When I mention "systems administration" to younger coworkers, they look at me like I'm a crusty old relic out of touch with modern engineering. People have no sense of history and little understanding of where the devops role came from and what it really means. I had a CTO tell me he hadn't heard the term "system administration" in ten years.
What were our devops people doing? Running web servers, managing networks, configuring DNS, managing backups, configuring cloud services. Absolutely none of it in support of the dev team I was on. The developers were responsible for managing their own CI/CD pipeline and deployments. The people called the "DevOps Team" were responsible for managing production. In this case, they were systems administrators and were not in any way a devops team, but the terminology is so skewed now that they were labeled as such, and I was labeled an out of touch old greybeard.
This isn't to demean devops in any way; it's a valuable role, an evolutionary step in software team organization, but by no means is it new and by no means is systems administration a dead role.
I'm not sure where I picked up this impression from.
1) "DevOps teams" are just rebranded operations teams
2) "DevOps teams" are teams that are responsible for both development and operations for their app
I think the first one is the one you're frustrated with, and I agree it's a completely useless label when used like that, but it's not definitely not the only way it's used.
But the roots can be traced to the 70's (the PDP-11 had the compile-link process).
If you were really smart and could program in Assembler they called you a "Systems Programmer".
In the 80's, the PC revolution fostered debates over how much centralized control IT should have.
There was a long-standing debate in computing as to where the software should live (that is on a server or at the client level).
This debate was settled when Google invested heavily in making the browser a powerful and stable platform (think about Javascript in the 90's vs. today).
So the modern situation is server=cloud and client=browser. This creates a demand for people who understand how software is built/deployed/maintained in this environment.
So we slap the Devops label on it and pretend we understand what's going on.
But it's really a debate about how long the current status quo will last before it's subsumed by something else.
(Speaking pithily as a sysadmin-turned-DevOps-turned-SRE doing vaguely the same work for far more money...)
1. Developers learning that running code is not the same thing as reliable code. Certain things must be put in at design time to allow for operations.
2. Operations people supporting development by formalizing/streamlining the deployment process to have changes occur faster, safer, and more often.
3. Aligning goals and attitudes in such a way that prevents conflict between teams. Development doesn't get to shift the costs of outage prone unmaintainable code onto an ops team. Or that ops doesn't roadblock/veto all changes.
In the bad old days, it was common for developers to act with little care for operational outcomes. The responsibility was far removed, and bugfixes didn't win many accolades. Managers want wish fulfillment and pushed developers to toss new features into the mix as fast as possible, resulting in tremendous pressure against ops teams to deploy despite increasingly crufty and debt laden code bases causing unpredictable problems. Ergo, ops teams who blocked all changes for trivial issues because they were judged only based on outages, not feature delivery.
So basically it comes to having devs, test, ops, sec, persons in one team with common goal of delivering featuers.
Because most friction was on boarders like dev | test | ops | security, all those people being on role specific teams would do what is important for their team. So test people would blame devs, sec people would blame ops, test or devs. When you are in one team that has common goal of delivering feature X and you are measured by delivering feature X, everyone is willing to take pragmatic approach instead of "code has to be perfect", "tests have to be perfect", "security has to be perfect".
I read somewhere "magic happens if you seat testers and developers in the same room", I belive it was "Project Phoenix" book. But I despise from the start having those devs vs test people or test people beeing happy about finding bugs. They should be sad because what matters is delivering feature, so they should be happy when they don't find anything. That said, thay should do all they can to find bugs, because we have common goal: "working software".
In all the places I've worked I've been expected to do everything from setting up servers (originally physical servers, later cloud servers), hardening them, installing software, optimizing the software, installing and optimizing the database, creating database schemas and related objects, writing untold number of sql queries, writing server side code, writing front end code, etc.
I was hoping that the article would explain what devops really means today and how I can jump on the devops wagon to hopefully make my job of doing all of the above easier.
That’s the dream… the reality in my experience is that you have to describe, in detail, the exact steps that you would perform if you were doing it yourself so that somebody else can perform them, verbatim. But you have to describe those steps, exactly, without any access to the target platform where they’ll be performed.
I feel like I'm on thin ice whenever I deploy. Granted, I now try to make sure the SAs have to do as little as possible (because now I "understand" the infrastructure, I can build a postinstall that handles all the environment configuration I am allowed under an FID), it still feels nerve wracking to know that a single fuck up means I have to spend another 4-5 hours trying to get tickets to deploy.
Fuck this.
I was hired as development team member partially as I was a sysadmin on the hardware we were using, our team both wrote the code but also the entire JCL infrastructure that managed the compilation linking, deployment and the running of code across the cluster of 16 or 17 systems.
On of my friends, an IBM guy from the operations side was shocked that we as developers where allowed to deploy and run our own code.
> I was hoping that the article would explain what devops really means today and how I can jump on the devops wagon to hopefully make my job of doing all of the above easier.
1. Use AWS Fargate for all of your backend services. Keep the architecture simple enough that complicated service discovery issues etc don’t come up. If you need coordination between services, do it through Redis or similar.
2. Use RDS unless you really need to save money or use unavailable extensions.
3. Use terraform for initially provisioning the above
4. Set up CI/CD such that merges to master automatically update your services. (I like CircleCI’s aws-ecr and aws-ecs orbs for this.)
Pretty simple recipe, but it means no setting up servers, no hardening servers, no installing or optimizing software (other than by adding it to the Dockerfile), no installing or optimizing the database.
This recommendation reflects what modern devops means to me; opinions differ. To me it means:
- Infrastructure as code (terraform rather than clicking buttons in the AWS console then later forgetting which buttons you clicked)
- Immutable infrastructure (aka cattle not pets). Never SSHing into a server again.
- Automated testing and deployment cleanly integrated with existing dev workflow
Obviously there’s a scale at which you have to do something more complex, but I’d say that’s the scale at which you previously would have had an operations team.
Getting rid of the “writing server side code” and “writing front end code” parts is beyond the scope of devops, but you can skip a lot of the “writing server side code” part by using PostgREST. In exchange you may have to write an even-more-untold number of SQL queries, depending on your current practices.
Edit: Someone helpfully pointed out that I forgot to mention anything about logging or monitoring, which is a pretty glaring omission. On that front I strongly recommend Honeycomb. To set it up with Fargate you may need to run it in a sidecar container, but it’s fairly straightforward.
"Devops" means not fighting with those people??? haha
All of these things are fine for companies to do. How you run your org is on you. But I wish companies would go deeper than "DevOps" when putting up job posting requirements.
That's like saying they do "security". There's a lot of different ways that can be interpreted. I (as an applicant) only know a handful of those interpretations really well, so it's important that companies clarify these terms in their job descriptions. This way they have the right candidates applying.
As long as no-one is knocking on my door asking if I have five minutes to discuss Agile development methodologies.
I could reasonably defend most of what people attach to the "DevOps" buzzword as sane practices most of us were already doing before the hoopla.
Agile (with a capital A) is the absolute worst thing that has ever happened to the software industry. Kill off that cult and you can DevOps my work with containerized OWASP Gitflows until the end of days for all I care.
Snark aside, Dave Thomas makes a compelling argument for trying to choose terms that are as hard as possible for others to co-opt for selling snake oil (anecdotally, I encounter people on a weekly basis who are self-described Agile or DevOps experts, but have no technical background whatsoever).
They made some of the dumbest technical decisions I have ever seen, were perpetually rewriting things, changing core APIs, breaking other parts of the system. The stuff barely worked, and this was after 5 years and dozens and dozens of developers.
The place was so dysfunctional, you could not even create your own branch in source control. You had to request it from the IT group that maintained the "enterprise" SCM server. The IT groups were doing their own form of Agile, so these requests could take weeks.
Truly awful.
In the former camp, the people tend to like "Agile" because of the doctrine of writing code over doing planning. Often you will find PGMs/PMs who will write a story like "Make the site awesome!" with no other details. They usually want an estimate of how long that's going to take, but will refuse to add any more details -- because that's over-complicating the issue. They really just want to take credit for anything good that happened and punish people for anything bad that happened, all while doing absolutely no work. Usually they are actually deluded enough to think that their role is vital.
In the latter camp, usually there is a feeling that the programmers are stupid and this is why everything is in a complete mess. In order to fix things, they want to take control over everything and throw things over the wall at the programmers. Often the people in these camps used to be programmers (or may still think of themselves as programmers) and have always thought, "If only I could make everyone do what I want, then I can fix all the problems". So they spend their days dictating what everyone will do. It gets even more fun when similar people band together to form elite troops of specifiers -- that's where you get the endless meetings.
We've had this since programming in groups began. This is nothing to do with Agile. It wasn't any better at all before Agile. After Agile was introduced, nothing changed at all except now these guys have another name to incorrectly describe what they are doing.
My biggest problem with Agile is that it says nothing at all about how to accomplish the stated goals. That's why it is so attractive to people who don't have a useful methodology for producing software.
Do I want to continuously deliver software? Tick. Do I welcome changes to requirements? Tick. Do I want to deliver software frequently? Tick. Do I want business people working with software developers? Tick. Do I want motivated developers? Tick. Do I want to have face-to-face conversations? Tick. Do I want working software? Tick. Do I want to sustain a constant pace indefinitely? Tick. Do I want excellent software and design? Tick. Do I want simplicity? Tick. Do I want self organising teams (as long as "self" means myself)? Tick. Do I want the team to tune itself to get better? Tick.
Wow! I'm Agile! Whoo hoo! How do I accomplish the above? To quote someone I worked with in a previous job: "Most of this stuff is common sense. We're all the best in the industry and so this should be second nature to us. If anyone can't do these things then they really don't belong on this team". Now that's a strategy!
Mark my words: within the next 10 years there will be a new word for people to rally behind. At first it will make sense and some people will do cool things. But then the people who want to do nothing and the people who want to force others to do their bidding will grab the word and crush any meaning it ever had.
everything that comes after that: pipelines, testing, release engineering, migrations, post-mortems, whatever -- it's all a result of your infrastructure engineers having a stake in the thing your company is building. I have yet to see a definition of DevOps that invoked some sort of tech stack that made any sense to me. the processes and tools emerge from a cooperation between stakeholders and a shared responsibility for the delivered product.
But yeah I'm with you on the wild definitions, it can be anything from some overnight IT grunt, to something far more respected and involved depending on how the company did things.
I am not sure this problem is limited to DevOps. Once I applied for a job thinking I understood the job description. During the interview, I had to find out that they put only half the job in the description (the good parts).
Afterward, I took a look on the job description again asking myself if I misinterpreted the description but came to the conclusion that they just didn't want to write about the downsides of the job (not even in management speak like 'You love a challenge?').
In short, to anyone reading this. Now is the time to make your move.
This seems to be the most common interpretation, but I largely agree with you on no hard and fast rule here.
I mean, sure, if we're being pedantic about it, devops is about the silos coming closer together, cross learning, culture and what have you, etc.
But the outcome of that the cross learning is pretty much release engineering, that includes the above and the products giving more data for helping run them, and simplicity leading to being easier to fix, and do the aforementioned things.
I also think we should just get over it and probably just adopt SRE, Release Engineer and Product. Not because I <3 google, just because the split makes a tad bit more sense.
I've been in that spot many times. In my last job, I did engineering (networking, server, etc) / support for 7 data centers. We started to support of 3rd party "cloud" products, and then they dropped the DCs they gave me the title of DevOps Engineer IV. When they did that, I didn't have any Dev or Ops responsibilities.
The rest of the story is just about the tooling and management decisions that support getting out of those pits. You use micro services because it allows developers to use whichever tools they want as long as they solve the task. You use automated tests and deployment pipelines so the team and organizational procedure to be confident in releases shifts from becoming “talk to Tom and get his blessing after he’s spend a week probing everything” to “well if it passed all tests and deployed then it’s a go.
It’s not like the technical issues suddenly disappear. You need to set up your tests to a level where you are confident in the pipeline. You still need to spend the time and resources making sure your microservice infrastructure is working.
But at the end of it you’ve removed the power of the gits who where previously controlling the techs allowed and the releases, and your letting teams move forwards through proving their work rather than constant audiences with individuals who are gatekeepers because they spend 20 years in the same organization and feel that everything invented in the last decade is scary.
What does that have to do with DevOps? Clearly that's not an ideal situation, but that has nothing to do with CI/CD pipelines, developers handling operations work, etc.
Given how large the gap between any two given DevOps positions, I wonder how valuable it is to have "DevOps" job reqs or conferences or other "DevOps" things.
I also got a chance to work in such an organization in the 00's, where dev and ops closely aligned with each other's work to produce truly reliable, repeatable, fast, quality products, often. It was fantastic. Nobody would say "oh but you can't do that, that's not Infrastructure as Code!" They would say, "what can we all do to make this better?"
We need more of this.
DevOps is NOT…easily achieved nor implemented
Debatable, at least IMO. DevOps isn't easily achieved nor implemented if you're trying to implement ALL THE THINGS to say you did and check-off a series of "We did DevOps thing x" boxes as so many companies appear to want-at least from reading various DevOps-y job descriptions lately.
It is easier implemented if, like Gene Kim tells us in "The DevOps Handbook"-we start our DevOps transformations with a small, sympathetic team and iterate outward.
I appreciate the self-reflective views on this "new" job role, but they often seem to miss the rather basic market forces at work. More systems, more automation, new skills and demands.
Good thing it was a non public app instead of a blog
My favorite is how in the Microsoft toolchain you can build a CI pipeline in a visual UI on the right that automatically updates the YAML file on the left. “We know you don’t want YAML, but we also know your boss says you need infra-as-code...”
OTOH, I kind of hate Terraform now, because you can use it in a way that will surprise you and blow up, leaving a mess that you have to clean up manually. It's more "infrastructure as code" than Ansible, but Ansible will at least attempt to fix things that aren't "right". So everything that has a certain label is not by definition superior to all alternatives. (I actually hate both tools for different reasons, but they have their uses)
It supports "providers", which are interfaces to the different vendors (aws, foogle cloud, etc), and "provisioners", which are frameworks for configuring a running instance (chef? Docker? Zookeeper?)
devops means Developer/Operations.
means, the sysadmin/sysops/ops guy now has to know things about development to center his daily-doing around code (ideally the code dictates what is going on [Infrastructure as Code]).
a very simple example to this: back then the ops guy or sysadmin did everything by hand. today, he uses code to get things done. bash vs. a HTTP JSON API. manually by hand vs. ansible [markup language yaml], etc.
so many people just dont know or understand what devops means. but it is so easy.
it is the fusion of development and operations.
thus, while you need two people back then, now you only need one person to do the same job.
a devops is a sysadmin who ideally knows how to code.
a devops is a developer who evolved into a sysadmin or is doing both because he learned it.
devops is development/operations.
it has nothing to do with agile, waterfall or a "mindset".
https://kevin.burke.dev/kevin/circleci-is-hopelessly-insecur...
It was also responsible for the build servers, the SCM, and checking and prioritizing all the different parts and fixes of the various dev teams, and checking back with the PM and testers. Only hackers did cowboy coding, companies preferred processes and best practices. That's it was called "Software Engineering" and not hacking. I heard Margaret Hamilton coined that term in the 60ies for the Apollo project, which she managed.
1. Waterfall is a cycle time of weeks
2. Agile is a cycle time of days
3. DevOps is the same cycle time as agile but delivering the the user instead of just showing a demo at the end of a sprint.
DevOps is about how CTO organizes engineering.
Is there an Infra team that supports everyone, maybe a separate Ops/security/etc teams that supports everyone. Then a bunch of App/Service dev teams. This is not devops.
Or is there only* a bunch App/Service teams, each wholly self-supporting and independent. Each doing their own infra, dev, ops. Maybe some teams' "Service" is used by only other internal teams (point being you can break up scope as fine grained as you want). The key is teams are self-supporting, taking care of the entire life-cycle of an App/Service.
Most "devops" sort of isn't or fails cause it's not "deployed as an organizational system, top-down (from CTO) across the whole organization.
All the things people typically bike shed over re: devops don't matter. Are you independent and self-contained? Are you responsible for entire life-cycle of Product/Service/App/Etc? Does the buck stop with you? Then you are devops.
Internet is widely considered to have started in 1969. Although I'd consider something between 1982-1986 as the years when it truly became an international network.
I've been in this business only for less than 25 years, you make me feel so young. :-)
During that time, internet has just always existed. Ah, those loong boolean logic web search (hxxp://altavista.digital.com/) queries during my early years.
In which case DevOps as it exists in the real world is roughly on a par with 'agile' practices in the real world. Nothing like they were originally conceived, and nothing like the wildly optimistic descriptions of them that are shared amongst practitioners.
DevOps: We don't have admins, so you are reponsible to run the systems you develop.
This is at least how I perceive it. But the second point is not the worst thing that could have happened. I hate to write configs as much as anyone, but it has given me a better perspective on how to design systems that actually... you know... run.
For me, a tight feedback loop is cycling between repl/ide/compiler/tests as quickly as possible.
A loose feedback loop is pull requests, docker, CI, terraform. Don't get me wrong - I appreciate a fast, smooth 'release' pipeline. I just hate that it's now become the 'development' pipeline.
Some of the best open source projects have CI included- thats the right approach to DevOps -- its not an alien, bolt-on after the fact practice, its code that takes care of code.
heck we had versioned openpkg scripts in 200something to quickly rotate servers during upgrades, that wasn't called with fancy names and wasn't a standalone role but the seed was there.
Hmmm, I like the ring to that, might put it on my linkedin profile.
On the article itself, can't say I disagree.
Windows is/was often bashed for being insecure. Lots of that stems from the decades of development related to centralized management solutions. A default windows workstation in a domain setting will open a bunch of ports, a bunch of which can be used for command execution. The attack surface for this system includes, but is not limited to:
- Remote access with local admin users via tools such as SMBExec, wmiExec, DCOM, Psexec, Powershell remoting
- Remote access domain admin users access via the same
- Local/domain admin access via RDP
- Remote domain admin access via group policy
All these have had their own associated vulnerabilities over the years. Examples are SMB relay attacks, which enabled an attacker to abuse flaws in NetNTLM and obtain access to machines by relaying other people's credentials. And then we're not even talking about the 'real' exploits, Eternal Blue, Eternal Romance, Blue Keep, MS14-068, MS08-067, and on and on.
Pentesters, researchers and Microsoft have been hammering away the kinks for years now. The 'fixes' and root causes for each individual issue are well understood and each new domain functional level increases the security of a default windows Domain by leaps and bounds.
When you look at the Unix/Linux side you'd see that no such attack surface ever existed. You manage your systems over SSH, and this can still be bad, an easily guessable root password shared between Dev, testing and production is still a death sentence. But by default there were no tier0 systems in your network, apart from those of sysadmins.
But now with DevOps things are changing on that side. With Ansible, Puppet, Terraform, your various container management systems, the CI pipeline, jenkins and numerous development teams able to push both to infra repositories and your actual products this has changed:
You use an automated CI pipeline? Any system in the chain is a tier0 system.
Your developers are maintainer status or higher in your source repositories? Then they are domain admin or equivalent. They can disable protected branches, push a backdoor, and watch their attack propagate through the pipeline.
Did you make it inconvenient for your developers to access various build systems? Then they are sharing credentials to these systems over your company chat.
It seems, from what I've seen so far, that while the 'architecture' of modern mass centralized IT management and development is more secure. You can't relay an SSH key for example, like you can in NetNTLM. But the institutional knowledge isn't there yet. New attack surface has opened up, and infosec people have not yet completely caught up with the new 'eggs' in the basket, even if they are aware.
I've talked that this idea of "devops" is terrifying. It turns a whole bunch of devs whose security mindsets are in "eh password1! is great" because of convenience. And it turns them into domain admins. Gates are good... Although that means in having "Dev" and "Sysad" as 2 different groups. And I as a sysad can and will actively say "NO" with a reason, because something didn't pass a sniff test.
And with the whole AWS push on everything, do you know what else it does? It gives the devs an unlimited line of credit that company has to pay for. Nowhere before did sysads, devs, or other non-manager and non-C-level have unfettered access to the company wallet. And right now, if you have IAM access in AWS, you do.
That captures the gist of it imho.
Unfortunately, it’s incredibly dangerous if everyone involved doesn’t know what they’re doing.
Then kubernites and docker turn up. To make things easy?
No. They’re making the infrastructure more difficult to manage so that the developers can deploy things easier.
Developers should not be deploying. Large businesses should not be doing very regular deploys to live - it’s simply too risky without a shitload of testing.
Everyone praises startups with a few million customers that are open about their fuckups/downtime, but they are almost always because of their shitty modern deployments and lack of testing.
Crikey, look at Monzo. “We use a shit database and fucked up scaling it, but sorry your transactions failed and you looked like a twat buying your coffee”.
Try and revolutionise industries, fine. But ....
As a former employee it isn't clear to me that Monzo couldn't have used boring stuff for a while and switched to C* or some equivalent later when it was genuinely needed, but it's worked well enough for them that I'm not inclined to critique the decision post hoc.
