DevOps
-
EKS Dev environment?
Hi all! Not sure if this is the right place to ask this but here goes:
Currently working on a migration from ECS to EKS. I have one working environment that includes one namespace running some containerized services and an EC2 instance running some other services required for the environment to function.
Dev envs look like this today: One EC2 instance running all services, some through Docker and others through PM2.
My question is: Does it make sense to replicate this format for every developer? A namespace running services and an EC2 instance running some others? Or keep it as it is today and replace pm2 for local k8 orchestration?
Thanks in advance~
- robindev.substack.com Cloudflare took down our website after trying to force us to pay 120k$ within 24h
TL;DR: We've been on the Cloudflare Business plan ($250/month) for years. They suddenly contacted us and asked us to either pay them $120k up front for one year of Enterprise within 24 hours or they would take down all of our domains. While this escalated up our business we had 3 sales calls with th...
Always call out Cloudflare for their bullshit. For those working for companies in devops, share this with your teams...
-
OpenTofu ecosystem?
I'm looking forward to switching from Terraform to OpenTofu, but I have the impression that the ecosystem around it hasn't caught up yet.
Did any of you already do the switch? If so, what do you use as a replacement for Terraform Cloud, the VSCode extension and/or terraform-ls?
For Terraform Cloud, there are many options: scalr, spacelift, etc. Spacelift looks nice as it can also run Ansible, but Scalr seems to have a better and simpler UI.
But on the editor side, there doesn't seem to be much... the VSCode extension has been forked but it still seems to be in its early days (cf. this issue: it still uses terraform-ls under the hood, which itself looks for the terraform binary).
-
Self Hosted SCM & CI/CD Chicken and Egg
Struggling with a problem that I just can't seem to figure out.
When starting from scratch self hosting both the SCM and CI/CD server.
Given that you can't use an existing setup to deploy/manage it, what is the best practice for deploying said services?
- github.com GitHub - airtasker/proxay: Proxay is a record/replay proxy server that helps you write faster and more reliable tests.
-
Opinion on Pulumi vs cdk8s for provisioning Kubernetes?
I can't seem to find any trace of comparison between these specific libraries. I'm planning on using Python for them. I just don't wanna write YAML.
Pulumi seems more prone to the "single vendor is the new proprietary" theory, because they're an actual business and shit, so might do a bait and switch here Terraform-style. But that's the only difference I can spot besides obvious API differences.
Does anyone have an opinion?:)
-
Linux Foundation Launches Open Source Valkey Community (Alternative to Redis)
www.linuxfoundation.org Linux Foundation Launches Open Source Valkey Community
Community maintainers, contributors, and users will continue collaborative development of an open source, in-memory data store under the new Valkey name.
-
Grafana dashboard as alternative to Google Analytics?
Out of principle I refuse to put any type of analytics on my sites. I don't want to send user data to third parties and I don't want to rely on data that comes from JavaScript on the browser unless strictly necessary.
But the thought recently occurred to me that I could use my server logs to create some basic data visualisation on Grafana.
I'd like very basic stuff:
- hits
- common referrers
- geo location by IP address
- bounce rates per page
What would be the recommended way to get this, assuming that I have traefik logs aggregated via Loki and Grafana installed?
-
SSH through ProxyJump w/ conditional RunCommand
Trying to do a couple things. I have 2 jump hosts I can use to get into my cluster login node. From my laptop to the jump hosts is password. From jump hosts to login node can be key-based, so if I do it all from CLI:
    [me@home ~]$ ssh user@jump1
    Password:
    [user@jump1 ~]$ ssh user@login1
    [user@login1 ~]$
Same process if I use jump2. So first thing I'm trying to do is set up my ~/.ssh/config to use the ProxyJump host and key file to get to login1. I have the following:
    Host jump1
        Hostname jump1.domain
    Host jump2
        Hostname jump2.domain
    Host login1
        Hostname login1.cluster
        ProxyJump jump1
        #ProxyJump jump2
I'm not sure how to configure the IdentityFile entries for each jump host. The user on the jump hosts has different id_rsa keys in ~/.ssh, but both are in the authorized_keys file on login1. Second thing I'm trying to do is join or start a tmux session. From CLI, I can run:
    tmux has-session -t mysession || tmux new -s mysession && tmux a -t mysession
I've learned that to just join a running session (tmux a -t mysession), I need to include "RequestTTY yes" in my ssh config entry for login1. What I can't get working is the conditional statement that will fire up a new tmux session if it doesn't already exist.
- cep.dev (Almost) Every infrastructure decision I endorse or regret after 4 years running infrastructure at a startup
Assortment of technology startup infrastructure recommendations
-
How to scale MySQL horizontally?
What are the industry/production grade solutions? If you already have any experience, please share it. Thanks
-
Is there any tool for incremental backup for MySQL to S3 for production usage?
I have come across Percona XtraBackup, but I am curious what the production deployment best practices and tools are that are actually used by companies.
-
Satounki - Temporary elevated access management as a self-hosted service
github.com GitHub - LGUG2Z/satounki: Temporary elevated access management as a self-hosted service
cross-posted from: https://lemmy.world/post/9143654
> Apologies in advance for sharing two link posts here two days in a row. Unemployment may be driving me a little nuts... 😅
>
> I've been working on Satounki since I got laid off last month. It's the culmination of a lot of experience building similar ad-hoc internal tooling at various places throughout my professional career.
>
> Satounki already includes:
>
> * AWS support
> * GCP support
> * Cloudflare support
> * Auto-generated Terraform providers from the Rust API
> * Auto-generated Typescript client wrapper from the Rust API
> * Slack bot for request notifications, approvals and rejections
> * CLI for requests, approvals and rejections
> * Dashboard for exploring policies, requests and stats
>
> The scope of this project is pretty big and I'm looking for contributors.
>
> The majority of the project is written in Rust, including the generated Go and TS code. The stack is pretty simple; Actix, Diesel, SQLite, Tera etc., so if you have experience with writing web apps in Rust it should feel familiar!
>
> Even if this is a totally new stack to you, this is a great project to develop some familiarity and experience with it, especially if you can help improve the quality of the generated Go and TS code at the same time!
- thenewstack.io Thinking in Systems: A Sociotechnical Approach to DevOps
We need a holistic approach to DevOps, one that treats tools, workers who use them and the wider organizations as contributing parts of an interdependent whole.
I'm the author. With 5 years experience as a DevOps Engineer then Lead, I've wanted, for a very long time, to distill my critique and pave a way toward a healthier practice of DevOps. Before anyone jumps to tell me how DevOps Engineer is a misnomer, I address this in the article.
I wrote this piece because DevOps has all too often been misunderstood as a practice. Here I attempt to examine successful DevOps practice as a sociotechnical solution that weds culture and tools (the DevOps most are familiar with) with radical agency and visibility. I reference some stupendous thinkers in this space, like Jabe Bloom and Andrew Clay Shafer who were the first to argue for a sociotechnical approach to our work as IT professionals.
-
I recently had to migrate my team's CI from Bors-NG to Github Merge Queues. In this post I share my experience in doing so.
-
Any interesting blogs to follow?
Tryna get back to RSS. I currently love reading tonsky.me but that's about it, and it's not uhhh devopsy. So I'm all ears for anything interesting that you all like!
-
Continuous Deployment Fundamentals with GitHub Actions - Resources Hub - GitHub Resources
resources.github.com Continuous Deployment Fundamentals with GitHub Actions - Resources Hub
In this on-demand webinar, we’ll dive into the world of continuous deployment (CD) and how DevOps teams can use GitHub Actions to set up their applications for CD, from code check-ins to production, and all through various pre-production environments.
- grafana.com Grafana 10.2 release: All the latest features to know
Grafana 10.2 delivers exciting new visualization capabilities, AI assistance with dashboard titles, and more
-
Introducing Grafana OnCall shift swaps: A simpler way to exchange on-call shifts with teammates | Grafana Labs
grafana.com Introducing Grafana OnCall shift swaps: A simpler way to exchange on-call shifts with teammates | Grafana Labs
The new Grafana OnCall shift swaps feature makes it easier than ever for engineers to coordinate with teammates and exchange on-call shifts.
-
Question: how to check GKE and EKS default enabled/disabled feature gates
We need to deploy a Kubernetes cluster at v1.27. We need that version because it comes with a particular feature gate that we need and it was moved to beta and set enabled by default from that version.
Is there any way to check which feature gates are enabled/disabled in a particular GKE and EKS cluster version without having to check the kubelet configuration inside a deployed cluster node? I don't want to deploy a cluster just to check this.
I've checked both GKE and EKS changelogs and docs, but I couldn't see a list of enabled/disabled feature gates.
Thanks in advance!
-
Homebrew to deprecate and add caveat for HashiCorp
github.com hashicorp: deprecate and add caveat by iMichka · Pull Request #139538 · Homebrew/homebrew-core
Inform users that we might disable this formula one day given there will be no more version updates in homebrew-core due to the license change. Have you followed the guidelines for contributing?...
"Inform users that we might disable this formula one day given there will be no more version updates in homebrew-core due to the license change"
-
Forgejo – an alternative to GitHub
forgejo.org Forgejo – Beyond coding. We forge.
Forgejo is a self-hosted lightweight software forge. Easy to install and low maintenance, it just does the job.
-
Best practice for Terraform state?
We're using Terraform to manage our AWS infrastructure and the state itself is also in AWS. We've got 2 separate accounts for test and prod and each has an S3 bucket with the state files for those accounts.
We're not setting up alternate regions for disaster recovery and it's got me wondering if the region the terraform S3 bucket is in goes down then we won't be able to deploy anything with terraform.
So what's the best practice for this? Should we have a bucket in every region with the state files for the projects in that region? But then that doesn't work for multi-region deployments.
-
OpenTF is now OpenTofu
The OpenTF project has been renamed to OpenTofu.
- New homepage: https://opentofu.org/
- New Github organization: https://github.com/opentofu
Personally, I feel happy to see this project getting form and I cannot wait to see what happens at the end.
-
Not sure if I need a firewall, forward proxy, or some gross hybrid...
Hoping you folks might be able to point me to the right things to Google.
Our project has developed a very "business lead" (to put it politely) requirement to monitor and allow/block outgoing connections to other parts of the business. We live in a dedicated AWS account and have reasonable autonomy over our networking setup (NACLs, route tables, etc), but less freedom with what AWS services we can use, and deploying things from Marketplace.
The basic requirements are as follows:
- Default blocking for certain CIDRs.
- Exceptions for certain IP/Host and port combos within those CIDRs.
- Authentication and authorisation to use said exceptions (i.e. user tracking).
- Detailed logging on connections; source, dest, request and response sizes, ports, protocols, whatever we can get our hands on.
- All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples).
The security aspect of this is fairly minimal as it's mainly for usage tracking and making sure our users sign their life away before they access their services from our platform. As such, I was hoping to have something that could be rolled out fairly simply; a couple of EC2 instances, yum install foo, and some routing rules, but it looks like the feature set we want requires something more robust, like OPNsense or similar.
Am I missing an obvious solution here, a forward proxy of some sort, any "light" firewalls that don't require a whole separate AMI?
Thanks in advance!
-
What's your approach with Ansible verbosity?
I recently stumbled upon a problem: I wanted the stdout of a `command` task to be printed after execution, so I toggled the global `-v` flag. However, the `service` module is apparently verbose as shit and printed like a 100 lines and uhh.... that's a costly tradeoff O_o
Seems like a PR for a task-level `verbosity` keyword has been proposed, yet rejected.
I'm aware it's possible to just register the stdout of the `command` and print it in a following `debug` task, but I wonder if there's a prettier solution.
How would you go about this? Ever encountered such a feeling?
-
What benefits do you get for being on-call?
- How much extra do you get paid for being on an call rotation?
- Is the salary/benefits the same for inconvenience of being on call and working on an incident?
- What other rules do you have? Eg. max time working on an incident, rota for highly unsociable hours?
- How many people are on the same schedule with you?
- Where are you based, EU/US/UK/Canada?
- about.gitlab.com Migrating Arch Linux's packaging infrastructure to GitLab
Arch Linux developer Levente Polyak explains how the project recently migrated its packaging infrastructure to GitLab and what Arch Linux gained as a result.
A true story about how Arch Linux migrated its packaging infrastructure and tooling to GitLab.
-
[Tool Announcement] github-distributed-owners - A tool for managing GitHub CODEOWNERS using OWNERS files distributed throughout your code base. Especially helpful for monorepos / multi-team repos
github.com GitHub - andrewring/github-distributed-owners: A tool for auto generating GitHub compatible CODEOWNERS files from OWNERS files distributed through the file tree.
GitHub only supports a single CODEOWNERS file in a repository, which is fairly limiting. This tool allows OWNERS files to be distributed throughout the code base, and provide more localized semantic meaning.
Benefits of distributed files:
The primary benefit, in my view, is around ownership of the CODEOWNERS file. Having a single file means that you either have a small number of people who own the CODEOWNERS file, through which all updates must pass, or you have the CODEOWNERS file open broadly, possibly to anyone's reviews. In the former, you have a bottleneck, and people approving changes they may not be familiar with the implications of, especially cross team ownership. In the latter, people could add themselves as an owner without the current owners being aware. By having the distributed OWNERS files, the teams/people who own the code also own the OWNERS file. This means the right people will have to approve changes.
It's easier to find who the experts on a group of code are, which is helpful when people have questions, or are otherwise seeking to engage more about it.
It's generally better practice to have many smaller scoped files, rather than monolithic ones. This applies to code, of course, but it also applies to metadata, such as ownership.
Feedback is welcome, I hope some find this helpful. :)
https://github.com/andrewring/github-distributed-owners
Note this includes support for pre-commit.
-
[TIP] Including/Importing an Ansible role w/ handlers more than once
cross-posted from: https://lemmy.ml/post/4593804
> Originally discussed on Matrix.
>
> ---
>
> TLDR; Ansible handlers are added to the global namespace.
>
> ---
>
> Suppose you've got a role which defines a handler `MyHandler`:
>
>> - name: MyHandler
>>   ...
>>   listen: "some-topic"
>
> Each time you `import`/`include` your role, a new reference to `MyHandler` is added to the global namespace.
>
> As a result, when you `notify` your handler via the topics it `listen`s to (ie `notify: "some-topic"`), all the references to `MyHandler` will be executed by Ansible.
>
> If that's not what you want, you should `notify` the handler by name (ie `notify: MyHandler`) in which case Ansible will stop searching for other references as soon as it finds the first occurrence of `MyHandler`. That means `MyHandler` will be executed only once.
-
Increase your security governance with CAA - Let's Encrypt
letsencrypt.org Increase your security governance with CAA - Let's Encrypt
According to Cloudflare’s Merkle Town, 257,036 certificates are issued every hour. We at Let’s Encrypt are issuing close to 70% of those certs. Being a Certificate Authority that operates as a nonprofit for the public’s benefit means we are constantly considering how we can improve our Subscribers' ...
-
The OpenTF fork is now available!
OpenTF fork (prepare for alpha) is now available at the GH Repository here:
https://github.com/opentffoundation/opentf
Take a look at the issues tab to see some of the live RFCs and discussions happening. Lots of things like the use of tf in the binary/name and bringing their own registry.
-
DSLs are a waste of time
leebriggs.co.uk DSLs are a waste of time | lbr.
If you’ve read this blog before, or are unfortunate enough to have an actual personal relationship with me, you’ll know that I have strong opinions and can be, shall we
TLDR: terraform bad, pulumi good
-
OpenTF announces a fork of Terraform
https://opentf.org/announcement