOps engineer with hands on experience on couple of volunteer projects in Ontario, Canada. I am currently working in QA domain and now looking for new opportunities in DevOps. Can you all please share your day to day typical activities as DevOps engineer and I'll really appreciate if someone could share interview questions/suggestions for DevOps. Thanks.

https://redd.it/lnp2c4
@r_devops

Data Base Automation - How or which tool are you using?

I am in charge for DevOps and Cloud in my Company, we already created all apps devops pipelines, but now we are stucking our velocity because changes in infrastructure, but Data Base Automation we are no Clue how to solve it (CI/CD with automatic Rollback)....

https://redd.it/lnq04g
@r_devops

The Four Key Metrics of Devops

We held a discussion with a Cloud Architect who outlined these as the four key metrics of Devops:

1. Deployment Frequency
2. Lead Time For Changes
3. Time To Restores Services
4. Change Failure Rate

The first two metrics measure velocity, the last two metrics measure stability. Here's the full discussion

https://youtu.be/ep-guKZK468

https://redd.it/lnokcc
@r_devops

Questions about 3 DevOps certificates.

Which of the following three certificates is the easiest and which is the hardest?

Which one is most useful in conjunction with AWS skills?

\- ITIL 4 Foundation certification

\- Certified Jenkins Engineer

\- HashiCorp Certified: Terraform Associate

https://redd.it/lnmov3
@r_devops

Is anyone here running Flockport in a production environment?

I've always found Flockport interesting but I've never taken the time to play with it.

Just curious if anyone here is using it or has used it in the real world. What is your experience with it?

https://redd.it/lnn9qk
@r_devops

Settting up a rate-limited docker repo?

I'm wondering if any of the current docker repository solutions currently have any built-in way to handle rate-limiting. I expect this is a unique case, but a growing one and I'm just brainstorming a solution to try to move it towards broader use by making a business case for further openness.


Ideally, checking if there is an updated container would not be rate-limited or at least limited differently from downloading layers of a container.

https://redd.it/lnm0o1
@r_devops

Anyone know how I can POST a Binary of JSON files (zip, tar) to API Gateway so Lambda can unzip and process those JSON files?

Id like to grab a group of JSON which can be mutated in Lambda and pushed into DynamoDB. Thanks :)

https://redd.it/lnuga9
@r_devops

Can I forward Nginx logs to an API - How can I do this?

I want to process nginx logs of multiple machines. I thought it would be nice to forward the data to an endpoint of an API where I can parse the log and save it to a databse. How would you tackle this?

https://redd.it/lnkc4l
@r_devops

I'm a junior DevOps Engineer at my company. How do I lose the Junior?

Basically the title.
Last position I had was a sysadmin where I did mostly everything there was to do. I have studied CS, but I don't like programming very much, unless we are talking about scripting. I use bash, PS and python for my scripts.

I am working in a team of two, myself included. My colleague claims he has 9+ years of DevOps experience, but I feel I can learn nothing from him (long story and I also don't like to focus on him now). We have an external consultant and that guy is awesome. I'd love to be like that one day.

Currently we are working on Azure and it is planned that this year we're getting the AZ-102 (developer) and AZ-400 (devops) certificates. This will help ofc, but I also need to gather some more exp. with Docker & Kubernetes. We don't yet use VM automation, so that's not a priority.

I have bought some courses for CKA and CKAD. I have started with CKA, but I feel that one is not the right for me, since what we mostly do has to do with helm, tls and k8s. I'd like to learn this stuff too. Some good sources are appreciated, maybe in connection to Azure, so that I may use the newly gained knowledge asap.

Thanks :D

tldr: need to be better at helm, azure and k8s and also lose my junior in the title. What do I do?

https://redd.it/lnazlq
@r_devops

SRE vs. Platform Engineering

Over the past decade, engineering and technology organizations have converged on a common set of best practices for building and deploying cloud-native applications. These best practices include continuous delivery, containerization, and building observable systems.

At the same time, cloud-native organizations have radically changed how they’re organized, moving from large departments (development, QA, operations, release) to smaller, independent development teams. These application development teams are supported by two new functions: site reliability engineering and platform engineering. SRE and platform engineering are spiritual successor of traditional operations teams, and bring the discipline of software engineering to different aspects of operations.

https://blog.getambassador.io/the-rise-of-cloud-native-engineering-organizations-1a244581bda5

https://redd.it/lnhwkb
@r_devops

Should DevOps Toolchain contain Azure KeyVault

Basically what the title says. In your opinion, should a tool like Azure KeyVault be in a DevOps Toolchain?

https://redd.it/lnh5er
@r_devops