When I mention "systems administration" to younger coworkers, they look at me like I'm a crusty old relic out of touch with modern engineering. People have no sense of history and little understanding of where the devops role came from and what it really means. I had a CTO tell me he hadn't heard the term "system administration" in ten years.
What were our devops people doing? Running web servers, managing networks, configuring DNS, managing backups, configuring cloud services. Absolutely none of it in support of the dev team I was on. The developers were responsible for managing their own CI/CD pipeline and deployments. The people called the "DevOps Team" were responsible for managing production. In this case, they were systems administrators and were not in any way a devops team, but the terminology is so skewed now that they were labeled as such, and I was labeled an out of touch old greybeard.
This isn't to demean devops in any way; it's a valuable role, an evolutionary step in software team organization, but by no means is it new and by no means is systems administration a dead role.
I'm not sure where I picked up this impression from.
1) "DevOps teams" are just rebranded operations teams
2) "DevOps teams" are teams that are responsible for both development and operations for their app
I think the first one is the one you're frustrated with, and I agree it's a completely useless label when used like that, but it's not definitely not the only way it's used.
But the roots can be traced to the 70's (the PDP-11 had the compile-link process).
If you were really smart and could program in Assembler they called you a "Systems Programmer".
In the 80's, the PC revolution fostered debates over how much centralized control IT should have.
There was a long-standing debate in computing as to where the software should live (that is on a server or at the client level).
So the modern situation is server=cloud and client=browser. This creates a demand for people who understand how software is built/deployed/maintained in this environment.
So we slap the Devops label on it and pretend we understand what's going on.
But it's really a debate about how long the current status quo will last before it's subsumed by something else.
(Speaking pithily as a sysadmin-turned-DevOps-turned-SRE doing vaguely the same work for far more money...)
1. Developers learning that running code is not the same thing as reliable code. Certain things must be put in at design time to allow for operations.
2. Operations people supporting development by formalizing/streamlining the deployment process to have changes occur faster, safer, and more often.
3. Aligning goals and attitudes in such a way that prevents conflict between teams. Development doesn't get to shift the costs of outage prone unmaintainable code onto an ops team. Or that ops doesn't roadblock/veto all changes.
In the bad old days, it was common for developers to act with little care for operational outcomes. The responsibility was far removed, and bugfixes didn't win many accolades. Managers want wish fulfillment and pushed developers to toss new features into the mix as fast as possible, resulting in tremendous pressure against ops teams to deploy despite increasingly crufty and debt laden code bases causing unpredictable problems. Ergo, ops teams who blocked all changes for trivial issues because they were judged only based on outages, not feature delivery.
So basically it comes to having devs, test, ops, sec, persons in one team with common goal of delivering featuers.
Because most friction was on boarders like dev | test | ops | security, all those people being on role specific teams would do what is important for their team. So test people would blame devs, sec people would blame ops, test or devs. When you are in one team that has common goal of delivering feature X and you are measured by delivering feature X, everyone is willing to take pragmatic approach instead of "code has to be perfect", "tests have to be perfect", "security has to be perfect".
I read somewhere "magic happens if you seat testers and developers in the same room", I belive it was "Project Phoenix" book. But I despise from the start having those devs vs test people or test people beeing happy about finding bugs. They should be sad because what matters is delivering feature, so they should be happy when they don't find anything. That said, thay should do all they can to find bugs, because we have common goal: "working software".
Provisioning servers, databases, load balancers, etc and other resources use to involve someone driving down to the colo and installing hardware. Often now, it's a yaml file you run through Cloud Formation.
Devops is just as much development and software engineering when you are working in a cloud environment -- it's an API call.
Certainly, in other engineering fields, visits to the installation sites by (designing) engineers, or even running pilot programs to debug the system as designed and implemented is a norm. However, the notion that 'an engineers job is to be responsible for x-widget from design to operation' is entirely foreign to any notion of "Engineering" that I am familiar with.
How many hardware based Kickstarter projects have failed because they didn’t understand the complexity of actually manufacturing there product at scale.
It’s analogous to software engineers who don’t appreciate ops. Writing software for a company is useless if you can’t ship it or deploy it. You can’t imagine the number of bright eyed bushy tailed “software engineers” I’ve dealt with that thought they were smart because they knew leetCode and learned algorithms who couldn’t troubleshoot performance issues or understand why they couldn’t get shipping products because they didn’t understand the ops side of things.
Of course I am not diminishing the role of software engineering, I’ve been developing software actively professionally or as a hobby for over 30 years. But, I know enough in theory to talk to the ops guys for on prem/colo/hybrid architectures and I could easily be competitive on the ops side for jobs dealing with fully “cloud native” solutions for a small to medium size implementation.
I think you are missing the point.
This attitude is the ultimate reason for dysfunctional development teams and the source of the barrier between operations and development.
It’s also toxic.
Tell me that is not software engineering, the only difference is that my ability to test before deployment is much more costly and limited, I have to get it right the first time around..
And if that’s not “real programming” sometimes you actually do end up writing custom resources in a “real programming language” that get called from CF to create resources.
I’m very much up and down the stack any given week going from the front end, middleware, databases and infrastructure not to mention building out CI/CD pipelines.
Does anyone spend any time thinking, researching, planning, designing or communicating?
Creating these strict barriers between teams, especially with the condescension you elicit is exactly how problems arise.
Suppose software engineers write an O(N^2) algorithm because they didn't think the data would grow large. It does. DevOps then launches many more dozens of computers to handle the algorithm. If no one speaks to eachother, everyone thinks things are going smoothly when in reality it's a complete disaster. The DevOps team has much more visibility into the usage, performance, and cost of apps than many developers. Talk to your breathen wisely.
Probably most importantly, my experience on DevOps has been a bit like hurried product management and software engineering work--I have to identify problems and opportunities to improve software development efficiency, uptime, etc and find/build technologies that solve those problems, and all of these technology choices are really complicated because they are interdependent. How you structure your CI/CD pipeline depends a lot on your orchestration platform (and vice versa). It also depends on whether you use micro services or a monolith, and whether your platform is mono/bi-lingual or fully multilingual. And unlike product management or software engineering, you have to deliver value in a much tighter timeframe (you don't get to spend a year building out a solution with budget and resources for user testing, QA, etc). Further, if you think the frontend web stack is changing fast, the DevOps world will make your head spin!
Regarding YAML, it's just the (currently popular) interface; it doesn't say anything about the amount of complexity. It was originally YAML/JSON because everyone thought it would be super simple configuration, but virtually every infrastructure-as-code (IaC) tool is moving away from YAML to something more powerful.
AWS has CloudFormation which began as JSON/YAML with features hacked on to support things like referencing other nodes in the document, defining and calling functions and macros, evaluating conditionals, looking up values in maps, etc. Now they're building the Cloud Development Kit (CDK) to let developers write IaC in languages like Python and TypeScript, because even the extensions to CloudFormation are insufficient (no ability to pass around parameters, pass structured data, perform computations, etc).
I don't use Terraform, but I understand HCL started out a lot like YAML but is also becoming increasingly powerful with each release.
Helm also started with YAML but is adding in Lua.
The argument that DevOps is easier than SE because it's just using tools created by SEs is silly on its face. First of all, those tools were _implemented_ by SEs but created by much larger teams, including product managers. Secondly, "SEs" are also just using tools created by SEs--compilers, interpreters, VMs, build tools, etc. Not to mention all of the tools and processes built and/or assembled by DevOps engineers.
I use to think that all “true” developers needed to know the ins and outs of assembly because every time I went to a new platform that’s the first thing that I did - learn assembly language (65C02, 68K, x86), but then I grew up.....
CloudFormation takes a text file and generates API calls much like any code compiled down to assembly.
I believe you would benefit from a different perspective because this vision is partial at best. The distinction between who builds system and tools and who uses them is subtle and often these roles are interchangeable. Both have dignity and purpose and contribute to the goal, regardless of the collar color, which is a remnant of the last century.
Galileo built his own telescopes.
People who are really serious about software should make their own hardware.
That is no different from people who call themselves “software architects”. You can’t build great software architectures if you don’t know how to build and optimize the underlying architecture it runs on and how to build the pipelines that put the code on those systems.
i deploy all our cloud instances using Ansible (yml files) and I wouldn't have a hope of doing that if I didn't understand the OS I'm configuring with it (Linux).
I might see your point if you're talking about the yml that is used to configure 'value added' products from cloud vendors, but I avoid those like the expensive handcuffs that they are.
This leaves me in complete control and keeps prices low because I only ever use vanilla instances.
I'm not on Amazon right now, but when I was I used to use ansible to configure networking on it and security groups etc, but I would always try to keep the vendor specific stuff to a minimum.
But I never said I was using Amazon.
I'm using an internal cloud service at my company. It does not offer any managed services.
Also when I do use AWS for clients, I _sometimes_ use managed services¹, but most of those lock you in to Amazon. Some clients don't care, some do. They are paying, so I don't care either way.
In either case, I spend very little time babysitting infrastructure, just FYI, even when I use bare instances.
And in my opinion² if people aren't careful about managed services, then they won't have any OS knowledge anymore, and will just be left with product knowledge.
Sure, managed services make things easier, but they also make your sysadmin muscles weak.
1: Aurora DB for example. That one I like because there's no lock in. I can always move my tables to a standalone MySQL.
2: As someone who is 100% comfortable using bare Linux without having to use containers, managed services, control panels or even google searches to keep my stuff running, and have been doing so since the early 90s.
I want my sysadmin muscles to be weak. I’m not saying that sysadmin isn’t important, but why spend time managing servers and doing the “undifferentiated heavy lifting” instead of adding value and dealing more with strategy?
In all the places I've worked I've been expected to do everything from setting up servers (originally physical servers, later cloud servers), hardening them, installing software, optimizing the software, installing and optimizing the database, creating database schemas and related objects, writing untold number of sql queries, writing server side code, writing front end code, etc.
I was hoping that the article would explain what devops really means today and how I can jump on the devops wagon to hopefully make my job of doing all of the above easier.
That’s the dream… the reality in my experience is that you have to describe, in detail, the exact steps that you would perform if you were doing it yourself so that somebody else can perform them, verbatim. But you have to describe those steps, exactly, without any access to the target platform where they’ll be performed.
I feel like I'm on thin ice whenever I deploy. Granted, I now try to make sure the SAs have to do as little as possible (because now I "understand" the infrastructure, I can build a postinstall that handles all the environment configuration I am allowed under an FID), it still feels nerve wracking to know that a single fuck up means I have to spend another 4-5 hours trying to get tickets to deploy.
I was hired as development team member partially as I was a sysadmin on the hardware we were using, our team both wrote the code but also the entire JCL infrastructure that managed the compilation linking, deployment and the running of code across the cluster of 16 or 17 systems.
On of my friends, an IBM guy from the operations side was shocked that we as developers where allowed to deploy and run our own code.
"Devops" means not fighting with those people??? haha
Just because you are “throwing it over a wall” doesn’t mean the team on the other side doesn’t exist.
The company doubtlessly has a CEO, too, even if you are so compartmentalized as to never speak with her.
> I was hoping that the article would explain what devops really means today and how I can jump on the devops wagon to hopefully make my job of doing all of the above easier.
1. Use AWS Fargate for all of your backend services. Keep the architecture simple enough that complicated service discovery issues etc don’t come up. If you need coordination between services, do it through Redis or similar.
2. Use RDS unless you really need to save money or use unavailable extensions.
3. Use terraform for initially provisioning the above
4. Set up CI/CD such that merges to master automatically update your services. (I like CircleCI’s aws-ecr and aws-ecs orbs for this.)
Pretty simple recipe, but it means no setting up servers, no hardening servers, no installing or optimizing software (other than by adding it to the Dockerfile), no installing or optimizing the database.
This recommendation reflects what modern devops means to me; opinions differ. To me it means:
- Infrastructure as code (terraform rather than clicking buttons in the AWS console then later forgetting which buttons you clicked)
- Immutable infrastructure (aka cattle not pets). Never SSHing into a server again.
- Automated testing and deployment cleanly integrated with existing dev workflow
Obviously there’s a scale at which you have to do something more complex, but I’d say that’s the scale at which you previously would have had an operations team.
Getting rid of the “writing server side code” and “writing front end code” parts is beyond the scope of devops, but you can skip a lot of the “writing server side code” part by using PostgREST. In exchange you may have to write an even-more-untold number of SQL queries, depending on your current practices.
Edit: Someone helpfully pointed out that I forgot to mention anything about logging or monitoring, which is a pretty glaring omission. On that front I strongly recommend Honeycomb. To set it up with Fargate you may need to run it in a sidecar container, but it’s fairly straightforward.
All of these things are fine for companies to do. How you run your org is on you. But I wish companies would go deeper than "DevOps" when putting up job posting requirements.
That's like saying they do "security". There's a lot of different ways that can be interpreted. I (as an applicant) only know a handful of those interpretations really well, so it's important that companies clarify these terms in their job descriptions. This way they have the right candidates applying.
As long as no-one is knocking on my door asking if I have five minutes to discuss Agile development methodologies.
I could reasonably defend most of what people attach to the "DevOps" buzzword as sane practices most of us were already doing before the hoopla.
Agile (with a capital A) is the absolute worst thing that has ever happened to the software industry. Kill off that cult and you can DevOps my work with containerized OWASP Gitflows until the end of days for all I care.
Snark aside, Dave Thomas makes a compelling argument for trying to choose terms that are as hard as possible for others to co-opt for selling snake oil (anecdotally, I encounter people on a weekly basis who are self-described Agile or DevOps experts, but have no technical background whatsoever).
They made some of the dumbest technical decisions I have ever seen, were perpetually rewriting things, changing core APIs, breaking other parts of the system. The stuff barely worked, and this was after 5 years and dozens and dozens of developers.
The place was so dysfunctional, you could not even create your own branch in source control. You had to request it from the IT group that maintained the "enterprise" SCM server. The IT groups were doing their own form of Agile, so these requests could take weeks.
Bloated IT organizations. Reminds me of working in the energy industry. Made up jobs, unmotivated workers, and incompetent management including the CTO. C level exec magazines says to literally eat shit? Here, let’s eat warm turds everyone.
With Agile being constant, the experiences were wildly different between them.
The key variable to whether they were dysfunctional or not wasn't Agile. It was the quality of the people in management.
Take a look at original agile folks who discuss this extensively on twitter.
Look at John Cutler's incredible blog posts: https://medium.com/@johnpcutler
In the former camp, the people tend to like "Agile" because of the doctrine of writing code over doing planning. Often you will find PGMs/PMs who will write a story like "Make the site awesome!" with no other details. They usually want an estimate of how long that's going to take, but will refuse to add any more details -- because that's over-complicating the issue. They really just want to take credit for anything good that happened and punish people for anything bad that happened, all while doing absolutely no work. Usually they are actually deluded enough to think that their role is vital.
In the latter camp, usually there is a feeling that the programmers are stupid and this is why everything is in a complete mess. In order to fix things, they want to take control over everything and throw things over the wall at the programmers. Often the people in these camps used to be programmers (or may still think of themselves as programmers) and have always thought, "If only I could make everyone do what I want, then I can fix all the problems". So they spend their days dictating what everyone will do. It gets even more fun when similar people band together to form elite troops of specifiers -- that's where you get the endless meetings.
We've had this since programming in groups began. This is nothing to do with Agile. It wasn't any better at all before Agile. After Agile was introduced, nothing changed at all except now these guys have another name to incorrectly describe what they are doing.
My biggest problem with Agile is that it says nothing at all about how to accomplish the stated goals. That's why it is so attractive to people who don't have a useful methodology for producing software.
Do I want to continuously deliver software? Tick. Do I welcome changes to requirements? Tick. Do I want to deliver software frequently? Tick. Do I want business people working with software developers? Tick. Do I want motivated developers? Tick. Do I want to have face-to-face conversations? Tick. Do I want working software? Tick. Do I want to sustain a constant pace indefinitely? Tick. Do I want excellent software and design? Tick. Do I want simplicity? Tick. Do I want self organising teams (as long as "self" means myself)? Tick. Do I want the team to tune itself to get better? Tick.
Wow! I'm Agile! Whoo hoo! How do I accomplish the above? To quote someone I worked with in a previous job: "Most of this stuff is common sense. We're all the best in the industry and so this should be second nature to us. If anyone can't do these things then they really don't belong on this team". Now that's a strategy!
Mark my words: within the next 10 years there will be a new word for people to rally behind. At first it will make sense and some people will do cool things. But then the people who want to do nothing and the people who want to force others to do their bidding will grab the word and crush any meaning it ever had.
There also is bullshit Agile of course, which you describe well, but that’s no different from any old software process that’s more bureaucracy than content.
My point is that the cynicism ignores actual differences in practice and process that can have an order of magnitude impact on performance, and its not always “obvious” for smart people to adopt such practices.
Consider Lean manufacturing: the Japanese thought it was just a common sense extrapolation of Henry Ford’s system of organization. It still took decades for the US auto manufacturers (including Ford!) to wrap their heads around it.
There were plenty of crooks and charlatans in that field too. It didn’t negate the importance of what Toyota had figured out.
Whatever gets the work done and doesn't cause unnecessary burdens while adding no measurable value is good with me at this point.
I'd make do with anything but Agile, which needs to be shot.
Out of a cannon.
Into the Sun.
Especially in the enterprise world, agile has been overran by worthless certifications and so-called "Agile" consultants/experts, who broadly fall into 1 of 2 groups: project managers looking to cash in, and technically inept "senior developers" looking to cash in by turning consultant.
Every one of which has their own incredibly dogmatic view of what it means to be Agile. And all of whom are skilled bullshit artists, adept at gaining the ear of upper management, proficienct at indoctrinating them into "the one true way"TM. Every one proficient at making developers miserable - all while charging exorbitant fees, and leaving just in time so management is convinced the failures are down to the heathen devs not following The Agile Way.
Standups where you literally have to stand up (simultaneously, even if spread across 3 continents and numerous time zones) and invariably go on for an hour, constant complaints (and of course meetings) about stories not finished before the sprint ends, endless meetings about the line on the bastard burndown chart, backlog refinements that last days or even weeks (invariably followed by story refinements that last days), telling the devs "decisions are up to the team... but you will choose my way", meaningless identikit retrospectives when the devs just want out so they can actually ship something...
Honestly, I'm not sure whether these "consultants" actually believe the dogmatic, quasi-religious snake-oil BS they are selling, or they know full well, but know just as well how much money they make from it.
All I know, is these people give agile a bad reputation, and bring absolute misery to many a developer.
This is true. Not long ago (about six months) a project I was working on was assigned a scrum-master (tip: You can just be the person saying "any blockers?" and "next". You don't need to be master of anything.)
Genuinely nice person, it's anecdotal, but just making it clear I'm not bashing them. Regardless, after a stand-up in the very first week they just volunteered that they had no technical background whatsoever, and couldn't write a line of code. They were at the same time actively making architecture decisions outside of the stand-ups and relaying this to the P/O.
It was a nightmare.
The above is right, Agile (with a capital A) has become little more than a way for non-technical people to have lucrative careers in software by destroying the otherwise promising careers of technical people in software.
Read the manifesto. It literally says handful of almost completely meaningless, unimplementable things.
Any attempt to actually take that and turn it into something is destined to be sharply divorced from reality.
But the real fun comes when you do "white water rafting" style development. This is when there is all the ceremony of "Agile" (read: a "fast paced environment") with all the planning of waterfall and absolutely everything is top priority. You and your coworkers are constantly thrown around trying not to smash into rocks or capsize the boat, meanwhile being pulled violent in every direction. Somehow you continue to make your way down the river eventually with fewer and fewer co-workers as she casualties mount.
The actual methodology is completely irrelevant. Working under terrible management is terrible. Working under terrific management is terrific.
But in even those cases, it was largely replaced by Spiral, which is similar to agile and pre-dates it.
Edit: Spiral is like going down the Waterfall two or more times. Similar to agile, but formally documented, with management and customer sign-off up the line, and with a much longer cycle time.
Not to plan, or even think too much, definitely not to document (sometimes not write anything down at all), often not to test except in a token form and sometimes not even that.
Is that agile? That's how 'agile' has been done where I work anyway. Maybe I've been unlucky but 'agile' like that is a loathsome, unprofessional practice that can't produce good results.
It’s sad. Just recently had an experience like this with developers I manage. I do loathe the brogrammer culture more than anything...
Picking the right process for where each project fits on that continuum is surprisingly difficult. Cowboy coding can be anything from a horrific idea to the most efficient setup, unfortunately people are rarely flexible enough to know the difference.
I think that’s a healthy way of doing it, but sadly many almost have to be pushed to do it, even with bigger things.
Beautiful description! That is so on the nail.
I’m actually proud of the parts of agile we work with, which primarily enables us to react changing needs and priorities quickly (unlike heavy waterfall).
After 22+ years in the industry I’ve come to realize that any new concept or concept that gets traction (CQRS, Event storming, AI) will produce a religious following. It’s kinda sad, because causes as lot of noise and friction.
everything that comes after that: pipelines, testing, release engineering, migrations, post-mortems, whatever -- it's all a result of your infrastructure engineers having a stake in the thing your company is building. I have yet to see a definition of DevOps that invoked some sort of tech stack that made any sense to me. the processes and tools emerge from a cooperation between stakeholders and a shared responsibility for the delivered product.
But yeah I'm with you on the wild definitions, it can be anything from some overnight IT grunt, to something far more respected and involved depending on how the company did things.
I am not sure this problem is limited to DevOps. Once I applied for a job thinking I understood the job description. During the interview, I had to find out that they put only half the job in the description (the good parts).
Afterward, I took a look on the job description again asking myself if I misinterpreted the description but came to the conclusion that they just didn't want to write about the downsides of the job (not even in management speak like 'You love a challenge?').
In short, to anyone reading this. Now is the time to make your move.
Not sure if this is the same thing (with "ghosted"), but I have 3 rock-bottom criteria before I'll respond to a recruiter's email:
* Send to the email on my resume, not my personal one.
* Show that they've read (or at least keyword-matched) my resume.
* Something in the job description should at least be vaguely enticing, such as a technology I have on my resume. The same thing can hit both points 2 and 3, the depending on how the email is structured.
In nearly 10 years, a grand total of one recruiter got all these points. Half of them failed on the first one.
This seems to be the most common interpretation, but I largely agree with you on no hard and fast rule here.
I mean, sure, if we're being pedantic about it, devops is about the silos coming closer together, cross learning, culture and what have you, etc.
But the outcome of that the cross learning is pretty much release engineering, that includes the above and the products giving more data for helping run them, and simplicity leading to being easier to fix, and do the aforementioned things.
I also think we should just get over it and probably just adopt SRE, Release Engineer and Product. Not because I <3 google, just because the split makes a tad bit more sense.
I've been in that spot many times. In my last job, I did engineering (networking, server, etc) / support for 7 data centers. We started to support of 3rd party "cloud" products, and then they dropped the DCs they gave me the title of DevOps Engineer IV. When they did that, I didn't have any Dev or Ops responsibilities.
The rest of the story is just about the tooling and management decisions that support getting out of those pits. You use micro services because it allows developers to use whichever tools they want as long as they solve the task. You use automated tests and deployment pipelines so the team and organizational procedure to be confident in releases shifts from becoming “talk to Tom and get his blessing after he’s spend a week probing everything” to “well if it passed all tests and deployed then it’s a go.
It’s not like the technical issues suddenly disappear. You need to set up your tests to a level where you are confident in the pipeline. You still need to spend the time and resources making sure your microservice infrastructure is working.
But at the end of it you’ve removed the power of the gits who where previously controlling the techs allowed and the releases, and your letting teams move forwards through proving their work rather than constant audiences with individuals who are gatekeepers because they spend 20 years in the same organization and feel that everything invented in the last decade is scary.
What does that have to do with DevOps? Clearly that's not an ideal situation, but that has nothing to do with CI/CD pipelines, developers handling operations work, etc.
Interestingly, your question of illustrative of the "DevOps has no clear, standard definition" problem.
Given how large the gap between any two given DevOps positions, I wonder how valuable it is to have "DevOps" job reqs or conferences or other "DevOps" things.
I also got a chance to work in such an organization in the 00's, where dev and ops closely aligned with each other's work to produce truly reliable, repeatable, fast, quality products, often. It was fantastic. Nobody would say "oh but you can't do that, that's not Infrastructure as Code!" They would say, "what can we all do to make this better?"
Usually I can just revert to an earlier version and file a bug report, sometimes I have to cherry pick.
Having developers "fix" things in production under time-stress at 3am without proper code review sounds like extremely poor practice.
And reverting part way through a monthy telco billing run might not be the best idea.
And in my case they also looked after online services and other systems.
The devs can do all of this on their own, teach ops how to use it, and then they'd only be called when it was a code issue. But as a dev, you probably don't know all of the above, so ops has to go to dev and be like, "hey y'all, if you don't want to be called, this is what we need."
And this is what DevOps is intended to fix: get everyone in a room, talk about problems, find solutions among everyone. If your org isn't doing this, you can start the change.
We need more of this.
DevOps is NOT…easily achieved nor implemented
Debatable, at least IMO. DevOps isn't easily achieved nor implemented if you're trying to implement ALL THE THINGS to say you did and check-off a series of "We did DevOps thing x" boxes as so many companies appear to want-at least from reading various DevOps-y job descriptions lately.
It is easier implemented if, like Gene Kim tells us in "The DevOps Handbook"-we start our DevOps transformations with a small, sympathetic team and iterate outward.
I appreciate the self-reflective views on this "new" job role, but they often seem to miss the rather basic market forces at work. More systems, more automation, new skills and demands.
Good thing it was a non public app instead of a blog
My favorite is how in the Microsoft toolchain you can build a CI pipeline in a visual UI on the right that automatically updates the YAML file on the left. “We know you don’t want YAML, but we also know your boss says you need infra-as-code...”
OTOH, I kind of hate Terraform now, because you can use it in a way that will surprise you and blow up, leaving a mess that you have to clean up manually. It's more "infrastructure as code" than Ansible, but Ansible will at least attempt to fix things that aren't "right". So everything that has a certain label is not by definition superior to all alternatives. (I actually hate both tools for different reasons, but they have their uses)
Infrastructure-as-verisonable-flat-configuration-files should not be thought of as infrastructure-as-code.
While true, the process is closer to a variable name refactor than to a complete re-write. With Terraform, you have the stack described in code and the resource names translate cleanly across cloud vendors. Certainly more so than a word doc describing infrastructure setup steps.
It supports "providers", which are interfaces to the different vendors (aws, foogle cloud, etc), and "provisioners", which are frameworks for configuring a running instance (chef? Docker? Zookeeper?)
It was also responsible for the build servers, the SCM, and checking and prioritizing all the different parts and fixes of the various dev teams, and checking back with the PM and testers. Only hackers did cowboy coding, companies preferred processes and best practices. That's it was called "Software Engineering" and not hacking.
I heard Margaret Hamilton coined that term in the 60ies for the Apollo project, which she managed.
DevOps is about how CTO organizes engineering.
Is there an Infra team that supports everyone, maybe a separate Ops/security/etc teams that supports everyone. Then a bunch of App/Service dev teams. This is not devops.
Or is there only* a bunch App/Service teams, each wholly self-supporting and independent. Each doing their own infra, dev, ops. Maybe some teams' "Service" is used by only other internal teams (point being you can break up scope as fine grained as you want). The key is teams are self-supporting, taking care of the entire life-cycle of an App/Service.
Most "devops" sort of isn't or fails cause it's not "deployed as an organizational system, top-down (from CTO) across the whole organization.
All the things people typically bike shed over re: devops don't matter. Are you independent and self-contained? Are you responsible for entire life-cycle of Product/Service/App/Etc? Does the buck stop with you? Then you are devops.
Internet is widely considered to have started in 1969. Although I'd consider something between 1982-1986 as the years when it truly became an international network.
I've been in this business only for less than 25 years, you make me feel so young. :-)
During that time, internet has just always existed. Ah, those loong boolean logic web search (hxxp://altavista.digital.com/) queries during my early years.
devops means Developer/Operations.
means, the sysadmin/sysops/ops guy now has to know things about development to center his daily-doing around code (ideally the code dictates what is going on [Infrastructure as Code]).
a very simple example to this:
back then the ops guy or sysadmin did everything by hand. today, he uses code to get things done. bash vs. a HTTP JSON API. manually by hand vs. ansible [markup language yaml], etc.
so many people just dont know or understand what devops means. but it is so easy.
it is the fusion of development and operations.
thus, while you need two people back then, now you only need one person to do the same job.
a devops is a sysadmin who ideally knows how to code.
a devops is a developer who evolved into a sysadmin or is doing both because he learned it.
devops is development/operations.
it has nothing to do with agile, waterfall or a "mindset".
In which case DevOps as it exists in the real world is roughly on a par with 'agile' practices in the real world. Nothing like they were originally conceived, and nothing like the wildly optimistic descriptions of them that are shared amongst practitioners.
DevOps: We don't have admins, so you are reponsible to run the systems you develop.
This is at least how I perceive it. But the second point is not the worst thing that could have happened. I hate to write configs as much as anyone, but it has given me a better perspective on how to design systems that actually... you know... run.
For me, a tight feedback loop is cycling between repl/ide/compiler/tests as quickly as possible.
A loose feedback loop is pull requests, docker, CI, terraform. Don't get me wrong - I appreciate a fast, smooth 'release' pipeline. I just hate that it's now become the 'development' pipeline.
1. Waterfall is a cycle time of weeks
2. Agile is a cycle time of days
3. DevOps is the same cycle time as agile but delivering the the user instead of just showing a demo at the end of a sprint.
Some of the best open source projects have CI included- thats the right approach to DevOps -- its not an alien, bolt-on after the fact practice, its code that takes care of code.
heck we had versioned openpkg scripts in 200something to quickly rotate servers during upgrades, that wasn't called with fancy names and wasn't a standalone role but the seed was there.
Hmmm, I like the ring to that, might put it on my linkedin profile.
On the article itself, can't say I disagree.
Windows is/was often bashed for being insecure. Lots of that stems from the decades of development related to centralized management solutions. A default windows workstation in a domain setting will open a bunch of ports, a bunch of which can be used for command execution. The attack surface for this system includes, but is not limited to:
- Remote access with local admin users via tools such as SMBExec, wmiExec, DCOM, Psexec, Powershell remoting
- Remote access domain admin users access via the same
- Local/domain admin access via RDP
- Remote domain admin access via group policy
All these have had their own associated vulnerabilities over the years. Examples are SMB relay attacks, which enabled an attacker to abuse flaws in NetNTLM and obtain access to machines by relaying other people's credentials. And then we're not even talking about the 'real' exploits, Eternal Blue, Eternal Romance, Blue Keep, MS14-068, MS08-067, and on and on.
Pentesters, researchers and Microsoft have been hammering away the kinks for years now. The 'fixes' and root causes for each individual issue are well understood and each new domain functional level increases the security of a default windows Domain by leaps and bounds.
When you look at the Unix/Linux side you'd see that no such attack surface ever existed. You manage your systems over SSH, and this can still be bad, an easily guessable root password shared between Dev, testing and production is still a death sentence. But by default there were no tier0 systems in your network, apart from those of sysadmins.
But now with DevOps things are changing on that side. With Ansible, Puppet, Terraform, your various container management systems, the CI pipeline, jenkins and numerous development teams able to push both to infra repositories and your actual products this has changed:
You use an automated CI pipeline? Any system in the chain is a tier0 system.
Your developers are maintainer status or higher in your source repositories? Then they are domain admin or equivalent. They can disable protected branches, push a backdoor, and watch their attack propagate through the pipeline.
Did you make it inconvenient for your developers to access various build systems? Then they are sharing credentials to these systems over your company chat.
It seems, from what I've seen so far, that while the 'architecture' of modern mass centralized IT management and development is more secure. You can't relay an SSH key for example, like you can in NetNTLM. But the institutional knowledge isn't there yet. New attack surface has opened up, and infosec people have not yet completely caught up with the new 'eggs' in the basket, even if they are aware.
I've talked that this idea of "devops" is terrifying. It turns a whole bunch of devs whose security mindsets are in "eh password1! is great" because of convenience. And it turns them into domain admins. Gates are good... Although that means in having "Dev" and "Sysad" as 2 different groups. And I as a sysad can and will actively say "NO" with a reason, because something didn't pass a sniff test.
And with the whole AWS push on everything, do you know what else it does? It gives the devs an unlimited line of credit that company has to pay for. Nowhere before did sysads, devs, or other non-manager and non-C-level have unfettered access to the company wallet. And right now, if you have IAM access in AWS, you do.
That captures the gist of it imho.
Unfortunately, it’s incredibly dangerous if everyone involved doesn’t know what they’re doing.
Then kubernites and docker turn up. To make things easy?
No. They’re making the infrastructure more difficult to manage so that the developers can deploy things easier.
Developers should not be deploying. Large businesses should not be doing very regular deploys to live - it’s simply too risky without a shitload of testing.
Everyone praises startups with a few million customers that are open about their fuckups/downtime, but they are almost always because of their shitty modern deployments and lack of testing.
Crikey, look at Monzo. “We use a shit database and fucked up scaling it, but sorry your transactions failed and you looked like a twat buying your coffee”.
Try and revolutionise industries, fine. But ....
As a former employee it isn't clear to me that Monzo couldn't have used boring stuff for a while and switched to C* or some equivalent later when it was genuinely needed, but it's worked well enough for them that I'm not inclined to critique the decision post hoc.
Monzo... It's very hard to say. I think based on the contents of the blog post they acted reasonably and competently (yeah, the test rollout was a badly designed test, but that's easy to say post hoc). The only fair basis for critiquing Monzo would be if they had notably more averages than is 'typical', and we don't have the data or conceptual framework required to do that. As a customer, I can't think of risks that Monzo exposes you to that aren't also present with other banks. I bank with them ¯\ _(ツ)_/¯