Sidebar
DevOps
robindev.substack.com
Always call out Cloudflare for their bullshit. For those working for companies in devops, share this with your teams...
I'm looking forward to switch from Terraform to OpenTofu, but i have the impression that the ecosystem around it didn't catch up yet. Did any of you already did the switch? If so, what do you use as a replacement for Terraform Cloud, the VSCode extension and/or terraform-ls? For Terraform Cloud, the are many options: [scalr](https://www.scalr.com), [spacelift](https://spacelift.io), etc. Spacelift looks nice as it can also run Ansible, but Scalr seems to have a better and simpler UI. But on the editor side, there doesn't seem to be much... the VSCode extension [has been forked](https://github.com/gamunu/vscode-opentofu) but it still seem to be in its early days (cf. [this issue](https://github.com/gamunu/vscode-opentofu/issues/9): it still uses terraform-ls under the hood, which itself looks for the terraform binary).
Struggling with a problem that i just can't seem to figure out. When starting from scratch **self hosting** both the SCM and CI/CD server. Given that you can't use an existing setup to deploy/manage it, what is the best practice for deploying said services?
I can't seem to find any trace of comparison between these specific libraries. I'm planning on using Python for them. I just don't wanna write YAML. Pulumi seems more prone to the ["single vendor is the new proprietary"](https://opensource.net/why-single-vendor-is-the-new-proprietary) theory, because they're an actual business and shit, so might do a bait and switch here Terraform-style. But that's the only difference I can spot besides obvious API differences. Does anyone have an opinion?:)
Out of principle I refuse to put any type of analytics on my sites. I don't want to send user data to third parties and I don't want to rely on data that comes from JavaScript on the browser unless strictly necessary. But the thought recently occurred to me that I could use my server logs to create some basic data visualisation on Grafana. I'd like very basic stuff: - hits - common referrers - geo location by IP address - bounce rates per page What would be the recommended way to get this, assuming that I have traefik logs aggregates via Loki and Grafana installed?
Trying to do a couple things. I have 2 jump hosts I can use to get into my cluster login node. From my laptop to the jump hosts is password. From jump hosts to login node can be key-based, so if I do it all from CLI: ``` [me@home ~]$ ssh user@jump1 Password: [user@jump1 ~]$ ssh user@login1 [user@login1 ~]$ ``` Same process if I use jump2. So first thing I'm trying to do is set up my ~/.ssh/config to use the ProxyJump host and key file to get to login1. I have the following: ``` Host jump1 Hostname jump1.domain Host jump2 Hostname jump2.domain Host login1 Hostname login1.cluster ProxyJump jump1 #ProxyJump jump2 ``` I'm not sure how to configure the IdentityFile entries for each jump host. The user on the jump hosts has different id_rsa keys in ~/.ssh, but both are in the authorized_keys file on login1. Second thing I'm trying to do is join or start a tmux session. From CLI, I can run: ``` tmux has-session -t mysession || tmux new -s mysession && tmux a -t mysession ``` I've learned that to just join a running session (tmux a -t mysession), I need to include "RequestTTY yes" in my ssh config entry for login1. What I can't get working is the conditional statement that will fire up a new tmux session if it doesn't already exist.
What is the industry/production grade solutions or if you have already any experience please share it. Thanks
I have came across Percona xtrabackup but I am curious what is the best production deployment best practices and tools that are actually used by companies.
github.com
cross-posted from: https://lemmy.world/post/9143654 > Apologies in advance for sharing two link posts here two days in a row. Unemployment may be driving me a little nuts... 😅 > > I've been working on Satounki since I got laid off last month. It's the culmination of a lot of experience building similar ad-hoc internal tooling at various places throughout my professional career. > > Satounki already includes: > > * AWS support > * GCP support > * Cloudflare support > * Auto-generated Terraform providers from the Rust API > * Auto-generated Typescript client wrapper from the Rust API > * Slack bot for request notifications, approvals and rejections > * CLI for requests, approvals and rejections > * Dashboard for exploring policies, requests and stats > > The scope of this project is pretty big and I'm looking for contributors. > > The majority of the project is written in Rust, including the generated Go and TS code. The stack is pretty simple; Actix, Diesel, SQLite, Tera etc., so if you have experience with writing web apps in Rust it should feel familiar! > > Even if this is a totally new stack to you, this is a great project to develop some familiarity and experience with it, especially if you can help improve the quality of the generated Go and TS code at the same time!
thenewstack.io
I'm the author. With 5 years experience as a DevOps Engineer then Lead, I've wanted, for a very long time, to distill my critique and pave a way toward a healthier practice of DevOps. Before anyone jumps to tell me how DevOps Engineer is a misnomer, I address this in the article. I wrote this piece because DevOps has all too often been misunderstood as a practice. Here I attempt to examine successful DevOps practice as a sociotechnical solution that weds culture and tools (the DevOps most are familiar with) with radical agency and visibility. I reference some stupendous thinkers in this space, like Jabe Bloom and Andrew Clay Shafer who were the first to argue for a sociotechnical approach to our work as IT professionals.
I recently had to migrate my team's CI from Bors-NG to Github Merge Queues. In this post I share my experience in doing so.
Tryna get back to RSS. I currently love reading tonsky.me but that's about it, and it's not uhhh devopsy. So I'm all ears for anything interesting that you all like!
We need to deploy a Kubernetes cluster at v1.27. We need that version because it comes with a particular feature gate that we need and it was moved to beta and set enabled by default from that version. Is there any way to check which feature gates are enabled/disabled in a particular GKE and EKS cluster version without having to check the kubelet configuration inside a deployed cluster node? I don't want to deploy a cluster just to check this. I've check both GKE and EKS changelogs and docs, but I couldn't see a list of enabled/disabled feature gates list. Thanks in advance!
github.com
"Inform users that we might disable this forumula one day given there will be no more version updates in homebrew-core due to the license change"
We're using Terraform to manage our AWS infrastructure and the state itself is also in AWS. We've got 2 separate accounts for test and prod and each has an S3 bucket with the state files for those accounts. We're not setting up alternate regions for disaster recovery and it's got me wondering if the region the terraform S3 bucket is in goes down then we won't be able to deploy anything with terraform. So what's the best practice for this? Should we have a bucket in every region with the state files for the projects in that region but then that doesn't work for multi-region deployments.
opentofu.org
OpenTF project has been renamed to **OpenTofu**. * New homepage: https://opentofu.org/ * New Github organization: https://github.com/opentofu Personally, I feel happy to see this project geting form and I cannot wait to see what happens at the end.
Hoping you folks might be able to point me to the right things to Google. Our project has developed a very "business lead" (to put it politely) requirement to monitor and allow/block outgoing connections to other parts of the business. We live in a dedicated AWS account and have reasonable autonomy over our networking setup (NACLs, route tables, etc), but less freedom with what AWS services we can use, and deploying things from Marketplace. The basic requirements are as follows: - Default blocking for certain CIDRs. - Exceptions for certain IP/Host and port combos within those CIDRs. - Authentication and authorisation to use said exceptions (i.e. user tracking). - Detailed logging on connections; source, dest, request and response sizes, ports, protocols, whatever we can get out hands on. - All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples). The security aspect of this is fairly minimal as it's mainly for usage tracking and making sure our users sign their life away before they access their services from our platform. As such, I was hoping to have something that could be rolled out fairly simply; a couple of EC2 instances, yum install foo, and some routing rules, but it looks like the feature set we want requires something more robust, like OPNsense or similar. Am I missing an obvious solution here, a forward proxy of some sort, any "light" firewalls that don't require a whole separate AMI? Thanks in advance!
I recently stumbled upon a problem: I wanted the stdout of a `command` task to be printed after execution, so I toggled the global `-v` flag. However, the `service` module is apparently verbose as shit and printed like a 100 lines and uhh.... that's a costly tradeoff O_o Seems like a PR for a task-level `verbosity` keyword [has been proposed, yet rejected](https://github.com/ansible/ansible/pull/74888). I'm aware it's possible to just register the stdout of the `command` and print it in a following `debug` task, but I wonder if there's a prettier solution. How would you go about this? Ever encountered such a feeling?
1. How much extra do you get paid for being on an call rotation? 2. Is the salary/benefits the same for inconvenience of being on call and working on an incident? 3. What other rules do you have? Eg. max time working on an incident, rota for highly unsociable hours? 4. How many people are on the same schedule with you? 5. Where are you based, EU/US/UK/Canada?
about.gitlab.com
A true story about how Arch Linux migrated its packaging infrastructure and tooling to GitLab.
github.com
GitHub only supports a single CODEOWNERS file in a repository, which is fairly limiting. This tool allows OWNERS files to be distributed throughout the code base, and provide more localized semantic meaning. Benefits of distributed files: The primary benefit, in my view, is around ownership of the CODEOWNERS file. Having a single file means that you either have a small number of people who own the CODEOWNERS file, through which all updates must pass, or you have the CODEOWNERS file open broadly, possibly to anyone's reviews. In the former, you have a bottleneck, and people approving changes they may not be familiar the implications of, especially cross team ownership. In the latter, people could add themselves as an owner without the current owners being aware. By having the distributed OWNERS files, the teams/people who own the code *also own the OWNERS file*. This means the right people will have to approve changes. It's easier to find who the experts on a group of code is, which is helpful when people have questions, or are otherwise seeking to engage more about it. It's generally better practice to have many smaller scoped files, rather than monolithic ones. This applies to code, of course, but it also applies to metadata, such as ownership. Feedback is welcome, I hope some find this helpful. :) https://github.com/andrewring/github-distributed-owners Note this includes support for [pre-commit](pre-commit.com).
cross-posted from: https://lemmy.ml/post/4593804 > _Originally [discussed on Matrix](https://matrix.to/#/!czpAhMQgXXiRMvhOef:libera.chat/$mXNVayx6HpJTjpZvQyCdfUT_jaM0xYVTuAs_5I9xsrc?via=ansible.com&via=libera.chat&via=matrix.org)._ > > --- > > **TLDR;** Ansible handlers are added to the global namespace. > > --- > > Suppose you've got a role which defines a handler `MyHandler`: > > ``` > - name: MyHandler > ... > listen: "some-topic" > ``` > > Each time you `import`/`include` your role, a **new** reference to `MyHandler` is added to the global namespace. > > As a result, when you `notify` your handler via the topics it `listen`s to (ie `notify: "some-topic"`), **all** the references to `MyHandler` will be executed by Ansible. > > If that's not what you want, you should `notify` the handler by name (ie `notify: MyHandler`) in which case Ansible will stop searching for other references as soon as it finds the first occurrence of `MyHandler`. That means `MyHandler` will be executed only once.
**OpenTF fork (prepare for alpha) is now available at the GH Repository here:** [https://github.com/opentffoundation/opentf](https://github.com/opentffoundation/opentf) Take a look at the issues tab to see some of the live RFCs and discussions happening. Lots of things like the [use of tf in the binary/name](https://github.com/opentffoundation/opentf/issues/273) and bring [their own registry](https://github.com/opentffoundation/opentf/issues/258).
TLDR: terraform bad, pulumi good