DevOps and CI/CD

The cultural movement that is DevOps — which, in short, encourages close collaboration among developers, IT operations, and system admins — also encompasses a set of tools, techniques, and practices. As part of DevOps, the CI/CD process incorporates automation into the SDLC, allowing teams to integrate and deliver incremental changes iteratively and at a quicker pace. Together, these human- and technology-oriented elements enable smooth, fast, and quality software releases. This Zone is your go-to source on all things DevOps and CI/CD (end to end!).

Latest Refcards and Trend Reports
- Refcard #387: Getting Started With CI/CD Pipeline Security
- Refcard #084: Continuous Integration Patterns and Anti-Patterns
- Trend Report: DevOps

DZone's Featured DevOps and CI/CD Resources

- Refcard #375: Cloud-Native Application Security
- Refcard #145: Continuous Delivery Patterns and Anti-Patterns

Why Does DevOps Recommend Shift-Left Testing Principles?
By Navya Manoj

A Guide To Successful DevOps in Web3
By Alvin Lee

Secrets Management
By Niranjan Limbachiya
Dockerizing an Ansible Playbook, Part 2

This is a two-part article series. In Part 1, we created an Ansible playbook and Dockerized it to create a Docker image and run it as a Docker container, then logged in to that container to run the Ansible playbook. In this part, we will create a GitLab pipeline that registers the Docker image of the Ansible playbook in a Docker registry and deploys it to Kubernetes.

Why a GitLab Pipeline?

In a technology world focused on efficiency, we tend to automate everything possible to reduce repetitive manual tasks and effort. The GitLab pipeline plays a vital role in this journey. At a basic level, a GitLab pipeline is used to build, test, and deploy code in stages. It helps:

- In reducing the chances of human error, as the process is implemented as an automated script
- In creating faster iterations through continuous integration, delivery, and deployment
- In producing better quality code by leveraging GitLab stages such as pre-check, testing, post-validation, logging, and tracing the job execution path

Create a GitLab Pipeline

In this article, we will create a simple GitLab pipeline with the two stages described below.

Create a Repository in Docker Hub

To create a repository in Docker Hub, you need to log in to Docker Hub. If you do not have an account, sign up to create one. Once you log in, create a repository named "demo".

Check In the Codebase

Create a GitLab project and check in all the files created under the "playbook" folder in Part 1.

Find CI/CD in the left-hand navigation bar. Pipelines can be viewed from that menu option. At this point, there will be no pipeline displayed, as we have not created any yet. Now we need to find a runner on which to run our pipeline. On the right-hand panel, scroll down to find the available runners. Use a runner that provides a Linux environment. If none exists, create one by following Registering runners | GitLab. Save the runner's name to refer to it later.

On the same page, scroll to find the "Variables" section. Add two variables, userid and password, holding the Docker Hub account and credential.

Check in the Kubernetes config file. This file has to be retrieved from your K8s environment and is used to log in to K8s.

Check in the below code snippet as the deployment.yaml file. This file will be executed by the pipeline to deploy to K8s.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-ansible
  labels:
    app: helloworld-ansible
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld-ansible
  template:
    metadata:
      labels:
        app: helloworld-ansible
    spec:
      containers:
      - name: helloworld-ansible
        image: docker.io/<docker-hub-user-id>/demo:hwa1.0
        ports:
        - containerPort: 80
```

Replace <docker-hub-user-id> with your Docker Hub UserID.

Create the .gitlab-ci.yml File

This is the key file for the pipeline. It is a YAML file that needs to be created in the project's root folder. The pipeline it defines runs automatically whenever you push a commit to the server.

```yaml
stages:
  - build
  - deploy

image: ubuntu:16.04

build:
  stage: build
  tags:
    - <runner-name>
  script:
    # log in to Docker Hub
    - docker login -u $userid -p $password
    # build the Docker image
    - docker build . -t hwa
    - docker tag hwa:latest docker.io/<docker-hub-user-id>/demo:hwa1.0
    # push the Docker image to Docker Hub
    - docker push docker.io/<docker-hub-user-id>/demo:hwa1.0

deploy:
  stage: deploy
  tags:
    - <runner-name>
  script:
    - kubectl --kubeconfig=<kubeconfig file> apply -f deployment.yaml
```

Please make sure to replace:

- <runner-name> with your runner's name
- <docker-hub-user-id> with your Docker Hub UserID

Committing this file will trigger the CI/CD pipeline. You can view and debug it by accessing the pipelines from CI/CD -> Pipelines.

Some of the common issues can be mitigated by making sure:

- The runner has access to the K8s cluster it deploys to
- You have the correct K8s config file to log in to the K8s cluster
- The Docker Hub repository URL is correct in your deployment.yaml file and GitLab config file. You can check the URL by logging in to Docker Hub and clicking on the repository; scroll right to find the URL below "Docker commands".
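If the deploy stage fails, a quick way to narrow things down is to verify, using the same kubeconfig file the pipeline uses, that the cluster is reachable and that the new image actually rolled out. A minimal sketch, reusing the placeholders from above:

```shell
# Confirm the kubeconfig checked into the project can reach the cluster
kubectl --kubeconfig=<kubeconfig file> get nodes

# Confirm the Deployment rolled out and its Pod pulled the pushed image
kubectl --kubeconfig=<kubeconfig file> rollout status deployment/helloworld-ansible
kubectl --kubeconfig=<kubeconfig file> get pods -l app=helloworld-ansible
```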

By Gitanjali Sahoo
Differences Between Site Reliability Engineer vs. Software Engineer vs. Cloud Engineer vs. DevOps Engineer

The evolution of software engineering over the last decade has led to the emergence of numerous job roles. So, how different are a software engineer, a DevOps engineer, a site reliability engineer, and a cloud engineer from each other? In this article, we drill down and compare the differences between these roles and their functions.

Introduction

As the IT field has evolved over the years, different job roles have emerged, leading to confusion over the differences between site reliability engineer vs. software engineer vs. cloud engineer vs. DevOps engineer. For some people, they all seem similar, but in reality, they are somewhat different. The main idea behind all these terms is to bridge the gap between the development and operations teams. Even though these roles are correlated, what makes them different is the scope of the role.

What Is Software Engineering?

The traditional role of a software engineer is to apply the principles of engineering to software development. This includes the use of programming languages to create, analyze, and modify existing software and to design and test user applications. A person doing the job of a software engineer usually has a bachelor's degree in science or software engineering and has experience with computer systems and languages (like Python, C, Go, JavaScript, etc.). This is what the typical day of a software engineer looks like:

- Analyze the user requirements.
- Write code based on the user requirements.
- Perform maintenance tasks and integrate the application with existing systems.
- Do a proof of concept (POC) on new technology before implementing it.
- Execute and develop the project plan.

So, at a high level, a software engineer's role is to architect applications, develop code, and have processes in place to create solutions for customers. Now that you understand what a software engineer is and what their role is, in the next section let's try to understand the difference between software and DevOps engineers.

Software Engineer vs. DevOps

Back in the day, software engineers and operations had a lot of contention. Software engineers passed their code to the system admin, and it was the system admin's responsibility to keep that code running in production. The software engineer had little knowledge of operational practices, and the system admin had little knowledge of the codebase. Software engineers were concerned with shipping code, and the system admin was concerned with reliability. On the one hand, software engineers want to move faster to get their features out more quickly. On the other hand, system admins want to move slower to keep things reliable. This kind of misalignment often caused tension within the organization.

Enter DevOps, a set of practices and a culture designed to break down these barriers between software engineers, system admins, and other parts of the organization. DevOps is made up of the two words Dev and Ops, namely development and operations, and it's the practice of allowing a single team to manage the entire application development lifecycle, that is, development, testing, deployment, monitoring, and operation. Teams achieve that by frequently releasing small changes using continuous integration and continuous deployment (CI/CD). DevOps is broken down into five main areas:

- Reduce organization silos: By breaking down barriers across teams, we can increase collaboration and throughput.
- Accept failure as normal: Computers are inherently unreliable, so we can't expect perfection, and when we introduce humans into the system, we can expect even more imperfection.
- Implement gradual changes: Not only are small incremental changes easier to review, but if a gradual change introduces a bug in production, it reduces the mean time to recover and makes it simple to roll back.
- Leverage tooling and automation: Reduce manual work by automating as much as possible.
- Measure everything: Measurement is a critical gauge for success; without a way to measure whether the first four pillars were successful, we would have no way of knowing if they were.

DevOps vs. SRE

If we think of DevOps as a philosophy, Site Reliability Engineering (SRE) is a prescriptive way of accomplishing that philosophy. So if DevOps were an interface in a programming language, then SRE would be a concrete class that implements DevOps.

Where DevOps talks about eliminating organization silos, SRE shares ownership of production with developers. SRE uses the same tools as DevOps to ensure everyone has the same view of, and the same approach to, working in production. SRE has blameless postmortems for accepting incidents and failure, which ensures that a failure that happens in production doesn't recur the same way more than once. SRE accepts failure as normal by encoding the concept of an error budget: how much the system is allowed to go out of spec. For gradual changes, SRE follows the philosophy of canary releases, where a release changes only a small percentage of the fleet before it's rolled out to all users. In terms of tooling and automation, the main idea is to eliminate manual work as much as possible. And for measuring everything, SRE measures the health and reliability of the system. As an SRE, you must have a strong background in coding, but you should also have the basics covered on Linux, the kernel, networking, and computer science.

To sum up, SRE and DevOps are not two competing methods but close friends, both designed to break down organizational barriers to deliver better software faster. Both of them intend to keep the application up and running so that users are not impacted. SRE is more applicable to production environments (as it's the combination of software engineering plus system administration), whereas DevOps is more oriented toward non-production environments (and sometimes production). Their main task is to keep the environment up and running and to automate as much as possible.
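To make the error budget idea concrete, here is a small worked example (the numbers are illustrative, not from the article): with an availability target of 99.9% over a 30-day month, the error budget is 0.1% of 30 × 24 × 60 = 43,200 minutes, or roughly 43 minutes of allowed unavailability. Once incidents have consumed that budget, an SRE team would typically slow down or pause risky releases until reliability recovers.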
What Skills Does DevOps or SRE Need?

These are some of the technical skills companies look for when hiring for DevOps or SRE:

- Operating system fundamentals: This mainly means Linux, as most of the server market is dominated by Linux (only a handful of companies use Windows servers in production environments).
- Programming skills: This is a must-have skill, as you want to automate as much as possible, and the only way to achieve that is with a programming language. Most engineers use Python or shell for automation, but where speed is key, Go is a common choice.
- Networking knowledge: Even though most companies are migrating to the cloud and most of the heavy lifting is done by the cloud provider, you should have basic networking knowledge.
- Cloud knowledge: As most companies migrate to the cloud, you should be familiar with at least one cloud provider like AWS, GCP, or Azure.
- Standard tools: This is job-specific, but with the current industry trend, you should be familiar with the modern DevOps tools like Git, Jenkins, Docker, Kubernetes, Terraform, and so on. What exactly you need depends on the current project requirements and scope.

So, in the modern context, an SRE/DevOps engineer is a software engineer whose focus area is infrastructure and operations. They take care of the operational tasks and automate them, work which, in the past, was handled by the operations team, often manually.

Cloud Engineer

SRE and DevOps are general practices, whereas the cloud engineer role is specific to the cloud, e.g., AWS, Google Cloud, Azure, etc. The cloud engineer role covers the delivery and optimization of IT services and workloads running in the cloud. The advantages of using the cloud in your organization are:

- Cost: As the number of public cloud providers increases and competition gets cutthroat, organizations benefit because providers keep cutting their prices to compete.
- Maintenance: Companies using the cloud need not worry about maintaining an expensive onsite network or system architecture. Instead, they can work with the cloud service provider to get support for all server and networking needs.
- Scalability: The cloud offers effectively unlimited storage and processing power, although, of course, it incurs costs.

Cloud engineer roles can be specific to architecting (designing cloud solutions), administration (making sure the system is up and running all the time), or development (coding to automate cloud resources). Some of the responsibilities of a cloud engineer are as follows:

- Migrate on-premise applications to the cloud.
- Configure resources and components like security, databases, servers, etc.
- Deploy applications to the cloud.
- Monitor applications in the cloud.

Types of Cloud Engineers

There are three main types of cloud engineers:

- Solution architect: A solution architect is responsible for migrating the organization's applications to the cloud. They own the design and deployment of cloud applications and cost optimization.
- Cloud developer: A cloud developer is responsible for developing cloud-native applications. They develop, deploy, and debug applications in the cloud.
- SysOps engineer: A SysOps engineer's role is similar to a system administrator's; they are responsible for deploying and maintaining applications in the cloud.

In an ideal situation, a cloud engineer combines the SRE/DevOps/software engineer skill sets while specializing in cloud services. But in reality, there is still a skill shortage in the cloud field. Cloud engineers tend to specialize in one area: either they are good developers, or they know cloud services well. Due to this hindrance and skill shortage, some companies resist moving to the cloud and still run their workloads in on-premise data centers. The only way to fill this gap is for companies to train their employees in all aspects: cloud engineers need to pick up programming skills, and vice versa.

Wrapping Up

Whatever practice you follow in your organization, the main idea is to break the silos and increase collaboration and transparency. Whatever you adopt, it needs to find an innovative way to develop better and more reliable software. As the IT field progresses, these practices will continue to evolve, and new roles will be born.

By Vishal Padghan
What Is a Kubernetes CI/CD Pipeline?

Since organizations began migrating from building monolithic applications to microservices, containerization technology has been on the rise. With applications running in hundreds and thousands of containerized environments, an effective tool to manage and orchestrate those containers became essential. Kubernetes (K8s), an open-source container orchestration tool from Google, became popular with features that improved the deployment process for companies. With its high flexibility and scalability, Kubernetes has emerged as the leading container orchestration tool, and over 60% of companies had already adopted Kubernetes by 2022.

With more and more companies adopting containerization technology and Kubernetes clusters for deployment, it makes sense to implement CI/CD pipelines for delivering to Kubernetes in an automated fashion. So in this article, we'll cover the following:

- What is a CI/CD pipeline?
- Why should you use CI/CD for Kubernetes?
- The various stages of Kubernetes app delivery.
- Automating the CI/CD process using the open-source Devtron platform.

What Is a CI/CD Pipeline?

A Continuous Integration and Continuous Deployment (CI/CD) pipeline is an automated workflow that continuously integrates code developed by software developers and deploys it into a target environment with little human intervention.

Before CI/CD pipelines, developers manually took the code, built it into an application, and then deployed it onto testing servers. Then, on approval from the testers, developers would throw their code over the wall for the Ops team to deploy into production. That approach worked tolerably well for monolithic applications, when deployment frequency was once every couple of months. But with the advent of microservices, developers started building smaller use cases faster and deploying them frequently. The process of manually handling the application after the code commit was repetitive, frustrating, and prone to errors. This is when agile methodologies and DevOps principles flourished, with CI/CD at their core. The idea is to build and ship incremental changes into production faster and more frequently. A CI/CD pipeline made the entire process automatic, and high-quality code was shipped to production quickly and efficiently.

The Two Primary Stages of a CI/CD Pipeline

1. Continuous Integration or CI Pipeline

The central idea in this stage is to automatically build and test the software whenever new code is written. If development happens every day, there should be a mechanism to build and test it every day. This is sometimes referred to as the build pipeline. The final application or artifact is pushed to a repository after passing multiple tests.

2. Continuous Deployment or CD Pipeline

The continuous deployment stage refers to pulling the artifact from the repository and deploying it frequently and safely. A CD pipeline is used to automate the deployment of applications into test, staging, and production environments with little human intervention.

Note: Another term people use interchangeably with Continuous Deployment is Continuous Delivery, but they're not the same. As per the book Continuous Delivery: Reliable Software Releases Through Build, Test, and Deployment Automation by David Farley and Jez Humble, it is the process of releasing changes of all types, including new features, configuration changes, bug fixes, and experiments, into production, or into the hands of users, safely and quickly in a sustainable way.
Continuous Delivery comprises the entire software delivery process, i.e., planning, building, testing, and releasing software to the market continuously. Continuous integration and continuous deployment can be seen as two parts of it. Now, let us discuss why to use CI/CD pipelines for Kubernetes applications.

Benefits of Using a CI/CD Pipeline for Kubernetes

By using a CI/CD pipeline for Kubernetes, one can reap several crucial benefits:

Reliable and Cheaper Deployments

A CI/CD pipeline deploying to Kubernetes facilitates controlled release of the software, as DevOps engineers can set up staged releases like blue-green and canary deployments. This helps achieve zero downtime during a release and reduces the risk of releasing the application to all users at once. Automating the entire SDLC (software development lifecycle) with a CI/CD pipeline also helps lower costs by cutting many of the fixed costs associated with the release process.

Faster Releases

Release cycles that used to take weeks or months have come down to days with CI/CD workflows; in fact, some organizations even deploy multiple times a day. With a CI/CD pipeline, developers and the Ops team can work together and quickly resolve bottlenecks in the release process, including the rework that used to delay releases. With automated workflows, the team can release apps frequently and quickly without getting burnt out.

High-Quality Products

One of the major benefits of implementing a CI/CD pipeline is that it helps integrate testing continuously throughout the SDLC. You can configure the pipelines to stop proceeding to the next stage if certain conditions are not met, such as failing the deployment pipeline if the artifact has not passed functional or security scanning tests. Because of this, issues are detected early, and the chances of having bugs in the production environment become slim. This ensures that quality is built into the product from the beginning, and end users get better products.

Figure C illustrates the benefits of implementing CI/CD pipelines.

Now, let's dive deeper into the various stages of Kubernetes app delivery, which can be made part of the CI/CD pipeline.

Stages of Kubernetes App Delivery

Below are the different stages involved in a CI/CD pipeline for Kubernetes application delivery and the tools developers and DevOps teams use at each stage. Figure D represents the stages of Kubernetes app delivery.

Code

Process: Coding is the stage where developers write code for applications. Once new code is written, it's pushed to central storage in a remote repository, where application code and configurations are stored. It's a shared repository among developers, and they continuously integrate code changes into it, mostly daily. These changes in the code repository trigger the CI pipeline.

Tools: GitHub, GitLab, Bitbucket

Build

Process: Once changes are made in the application code repository, the code is packaged into a single executable file called an artifact. This allows flexibility in moving the file around until it's deployed. The process of packaging the application and creating an artifact is called building. The built artifact is then turned into a container image that will be deployed on Kubernetes clusters.
Tools: Maven, Gradle, Jenkins, Dockerfile, Buildpacks

Test

Process: Once the container image is built, the DevOps team ensures it undergoes multiple functional tests such as unit tests, integration tests, and smoke tests. Unit tests ensure small pieces of code (units), like functions, work properly. Integration tests check how different components of the code, like different modules, hold up together as a group. Finally, smoke tests check whether the build is stable enough to proceed. After the functional tests are done, there is another sub-stage for testing and verifying security vulnerabilities. DevSecOps teams execute two types of security tests, static application security testing (SAST) and dynamic application security testing (DAST), to detect problems such as container images containing vulnerable packages. After passing all the functional and security tests, the image is stored in a container image repository.

Tools: JUnit, Selenium, Clair, SonarQube

All the above steps make up the CI or build pipeline.

Deploy

Process: In the deployment stage, a container image is pulled from the registry and deployed into a Kubernetes cluster running in a testing, pre-production, or production environment. Deploying the image into production is also called a release, and the application then becomes available to end users. Unlike for VM-based monolithic apps, deployment is the most challenging part of Kubernetes for the following reasons:

- Developers and DevOps engineers have to handle many Kubernetes resources for a successful deployment.
- As there are various ways of deploying, such as declarative manifest files and Helm charts, enterprises rarely follow a standardized way to deploy their applications.
- Multiple deployments of large distributed systems every day can be really frustrating work.

Tools: kubectl, Helm charts

For interested users, we'll show the steps involved in the simple process of deploying an NGINX image into K8s. (Feel free to skip this working example.)

Deploying Nginx in a Kubernetes Cluster (Working Example)

Before deploying, you have to create resource files so that your application will run in containers. There are many resources, such as Deployments, ReplicaSets, StatefulSets, DaemonSets, Services, ConfigMaps, and many other custom resources. We'll look at how to deploy into Kubernetes with the bare minimum manifest files: a Deployment and a Service. A Deployment workload resource provides declarative updates and describes the desired state, like the replication and scaling of Pods. A Service in Kubernetes uses the IP addresses of the Pods to load balance traffic across the Pod replicas. To test this, you should have a K8s cluster running on a server or locally using Minikube or kubeadm.

Now, let's deploy Nginx to a Kubernetes cluster. The Deployment YAML for Nginx (let's name it nginx-deployment.yaml) would look like this:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 10
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
```

The Deployment file specifies the container image (which is nginx), declares the desired number of Pods (10), and sets the container port to 80.
Now, create a Service file with the name nginx-service.yaml and paste in the code below:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
  type: ClusterIP
```

Once you have the manifest files, deploy them using the following commands:

```shell
kubectl apply -f nginx-deployment.yaml
kubectl apply -f nginx-service.yaml
```

This deploys the Nginx server and makes it reachable through the Service inside the cluster (to expose it outside the cluster, you would use a NodePort or LoadBalancer Service type instead of ClusterIP). You can see the Pods by running the following command:

```shell
kubectl get pods
```

You can also run the following command to get the Service's IP address and access Nginx:

```shell
kubectl get svc
```

As you may have noticed, there are multiple steps and configurations one needs to perform to deploy an application. Just imagine the drudgery of the DevOps team when they are tasked with deploying multiple applications into multiple clusters every day.

Monitoring, Health Checks, and Troubleshooting

Process: After the deployment, it's extremely important to monitor the health of the new Pods in the K8s cluster. The Ops team may manually log into a cluster and use commands such as kubectl get pods or kubectl describe deployment to determine the health of newly deployed Pods in a cluster or namespace. In addition, Ops teams may use monitoring and logging tools to understand the performance and behavior of Pods and clusters. To troubleshoot and find issues, mature Kubernetes users use advanced mechanisms like probes. There are three kinds of probes: liveness probes to ensure an application is running, readiness probes to ensure the application is ready to accept traffic, and startup probes to ensure an application or a service running on a Pod has completely started. Even with all these commands and mechanisms, it can be very difficult for developers or Ops teams to troubleshoot and detect an error because of poor visibility into the many components inside a cluster (nodes, Pods, controllers, security and deployment objects, etc.).

Tools: AppDynamics, Dynatrace, Prometheus, Splunk, kubectl
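To illustrate the probes mentioned above, here is a minimal sketch of how liveness and readiness probes could be added to the container section of the Nginx Deployment from the working example; the paths, delays, and periods are illustrative assumptions, not values from the article:

```yaml
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        # Liveness probe: restart the container if it stops responding
        livenessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 10
          periodSeconds: 10
        # Readiness probe: only route Service traffic to Pods that answer
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
```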
Progressive Delivery and Rollback

Process: Teams use advanced deployment strategies like blue-green and canary to roll out their applications gradually and avoid degrading the customer experience. This is also known as progressive delivery. The idea is to route a small portion of traffic to the newly deployed Pods and run quality and performance regression checks. If the newly deployed application is healthy, the DevOps team gradually rolls it forward. But if there's an issue with performance or quality, the Ops or SRE team instantly rolls the application back to its older version to ensure a zero-downtime release process.

Tools: kubectl, Kayenta, etc.

Feedback and Notification

Process: Feedback is the heart of any CI/CD process because everybody should know what's happening in the software delivery and deployment process. The best way to ensure effective feedback is to measure the efficacy of the CI/CD process and notify all the stakeholders in real time. In case of failures, this helps DevOps and SREs quickly create incidents in service management tools for further resolution. For example, project managers and business owners would be interested to know whether a new feature has been successfully rolled out to the market. Similarly, DevOps would like to know the status of new deployments, clusters, and Pods, and SREs would like to be informed about the health and performance of a new application deployed into production.

Tools: Slack, Discord, MS Teams, JIRA, and ServiceNow

Note: All the stages above, from monitoring through progressive delivery to feedback and notification, fall under Continuous Deployment. If you're a large or mid-sized enterprise with tens or hundreds of Kubernetes-based microservices, then you need to serialize your delivery (CI/CD) process using pipelines.

By Jyoti Sahoo
Front-End Team Roles and Skills, Breaking the Silos and Borders

About 15-20 years ago, web application developers had the knowledge and the technical skills necessary to create an application: HTML, CSS, JS, PHP/Python/ASP, web server management, MySQL/Postgres (both data and service management), etc. With time, web applications became more complex, with bigger requirements. New technologies, frameworks, and paradigms came into development and pushed developers to specialize in certain areas, with new roles arising from this specialization.

Nowadays, the equivalent typical roles for a web application that cover those tasks and skills are Designer, Frontend developer, Backend developer, Platform engineer, and, in a data-oriented company, Data engineer, Data scientist, etc.

I want to focus this post on the first three roles: Designer, Frontend developer, and Backend developer. You might think I made a mistake because the title of the post says tech roles and I added the designer's role. Well, for me, it's a technical role; maybe it's diffuse, but designers are the role nearest to the application's user, and they are a kind of bridge between the users (and product) and the frontend team(s).

Let me represent the roles, or the teams, by their distance to the application user (this representation can vary depending on the application, but it covers a lot of cases). I'm going to make some simplifications to explain this:

- The design team takes care of the first thing the user sees in an application: the visuals.
- The frontend team is in charge of implementing those visuals and the user interaction.
- The backend manages the user interactions with the data and implements the business logic.
- DevOps (platform) creates the context (servers, databases, networking) for everything to work.

Frontend Role Interfaces and Borders

To define the frontend role (or team) responsibilities, let's start by defining the borders, beginning on the right side of the picture. The natural interface between the frontend and the backend is a contract: an API. It could be a REST HTTP API, a gRPC API, a GraphQL API, or even an internal controller of the application. This border seems like a hard border, but we'll see that it's not as hard as you might think.

After defining the right border, let's do the same with the left border, the one with design. This is typically a static design of the elements, layouts, and screens of the application: a Figma document or something similar. This is a simplification; I'm aware there are other tools and other ways to define the visual and functional requirements.

Frontend Team Responsibilities

Knowing the borders, let's define the high-level responsibilities of the frontend team:

- Convert designs to HTML/CSS
- Build app layouts
- Create and maintain the app's components
- Add and maintain animations on components and transitions
- Handle user interaction
- Load and send data to the API
- Manage and show backend error messages
- Validate forms and entities
- Implement and maintain business logic
- Implement and maintain UI logic

These responsibilities (and more) are quite different and require different skills. As I mentioned before, in the past it was very common for a single developer to take all of these on and solve the related tasks without thinking about this separation; the same happened long before with the backend and frontend separation, which didn't exist then and is now very common. Nowadays, we can have more specialized roles for each responsibility in the frontend.
We can group these responsibilities into two subgroups: frontend visuals and interactions, and frontend internals. I usually call the latter "the backend of the frontend."

The "frontend visuals and interactions" group takes responsibility for converting the designs to code the browser can understand (HTML and CSS), implementing the animations, the layouts, the user interaction (e.g., emitting an event on user click), and rendering the data, all typically inside a component of a framework like Vue, React, etc. This group of responsibilities requires more knowledge of HTML, CSS (SCSS), SVG, and browser events.

The frontend internals group takes the responsibilities nearer to the backend: connect to the backend, get the data, prepare it for a view, validate the forms, implement the business requirements related to the data flow, constraints, etc. This group requires more knowledge of TypeScript, browser APIs, HTTP, and asynchronous programming.

It's important to say that the borders are not hard, and that is good because, as we will see, it permits mobility, spread, and improvement. Both groups need to understand the business domain, but in different ways: the visuals team requires a better understanding of how the user will interact with the domain and how the domain reacts to those interactions, and the internals team requires a better understanding of data flows, the domain, events, etc. Again, we should understand that the borders are diffuse. We could go even further and create more specialized groups inside the frontend visuals and frontend internals groups, but the logic behind the separation is the same as I exposed above.

Roles Segmentation, Granularity, and Overlapping

Going back to the simple scenario, we had a single role: frontend developer. But now, considering the previous grouping, we can define different roles in our frontend team, roles that cover the skills and responsibilities of several subgroups of responsibilities. This role segmentation makes it easier to find people who fit the team better. The wider the role, the harder it is to find a person who covers the role with all the skills necessary for the position, and it's not about reducing the position's requirements; it's that the same position (e.g., Frontend developer) today usually requires more knowledge than it did five years ago.

For example, if the company needs a specialist in CSS/SVG animation, I think it makes no sense to require knowledge of GraphQL for that position; if the person knows it, perfect, but if not, they can learn it later. It's important that they fit the position at the beginning and start to share knowledge about animation; they can expand into other responsibility areas later, making the onboarding and adaptation processes smoother.

Another example: usually (though not as a general rule), people who come from a frontend boot camp have more skills and feel more comfortable in the visual roles than in the roles nearer to the backend. Should we discard that talent just because it doesn't cover all the frontend skills? I don't think so; as they get more experience, they will broaden their knowledge areas and pick up tasks from other roles.

Mobility Between Roles

An advantage of not having hard borders between these roles is that mobility becomes easy.
Developers can start to get involved in new roles, increasing their knowledge organically. For example, a visuals-role developer may need to change a use case, fix a bug, or implement a minor feature while still staying in their comfort bubble, expanding it a bit at a time; after a while, they can start to do more and more tasks on the internals side, and the opposite holds: a developer in the internals group can take on a task in the visuals.

Another advantage is that the areas of overlap make it easy to understand and empathize with others and their tasks, and to ask "what could I do to make the other's work easier?"

Overlapping Roles

In this situation of narrow and diffuse role definitions, having a developer whose skills overlap with another's is not an issue. It's an advantage: they can split the tasks, work together, and share knowledge in the areas where they don't overlap.

Breaking the Borders

But we still have hard borders between design, frontend, and backend; why not break them? Everything I mentioned before about mobility, overlapping, and specialization applies to the borders with design and the backend. Obviously, we can apply the same close look and segmentation to the roles in design and the backend.

Who doesn't know a designer who learned HTML, CSS, and JS, maybe out of curiosity to make their design real or in search of a better job opportunity? Why ignore those skills? Let them collaborate with the frontend team, or simply help the design team understand the technical possibilities of the frontend.

"Crossing" the right border is more common; we call these people full-stack developers, but following the previous reasoning, there are different types of full-stack developers, depending on where they put the limits of their knowledge areas on the left and on the right. In my opinion, we should let frontend developers whose roles or knowledge areas lean more to the right "cross the border" and participate in the backend's tasks, at least in the ones most related to the frontend. It's always productive and increases the communication and collaboration between teams; such a developer doesn't need to know all the details and internals of the backend. For example, if the backend uses hexagonal architecture, this person could implement or maintain controllers and application use cases, using already-implemented services and entities. And the opposite: a backend developer could implement the frontend repository that reads from the API and converts the data into domain entities without needing to know in depth how the frontend framework works.

Getting the Strengths of the Team Members

This segmentation I wrote about is not about dividing the teams to create more teams or more structure in the organization; it's about identifying the strengths of the team members and taking advantage of them, building work empathy with other teams and team members through a better understanding of other areas of knowledge and their needs, and at the same time minimizing knowledge silos by overlapping these areas.

I believe that in the upcoming years, the knowledge necessary to create big web applications will keep growing, and we will probably see some kind of split between frontend visuals and pure frontend development, but I strongly believe this is an arbitrary division, and people with a specialization who can also take on other roles' tasks will be very useful and productive for any organization.

By Sergio Carracedo
DevOps vs. SRE vs. Platform Engineer vs. Cloud Engineer: Substance or Semantics?

DevOps, as initially conceived, was more of a philosophy than a set of practices, and it certainly wasn't intended to be a job title or a role spec. Yet today, DevOps engineers, site reliability engineers, cloud engineers, and platform engineers are all in high demand, with overlapping skill sets and with recruiters peppering role descriptions with liberal sprinklings of loosely related keywords such as "CI/CD pipeline," "deployment engineering," "cloud provisioning," and "Kubernetes."

When I co-founded Kubiya.ai, my investors pushed me to define my target market better. For example, was it just DevOps, or also SREs, cloud and platform engineers, and other end users? More recently, I'm seeing lots of interest from job seekers and recruiters in defining these roles. From Reddit posts to webinars, this is a hotly debated topic. In this article, I offer my thoughts but recognize there's a great deal of room for interpretation. This is an inflammatory topic for many, so at the risk of provoking a conflagration, let's proceed!

The Proliferation in DevOps Job Specs

The practice of DevOps evolved in the 2000s to address the need to increase release velocity and reduce product time to market while maintaining system stability. In addition, service-oriented architectures allowed separate developer teams to work independently on individual services and applications, enabling faster prototyping and iteration than ever before.

The traditional tension between a development team focused on software releases and a separate, distinct operations team focused on system stability and security grew, and it hindered the pace that many businesses aspired to. In addition, devs didn't always properly understand operational requirements, while ops couldn't head off performance problems before they arose.

The DevOps answer was to break down silos and encourage greater collaboration facilitated by tooling, cultural change, and shared metrics. Developers would own what they built: they would be able to deploy, monitor, and resolve issues end to end. Operations would better understand developer needs; get involved earlier in the product lifecycle; and provide the education, tools, and guardrails to facilitate dev self-service.

DevOps, as initially conceived, was more of a philosophy than a prescriptive set of practices, so much so that there isn't even common agreement on the number and nature of these practices. Some cite the "four pillars of DevOps," some the five pillars, and some the six, seven, eight, or nine. You can take your pick. Different organizations have implemented DevOps differently (and many have not at all). And here, we can anticipate the job spec pickle we've found ourselves in. As Patrick Debois, founder of DevOpsDays, noted, "It was good and bad not to have a definition. People… are really struggling with what DevOps is right now. But, on the other hand, not writing everything down meant that it evolved in many directions."

The one thing that DevOps was not was a role specification. Fast forward to today, and numerous organizations are actively recruiting for "DevOps engineers." Worse still, there is very little clarity on what one is, with widely differing skill sets sought from one role to the next. Related and overlapping roles such as "site reliability engineer," "platform engineer," and "cloud engineer" are muddying already dim waters. How did we get here, and what, if any, are the real differences between these roles?
DevOps and DevOps Anti-Types

In my experience, realizing DevOps as it was originally conceived, i.e., optimally balancing specialization with collaboration and sharing, has been challenging for many organizations. Puppet's 2021 State of DevOps report found that only 18% of respondents identify themselves as "highly evolved" practitioners of DevOps. And as the team at DevOps Topologies describes, some of the success stories come from special circumstances. For example, organizations such as Netflix and Facebook arguably have a single web-based product, which reduces the variation between product streams that can force dev and ops further apart. Others have imposed strict collaboration conditions and criteria, such as the SRE teams at Google (more on that later!), who also wield the power to reject software that endangers system performance.

Many of those at a lower level of DevOps evolution struggle to fully realize the promise of DevOps, owing to organizational resistance to change, skills shortages, lack of automation, or legacy architectures. As a result, a wide range of different DevOps implementation approaches have been adopted across this group, including some of the DevOps "anti-types" described by DevOps Topologies. For many, dev and ops are still siloed. For others, DevOps is a tooling team sitting within development and working on deployment pipelines, configuration management, and such, but still in isolation from ops. And for others, DevOps is a simple rebranding of SysAdmin, with DevOps engineers hired into ops teams with expanded skill set expectations but with no real cultural change taking place.

The rapid adoption of public cloud usage has also fueled belief in the promise of a self-service DevOps approach. But being able to provision and configure infrastructure on demand is a far cry from enabling devs to deploy and run apps and services end to end. Unfortunately, not all organizations understand this, and so automation for many has stalled at the level of infrastructure automation and configuration management.

With so many different incarnations of DevOps, it's no wonder there's no clear definition of a DevOps role spec. For one organization, it might be synonymous only with the narrowest of deployment engineering, perhaps just creating CI/CD pipelines, while at the other end of the spectrum, it might essentially be a rebranding of ops, with additional skills in writing infrastructure as code, deployment automation, and internal tooling. For others, it can be any shade of gray in between. So here we are, with a bewildering range of DevOps job listings.

SRE, Cloud Engineer, and Platform Engineer: Teasing Apart the Roles

So, depending on the hiring organization, for better or worse, a DevOps engineer can be anything from entirely deployment-focused to a more modern variation of a SysAdmin. What about the other related roles: SREs, cloud engineers, and platform engineers? Here's my take on each.

Site Reliability Engineer

The concept of SRE was developed at Google by Ben Treynor, who described it as "what you get when you treat operations as a software problem and you staff it with software engineers." The idea was to have people who combine operations skills and software development skills to design and run production systems. The definition of service reliability SLAs is central and ensures that dev teams provide evidence up front that software meets strict operational criteria before being accepted for deployment.
In addition, SREs strive to make infrastructure systems more scalable and maintainable, including, to that end, designing and running standardized CI/CD pipelines and cloud infrastructure platforms for developer use. As you can see, there's a strong overlap with how some would define a DevOps engineer. So perhaps one way of thinking about the difference is this: DevOps originated with the aim of increasing release velocity, while SRE evolved from the objective of building more reliable systems in the context of growing system scale and product complexity. So, to some extent, the two have met in the middle.

Cloud Engineer

As the functionality of the cloud has grown, some organizations have created dedicated roles for cloud engineers. Again, although there are no hard and fast rules, cloud engineers are typically focused on deploying and managing cloud infrastructure and know how to build environments for cloud-native apps. They'll be experts in AWS, Azure, or Google Cloud Platform. Depending on the degree of overlap with DevOps engineer responsibilities, they may also be fluent in Terraform, Kubernetes, etc. With the forward march of cloud adoption, cloud engineer roles are subsuming what formerly might have been called an infrastructure engineer, with its original emphasis on both cloud and on-premises infrastructure management.

Platform Engineer

Internal developer platforms (IDPs) have emerged as a more recent solution to cutting the Gordian knot of balancing developer productivity with system control and stability. Platform engineers design and maintain IDPs that aim to provide developers with self-service capabilities to independently manage the operational aspects of the entire application lifecycle: from CI/CD workflows, to infrastructure provisioning and container orchestration, to monitoring, alerting, and observability. Many devs simply don't want to do ops, at least not in the traditional sense. As a creative artist, the developer doesn't want to worry about how infrastructure works. So, crucially, the platform is conceived of as a product, achieving control by creating a compelling self-serve developer experience rather than by imposing mandated standards and processes.

Getting Comfortable With Dev and Ops Ambiguity

So, where does this leave candidates for all these various roles? Probably, for now, and at least until there is greater commonality among DevOps implementation approaches, the only realistic answer is to make sure you ask everything you need to during an interview, clarifying both the role expectations and the organizational context into which you will be hired. For recruiters, you may decide for various reasons to cast a wide net, stuffing job postings with trending keywords. But ultimately, the details about a candidate's experience and capabilities must come out in the interview process and conversations with references. From my perspective, whether you are a DevOps engineer, platform engineer, cloud engineer, or even an SRE, ensuring you are supporting developers with all their operational needs will go a long way in helping them focus on creating the next best thing.

By Amit Eyal Govrin
Creating Self-Serve DevOps Without Creating More Toil

My journey to co-founding Kubiya.ai was triggered by the very real pain of being a DevOps leader supporting both broader organizational goals and the day-to-day needs of software engineers and others. This is my story (or at least the somewhat interesting parts) of what it was like and how I found a productive approach to managing it all.

DevOps Opening Hours: 2:45 p.m. Until a Quarter to 3:00 p.m.

It's really not a joke. DevOps have no time. We need to make sure everything is running smoothly from development to production and often beyond. We are busy enhancing CI/CD processes, upgrading and configuring monitoring and alerting systems, and optimizing infrastructure for both cost and security, as well as sitting in lots of meetings. But on top of all that, we need to deal with endless and oftentimes repetitive requests from developers (and others). This was exactly my experience as the head of DevOps at my previous company. The repetitive requests were not only taking up around 70% of my team's time and energy, they had the team mouthing off RTFM every time a dev asked a question.

In Search of DevOps Self-Serve That Works

So I started exploring different solutions for enabling a self-service culture in the organization, to reduce the burden on the DevOps team while empowering developers to do more on the operational side. But before getting to the solutions I explored, I want to mention several things that were constantly on my plate as head of DevOps:

- Planning, building, and managing multiple types of pipelines for the R&D teams, which included CI/CD pipelines, self-service automation, and infrastructure as code (IaC)
- Dealing with permissions requests from different personas in the organization while keeping the security team in the loop
- Taking care of the onboarding and offboarding process for engineers in the company
- And, of course, the maintenance of all the different tools needed to accomplish those tasks

While doing all of this, my team had to keep an eye on several Slack channels to answer questions from the tech organization, such as:

- "Where are my logs?"
- "Why did my pipeline fail?"
- "Why did my service stop responding?"
- Kubernetes questions, cloud questions, and more

So we tried several different approaches.

Internal Developer Platforms: Loads of Development

Internal developer platforms, typically created and maintained by a dedicated team, are a combination of common tools and technologies that software developers can use for easier access to, and management of, complex infrastructure and processes. While we considered building a developer platform, there simply was too much planning required to make this a reasonable endeavor. For starters, we had so many tools in use, and in a very dynamic organization the number and types of tools were constantly changing, making ongoing curation a real challenge. But aside from bringing all these tools together into a single platform, training and adoption were not realistic with a software development team singularly focused on coding the next best thing. We found ourselves struggling to decide how to create such a platform and what features should be included. Naturally, we worried about creating a new kind of toil. Even if we reduced the workload coming from developer requests, embracing an internal developer platform looked like it would bring fresh pain in managing the platform lifecycle, adding new features, and, as always, supporting different users.
Workflow Automation Is Not So Automatic

Of course, our industry's standard solution, and one that our tech organization already understood, was to automate everything possible. So, utilizing tools that our developers were already familiar with, such as Jenkins, we created automation for nearly any issue you can think of. As soon as an issue occurred, we were able to create a dedicated pipeline to solve it. The main problem was that developers didn't know where to find these workflows. And even if they knew where to find the workflow, they did not usually know which parameters to fill in. So we were back to the same routine of devs approaching us for help.

Permissions were another issue. It was very risky for us to allow large groups to trigger workflows. With so much potential for chaos, deciding who should have the authority to run workflows was no easy task. Even granting permissions and approvals on an ad hoc basis with the security team took a lot of time and effort. Permission lifecycles were also problematic, as offboarding a user who left the company required special handling. New workflows required adding permissions and defining who would receive those permissions. Finally, each time an existing workflow was edited to include more actions, a fresh review of both the workflow and the associated permissions was required.

Chatbot to the Rescue

In light of the fact that developer requests came to us via a chat interface (in our case it was Slack), whether by direct messaging me or my team members or via the on-call channel, I decided to create a chatbot, or Slackbot. For permissions management, I connected our chatbot to our company's identity provider. This allowed the Slackbot to know the role of anyone who approached it, which made it easy to create unique policies for different user roles (defined by the identity provider) in terms of consuming the operational workflows via the Slackbot (a sketch of what such a policy could look like appears at the end of this section).

For context gathering, the Slackbot would ask the relevant questions, guiding users to provide the details needed to fill in the parameters of the different workflows that already existed for CI/CD tools like Jenkins, cloud infrastructure, and more. Besides solving for the lack of domain expertise and lack of interest in operations, our Slackbot acted as a proxy with guardrails for developers. This allowed them to do what they needed without over-permissioning. Most importantly, it reduced my team's workload by 70% while eliminating long delays for end users, who no longer had to wait in a virtual queue.
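To make the role-to-workflow idea more concrete, here is a purely hypothetical sketch of what such a policy could look like if expressed as configuration; the role names, workflow identifiers, and approval flag are invented for illustration and are not from the actual Slackbot described above:

```yaml
# Hypothetical role-based policy for a self-service Slackbot
# (illustrative only; all names and fields are invented)
policies:
  - role: developer            # role as reported by the identity provider
    allowed_workflows:
      - restart-service
      - fetch-pod-logs
    requires_approval: false
  - role: contractor
    allowed_workflows:
      - fetch-pod-logs
    requires_approval: true     # security team approves each run
  - role: sre
    allowed_workflows: ["*"]    # full access to operational workflows
    requires_approval: false
```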
AI-Driven Virtual Assistants Exploring and experiencing the pros and cons of the various solutions led me to understand that the key to success is finding a solution that benefits both the developers AND DevOps. A system that can ask the developer questions if context is missing, transforming context gathering (which DevOps would normally have to handle) into simple conversations. Using NLU to infer user intent from a phrase fragment and offer to execute the relevant workflows is another area where AI can improve the end-user experience — so even if a developer only knows, for example, a part of the name of a cluster or service, the virtual assistant can figure out what it is that they need. This combination of all of the features of a chatbot — plus the ability to understand or learn the user's intentions (on the fly) even if it’s something new and unfamiliar — keeps workflows flowing. In addition to all this, my conversations with Kubiya.ai customers made it clear that a self-service approach needs to be tied in with security as well. Being able to easily manage user permissions both upfront in the form of policy creation for different users and groups as well as with just-in-time, ad hoc approvals is key to a successful self-serve solution. In summary, my experience building a self-serve culture has shown me that having an efficient system in place is essential for companies who want to move fast as it ensures that all parties — operations, development, security teams — can get their work done with the least amount of toil and friction.

By Shaked Askayo
DevOps Best Practices for Effective Implementation in Your Organization
DevOps Best Practices for Effective Implementation in Your Organization

Innovation in the IT sector provides an opportunity to improve people's quality of life. Keeping up with developing consumer trends and rapidly shifting customer behavior have been big issues for IT organizations throughout the world as the business has grown dramatically. "DevOps" is one of the latest developments in the IT sector. Large and medium-sized companies have already pushed the DevOps movement to reap benefits like increased productivity, low risk, easy maintenance, greater quality, cost-effectiveness, and exceptional outcomes. The competitiveness of businesses will be increased through DevOps methods. It supports raising revenue, operational quality, and productivity. DevOps is undoubtedly not a fad that will soon fade away; it has the potential to take the place of conventional methods of software engineering. The use of DevOps Best Practices advances both the efficiency with which projects are completed and the level of cooperation between businesses and DevOps service providers or DevOps consulting services. As a result, there is now more concern about how to deploy DevOps methods best to generate maximum economic value rather than whether to adopt them at all. The following article focuses on how to implement DevOps for enterprises. Additionally, walk you through the benefits you may get with DevOps implementation. How to Implement DevOps for Enterprises The primary objective of DevOps implementation is to reduce time to market, improve teamwork, improve product quality, and maintain safety requirements. However, several organizations still struggle to deploy DevOps to meet their objectives. Here are a few ways to successfully deploy enterprise DevOps. Building a Collaborative Culture DevOps aims to increase communication and break down barriers between teams working on development, operations, and quality assurance. By doing this, the software development and customer delivery processes may be sped up. Achieving this degree of collaboration necessitates a shift in the engineering team's culture and mentality, as well as a shared goal or set of goals. To achieve client expectations, software developers and operations engineers must jointly control the software development process. Therefore, regardless of their team positions, everyone's duties in DevOps include development and operations. Priority to Customer Satisfaction Whether you select a full DevOps approach or the traditional waterfall process, the goal is to please your clients. For instance, regular upgrades and speedy delivery of new features are among the top requirements of modern SaaS consumers. DevOps provide the ability to streamline the release process. Since the same people are writing new code and handling code releases, It is easier to offer new features to customers more quickly. This results in a happy and satisfied consumer. Adopt Continuous Integration and Continuous Delivery (CI/CD) Routinely integrating small batches of code into a common code repository enables developers to work together effectively. Since we introduce small, manageable modifications using this method, the repository is always kept in good condition. Continuous Integration (CI) offers early mistake identification and increases code quality since these tiny batches of changes are evaluated each time using automated builds and tests. After integrating our code, the following step is to deploy it to our environment. For every tiny set of changes, continuous delivery (CD) involves getting the code into a deployable state. 
This streamlines our deployment processes and gives our developers a simple, automated way to send code into production. Automation of Testing and Environment Building Regular software testing by developers is necessary to generate high-quality code. DevOps provides developers with early testing opportunities to find and address problems. Unlike manual testing, automated testing leads to faster execution of the Software Development Life Cycle and is an important part of code development, middleware setups, and data and networking upgrades. When using virtual infrastructure, automation of the building environment is necessary since manual environment creation runs the risk of important needs being overlooked or implemented in a legacy fashion. Follow Agile Principles To get the best results, organizations must adopt both DevOps and Agile concepts. This will promote effective communication and enable analysts, developers, and testers to work together as a cross-functional team. DevOps approaches and Agile concepts can help you shorten the average time it takes to build a product and cut down on the number of faults it contains, thereby raising its quality. Agile methodologies make sure that software is given to consumers in iterations. For each iteration, Continuous Integration and Delivery of software should be used to collect customer input as soon as possible and ultimately achieve a quicker time to market. Application and Infrastructure Monitoring DevOps monitoring, which should focus on both your apps and the underlying infrastructure, enables teams to discover and respond to issues quickly and automatically. Thanks to rigorous monitoring that identifies issues during testing, teams can take corrective action and stop problems before they damage production. Effective monitoring lowers the impact of production failures since your operations staff can react right away or, even better, automate answers. Therefore, your CI/CD and test automation procedures should feed into your application and infrastructure monitoring and vice versa. Microservice Architecture Microservices are a recent development in the software industry. They are compact, deployable services that are based on sophisticated programs. A microservice is an improved version of service-oriented architecture (SOA). Microservices have the advantage of being independent of technology and utilizing several channels for communication. Use of the Right Tools DevOps tools are a collection of technologies that enable development and operations teams to collaborate on development, testing, deployment, and performance monitoring. Depending on how they interact with other tools, DevOps automation technologies should be picked. A DevOps toolchain needs the right tools for each stage of the DevOps lifecycle in order to improve software quality and delivery speed. Therefore, it is recommended that you choose a toolset that is suitable for your IT environment. Customer Feedback A client should be involved at every stage of the process, from gathering requirements to providing software. Additionally, businesses should take the utmost effort to modify client requirements and use sufficient care to implement such changes with minimal code changes. By using this feedback system, the company will be able to produce a higher-quality product while increasing client confidence. Benefits of DevOps Increased Automation To accelerate the whole development cycle, DevOps teams often automate many of the key activities. 
Many tedious and repetitive operations can be automated to eliminate the need for manual labor, giving developers more time to focus on new projects. Innovative Mindset DevOps streamlines operations, distributes efficient releases, and assures high-quality builds. As a result, the deployment stages are more laid-back, the teams are more rested, and there is much more room for creative problem-solving. Increased Customer Satisfaction With DevOps, businesses may double their deployment frequency, recover from failures up to four times faster, and reduce their failure rates. Automating the delivery process helps guarantee the stability and consistency of the application with each new update. Customers are more satisfied with businesses whose applications operate properly release after release. Security DevSecOps is a method of infrastructure design that incorporates security throughout the whole IT lifecycle. Through gradual enhancements, automated compliance procedures, and granular controls, DevSecOps also improves recovery speed. Quicker Deployment Automated operations are substantially faster than manual ones, and as pipeline steps are standardized, the overall quality of the release process improves, providing predictable outputs. Encourages Flexibility in Your Company Increasing the flexibility of your company operations will undoubtedly help you remain ahead of the competition. In addition, DevOps makes it possible to achieve the scale required to transform the business completely. Minimal Production Costs By bringing both maintenance and new updates under one larger umbrella, DevOps helps reduce the administration and production expenses of your departments through good coordination. Conclusion After reading this article on DevOps best practices, we hope you can now make smart decisions about DevOps. DevOps ensures that your products are developed according to the needs of your consumers by covering everything from quality assurance to customer feedback loops. Adopting DevOps can pay off when done effectively, which includes understanding the concept and depth of DevOps and instructing teams on how to implement it for your enterprise. Implementing DevOps will not only expedite the development of your products and save costs, but it will also improve quality. Get in contact with DevOps consulting services providers if you're considering adopting DevOps or if you want to explore it in more depth.
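Pulling a few of these practices together, the sketch below shows the kind of automated post-deployment smoke test a CD pipeline could run before promoting a release, feeding its result back into the pipeline as an exit code. The base URL and endpoints are placeholders; substitute your own service.

Python
import sys
import requests

# Placeholder endpoints for the newly deployed service; adjust to your application.
BASE_URL = "https://staging.example.com"
CHECKS = {
    "health endpoint": "/healthz",
    "login page": "/login",
}

def run_smoke_tests() -> bool:
    """Return True only if every endpoint answers with HTTP 200 within the timeout."""
    ok = True
    for name, path in CHECKS.items():
        try:
            resp = requests.get(BASE_URL + path, timeout=5)
            passed = resp.status_code == 200
        except requests.RequestException:
            passed = False
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
        ok = ok and passed
    return ok

if __name__ == "__main__":
    # A CD pipeline can gate promotion to production on this exit code.
    sys.exit(0 if run_smoke_tests() else 1)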

By Shahid Mansuri
What Is DevOps Monitoring and How to Implement It in Your Organization
What Is DevOps Monitoring and How to Implement It in Your Organization

Software companies today often face two significant challenges — delivering at speed and innovating at scale. And DevOps helps address these challenges by imbibing automation throughout the software development lifecycle (SDLC) to develop and deliver high-quality software. Continuous Integration and Continuous Deployment (CI/CD) is the critical component of automation in a DevOps practice. It automates code builds, testing, and deployment so businesses can ship code changes faster and more reliably. However, one must continuously monitor their CI/CD pipeline to realize the DevOps promise. So, what is monitoring in DevOps, and how can businesses leverage it to tap optimal DevOps potential? Let's dig deep… What Is DevOps Monitoring? At its core, DevOps methodology is a data-driven approach. The ability to continuously improve the software quality completely relies on understanding how the code performs, what issues it introduces, and where to find improvement opportunities. This is where DevOps monitoring comes into the picture. DevOps monitoring is the practice of tracking and measuring the performance and health of code across every phase of the DevOps lifecycle, from planning, development, integration, and testing to deployment and operations. It facilitates a real-time, easy-to-consume, single-pane-of-glass view of your application and infrastructure performance. You can find significant threats early and fix them before they become a headache. DevOps monitoring gleans valuable data about everything from CPU utilization to storage space to application response times. Real-time streaming, visualizations, and historical replay are some key aspects of DevOps monitoring. What Is the Importance of DevOps Monitoring for Business Organizations? DevOps monitoring empowers business organizations to track, identify, and understand key metrics such as deployment frequency and failures, code error count, the cycle time of pull requests, rate of change failure, mean time to detect (MTTD), mean time to mitigate (MTTM), and mean time to remediate (MTTR). These valuable insights enable you to proactively identify the application or infrastructure issues and resolve them in real-time. Monitoring also optimizes the DevOps toolchain by identifying opportunities for automation. Here are some of the key benefits that highlight the importance of DevOps monitoring for business organizations: 1. High Visibility The Continuous Integration/Continuous Deployment (CI/CD) facilitated by DevOps enables frequent code changes. However, the increased pace of code changes makes the production environments increasingly complex. Moreover, introducing microservices and micro front-ends into the modern cloud-native ecosystem leads to various workloads operating in production, each with varying operational requirements of scale, redundancy, latency, and security. As a result, greater visibility into the DevOps ecosystem is crucial for teams to detect and respond to issues in real-time. This is where continuous monitoring plays a key role. DevOps monitoring gives a real-time view of your application performance as you deploy new versions of code in various environments. So you can identify and remediate issues earlier in the process and continue to test and monitor the subsequent code changes. Monitoring helps you validate new versions in real-time to ensure they are performing as planned, so you can confidently release new deployments. 2. 
Greater Collaboration The core principle of DevOps is to enable seamless collaboration between the development and operations teams. However, a lack of proper integration between the tools can impede coordination between different teams. This is where DevOps monitoring comes in. You can leverage continuous monitoring to get a complete, unified view of the entire DevOps pipeline. You can even track commits and pull requests to update the status of related Jira issues and notify the team. 3. High Experimentation The ever-evolving customer needs demand businesses to constantly experiment in order to optimize their product line through personalization and optimized conversion funnels. Teams often run hundreds of experiments and feature flags in the production environments, making it difficult to identify the reason for any degraded experience. Moreover, the increasing customer demand for uninterrupted services and applications can add vulnerabilities to applications. Continuous monitoring can help you easily monitor the experiments and ensure they work as expected. 4. Manage Changes Typically, most production outages are triggered by frequent code changes. Therefore, it is imperative to implement change management, especially for mission-critical applications, such as banking and healthcare applications. One needs to determine the risks associated with changes and automate the approval flows based on the risk of the change. And a comprehensive monitoring strategy can help you deal with these complexities. You only need a set of rich, flexible, and advanced monitoring tools. 5. Monitoring Distributed Systems Businesses often deal with distributed systems composed of many smaller, cross-company services. So, teams need to monitor and manage the performance of the systems they build and that of dependent systems. DevOps monitoring empowers you to deal with this dependent system monitoring with ease. 6. Shift-Left Testing Testing, when shifted left. i.e., when performed at the beginning of the software development lifecycle, it can significantly improve the code quality and reduce the test cycles. However, shift-left testing can be implemented only when you can streamline monitoring of the health of your pre-production environments and implement it early and frequently. Continuous monitoring also enables you to track user interactions and maintain application performance and availability before it is deployed to production environments. Benefits of Unified Monitoring and Analytics Unified monitoring and analytics help your DevOps teams to gain complete, unparalleled, end-to-end visibility across the entire software lifecycle. However, unifying monitoring data, analytics, and logs across your DevOps CI/CD ecosystem can be challenging and complex. Types of DevOps Monitoring Infrastructure monitoring Every IT business must set up and maintain an IT infrastructure in order to deliver products and services in a seamless and efficient manner. Typically, IT infrastructure includes everything that relates to IT, such as servers, data centers, networks, storage systems, and computer hardware and software. And DevOps monitoring helps in managing and monitoring this IT infrastructure, which is termed Infrastructure Monitoring. Infrastructure Monitoring collects the data from the IT infrastructure. It analyzes it to derive deep insights that help in tracking the performance and availability of computer systems, networks, and other IT systems. 
It also helps in gleaning real-time information on metrics such as CPU utilization, server availability, system memory, disk space, and network traffic. Infrastructure Monitoring covers hardware monitoring, OS monitoring, network monitoring, and application monitoring. Some of the popular Infrastructure Monitoring Tools are: Nagios Zabbix ManageEngine OpManager Solarwinds Prometheus Application Monitoring Application monitoring helps DevOps teams track runtime metrics of application performance, like application uptime, security, and log monitoring details. Application Performance Monitoring (APM) tools are used to monitor a wide range of metrics, including transaction time and volume, API and system responses, and overall application health. These metrics are derived in the form of graphical figures and statistics, so that DevOps teams can easily evaluate the application performance. Some of the popular application monitoring tools are: Appdynamics Dynatrace Datadog Uptime Robot Uptrends Splunk Network Monitoring Network monitoring tracks and monitors the performance and availability of the computer network and its components, such as firewalls, servers, routers, switches, and virtual machines (VMs). Typically, the network monitoring systems share five important data points, namely, discover, map, monitor, alert, and report. Networking monitoring helps identify network faults, measure performance, and optimize availability. This enables your DevOps teams to prevent network downtimes and failures. Some of the popular NMS tools are: Cacti Ntop Nmap Spiceworks Wireshark Traceroute Bandwidth Monitor Difference Between DevOps Monitoring and Observability DevOps teams often use monitoring and observability interchangeably. While both concepts play a crucial role in ensuring the safety and security of your systems, data, and applications, monitoring and observability are complementary capabilities and are not the same. Let's understand how both concepts are different: The differences between monitoring and observability depend on whether the data collected is predefined or not. While monitoring collects and analyses predefined data gleaned from individual systems, observability collects all data produced by all IT systems. Monitoring tools often use dashboards to display performance metrics and other KPIs, so DevOps teams can easily identify and remediate any IT issues. However, metrics can only highlight the issues your team can anticipate, as they are the ones that create the dashboards. This makes it challenging for DevOps teams to monitor the security and performance posture of the cloud-native environments and applications as the issues are often multi-faceted and unpredictable. On the other hand, observability tools leverage logs, traces, and metrics collected from the entire IT infrastructure to identify issues and proactively notify the teams to mitigate them. While monitoring tools provide useful data, DevOps teams need to leverage observability tools to get actionable insights into the health of the entire IT infrastructure and detect bugs or vulnerable attack vectors at the first sign of abnormal performance. However, observability doesn’t replace monitoring; rather, it facilitates better monitoring. The Best DevOps Monitoring Tools DevOps monitoring tools enable DevOps teams to implement continuous monitoring across the DevOps application development lifecycle and identify potential errors before releasing the code to production. 
However, you need to select the monitoring tools that best suit your business objectives so that you can achieve quality products with minimal costs. Here are some of the best DevOps monitoring tools available in the market: The Top 10 DevOps Monitoring Tools: 1. Splunk Splunk is the most-sought after monitoring tool when it comes to machine-generated data. In addition to monitoring, this popular tool is also used for searching, analyzing, investigating, troubleshooting, alerting, and reporting machine-generated data. Splunk complies with all the machine-generated data into a central index that enables DevOps teams to glean required insights quickly. The enticing aspect of Splunk is that it does not leverage any database to store its data; instead, it uses indexes for data storage. The tool helps in creating graphs, dashboards, and interactive visualizations, so your team can easily access data and find solutions to complex problems. Some of the key features of Splunk are: Real-time data processing. The tool accepts input data in various formats, including CSV and JSON. The tool allows you to easily search and analyze a particular result. The tool allows you to troubleshoot any performance issue. You can monitor any business metrics and make an informed decision. You can incorporate Artificial Intelligence into your data strategy with Splunk. 2. Datadog Datadog is a subscription-based SaaS platform that enables continuous monitoring of servers, applications, databases, tools, and services. This tool helps you foster a culture of observability, collaboration, and data-sharing, so you can get quick feedback on operational changes and improve development velocity and agility. Some of the key features of Datadog are: Extensible instrumentation and open APIs. Autodiscovery for automatic configuration of monitoring checks. Monitoring-as-code integrations with configuration management and deployment tools. Easily customizable monitoring dashboards. 80+ turn-key integrations. Get health and performance visibility of other DevOps tools. 3. Consul HashiCorp’s Consul is an open-source monitoring tool to connect, configure, and secure services in dynamic infrastructure. The tool enables you to create a central registry that tracks applications, services, and health statuses in real-time. The Consul's built-in UI or the APM integrations enable DevOps teams to monitor application performance and identify problem areas at the service level. The topology diagrams in the Consul UI help you visualize the communication flow between services registered in your mesh. Some of the key features of Consul are: The perfect tool for modern infrastructure. It provides a robust API. Easy to find services each application needs using DNS or HTTP. Supports multiple data centers. 4. Monit Monit is an open-source DevOps monitoring tool. It is used for managing and monitoring Unix systems. Your team can leverage Monit for monitoring daemon processes such as those started at system boot time from /etc/init/, For instance, Sendmail, apache, sshd, and MySQL. The tool can also be used for running similar programs, files, directories, and filesystems running on localhost and tracking the changes, such as size changes, timestamp changes, and checksum changes. Moreover, you can also use Monit for monitoring general system resources on localhosts, such as CPU usage, memory usage, and average load. Some key features of Monit are: The tool conducts automatic maintenance and repair. 
It also executes insightful actions during any event. The tool has built-in network tests for key Internet protocols, such as HTTP and SMTP. It can be used to test programs or scripts at scheduled times. Monit is an autonomous system that does not rely on any plugins or special libraries to run. The tool easily compiles and runs on most flavors of Unix. 5. Nagios Nagios is one of the most popular DevOps monitoring tools. It is an open-source tool and is used for monitoring all mission-critical infrastructure components, including services, applications, operating systems, system metrics, network protocols, and network infrastructure. The tool facilitates both agent-based and agentless monitoring, making it easy to monitor Linux and Windows servers. With Nagios, your DevOps teams can monitor all sorts of applications, including Windows, UNIX, Linux, and web applications. Some key features of Nagios are: The tool supports hundreds of third-party add-ons, so you can monitor virtually anything, including in-house and external applications, services, and systems. Simplifies the log data sorting process. Offers high network visibility and scalability. Provides complete monitoring of Java Management Extensions (JMX). 6. Prometheus Prometheus is an open-source monitoring toolkit primarily developed for system monitoring and alerting. The tool collects and stores metrics information along with the timestamp at which it is recorded. Optional key-value pairs called labels are also stored with the metric information. The Prometheus ecosystem comprises multiple components, including the main Prometheus server for storing time series data, client libraries for instrumenting application code, a push gateway for handling short-lived jobs, and an Alertmanager for handling alerts. Some of the key features of the Prometheus tool are: The tool provides special-purpose exporters for services like StatsD, HAProxy, and Graphite. Supports Mac, Windows, and Linux. Facilitates monitoring of containerized environments such as Docker and Kubernetes. Easily integrates with configuration tools like Ansible, Puppet, Chef, and Salt. The tool does not rely on distributed storage. Prometheus supports multiple modes of graphing and dashboarding. 7. Sensu Sensu by Sumo Logic is a monitoring-as-code solution for mission-critical systems. This end-to-end observability pipeline enables your DevOps and SRE teams to collect, filter, and transform monitoring events and send them to the database of their choice. With a single Sensu cluster, you can easily monitor tens of thousands of nodes and quickly process over 100M events per hour. The tool facilitates enterprise-grade monitoring of production workloads, providing true multi-tenancy and multi-cluster visibility into your entire infrastructure. Some of the key features of the Sensu tool are: The tool supports external PostgreSQL databases, allowing you to scale Sensu nearly limitlessly. Sensu's embedded etcd handles 10K connected devices and 40K agents per cluster. The tool offers declarative configurations and a service-based approach to monitoring. Easily integrates with other DevOps monitoring solutions like Splunk, PagerDuty, ServiceNow, and Elasticsearch. 8. Sematext Sematext is a one-stop solution for all your DevOps monitoring needs.
Unlike other monitoring tools which offer only performance monitoring or only logging, or only experience monitoring, Sematext offers all the monitoring solutions that your DevOps team needs to troubleshoot their production and performance issues and move faster. With Sematext, your DevOps teams can monitor application performance, logs, metrics, real users, processes, servers, containers, databases, networks, inventory, alerts, events, and APIs. You can also do log management, synthetic monitoring, and JVM monitoring, among many other operations. Some of the key features of the Sematext tool are: The tool empowers you to map and monitor your entire infrastructure in real-time. Sematext provides better visibility for DevOps teams, System Admins, SREs, and Bizops. The tool offers fully managed Elasticsearch and Kibana, so you don’t need to spend on highly expensive Elasticsearch expert staff and infrastructure. The tool allows you to set up your free account in less than ten mins. Seamtext makes integration with external systems a breeze. 9. PagerDuty PagerDuty is an operations performance monitoring tool that enables your DevOps teams to assess the reliability and performance of the applications. The tool keeps your DevOps team connected with their code in production, leverages machine learning technology to identify issues, and alerts the team to address the errors as early as possible. That means your DevOps team spends less time responding to the incidents and has more time for building and innovating. Some of the key features of the PagerDuty tool are: PagerDuty comes with an intuitive alerting API, making it an excellent, easy-to-use incident response and alerting system. If an alert does not respond within the predefined time, the tool will auto-escalate by the originally established SLA. The tool supports data collection through a pull model over the HTTP. PagerDuty works as autonomous single server nodes with no dependency on distributed storage. It is a robust GUI tool for scheduling and escalation policy. The tool also supports multiple modes for dashboards and graphs. 10. AppDynamics AppDynamics is one of the most popular application performance monitoring tools available in the market. As a continuous monitoring tool, AppDynamics helps monitor your end users, applications, SAP, network, database, and infrastructure of both cloud and on-premises computing environments. With this tool, your DevOps team can easily gain complete visibility across servers, networks, containers, infrastructure components, applications, end-user sessions, and database transactions, so they can swiftly respond to performance issues. Some of the key features of the AppDynamics tool are: The tool seamlessly integrates with the world’s best technologies, such as AWS, Azure, Google Cloud, IBM, and Kubernetes. AppDynamics leverages machine learning to deliver instant root-cause diagnostics. The tool supports hybrid environment monitoring. Cisco full-stack observability with AppDynamics. The tool comes with a pay-per-use pricing model. DevOps Monitoring Use-cases: Real Examples of How Enterprises Use Monitoring Tools There’s no question the DevOps monitoring tools enable your DevOps team to automate the monitoring processes across the software development lifecycle. The monitoring tools enable your DevOps teams to identify code errors early, run code operations efficiently, and respond to code changes in usage rapidly. However, one must implement monitoring tools effectively to ensure complete success. 
Here are some prominent DevOps monitoring use cases that you can leverage to achieve DevOps success: Git Workflow Monitoring DevOps teams often encounter recurring codebase conflicts as a result of multiple developers working on the same project functionality simultaneously. Git enables your DevOps teams to manage and resolve conflicts, including commits and rollbacks. So, when you monitor your Git workflows, you can keep code conflicts in check and ensure consistent progress in your project. Code Linting Code linting tools help your DevOps team analyze the code for style, syntax, and potential issues. With these tools, your DevOps team can ensure that they are adhering to coding best practices and standards. Code linting enables you to identify and address code issues before they trigger runtime errors and other potential performance issues. With linting tools, you can ensure that your code is clean and consistent. Distributed Tracing Your DevOps teams need distributed tracing to streamline the monitoring and debugging of microservices applications. Distributed tracing helps your team understand how applications interact with each other through APIs, making it easier to identify and address application performance issues. Continuous Integration/Continuous Deployment (CI/CD) Logs With CI/CD pipelines becoming a prominent element of the DevOps ecosystem, monitoring them is imperative for DevOps success. The continuous integration (CI) logs help ensure that your code builds are running smoothly; otherwise, the logs inform you about the errors or warnings in your code builds. So, monitoring the CI logs helps identify potential issues in your build pipeline and address them proactively. Likewise, the continuous deployment (CD) logs inform you about the overall pipeline health and status. So, monitoring the CD logs helps your DevOps teams easily troubleshoot any failed deployments and repair potential issues. Configuration Management Changelogs Configuration management changelogs help DevOps teams gain deep visibility into the system's health and important changes, both manual and automated. So, monitoring these logs empowers your team to track the changes made to the system, identify unauthorized changes, and rectify the issues. Code Instrumentation Code instrumentation is the process of adding code to an application in order to collect data about its performance and the routes its operations take. This is crucial for tracing stack calls and knowing the contextual values. So, monitoring code instrumentation results empowers you to measure the efficiency of your DevOps practices and gain visibility into potential gaps, if any. It also helps you identify bugs and improve testing. Best Practices to Nail DevOps Monitoring Just like the adoption of DevOps itself, implementing a robust DevOps monitoring model needs a strategic combination of culture, process, and tooling. Though you can take inspiration from how your competitors are adopting DevOps monitoring, the model you adopt must align with your unique organizational needs and SDLC. Here are some best practices that help you nail DevOps monitoring: Know What to Monitor Knowing what to monitor is half the battle won. So, even before you start implementing your DevOps monitoring strategy, it is crucial to know what needs to be monitored. Your monitoring objectives should focus on the server's performance, vulnerabilities, user activity, and application logs.
Define Development Goals Your DevOps monitoring strategy must be anchored with fixed development goals. These objectives help you understand how well your DevOps monitoring strategy is performing. A most sought-after method to ensure meeting the objectives is to track each sprint duration and measure the time taken to identify, document, and rectify the issues. Leveraging machine learning technology to automate configuration processes helps you save significant time and avoid manual errors. Monitor User Activity Monitoring user activity is one of the most important monitoring types. It helps you in tracking unusual requests, multiple login attempts, logging from unknown devices, and any suspicious user activity like a developer trying to access the admin account. By monitoring user activity, you can ensure that the right user is accessing the right resources. This process helps in preventing potential threats to the system and mitigate cyberattacks. Choose the Right Monitoring Tools Selecting the right set of DevOps monitoring tools from a rich choice of tooling available in the DevOps ecosystem is an arduous task. Picking the precise tool that is most suitable for your SDLC and your application’s infrastructure starts with an evaluation process. It primarily involves understanding the tool's features and functionality so you can easily assess whether it is best suited for application or infrastructure monitoring or not. So, here are some questions you need to ask to evaluate the DevOps monitoring tool: Does the tool integrate easily? Ensure that the monitoring tool easily integrates with your DevOps pipeline and your broader technology stack. This helps you atomate actions and alerts with ease. Does the tool offer something new? The DevOps monitoring tools that glean a rich amount of data are a cut above the rest. However, more data demands more attention, uses more storage and needs more management. So, select monitoring tools that pave way for new avenues of monitoring rather than those that provide normal benefits. Does the tool offer a unified dashboard? Your DevOps ecosystem comprises many services, libraries, and products working together. So, a DevOps monitoring tool that offers a unified dashboard helps you gain complete, real-time visibility across the DevOps lifecycle and make it easier to identify issues and gaps. Does the tool integrate alerts with your existing tooling? Your DevOps monitoring tools must enable your DevOps teams to respond quickly to alerts and notifications. Check whether the tool supports alerting directly or integrates with your existing notification tools. Also, ensure that the tooling you're evaluating integrates with your organization's existing reporting and analytics tools. What type of audit logs does the tool provide? Understanding the current state of your system is important, especially when something goes south. The action-by-action record provided by the audit logs enables you to understand what has happened, identify which process or person is responsible, analyze the root cause, and provide a basis for learning the gaps in the system. So, what type of audit logs does your tool provide, and how do they provide crucial information? What are the tool’s data storage needs? DevOps monitoring tools generate massive amounts of data. So, it is important to understand the storage needs of the tool and the cloud storage costs to keep useful history without storing data beyond its useful life. What types of diagnostics does the tool offer? 
Check whether the monitoring tool alerts you to symptoms or helps you in diagnosing the underlying issue. Choose comprehensive tools, such as application performance monitoring platforms, to understand what's happening in complex scenarios, such as several asynchronous microservices working together.
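To ground the code instrumentation and Prometheus discussion above, here is a minimal sketch that uses the Prometheus Python client to expose a request counter and a latency histogram over HTTP. The metric names, port, and handle_request function are illustrative placeholders rather than a prescribed convention.

Python
import random
import time

# Requires the Prometheus Python client: pip install prometheus-client
from prometheus_client import Counter, Histogram, start_http_server

# Illustrative metric names; follow your own naming conventions in practice.
REQUESTS_TOTAL = Counter("app_requests_total", "Total requests handled", ["status"])
REQUEST_LATENCY = Histogram("app_request_latency_seconds", "Request latency in seconds")

@REQUEST_LATENCY.time()          # records how long each call takes
def handle_request() -> None:
    time.sleep(random.uniform(0.01, 0.2))          # stand-in for real work
    status = "200" if random.random() > 0.05 else "500"
    REQUESTS_TOTAL.labels(status=status).inc()

if __name__ == "__main__":
    start_http_server(8000)      # metrics exposed at http://localhost:8000/metrics
    while True:
        handle_request()

A Prometheus server can then scrape this endpoint, and dashboards or alerting rules are built on the resulting time series rather than on application logs.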

By Gilbert Martin
Microsoft Azure DevOps Service
Microsoft Azure DevOps Service

Azure DevOps is one of the earliest Azure cloud services to hit the market. The Azure DevOps services are well suited for more intelligent planning and improved teamwork to achieve quicker delivery. Azure DevOps services may be the best option for those looking to build, test, and deploy using CI/CD. Any of the services can be chosen based on your business needs. Services Offered by Azure DevOps Azure Repos This offers Git repositories or Team Foundation Version Control (TFVC). Azure Pipelines This offers build and release services to support continuous integration and delivery of the application. Azure Boards Using Kanban and Scrum methodologies, Azure Boards offers a set of tools to enable planning and tracking work, code bugs, and issues. Azure Test Plans This offers both manual testing and continuous testing resources for the apps. Azure Artifacts This enables package sharing and the integration of packages from both public and private sources. What Is DevOps? DevOps (development and operations) creates cross-functional teams that are responsible for the upkeep, support, feedback, and automation mechanisms of the systems they build, overcoming the difficulties of siloed development and operations. What Makes Azure DevOps Unique? Azure is a constantly growing collection of cloud services that can assist your company in overcoming its operational issues. Microsoft has released Microsoft Azure DevOps, a rebranded version of Visual Studio Team Services. The company is making this strategic step to establish itself as the industry leader in the DevOps field; it is not just a general rebranding. By covering everything from the source code in GitHub repositories all the way up to the deployment target delivered through virtual machines and containers, it is making every effort to guarantee that developers, operators, and testers have the best experience possible. Microsoft goes beyond Windows and Visual Studio and has already made a statement by allowing anyone to use its public cloud, which has made it very popular with modern open-source developers. It doesn't end there; it has the resources necessary to go up against industry heavyweights like CloudBees and Atlassian. Developing and Deploying Software Applications A complete DevOps toolchain is offered by Azure DevOps for creating and deploying software. As a Software-as-a-Service (SaaS) platform, it adopts a collaborative culture and numerous combined practices for continuous software development. Collaboration, feedback loops, improved development frequency, a decreased failure rate of new releases, shortened lead time between fixes, and continuous improvement are given significant weight. DevOps for Organizations DevOps accomplishes more than merely integrating teams and slimming down processes. The result is a much more natural and user-friendly experience. Any team that chooses to use DevOps methodology, tools, and culture is choosing to operate more effectively by creating better products for increased customer satisfaction. This increased productivity can be attributed to reaching important business objectives like: Shortened time to market for products. Flexibility in response to market conditions and competition. Maintaining the system's dependability and stability. Improved recovery times. Why We Prefer Azure DevOps Azure DevOps is simple to set up and configure and can run many apps, paving the way for a seamless multitasking experience. It is also up and running in a matter of minutes. It can operate on a broad variety of platforms and frameworks.
For programmers already proficient in Java, Node, PHP, .NET, and Python, the switch is natural. You have the freedom to start your own app or even import a new one from Git, thanks to DevOps projects. Instant application analysis is possible by utilizing built-in apps and cloud functionalities through Visual Studio Team Services. Start Your DevOps Journey Start your Microsoft Azure DevOps journey by following the given link. Conclusion The Azure DevOps services are ideal for better teamwork and more thoughtful planning to achieve faster delivery. The ideal choice for those wishing to build, test, and deploy using CI/CD may be Azure DevOps services. You can select any DevOps service based on the requirements of your company.
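As a small illustration of driving Azure Pipelines programmatically, the sketch below queues a build definition through the Azure DevOps REST API using a personal access token. The organization, project, definition ID, and token are placeholders, and the api-version may need adjusting to what your organization supports.

Python
import requests

# Placeholders: substitute your own organization, project, build definition ID, and PAT.
ORGANIZATION = "my-org"
PROJECT = "my-project"
DEFINITION_ID = 42
PAT = "personal-access-token"  # in practice, read this from a secret store or pipeline variable

# Azure DevOps accepts basic auth with an empty username and the PAT as the password.
url = f"https://dev.azure.com/{ORGANIZATION}/{PROJECT}/_apis/build/builds?api-version=6.0"

response = requests.post(
    url,
    json={"definition": {"id": DEFINITION_ID}},
    auth=("", PAT),
    timeout=30,
)
response.raise_for_status()
build = response.json()
print("Queued build:", build.get("buildNumber"), "status:", build.get("status"))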

By Sardar Mudassar Ali Khan
4 Key DevOps Metrics for Improved Efficiency and Performance
4 Key DevOps Metrics for Improved Efficiency and Performance

We’re seeing an increasing number of organizations renew their focus on adopting and improving their DevOps practices to help optimize their software development life cycle and improve their delivery velocity to reach markets and customers faster. Here’s all you need to know about the four key DevOps metrics and how teams can use these metrics to improve dev efficiency and performance to build better and faster products for their customers. What Are DevOps Metrics? DevOps metrics are the data points used to measure the performance and efficiency of a team’s DevOps software development process. Since DevOps integrates the functions of both development and operation, the metrics should be able to measure and optimize the performance of both the processes and people involved. Measuring and gathering insights from DevOps metrics can help managers gather actionable insights into their team’s processes and bottlenecks and take swift remedial actions in case of blockers. Thus, DevOps metrics enable teams in the successful completion of goals. The Four Key DevOps Metrics Google's DevOps Research and Assessment (DORA) team has identified four crucial metrics that can indicate and optimize the health of DevOps performance. The DORA Four Keys project aims at generating valuable data and gathering insights to amplify engineering productivity surrounding DevOps practices. Below are the four core DevOps metrics, known more commonly as DORA metrics: Deployment Frequency: Measures how often a team successfully releases changes to production, indicating the speed with which the team delivers software. Change Lead Time: The time from when the work on a change request begins to when it is put to production and consequently given to the customer is known as Change Lead Time. Teams use lead time to determine the efficiency of the development process. Change Failure Rate: Measures the rate at which production changes cause a failure after release. It is an indicator of the quality of code produced by a team. Mean Time to Restore: Measures how long it takes for an incident or failure to be resolved through a production change. While the measures of Deployment Frequency and Change Lead Time calculate the velocity of a team, the Change Failure Rate and Mean Time to Restore metrics focus on the stability of the software. According to the 2019 Accelerate State of DevOps Report, this format of the DevOps metrics analyzes and categorizes teams into Low, Medium, High, and Elite performers, with the latter being twice as likely to meet or exceed their organizational performance goals. By employing these indicators, organizations can track and improve the teams' performance and effectiveness of the processes. Deployment Frequency The Deployment Frequency of a team directly translates into how fast it is in deploying codes or releases to production. This DevOps metric can vary across teams, features, and organizations. It also depends on the product and the internal deployment criteria. For instance, some applications may commit to only a few big releases a year, whereas others can make numerous small deployments in a single quarter. How Deployment Frequency Impacts Business A higher deployment frequency ratio might indicate that the teams are tracking or improving or rolling out new features to the market faster. A higher deployment frequency also paves the way for a constant feedback loop between the customers and the team that translates to better versions of the product being released to the end user. 
The research by Google on DORA also suggests that proactive teams have higher deployment frequencies, meaning they can deploy on-demand consistently. How to Measure It Tracking the deployment frequency over an extended period of time can help track the change in velocity, trace bottlenecks, and take corrective actions quicker. An effective way to measure Deployment frequency is by gathering data from GitHub, Jira, and others to identify if the codes planned are shipped. Doing this not only allows managers to track the deployment frequency, but also weed out blockers as the regular focus on Deployment Frequency shines a light on the missed deployments and understands the pattern and reason behind the same. Tips to Achieve Higher Deployment Frequency Automate repetitive tasks in the deployment process and set up and configure continuous delivery pipelines Make continuous improvements to the releases to optimize the end result Get constant feedback on improvements only when necessary Be clear on the requirements and expectations, leaving no room for unwanted scope creeps Optimize the cycle times to be more efficient to ensure the deployments occur at the regular intervals Change Lead Time Teams use change lead time (not to be confused with cycle time/lead time) to determine how efficient their development process is. Long lead times might be caused by an inefficient procedure or a bottleneck in the development or deployment pipeline. Teams often aim for shorter lead times, but a higher lead time may not always be a sign of trouble. Some releases can be complex and may require more time to deliver. How Change Lead Time Impacts Business The LTC metric helps track the inefficiencies in the process. One of the primary aims of lead time optimization is to increase deployment through automation, mostly the testing process, to shorten the overall time to deployment. Like deployment frequency, lead time can also vary across teams and products. Hence, organizations should track, set benchmarks, and compare individual team performances over time rather than compare them with other teams. How to Measure It Lead time is calculated by measuring the time between the initial commit and the date the release goes into production. Since lead times consist of multiple stages in the development cycle, teams should calculate the time at every stage of the development process to identify bottlenecks. Keeping track of the cycle time can help understand the different steps in the development process, identify the problematic areas, and perform RCA of the same. Doing this consistently helps uncover bottlenecks and strategize better in any future development cycles. Tips to Optimize Lead Time A crucial factor in arriving at a shorter lead time is improving the collaboration between the testing and development teams to improve quality assurance. This helps the manager to gain a better understanding of the DevOps cycle time. Automated testing can eliminate the duplicate effort and trivial changes that eat up the developer's time. Working in small increments to stay on top of the current module to ensure there are no errors that may require rework in the future. Make the changes to the duplicate version so that the primary code is not compromised. Change Failure Rate Change failure rate measures the percentage of deployments that fail in the production, requiring a bug fix or roll-back. This DevOps metric checks the number of deployments made against the number of failures to decode the efficiency of the DevOps process. 
How Change Failure Rate Impacts the Development Process Change failure rate metrics tracks the time spent on remedying problems instead of developing new projects. This helps managers understand where their teams are spending their efforts and helps to align teams and processes towards spending more time in writing new code rather than dealing with errors and rework. How to Measure It Dividing the number of deployment failures by the total number of deployments gives the CFR. Teams should ensure that changes failures rates are at a minimum. But this also does not mean spending too much time building and testing each module, as it could impact the delivery time. Tips to Optimize Change Failure Change failure does not always indicate that a code is executed poorly. Sometimes, external factors like unclear requirements or minor bugs can cause the program to fail. Ensure the codes are written, reviewed, and tested as per the sprint plan Keeping the sprint velocity and code churn metrics in check can provide insights into the changes made and the reason behind it Mean Time to Recovery (MTTR) MTTR is the measure of the time taken for counter-measures to resolve an issue after deployment. A team’s ability to quickly recover from a failure is dependent on their ability to recognize a failure (MTTD) as soon as it occurs and release a remedy or roll back any changes that caused the failure. This is normally accomplished by continuously monitoring system health and notifying operations personnel whenever a failure occurs. How MTTR Impacts the Development Process MTTR tests the speed at which a team is able to solve bugs or incidents. High-performing teams recover fast from incidents whereas lower-performing teams can take up to a week or longer to recover. Measuring the MTTR is a crucial practice to ensure resiliency and stability. How to Measure It MTTR can be measured by calculating the time between when the incident occurs and when it gets resolved. To resolve incidents, operations teams should be equipped with the right tools, protocols, and permissions. Tips to Optimize MTTR To achieve quick MTTR metrics, deploy software in small increments to reduce risk and deploy automated monitoring solutions to preempt failure. Building more robust systems that are tested before a release Better logging provides the data to diagnose and find the issue faster in case of failure This can be achieved by constantly checking for errors and blockers Strategies to Improve DORA Metrics Focus on the Framework Simply having the DORA metrics in place does not improve the development process. Managers should also draw up strategies on how to leverage and boost the DORA metrics. The best way to do this is to benchmark the team’s current standing and draw a roadmap of the goals and plans for the project. Two main factors to be focused on while defining goals and deadlines are Project Allocation and Project Planning Accuracy. Managers should identify the teams and allocate projects based on the business priority. An optimized project allocation process also helps ensure the engineering teams are working on the right project at any given time and make amendments if needed. Project Planning enables managers to stay on top of the timeline and ensure the target is met sprint on sprint. Measuring this consistently helps identify and tackle blockers that hinder progress. Here, metrics such as cycle time, code churns, and sprint velocity provide the support needed to hit the goal for every sprint and meet the deadlines. 
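To ground the four metrics discussed above, here is a minimal sketch of how they could be computed from a team's own deployment and incident records. The record layout is invented for illustration; in practice the raw numbers would come from your CI/CD tool, issue tracker, or incident management system.

Python
from datetime import datetime, timedelta

# Hypothetical deployment records: (deployed_at, work_started_at, failed)
deployments = [
    (datetime(2023, 1, 2, 10), datetime(2023, 1, 1, 9), False),
    (datetime(2023, 1, 4, 15), datetime(2023, 1, 3, 11), True),
    (datetime(2023, 1, 6, 12), datetime(2023, 1, 5, 16), False),
]
# Hypothetical incident durations (time from failure to restored service).
incident_durations = [timedelta(hours=1, minutes=20)]

period_days = 7

# Deployment Frequency: production deployments per day over the period.
deployment_frequency = len(deployments) / period_days

# Change Lead Time: average time from starting the work to running in production.
lead_times = [deployed - started for deployed, started, _ in deployments]
change_lead_time = sum(lead_times, timedelta()) / len(lead_times)

# Change Failure Rate: failed deployments divided by total deployments.
change_failure_rate = sum(failed for *_, failed in deployments) / len(deployments)

# Mean Time to Restore: average time to recover from production incidents.
mttr = sum(incident_durations, timedelta()) / len(incident_durations)

print(f"Deployment frequency: {deployment_frequency:.2f} per day")
print(f"Change lead time:     {change_lead_time}")
print(f"Change failure rate:  {change_failure_rate:.0%}")
print(f"Mean time to restore: {mttr}")

Tracked sprint over sprint, these four numbers give the velocity and stability picture described above without any special tooling.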
Foster Collaboration Defining goals and aligning the team towards the achievement of the goals can help achieve better outcomes. One effective way to do this is to conduct daily stand-up meetings to bring the team together and make the objectives clear. Stand-up meetings also keep everyone in the information loop of who is working on what, but more importantly, it helps teams identify blockers and plan roadmaps to resolve them. To make stand-up meetings efficient and effective, managers can adopt asynchronous stand-up meetings that not only serve the purpose but also preserves the focus time of the engineers and documents information for future reference. Build Better Workflows Managers should focus on creating data-based workflows. They should have the means to gather various software engineering metrics such as pull request metrics, developer focus time, team cycle time, code churn, and other metrics to devise a data-enriched process that is high on quality and has low chances of failure. A Call for CI/CD Continuous integration and continuous delivery combine the practices of both continuously integrating all written codes in a shared repository, triggering automated testing, and finally providing the means for continuous delivery. CI/CD automates most or all the manual intervention needed to get new code from a commit into production. This includes the stages of building, testing, and deployment. With a CI/CD pipeline in place, developers can rework and make changes to the codes, which are automatically tested and pushed for deployment. This promotes higher development frequency and lead time for changes while also limiting the room for change failures.

By Hamza Ghufran

Top DevOps and CI/CD Experts


Boris Zaikin

Senior Software Cloud Architect,
Nordcloud GmBH

Certified Software and Cloud Architect Expert who is passionate about building solutions and architecture that solve complex problems and bring value to the business. He has solid experience designing and developing complex solutions based on the Azure, Google, and AWS clouds. Boris has expertise in building distributed systems and frameworks based on Kubernetes, Azure Service Fabric, etc. His solutions successfully work in the following domains: Green Energy, Fintech, Aerospace, Mixed Reality. His areas of interest include Enterprise Cloud Solutions, Edge Computing, high-load Web APIs and applications, Multitenant Distributed Systems, and Internet-of-Things Solutions.

Pavan Belagatti

Developer Advocate,
Harness

DevOps influencer, tech storyteller and guest author at various technology publications.

Nicolas Giron

Site Reliability Engineer (SRE),
KumoMind

Information Technology professional with 10+ years of expertise in application development, project management, system administration, and team supervision. Co-founder of KumoMind, a company aiming to share deep expertise in open source technologies and cloud computing.

Alireza Chegini

DevOps Architect / Azure Specialist,
Smartwyre

Alireza is a software engineer with more than 20 years of experience in software development. He started his career as a software developer, and in recent years he transitioned into DevOps practices. Currently, he is helping companies and organizations move away from traditional development workflows and embrace a DevOps culture. Additionally, Alireza coaches organizations, as an Azure specialist, on their migration journey to the public cloud.

The Latest DevOps and CI/CD Topics

Real-Time Stream Processing With Hazelcast and StreamNative
In this article, readers will learn about real-time stream processing with Hazelcast and StreamNative in a shorter time, along with demonstrations and code.
January 27, 2023
by Timothy Spann
· 1,908 Views · 2 Likes
AWS Cloud Migration: Best Practices and Pitfalls to Avoid
This article discusses the best practices and common pitfalls to avoid when migrating to the AWS cloud.
January 27, 2023
by Rahul Nagpure
· 1,765 Views · 1 Like
Fraud Detection With Apache Kafka, KSQL, and Apache Flink
Exploring fraud detection case studies and architectures with Apache Kafka, KSQL, and Apache Flink with examples, guide images, and informative details.
January 26, 2023
by Kai Wähner CORE
· 2,472 Views · 1 Like
Why It Is Important To Have an Ownership as a DevOps Engineer
Having ownership as a DevOps engineer is essential to your job. It allows you to better understand and manage the entire software development and delivery process.
January 26, 2023
by Alireza Chegini CORE
· 1,698 Views · 1 Like
DevOps Roadmap for 2022
[Originally published February 2022] In this post, I will share some notes from my mentoring session that can help you, a DevOps engineer or platform engineer, learn where to focus.
January 26, 2023
by Anjul Sahu
· 17,974 Views · 6 Likes
What Is Policy-as-Code? An Introduction to Open Policy Agent
Learn the benefits of policy as code and start testing your policies for cloud-native environments.
January 26, 2023
by Tiexin Guo
· 3,072 Views · 1 Like
Key Considerations When Implementing Virtual Kubernetes Clusters
In this article, readers will receive key considerations to examine when implementing virtual Kubernetes clusters, along with essential questions and answers.
January 25, 2023
by Hanumantha (Hemanth) Kavuluru
· 3,107 Views · 3 Likes
Choosing the Best Cloud Provider for Hosting DevOps Tools
Discover the best cloud provider for your DevOps tools hosting needs. Also, learn which provider is best suited to help grow your business.
January 25, 2023
by Ryan Kh
· 2,362 Views · 1 Like
How Do the Docker Client and Docker Servers Work?
This article will help you deeply understand how Docker's client-server model works and give you more insights about the Docker system.
January 25, 2023
by Eugenia Kuzmenko
· 3,067 Views · 1 Like
The Future of Cloud Engineering Evolves
A central cloud engineering platform defines consistent workloads, architectures, and best practices.
January 25, 2023
by Tom Smith CORE
· 2,947 Views · 2 Likes
A Brief Overview of the Spring Cloud Framework
Readers will get an overview of the Spring Cloud framework, a list of its main packages, and their relation with the Microservice Architectural patterns.
January 25, 2023
by Mario Casari
· 4,879 Views · 1 Like
Spring Cloud: How To Deal With Microservice Configuration (Part 1)
In this article, we cover how to use a Spring Cloud Configuration module to implement a minimal microservice scenario based on a remote configuration.
January 24, 2023
by Mario Casari
· 3,880 Views · 2 Likes
How To Check Docker Images for Vulnerabilities
Regularly checking for vulnerabilities in your pipeline is very important. One of the steps to execute is to perform a vulnerability scan of your Docker images. In this blog, you will learn how to perform the vulnerability scan, how to fix the vulnerabilities, and how to add it to your Jenkins pipeline. Enjoy!

1. Introduction

In a previous blog from a few years ago, it was described how you could scan your Docker images for vulnerabilities. A follow-up blog showed how to add the scan to a Jenkins pipeline. However, Anchore Engine, which was used in the previous blogs, is not supported anymore. An alternative solution is available with grype, which is also provided by Anchore. In this blog, you will take a closer look at grype, how it works, how you can fix the issues, and how you can add it to your Jenkins pipeline.

But first of all, why check for vulnerabilities? You have to stay up-to-date with the latest security fixes nowadays. Many security vulnerabilities are publicly available and therefore can be exploited quite easily. It is therefore a must-have to fix security vulnerabilities as fast as possible in order to minimize your attack surface. But how do you keep up with this? You are mainly focused on business and do not want to have a full-time job fixing security vulnerabilities. That is why it is important to scan your application and your Docker images automatically.

Grype can help with scanning your Docker images. Grype will check operating system vulnerabilities but also language-specific packages such as Java JAR files for vulnerabilities and will report them. This way, you have a great tool that will automate the security checks for you. Do note that grype is not limited to scanning Docker images. It can also scan files and directories and can therefore be used for scanning your sources.

In this blog, you will create a vulnerable Docker image containing a Spring Boot application. You will install and use grype in order to scan the image and fix the vulnerabilities. In the end, you will learn how to add the scan to your Jenkins pipeline. The sources used in this blog can be found on GitHub.

2. Prerequisites

The prerequisites needed for this blog are:

Basic Linux knowledge
Basic Docker knowledge
Basic Java and Spring Boot knowledge

3. Vulnerable Application

Navigate to Spring Initializr and choose a Maven build, Java 17, Spring Boot 2.7.6, and the Spring Web dependency. This will not be a very vulnerable application because Spring already ensures that you use the latest Spring Boot version. Therefore, change the Spring Boot version to 2.7.0.

The Spring Boot application can be built with the following command, which will create the jar file for you:

Shell
$ mvn clean verify

You are going to scan a Docker image, therefore a Dockerfile needs to be created. You will use a very basic Dockerfile which just contains the minimum instructions needed to create the image. If you want to create production-ready Docker images, do read the posts Docker Best Practices and Spring Boot Docker Best Practices.

Dockerfile
FROM eclipse-temurin:17.0.1_12-jre-alpine
WORKDIR /opt/app
ARG JAR_FILE
COPY target/${JAR_FILE} app.jar
ENTRYPOINT ["java", "-jar", "app.jar"]

At the time of writing, the latest eclipse-temurin base image for Java 17 is version 17.0.5_8. Again, use an older one in order to make it vulnerable.

For building the Docker image, a fork of the dockerfile-maven-plugin of Spotify will be used. The following snippet is therefore added to the pom file.
XML
<plugin>
    <groupId>com.xenoamess.docker</groupId>
    <artifactId>dockerfile-maven-plugin</artifactId>
    <version>1.4.25</version>
    <configuration>
        <repository>mydeveloperplanet/mygrypeplanet</repository>
        <tag>${project.version}</tag>
        <buildArgs>
            <JAR_FILE>${project.build.finalName}.jar</JAR_FILE>
        </buildArgs>
    </configuration>
</plugin>

The advantage of using this plugin is that you can easily reuse the configuration. Creating the Docker image can be done by a single Maven command. Building the Docker image can be done by invoking the following command:

Shell
$ mvn dockerfile:build

You are now all set up to get started with grype.

4. Installation

Installation of grype can be done by executing the following script:

Shell
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Verify the installation by executing the following command:

Shell
$ grype version
Application: grype
Version: 0.54.0
Syft Version: v0.63.0
BuildDate: 2022-12-13T15:02:51Z
GitCommit: 93499eec7e3ce2704755e9f51457181b06b519c5
GitDescription: v0.54.0
Platform: linux/amd64
GoVersion: go1.18.8
Compiler: gc
Supported DB Schema: 5

5. Scan Image

Scanning the Docker image is done by calling grype followed by docker:, indicating that you want to scan an image from the Docker daemon, the image, and the tag:

Shell
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT
Application: grype
Version: 0.54.0
Syft Version: v0.63.0
Vulnerability DB [updated]
Loaded image
Parsed image
Cataloged packages [50 packages]
Scanned image [42 vulnerabilities]
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
busybox 1.34.1-r3 1.34.1-r5 apk CVE-2022-28391 High
jackson-databind 2.13.3 java-archive CVE-2022-42003 High
jackson-databind 2.13.3 java-archive CVE-2022-42004 High
jackson-databind 2.13.3 2.13.4 java-archive GHSA-rgv9-q543-rqg4 High
jackson-databind 2.13.3 2.13.4.1 java-archive GHSA-jjjh-jjxp-wpff High
java 17.0.1+12 binary CVE-2022-21248 Low
java 17.0.1+12 binary CVE-2022-21277 Medium
java 17.0.1+12 binary CVE-2022-21282 Medium
java 17.0.1+12 binary CVE-2022-21283 Medium
java 17.0.1+12 binary CVE-2022-21291 Medium
java 17.0.1+12 binary CVE-2022-21293 Medium
java 17.0.1+12 binary CVE-2022-21294 Medium
java 17.0.1+12 binary CVE-2022-21296 Medium
java 17.0.1+12 binary CVE-2022-21299 Medium
java 17.0.1+12 binary CVE-2022-21305 Medium
java 17.0.1+12 binary CVE-2022-21340 Medium
java 17.0.1+12 binary CVE-2022-21341 Medium
java 17.0.1+12 binary CVE-2022-21360 Medium
java 17.0.1+12 binary CVE-2022-21365 Medium
java 17.0.1+12 binary CVE-2022-21366 Medium
libcrypto1.1 1.1.1l-r7 apk CVE-2021-4160 Medium
libcrypto1.1 1.1.1l-r7 1.1.1n-r0 apk CVE-2022-0778 High
libcrypto1.1 1.1.1l-r7 1.1.1q-r0 apk CVE-2022-2097 Medium
libretls 3.3.4-r2 3.3.4-r3 apk CVE-2022-0778 High
libssl1.1 1.1.1l-r7 apk CVE-2021-4160 Medium
libssl1.1 1.1.1l-r7 1.1.1n-r0 apk CVE-2022-0778 High
libssl1.1 1.1.1l-r7 1.1.1q-r0 apk CVE-2022-2097 Medium
snakeyaml 1.30 java-archive GHSA-mjmj-j48q-9wg2 High
snakeyaml 1.30 1.31 java-archive GHSA-3mc7-4q67-w48m High
snakeyaml 1.30 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium
snakeyaml 1.30 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium
snakeyaml 1.30 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium
snakeyaml 1.30 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium
snakeyaml 1.30 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium
spring-core 5.3.20 java-archive CVE-2016-1000027 Critical
ssl_client 1.34.1-r3 1.34.1-r5 apk CVE-2022-28391 High
zlib 1.2.11-r3 1.2.12-r0 apk CVE-2018-25032 High
zlib 1.2.11-r3 1.2.12-r2 apk CVE-2022-37434 Critical

What does this output tell you?
NAME: The name of the vulnerable package
INSTALLED: Which version is installed
FIXED-IN: In which version the vulnerability is fixed
TYPE: The type of dependency, e.g., binary for the JDK, etc.
VULNERABILITY: The identifier of the vulnerability; with this identifier, you are able to get more information about the vulnerability in the CVE database
SEVERITY: Speaks for itself and can be negligible, low, medium, high, or critical

As you take a closer look at the output, you will notice that not every vulnerability has a confirmed fix. So what do you do in that case? Grype provides an option in order to show only the vulnerabilities with a confirmed fix. Adding the --only-fixed flag will do the trick.

Shell
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT --only-fixed
Vulnerability DB [no update available]
Loaded image
Parsed image
Cataloged packages [50 packages]
Scanned image [42 vulnerabilities]
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
busybox 1.34.1-r3 1.34.1-r5 apk CVE-2022-28391 High
jackson-databind 2.13.3 2.13.4 java-archive GHSA-rgv9-q543-rqg4 High
jackson-databind 2.13.3 2.13.4.1 java-archive GHSA-jjjh-jjxp-wpff High
libcrypto1.1 1.1.1l-r7 1.1.1n-r0 apk CVE-2022-0778 High
libcrypto1.1 1.1.1l-r7 1.1.1q-r0 apk CVE-2022-2097 Medium
libretls 3.3.4-r2 3.3.4-r3 apk CVE-2022-0778 High
libssl1.1 1.1.1l-r7 1.1.1n-r0 apk CVE-2022-0778 High
libssl1.1 1.1.1l-r7 1.1.1q-r0 apk CVE-2022-2097 Medium
snakeyaml 1.30 1.31 java-archive GHSA-3mc7-4q67-w48m High
snakeyaml 1.30 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium
snakeyaml 1.30 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium
snakeyaml 1.30 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium
snakeyaml 1.30 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium
snakeyaml 1.30 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium
ssl_client 1.34.1-r3 1.34.1-r5 apk CVE-2022-28391 High
zlib 1.2.11-r3 1.2.12-r0 apk CVE-2018-25032 High
zlib 1.2.11-r3 1.2.12-r2 apk CVE-2022-37434 Critical

Note that the vulnerabilities for the Java JDK have disappeared, although there exists a more recent update for the Java 17 JDK. However, this might not be a big issue, because the other (non-java-archive) vulnerabilities show you that the base image is outdated.

6. Fix Vulnerabilities

Fixing the vulnerabilities is quite easy in this case. First of all, you need to update the Docker base image. Change the first line in the Dockerfile:

Dockerfile
FROM eclipse-temurin:17.0.1_12-jre-alpine

into:

Dockerfile
FROM eclipse-temurin:17.0.5_8-jre-alpine

Build the image and run the scan again:

Shell
$ mvn dockerfile:build
...
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT --only-fixed
Vulnerability DB [no update available]
Loaded image
Parsed image
Cataloged packages [62 packages]
Scanned image [14 vulnerabilities]
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
jackson-databind 2.13.3 2.13.4 java-archive GHSA-rgv9-q543-rqg4 High
jackson-databind 2.13.3 2.13.4.1 java-archive GHSA-jjjh-jjxp-wpff High
snakeyaml 1.30 1.31 java-archive GHSA-3mc7-4q67-w48m High
snakeyaml 1.30 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium
snakeyaml 1.30 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium
snakeyaml 1.30 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium
snakeyaml 1.30 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium
snakeyaml 1.30 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium

As you can see in the output, only the java-archive vulnerabilities are still present. The other vulnerabilities have been solved. Next, fix the Spring Boot dependency vulnerability.
Change the version of Spring Boot from 2.7.0 to 2.7.6 in the POM.

XML
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.6</version>
</parent>

Build the JAR file, build the Docker image, and run the scan again:

Shell
$ mvn clean verify
...
$ mvn dockerfile:build
...
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT --only-fixed
Vulnerability DB [no update available]
Loaded image
Parsed image
Cataloged packages [62 packages]
Scanned image [10 vulnerabilities]
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
snakeyaml 1.30 1.31 java-archive GHSA-3mc7-4q67-w48m High
snakeyaml 1.30 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium
snakeyaml 1.30 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium
snakeyaml 1.30 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium
snakeyaml 1.30 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium
snakeyaml 1.30 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium

So, you got rid of the jackson-databind vulnerability, but not of the snakeyaml vulnerability. So, in which dependency is snakeyaml 1.30 being used? You can find out by means of the dependency:tree Maven command. For brevity purposes, only a part of the output is shown here:

Shell
$ mvnd dependency:tree
...
com.mydeveloperplanet:mygrypeplanet:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.6:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.6:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.6:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.6:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.6:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
...

The output shows us that the dependency is part of the spring-boot-starter-web dependency. So, how do you solve this? Strictly speaking, Spring has to solve it. But if you do not want to wait for a solution, you can solve it by yourself.

Solution 1: You do not need the dependency. This is the easiest fix and is low risk. Just exclude the dependency from the spring-boot-starter-web dependency in the pom.

XML
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Build the JAR file, build the Docker image, and run the scan again:

Shell
$ mvn clean verify
...
$ mvn dockerfile:build
...
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT --only-fixed
Vulnerability DB [no update available]
Loaded image
Parsed image
Cataloged packages [61 packages]
Scanned image [3 vulnerabilities]
No vulnerabilities found

No vulnerabilities are found anymore.

Solution 2: You do need the dependency. You can replace this transitive dependency by means of dependencyManagement in the pom. This is a bit more tricky because the updated transitive dependency is not tested with the spring-boot-starter-web dependency. It is a trade-off whether you want to do this or not. Add the following section to the pom:

XML
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>1.32</version>
        </dependency>
    </dependencies>
</dependencyManagement>

Build the jar file, build the Docker image, and run the scan again:

Shell
$ mvn clean verify
...
$ mvn dockerfile:build
...
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT --only-fixed
Vulnerability DB [no update available]
Loaded image
Parsed image
Cataloged packages [62 packages]
Scanned image [3 vulnerabilities]
No vulnerabilities found

Again, no vulnerabilities are present anymore.

Solution 3: This is the solution when you do not want to change anything, or when the finding is a false positive. Create a .grype.yaml file in which you exclude the vulnerability with High severity and execute the scan with the --config flag followed by the .grype.yaml file containing the exclusions. The .grype.yaml file looks as follows:

YAML
ignore:
  - vulnerability: GHSA-3mc7-4q67-w48m

Run the scan again:

Shell
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT --only-fixed
Vulnerability DB [no update available]
Loaded image
Parsed image
Cataloged packages [62 packages]
Scanned image [10 vulnerabilities]
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
snakeyaml 1.30 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium
snakeyaml 1.30 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium
snakeyaml 1.30 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium
snakeyaml 1.30 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium
snakeyaml 1.30 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium

The High vulnerability is not shown anymore.

7. Continuous Integration

Now you know how to manually scan your Docker images. However, you probably want to scan the images as part of your continuous integration pipeline. In this section, a solution is provided when using Jenkins as a CI platform.

The first question to answer is how you will be notified when vulnerabilities are found. Up until now, you only noticed the vulnerabilities by looking at the standard output. This is not a solution for a CI pipeline. You want to get notified, and this can be done by failing the build. Grype has the --fail-on flag for this purpose. You probably do not want to fail the pipeline when a vulnerability with severity negligible has been found. Let's see what happens when you execute this manually. First of all, introduce the vulnerabilities again in the Spring Boot application and in the Docker image. Build the JAR file, build the Docker image, and run the scan with the --fail-on flag:

Shell
$ mvn clean verify
...
$ mvn dockerfile:build
...
$ grype docker:mydeveloperplanet/mygrypeplanet:0.0.1-SNAPSHOT --only-fixed --fail-on high
...
1 error occurred:
* discovered vulnerabilities at or above the severity threshold

Not all output has been shown here, but only the important part. As you can see, at the end of the output, a message is shown that the scan has generated an error. This will cause your Jenkins pipeline to fail and, as a consequence, the developers are notified that something went wrong.

In order to add this to your Jenkins pipeline, several options exist. Here it is chosen to create the Docker image and execute the grype Docker scan from within Maven. There is no separate Maven plugin for grype, but you can use the exec-maven-plugin for this purpose. Add the following to the build-plugins section of the POM.

XML
<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>exec-maven-plugin</artifactId>
    <version>3.1.0</version>
    <configuration>
        <executable>grype</executable>
        <arguments>
            <argument>docker:mydeveloperplanet/mygrypeplanet:${project.version}</argument>
            <argument>--scope</argument>
            <argument>all-layers</argument>
            <argument>--fail-on</argument>
            <argument>high</argument>
            <argument>--only-fixed</argument>
            <argument>-q</argument>
        </arguments>
    </configuration>
</plugin>

Two extra flags are added here:

--scope all-layers: This will scan all layers involved in the Docker image.
-q: This will use quiet logging and will show only the vulnerabilities and possible failures.
You can invoke this with the following command:

Shell
$ mvnd exec:exec

You can add this to your Jenkinsfile inside the withMaven wrapper:

Plain Text
withMaven() {
    sh 'mvn dockerfile:build dockerfile:push exec:exec'
}

8. Conclusion

In this blog, you learned how to scan your Docker images by means of grype. Grype has some interesting, user-friendly features which allow you to efficiently add it to your Jenkins pipeline. Also, installing grype is quite easy. Grype is definitely a great improvement over Anchore Engine.
January 24, 2023
by Gunter Rotsaert CORE
· 3,251 Views · 2 Likes
How Observability Is Redefining Developer Roles
This article will explore observability and inform readers about the evolution of developer roles and how developers can stay ahead of the observability game.
January 24, 2023
by Hiren Dhaduk
· 3,564 Views · 1 Like
Distributed Stateful Edge Platforms
As companies move compute and apps closer to where data is produced, they need to make their platforms easier and more cost-efficient to manage.
January 24, 2023
by Tom Smith CORE
· 3,027 Views · 1 Like
AIOps Being Powered by Robotic Data Automation
Data is the cornerstone of business conversions and bots are accelerating the transformation.
January 24, 2023
by Tom Smith CORE
· 2,747 Views · 1 Like
How To Use Terraform to Provision an AWS EC2 Instance
Unleash the power of Terraform and AWS EC2. Learn how to provision AWS EC2 instances using Infrastructure as Code with Terraform.
January 24, 2023
by Saurabh Dashora CORE
· 2,399 Views · 3 Likes
Using QuestDB to Collect Infrastructure Metrics
In this article, readers will learn how QuestDB uses its own database to power the monitoring system of QuestDB Cloud with guide code and helpful visuals.
January 24, 2023
by Steve Sklar
· 2,740 Views · 2 Likes
Microservices Discovery With Eureka
In this article, let's explore how to integrate service discovery into a microservices project.
January 22, 2023
by Jennifer Reif CORE
· 4,534 Views · 6 Likes
Differences Between Site Reliability Engineer vs. Software Engineer vs. Cloud Engineer vs. DevOps Engineer
The article compares how the roles of software engineers, DevOps engineers, site reliability engineers, and cloud engineers are different from each other.
January 20, 2023
by Vishal Padghan
· 3,947 Views · 4 Likes