DevOps Topeaks

#32 - Your first day as a DevOps engineer

September 29, 2023 Omer & Meir Season 1 Episode 32
DevOps Topeaks
#32 - Your first day as a DevOps engineer
Show Notes Transcript Chapter Markers

This weeks we discussed how to approach a new position / consultation gig. What do you tackle first? How do you map things out?
This is based both on our experience (naturally), with the important aspect of us being consultants for quite a few years before moving into fulltime positions on larger companies.


Leadership Lessons From The Great Books
Because understanding great literature is better than trying to read and understand...

Listen on: Apple Podcasts   Spotify

Meir's blog:
Omer's blog:
Telegram channel:

Yes, yes, I am ready and action action action yeah, oh, there's office He's back. So hello everyone and welcome to DevOps topics We've lost count and less on the nose which episode we are wow I think it's the first time I don't remember we'll put 28 27 25 something 30 maybe 30 maybe 30 but we'll know when we finish the episode. We'll know that the one thing I know for sure that it's been it's been a minute I think we took like a three four weeks because of holidays Maybe COVID we don't know Stop happened. It's it's been a month something like that. Yeah, I think But we're back today. Oh, no. We are going to talk How to get into a new job as a DevOps engineer? This is today's topic. What do you do? What do you do when you get to a new job as a DevOps engineer? How do you get into that? What do you? Research for what you ask for and I wanted I wanted to ask to talk about what do you do on your first day? But knowing startups today your first day is probably full of balloons and chocolates and here's your new screen And there's your new iPhone cable and whatever whatever you're given on your first name in co-operates. What do you do? You're a lunch card. No, I think you do a lot of videos. Well, you need to sell Yeah, the regulations stuff. Yeah, regulation stuff. Yeah, you should not sexual harassment Yeah, you should not sexual harass anyone in the office thing. Yeah, don't eat in the toilets Maybe there's a world against that. I don't know. Maybe you can eat it the toilets. Maybe you can Okay, I'm also ready for the first question after a very long time. Yes Let's go. Okay, so what's the first thing in the terms up to your mind when I tell you. Oh, no You get a new job on your project. What do you do? Okay You and I would we're both consultants for quite a while. So I think we have a protocol in mind Which is why I think we can give somewhat of a more I don't I don't want to sound like you know Especially snowflake because I'm not but I think our edge here is to provide the protocol of what do you do on your first day on the job Because as consultants our first day on the job was literally this. We had none of this Regulative stuff. We're not really accepted to a new company You're just you're the first day as a consultant. You were hired to do a job Your job is do sometimes it's configured. I mean you have a scope You know what you're going to do sometimes it's your job is to DevOps our stuff which basically means everything and nothing at the same time So I remember this and I think we talked about it multiple times to remember what was what was the first Questions you ask let's say it's a client. It's not a first job although it is. What's the first question? You ask a client To understand what their needs are Do you remember ask for what's your pain? Exactly. That's it. What's your biggest pain? So you start from there and I think that has Two major values first of all you go for what we call the low-hanging fruits That's the first and the other one you're new to the job. Nobody knows you you want to gain trust You want to gain even if you're a senior and you have a huge record On your LinkedIn and multiple companies and you've been speaking on worldwide events. I don't know what you did Nobody knows you at the moment. Most of them don't know you you need to gain the trust for you to be able to then Proceed to more interesting stuff. So yes, what are your biggest pains? Pick the low-hanging fruits and this can be maybe the pain is something like we pay too much on our cloud bill Maybe the pain is we deploy from our machines Maybe the pain can be we do have everything working like See I pipeline and everything's in place, but it's so slow. We cannot be the pain can be we have only one production Environment and that's it we deploy to production immediately totally totally everything. I mean something breaks We don't know if it breaks until it's in production. Yeah, that the casual scenario And one important additional thing. I have to say about it is sometimes they won't actually know what their biggest pain is I mean you can ask the questions and if they have to think too much that means that they don't have they don't have something off the top of the mind Surely they have pains. Maybe they're not aware of them for example All of their secrets are committed into one get repository that is then being cloned into the application They don't even know it's a pain until it will be right because then it gets fixed somewhere or they have to pass some kind of certificate What I'm saying is if you don't have an immediate answer you may have to find it yourself It's not a good enough answer does that make sense to begin with? It's a lot of things that comes up to your mind when I tell you like hey, oh man You got a new job or a project, but yeah, I think it's okay. I think so so I want to move on okay So let's focus on the stuff that you said you said Let's catch the low-hanging fruits So what would you consider as a low-hanging fruit when you don't really know the organization? So I'm new I have no idea. I like I know what the organization does I know what the product does. I know but and they have maybe an AWS account okay to make our life easier so there is an AWS account and Now how do you figure out which are like what are the low-hanging fruits? Okay, I'm going to say something pretty obvious which is going to happen to anyone But I'm going to take someone be that the VPR and D or your team leader if you have one if there's if you're just What a jar teams like to call a one-man show when you're just starting the thing You'd have to realize things and find figure them out on your own But if you have someone to show you around because there are limited stuff that are already deployed Maybe the city. Oh, maybe the first engineer hired take them and have them Please sit with me and show me around around everything infrastructure It doesn't have to be infrastructure as code Maybe you're so early to the game that there's nothing there, but there is some kind of infrastructure I'm assuming there's maybe a Python process running in a server somewhere in their machine in the cloud Whatever just show me around show me everything you've got the GitHub repository is the way you deploy the way you upload new versions What's the infrastructure like is there some kind of a security perimeter that you're in charge of or anything You know any actions you need to secure stuff. That's it, etc And then then they'll just start speaking. I feel like it's you know It reminds me like a TV shows where you were you interrogate someone like a criminal or a suspect And you interrogate them just tell me what happened Okay, then you what happened and then on your own you take notes and you start figuring out I'm sure that just by that you'll have like two empty different ideas of what you can do You'll see especially if you have a little bit of experience in the field. You'll see okay That shouldn't happen like that I mean it tells you okay. I'm a messaging into servers to upload new New versions. There's no production. There's just one server. I'm just keep doing that I'm doing that through my computer. There's nothing in the cloud except for that server It's deployed publicly the secrets are already there as an environment verbal I mean you'll see so many wrong. I'm saying wrong with Eric was because it's not kind of their job to do But you'll see a lot of stuff that needs improvement and then you need from that to filter What are the biggest pains or the low-hanging fruits? For example a low-hanging food can be The running a huge server for just one process that is not even it is a production service But it's not really serving clients yet because again, it's a small startup. You're so early to the game It's not doing anything right? Just tell the other story you can Find yourself coming into maybe on your own or into a team of people that are already working there for a year And it's a grown company and they do have clients and customers, but you'll find something like Again instances that are way too big for what they're doing because There's a sentence in Hebrew. I'll try to translate it so that it makes sense But if you're I think you know the sentence that I'm trying to translate But if you're a visitor in some place, it's easier for you to see the the pains Right if you're just a visitor as opposed to someone who's been there for a long while like a year or two or three It's easier for you to spot the problematic areas Because you're just seeing that Tabula rasa right your mind is clean you don't have any Prejudgments or anything that you're coming with there's no context I'm just seeing things at the way they are and so it's easier for you to judge and understand So that's I think where you start you have someone work you through you find the biggest pains now I do have a scenario in mind So I can share it with you and then we can talk about what What you'll be doing if you you heard about that do you want to go there? So the summary just the summary for the low-hanging fruits I think I can just say just ask Well, it's also like thought the best ask is if it be R&D the developer steamy deals just ask the pains and then you'll get your low-hanging plants I have a political tip for you also there's a I think it's more of an enterprise world Terminology, but you know the term stakeholders. You have a stakeholders, right? If you're a consultant, it's pretty obvious who they are because they brought you into the company if you've been hired That could be your Manager your manager doesn't have to be your team leader again It can be a city or or maybe a CEO because it's just a founder that hired you The first engineer whoever you need to understand who's the stakeholder and then what interests them because you can find Many many pains to many different people right the developer's pain is how long it takes to deploy to production The city owes pain is how large the cloud bill is the VPR in these pain is and I'm getting into a little bit into the salesmine but the VPR in these What he's thriving is to be good at his job and please whoever above them and then from there You derive what's important to him. So maybe he's his actual First priority in line would be to please the city. Oh and then to cut off cloud bill You know what I'm trying to say so yeah, make sense be political about it Understand the pains and I'm just speaking about the first day on the job here You need to gain trust pick the easy stuff that have the biggest twins if you go to Poreto The 20% tasks that will have the 80% impact. That's what we're looking for So also quick wins, you know when you get started just how get the first quick wins easy wins So you gain trust and exactly exactly. Yes. I also like to add that I like to think of it that when I'm in new in an organization or in a new place So I don't know if you'll remember this show But I like to think of myself as like I are baboon, you know, so before I become I am weasel You know, so first I are baboon so big to become a weasel I love to map everything. So when I come to a new place usually what I do is ask like I want to pinpoint like how to ask the questions So usually I think of the of the DevOps You know concepts and how to apply them to my questions So I ask okay, how do the developers develop their stuff? So then they tell me we use VIM visual studio code on their machines blah blah blah all right How do you build the code then they tell me native beyond the machine or with Docker? All right, how do you push it to the you know, which Registry do you use to store how what's your autifactory? How did you build your infrastructure? So what I'm what I'm saying here is I'm trying to map it from code To client, you know from the code to the client and I try to understand the whole chain in that Process so as a human I think it's easier for us for at least for me, you know as a baboon, okay? I like to understand processes So when I come I ask okay, what's your process for development? What's your process for deployment? What's your process for CI CD like how do you build test and deploy? What's your disaster recovery plan? So I and when you map it suddenly realize all of the missing Places like the dark places So then you start digging, but I also give you a tip about it, okay? But the dark places as You said oh, man Politically you don't always want to go to the dark places, okay? So make sure when you step into dark places You don't step into those. Yeah, you don't step or anyone still especially the CTO vpl in the old whoever hired you as you said Because sometimes something that can be maybe unless it's security breach or I don't know You shouldn't like pick on everything. So make sure you don't discover things that should be kept maybe a bit quietly and Only maybe if you discover them and you see that there's a slightest resistance don't push too hard don't push Slowly don't push we only push with heat don't push people push it Okay, I a small feedback what you said now is That's the golden essence of what you should do in in my eyes. I mean you brought so many things to my mind now totally So maybe scratch everything I said listen What mayor said and make a list not your shining people should see the video your shining right now your glittering Yeah, you flicked a switch in my brain. I think okay, so come with a list. That's the first of topics that you think It doesn't have to be very specific stuff I mean you said very high-level things what's your CI CD process like do you have a disaster recovery plan? What's your cloud costs like let's look at the whatever the build the environments the CI process the pipelines whatever Walk it through take notes over everything it'll take a couple of days, but take notes and It'll come from there I mean I don't have to keep talking for you to understand that as you take notes You'll see things that you want to fix, but from there you'll be able to derive the fixes or the low-hanging fruits or the stuff that you want to fix That's the next day You want to move on to a really? Yeah, you said you have a scenario real-life scenario moving on. Yeah, so I kind of I kind of had it and Recently I've seen something similar from a friend So I'm going to just put it out there and as is and let you play the role of this new engineers We're talking about and telling me what you're going to do. So I'm the developer I'm playing the part of the developer. You're now meeting me. Let's take a scenario where there are a founders of a small startup I'm the first engineer and the only You're now to help me you're brought into help me with both infrastructure and security sounds familiar, right? You have too many hats when you come into a small startup This is a scenario I've built an algorithm right you don't care what it is. It's a good. Let's see you. Yeah, I built an algorithm The only language that I know and I'm a senior engineer. I've been working in the industry for years I have nothing to do with operations. Nothing to do with ops. I know how to work with AWS I can set up a database in a server if I know it that's pretty much it from there on I say into places and just do stuff on the server. So I write in Java. I wrote a process at the end of the day I have a jar and that jar is uploaded into a production system. I don't have any customers reaching out It's an algorithm that does stuff with APIs of What was it? It was trading APIs, right? Okay, stock trading APIs and this algorithm is basically a bot that's trying to trade It's uploaded in production into production every time there's a new version the way I do that is I SSH into an instance I just clicked on I went to EC2 a new instance set up that a la la Exactly. There is kind of pointing with a gun to his brain I set up everything with the defaults. I SSH into it. I upload a new version. That's it. Okay, that's the essence of it That's what I do day to day now the context We talked about how this is an algorithm that is building a bot that trade stocks It's not actually using real money at the moment. We're just We're testing the waters. We want to see what happens. That's the context for that now My vprnd I have someone above me the founder of the company He's really anxious about security and not security The security prism that he's looking through is his algorithm It's very important them that this is kept safe. This is the IP of the company That's what we're building if that is IP. Oh, no, it's nothing. It's also an internal protocol Ah It would be the intellectual property of the company. Oh, all right So as a company what we normally want to protect other than customers data is the intellectual property because we were building something If that something can be easily Mimicked or copied let alone. It's linked to somewhere in someone else can run it on their own systems and provide that as a service We're basically dead unless we can sue them and make money off of that. I'm not a legal person. So sorry So we want to protect our IP if our IP is the algorithm and if the algorithm is this one Java process? That's it in one instance pretty easy right if you gain access to that instance or you can Understand what it's doing by reverse engineering it because you have some type of access We missed the point That's the context. That's the basics. What do you do? Do you ask me if you want to know anything? Let me know I'll answer your questions if you don't what's the first thing you're going to do First like as we said in the beginning I'll ask you okay. I'm glad that I'm here. Thank you for bringing me What's your biggest pain? All right, so first what you said you SSH to a machine I can just assume you hate your deployment part But what's what's your biggest pain to be honest? No, I don't have my deployment. It's very easy to me That's all I know I'm accessing honestly. I'm totally serious now. I'm SSH into it It takes one second no VPN no nothing. There's no pain in the process, right? Just SSH into the instance. I take my Localable jar. I throw it there. I don't wait for a CI pipeline When I worked in an enterprise There was this CI pipeline it took like 45 minutes and tests and whatever in the process There's none of that. I just SSH in I it's not drag and drop because it's SSH I scp I literally scp which stands for secure, right? So I'm secured I take this jar file. I put it on the instance. I You know restart the process. That's it. I have so many questions. So I'll buy the wedding First yeah, go ahead I want to read the logs. That's mainly why SSH the logs are already there. I pick them up. It's not good go ahead Okay, okay, so the application itself do does it only access the internet and does stuff? Or do you also expect end customers to access your internet like is it supposed to be exposed to the public? Or is it only a back-end server that accesses the internet? It's a back-end server that accesses Stock trading API markets No customers are expected. No. Nobody's going to access the word the face How do you know what the bot does? Do you only see the logs and that's it? Yeah, I mean at the end of the day. I'm going to see my profits in the markets. Um Yeah, basically that it that's it and oh yeah, I forgot the measure I do have a database so when I you know when I have profits and stuff like that I update it into the database and obviously I'm signed into multiple You know stock trading marketplaces so I can log into there and see my profits or losses Okay, so so let's start from the beginning you said you SSH. How do you secure you make sure that you securely connect to the instance So let's say you have an easy to instance you said. Yep. Okay, so if your seller is accessing the internet and I assume that you You said you I you know how to use AWS, but you don't sound like a DevOps engineer So I assume your instance is in a public subnet, which means it is routed to through the internet gateway So it means you have a public IP to your easy to instance. Yeah, and How do you make sure that only your IP or maybe the other employees I think the company have access to the instance? How do you protect it from the world? How do you make sure that only you can deploy to their all SSH to them? I mean it's only me logging into there because I'm the only engineer other people are not technical and I have an SSH key shouldn't that be enough? Yes, there's a public IP, but I'm the only one with the key So I'm the only one that can literally authenticate with the instance got it But my friend Omar told me about the 12 a factor thingy Where you gotta have a lot of layers of protection because you never know when your key is going to get leaked for some reason You will commit it to your I don't know get repository or Maybe someone hacks your computer and can have access from somewhere around the world I don't know so it's best also to protect the EC2 machine To restrict it to specific IP addresses like known IP addresses. Okay, I can do that. I know how to do that. How do you do it? With a security group, right? You can you can add the rules and kind of Okay, and what happens now? Okay, so that sounds good for you But now I also want to see the logs and get into business. How can I do that? You mean you want someone else? Oh, yeah, you can take my key if you want or I'm pretty sure that you can I can add your key to the instance you can bring your own public in and add it and then you can SSH Right, and then if our IP addresses change we always have to update the security group with our new IPs You say yeah, yeah, I think I think there's a script for that. But basically, yes, you're right. Yeah Okay, so I can tag along and like really join your You're creating craziness if you want or do you want to start say like talking about? Okay, so what about Managing versions of the applications because right now it sounds that you manage it like directly on your production Cellver and if something goes wrong and you want to roll back to a previous version You'll have to do the whole thing manually and no one knows but you so everything is very centralized instead of having I mean I I run the development process locally. There's no one else running There's no no one else working on the same code base So I run it even if there are no exceptions I just upload but we hope we'll have more developers and more people touching the code So if we did if we record one more person then the whole process is bad So we need to know how the process can scale with more people. Yeah, you're right. I agree by the way I heard about DevOps topics whether they had like sc auto scaling Episode about how to auto scale a team. That's also what's what's DevOps topics? So yeah, that's also a thing. Okay, so on Instead of getting into we can get a lot of technical stuff over here I want you to tell me like the things that up so now you moved you moved away from the You know cool algorithm developer thingy And I want you to share with me like what's on your mind like where do you want to dig because I can like have a full on talk with you for Hours about the infrastructure how to migrate from the ec2 to pull me in terraform or cloud formation or whatever And we can have a long session of it about it before I'm going there Don't you think how crazy it is that I can say a sentence like hi? I'm a developer I have a jar on an public ec2 and just from these three words We can start an hour conversation on what's going wrong with your environment, right? Yes, I have a jar on a public ec2. That's it. That's all I have Yeah, and then you can just ask okay, so what else what happens if you want to add another application For if you want to have another so so you're not isolated What happens if the process dies? What happens then simplest thing there's an exception and the but I mean the usual answer is I don't know. I ran it locally. There wasn't an exception Yeah, but what happens if there is an exception you probably did not debug everything to every point in every you know Edge case that there may rise in the future So what happens then and then the answers is it probably won't happen But what if it will and if the process dies, you know that as a DevOps engineer I don't know I'm sure you all are well of it, but we also got to have this soft skills of being Being able to provide services without getting mad or laugh or you know It's like serviceability, you know Do you know to know how to to Offer our DevOps services without making the other side feeling ridiculous because usually when I understand what they're doing They're like, oh my god. We're doing ridiculous stuff. So you need to make sure like no, no, you're okay We can just make it better, but you're doing fine. I think you're tapping into the The biggest pain of DevOps engineers ever the soft skill. I think that deserves you know what that deserves an episode of its own We'll we'll have an episode an episode dedicated to soft skill is we can add we can add it here We can add it here like a bit of it here because it's the first day of the job And you also got to have those soft skills not to step on anyone's toes You said that right so communication is everything and communication is not only communicating the thing Expanding it. It's also how you explain and more often than not. I think The majority of time like seven out of 10 engineers. I've seen and I've also been it's a sin I once took upon myself I was the the one kind of The condescending engineer trying to explain to the developer the the 20 year Experience and developer how they're working wrong and what's so bad with their info. You remember you Yeah, like two minutes ago. You were pointing a gun to your head while I was speaking how frightening is that as a developer I'm the algorithm I'm for real the algorithm engineer and I'm speaking to you in a video conference And I'm telling you yeah I have a jar on a public EC2 and you're I mean you're doing that move Which in your mind makes sense because it is really the pointing a gun to my head scenario But to them. That's the perfect thing. They've started an EC2 it runs everyone's happy the algorithm works It's all good and then you kind of you communicate to them that everything they're doing is a pile of shit And they should quit right away, right? So when it comes to the ops part right Yeah, only when it comes to the ops part No, totally you didn't dive into the code and told them you're you're also a shitty developer That's another another layer that I've also seen by the way more than once But we're not going there. We're not telling that you're doing your job wrong with and that's something that's probably you do want to convey It's not your job that you're doing wrong. It's the peripheral stuff that are not part of your job Which they are but I'm just saying that to Make things sound nicer It's the peripheral stuff that are you're you can probably improve you're not doing it wrong It's not wrong. It's perfect. You you're a special snowflake But you can do a little bit better and that'll help you with deployment and don't tell them That's because everyone's going to hack and you're gonna kill everyone and you're going to get your I don't know boss suit It's because you want to improve your process. It'll make you better It'll help you don't like to scale if you also want to talk about soft skills And maybe a new day in a job don't get into a new organization and call them Listen everything over here. You can get hacked like in five seconds if you don't fix this and that because people can also Do like DevOps engines can do that can come I honestly listen all your secrets are leaked You know all your secret now when you see a secret committed in a git repository And if it's a private repository so seriously I mean the secret can't leak that fast the organization can exist for 10 years With a committed secret in a git repository and no it's not gonna get leaked Okay, it's not a good practice. It's best to avoid it, but it's not like the end of the world right it takes It takes not even a bad engineer just so much even even for example me which I think I do have a little bit of experience It takes me five seconds without paying too much attention to push it to a public repository and that's it It's leaked from that moment There's no way back even if you delete it it was already part of a public repository So you need to assume that your things were out there and then you need to rotate everything And that's why you want to secure system So yes, it can work for 10 years And I've seen too many organizations that do work for a very long while and they're fine For the most part we think they're fine, right? We don't know someone can be inside your systems doing stuff for years without you knowing That's another aspect of cyber security not getting into that But yes, it you need to understand it can take five seconds for something to go Like very very wrong So I want to ask you like a job interview question or mail Yeah, so let's say we let's talk specifically about what we just said like about secrets leaking because they are committed to a git repository Okay, how are we always we always end up with secrets leaking? It doesn't make it really talk about first day on your job How to get into DevOps Every time every time everything leaks So let's say you come to any places We've just said and then you spot that you have a committed secret in a private repository against basically private repository So it's bad, but not Like extremely super bad. Let's say the company exists for five years. Everything is good And when you say listen, there is a thing The secrets can get leaked you explain whatever and then you get a resistance Yeah saying listen This is how we work around here This is how we are used to work around here I don't need that so you got the resistance by the way it happens all around right as you as you just play the role of the Engineer who deploys with SSH. I don't mind. I have my IP. I don't mind. I can secure it. So what do you do when you see resistance? Like what's your way of dealing with resistance? By the way, that's most of the part is an interview You know is a question from interviews So what do you do? I think I want to save a lot for our episode over of Stop skills, but what do you do with resistance is a great answer. Let's start with the natural human Resistance you bring an axe a breath an axe in a sword and you break the resistance Exactly, that's not by stick or poking the person that either has the resistance Everyone is people human beings are resistant to changes. All of us. We all of us We do it the same. We don't even always Kind of show it or feel it. It's not in our in the top of our our mind But where is this to changes? That's why you have this step out of your comfort zone kind of cliche For a good reason because we like our comfort zone We like to be comfortable and comfortable. I think is the key word here. For example, the engineer I talked about earlier That's his comfortable. He knows how to SSH. He knows how to SCP. He knows how to read logs by Probably running less or cut on the server He doesn't know how easy it is to work with CloudWatch when you have a thousand servers Just querying whatever you need that be that cloud to zone and another aggregator But machines can die and processes can go up and down He doesn't know how easy it is to work in scale when you have systems taking care of stuff for you Because he just hasn't had the pleasure air quotes of dealing. So how do you deal with it? He doesn't know how do you deal with the resistance? What do you say? What do you do? So I think there are many approaches mine is to just put another thing aside It doesn't always work but for example here put another thing aside Show them how I work and then one of two things can happen I can help them move or I can just show them how I work and then they'll say oh, that's nice I want that too Right because it works faster because it's easier to see if you're used to Run less on a server to see logs and now you have he has one server And tomorrow he's going to have two or three because they go live in production and then you have to have you know Resiliency so you at least you have two or three. It's not easy. I mean that that's where the friction starts You need to split your screen or have multiple terminals and it's all black and white and I'm going to show them Here's colorful logs in an aggregated service that shows you everything where you can actually query Your logs and understand what's going on and then let's say oh, that's nice I want that too, and then the one that too is your gate to moving them to something better that goes for secrets See I change management everything everything so That's my go to for dealing with resistance and so show them I like to pin like to to Scrape what you say and then get like two words of it So I'd say show them examples of a better way to do stuff Yeah, okay, so usually what you do to you know deal with resistance is shows them examples of how to deal with I don't know bad practices that they don't and you know by the way It doesn't have to be like put it like in their nose. It's not look how mine is better No, that's not the idea Put your own system aside and then ask them like a casual question I want you to can you help me do something? Can you help me do something with my thing that I've deployed? Here are the logs But instead of showing them the logs by cutting them on the server I'm going to show them the logs on Cloud watch because it's pulled there and I'm going to run like this fancy query to only query the exact error lines that I was facing And then they will start The cockwills in the brain will start rotating and thinking even if they're not going to say that it's going to start rotating I think that's pretty cool why I don't have anything like that That's a nicer way to work and then they'll casually bring it up maybe in this conversation or another But you'll see them Kind of being attracted to something that's better. You remind me of the movie Inception, you know, where you plant an idea in someone's head without them knowing it You know like oh wait Maybe the logs that I've seen earlier are better solution to what I'm doing right now I don't know I don't I don't know if you remember but we had this conversation on that when we were working in the consultancy You know, what's the best way to make someone do something you want them to do? I think I can answer that. Do you want me? I think try is that to make them think they had the idea in the first place Exactly Now it's so hard to do but that easy if you want someone to do something that you want which is like I mean That's our everyday life as DevOps engineers or as managers If you want someone to do something and it's not only to do you can give a command like right like being an army commander and then you're To embrace that's what you know. Yeah, do this and maybe they'll like you or you have good communication They'll do it But if you want them to do it with passion and with quality and to keep doing it over time Make them think it was their idea So kind of pouring them that it's like a toddler trying to walk Okay, I have a baby trying to walk now You have to you have to give them a little nudge Just push them in the direction without actually telling them like move your feet here and then move the next foot in front of the other Give them a little nudge make them think that it's a frustrating process because it doesn't happen right away It takes a little bit of a walk it takes a while But if you do it over time and you don't give up and you make them think it was their idea They live and come up with it sometimes. I've seen people then you go to a meeting next week And then they say whoa, I have an idea. Why don't we do this and that and that's literally what you said them in other words A week earlier and then you say yeah, perfect. Let's do that. That's great That's an amazing and then you smile to yourself, you know a little smile like yeah I did that you know what would be the wrong move which we all tend to do the wrong move the that's exactly what I told you last week That's exactly yeah, that's the wrong move. No, that's that's very bad. That's about when you say that I think oh it's not an original idea. Maybe I'll think of something else because people like to feel I mean, I know why do we like to feel that we're original and we're the special snowflake that we are we're not nobody is So yeah, don't do that. No, I am. I am. Yeah. Yeah. Yeah, you're the only special I'm talking about the rest of us. Ah, the rest of you. Okay. Yeah, I'm sorry. I had to say that Yeah, okay. I just given a little push, but don't push too much. Okay. Oh, I do have one more thing to say you you told me about What was it when we talked about the the scenario brought up you talked about how things can leak right Secrets whatever and we could talk about my scenario nothing's facing like through the app Nothing's facing to the outside board. There's no API. So there's kind of in my developer brain nothing to scrape or to kind of Try and brute force. There's none of that. So I can keep going even if it's a public instance However, what I don't remember especially with Java, but not only of course I'm running some kind of third-party libraries. My code was never tested for static code analysis Yes, it's just a simple algorithm enough company of three people. So we're not there yet However, I there's probably at some point. I'm going to have some kind of a nobility This vulnerability might already have an exploit in the outside world I don't know what kind of libraries you use to run the algorithm probably lots of them The moment you have one with an exploit. Maybe that exploit can be an RCE a remote code execution You don't have to have an API if this exposes something your application exposes something And someone remotely can access your IP. They don't have to use your SSH key to Try and extract data. It doesn't mean they have they'll have a full-blown shell to your machine See how you did this Word's play where you did access your IP stick it is Access to IP. Yeah, I was actually talking about the IP. Yeah, I know I know in terms of protocol and intellectual property Through the internet protocol. They're going to extract your Introduction reporting. It doesn't have to be that they can extract other data that you care But then have to be the literally the code right? They can try and extract your Environment variables sometimes the remote code execution doesn't necessarily mean you have a reverse shell and you can access the shell In the instance it means that you can run what we call arbitrary commands So if you can type env send that to the computer to the server and for some reason it answers back with the answer of env Meaning print the environment variables and part of your environment variables are API keys to use the stock exchange market. I can now start trading with your key Doesn't have doesn't mean I'll get the profits, but if I'm a what we call a malicious actor I can start running a process that will very quickly bring you down to your needs because you don't have any more money Because I was just making bad trades on your behalf That's just an example. It's a doomsday example, but it can happen and it's not that Out of a friend of mine a few years ago. His name is Omar I don't know if you know him No, told me that you can also access the valent environment variables if you have access to the file system I was shocked and he told me go ahead and Google it And I was shocked it even you have a run if you if you have a running process that has environment valvers with secrets If I have access to the file system, you're talking about dedicated you're talking about dedicated environment Variables for the process. Yeah, yeah dedicated environment valves for the process because sometimes people say but the post is already running You can't access Environment variables of a running process. No, no, if you have access to the file system. Yeah, you can I mean, it's it's also very easy to do that. I know it's getting me easy Let me explain to the casual listener that wasn't sure what you just said Sometimes we put environment variables Then natural ways to put environment variables on the machine even if you're running a Python or Java or go code And you're using the OS Get environment or write to the environment. It's usually going to the in usually going to the environment of the instance If you're trying to we talked about 12 factors up you want to provide environment variables Especially with the containers. You don't bother into injecting them into a single process You're putting them on the instance So wherever you are whoever the process might be even if they're multiple processes They can run it from the they can read the story environment variables from the instance However, what you can do to kind of secure the process is to inject them into a process if you run My environment equals mail and then space running a Python process The only one that will be exposed to that environment variable It would be the the process that I just ran No other process will be able to read that environment variable because it's kind of a local one However, that doesn't mean it's encrypted or secure it because if I go to the instance to slash Prok slash the process ID and then go to the environment variable. I can literally read them from the disk Not getting into the Linux world, but in Linux everything is a file everything the processes Links everything is a file so you can leave it away. We are files on that is a file. I am a file We are all files. Yeah, you're microphone to file. We're all in the matrix Okay, okay on them. We already been to the 41 minute now Yeah, let's go for a soft-scale episode. I'm really So let's think about getting Like to be a DevOps in a new job And so you want to touch another topic before we move to the corner of the week I Think we covered the essence of it. I think we can go into a hundred like you said We can keep talking an hour on new things. I think that's the essence So instead of going into a new thing as I'll try to summarize Be prepared with a list. Hopefully it's not a must but hopefully you're come with a plan Do come with a notebook your first day on the job. You'll get a notebook that one thing I know you'll get from a company is a notebook and a pen use them to write the things that you ask ask your first of I'll go to the stakeholders Something we didn't say don't only ask the stakeholders go to other people go to Developers QI engineers anyone else on the team doesn't have to be even R&D engineers Ask people around what are their pains? What's going on for example? You can go to the finance department and ask them What's going on with the cloud bill? Is there something that is a pain to them is something that they don't? They're not able to manage sometimes. They'll be able to Spot things that you as an engineer can't see for example And exponentially growing bill of one of your cloud services like I don't read this or mongo or atlas or whatever that may be and then you can Go to that pain and try to relieve it. So you said notebook understand the pain points understand the We said low-hanging fruits a low-hanging fruit can be finding all the waste that lies around within your AWS account And killing huge instances that are not doing anything or EBS volumes or a snapshot whatever That and then we moved on to something you brought up which was actually you brought all of that up to You talked about the soft skills Learn how to communicate that it's not easy But learn how to communicate things to the stakeholders or to whoever you're working with don't tell them that they're doing an ash Like the rest of their life and you're going to get everyone sued One step at a time build it up tell them they're doing doing a great job And you're only there to help to do certain stuff that will improve their day-to-day work What else did we say oh and then the tip that if you want to make them do something Make them think it was their idea like lead them to the point instead of of feeding them with a spoon I think that's the essence I can also add another tip that we also talked about is the Process or flow so I think people Okay, as human beings is easier for us to talk about flows. It's hard when somebody asked me what's your pain? I'd be like Like if I don't have anything in it, I'll be like but if someone tells me can you tell me what do you do when you wake up in the morning? So I'll say okay, I wake up. I fix my bed. I brush my teeth It's easier for us as human beings to talk about a process So if you ask like how do you deploy the code? How do you build the code? So try to ask like when you ask questions? Try to ask about processes. It's easier than asking like that That's how you'll get into the pain points. Okay, so when you say something about that shoot You you again you spark my mind to me You said something which is essential in I think in psychology There's a book called Atomic Habits. Have you heard about it? It's quite famous A book that talks about how you break down your habits and how to build up new habits in any case It's easy to build up habits if you attach them into something that you normally do For example, you said you talked about waking up in the morning. The first thing I do is brush my teeth What if you want to build up a habit of Meditating after your brush your teeth. Oh, sorry meditating every day not necessarily then The easiest thing to do was to attach it into the process that's already happening That would work exactly the same in your day to do work as an engineer That they are not an engineer any type of work You do if you attach it into something that already is there. It's like it's already ingrained into your process You are one container It's a side container, you know, Eric like so you have a container That's in charge of your brushing your teeth and another side container that will now be Once I am done brushing my teeth. I wake you up. That's what I do. I brush my teeth I can't take it out in my mind until my teeth are brushed If now I attached that to something else like meditating or I don't know taking a shower or whatever If I do that over and over and over I don't remember for how long you need to read the book today. I think 21 21 days to embrace into habit It takes you 21 days at least. That's what I remember. It sounds nice I had the number of 40 something Regardless if you do that enough times your brain has no flake so for me. It's 20 when you're right. I go up people It's for I forgot the little star that says not for mayor and that's different. Yeah Essentially, that's how you build up so totally people think in process said the their your brain Has easier time attaching things to existing processes that he already doesn't even know about it's just the usual thing That it's it does. You don't need to think about brushing your teeth. It just happens. You wake up. That's your first thing you think about So I like it by the way I really like what you said like attaching new processes to existing process makes the stuff it makes your work easier All I feel sounds good. Do you want to move to the corner? I do. I don't care. Are you ready for the corner? Yeah, yeah, this time we'll give Elvis to say it. Okay. Are you ready? But I don't know we don't we barely publish to YouTube So I doubt if anyone will see it, but that this one is for you. So maybe we don't start I will I will upload to YouTube. I just see that we have many more, you know Our audience loves to hear us but doesn't like to see us You know as far as I can see Maybe we should invest in the visual people. Okay, go back then. Okay, so ready? Yes. So corner of the week Okay, special effects with Elvis. Okay, so email Which experience did you have last week or maybe in the past month that you want to share about a tool experience knowledge Project or whatever that you want to share about? Okay, go I'm going to share something. It's so niche that I need to give a little bit of a context before I do that So a few sentences of context There's the notion that we all know about of taking notes Right taking notes is very easy. You can take a pen and paper and write something to yourself. Nobody Guarantees that you remember to do the task that you wrote down or nobody guaranteed that if you remember We listed a few tips right from our experience Maybe someone's listening to that and they just listened. They didn't take notes It'll either completely vanish from their brain or maybe they took notes in a notebook Who guarantees that they'll ever read that or that it'll have some kind of a link to something existing? so on that On in that regard there's there are different systems to how you build your system of notes One of them is called the second brain. It's very nerd in nerdy. I'm sorry Building a second brain is a book of its own if you're interested go read that It basically helps you build the system of how you build different notes helps you understand how to take good notes And then how to get back to your notes. For example me and you we start a new project And we're writing a frontend framework. Maybe I have a set of notes from previous stuff that I heard in podcast or read in blog post and now I can Access them if I want to do that. I can maybe access my notes through the system That's just a gist of it in the context So I was using notion for the logins time to do that notion the app and The thing about notion is that it's an app that forces you to work within it If you want to write notes somewhere else and import them you can do that by copypasting not that easy And of context Now if you know me I like a vim and I like new of him for everything not only code I like to write text in the vim because the text editing is so much ingrained into my fingers and brain that If I can do the mind notes there, that would be perfect. There are many projects that can help you with that one of them Which is pretty I'll call it in its early days. It's called new org and that's coming from neo New them and org organization if I'm not mistaken and basically new org helps you build a note-taking system That's not based on markdown by the way because they say that markdown is a little bit slow as a parser They like to work with something else that they've invented and it's really really cool. I won't get into that New org it's a open-source project on github if you like new of him and you like taking notes and you read that nerd about productivity Go check it out. I live a link. That's it New org New right sounds cool. Yeah, I think mine is more embarrassing. Okay, my experience cuz This week I've discovered. Are you ready for it? Don't pull me Did you hear my drum roll? That was the lamest drum roll ever Yeah, you harmed using them all I did So pull me have you heard of pull me? Yeah, of course. Have you used pull me for a very short while So I've just used pull me this week. Okay, I didn't know anything about pull me like I didn't know anything about the syntax Anything about how it works and it took me maybe just a couple of hours to you know provision infrastructural in Minutes, okay, so it was super easy at it with TypeScript, you know a TypeScript project and I just enjoyed it and I felt like okay, this is the way I would like to manage infrastructural This is the way it would be easier for me to delegate my DevOps work on infrastructural to developers because When they see YAML files, you know YML files developers are usually like oh configuration file That's what they've up some genial But when they see a TypeScript file and that's like a culture thing I think but it's more of a perception thing When when someone sees something they're familiar with they're more capable of getting it. So even the world of SDK, right? Yeah, yeah, the CDK. Yeah, so when when a developer sees the font and developer back and developer of node Okay, no, yeah, whatever sees the TypeScript file They won't be that terrified when they see okay const new object blah blah because they know the syntax The only missing part now is the infrastructure itself, you know the like how it works in AWS or Google Google Cloud or whatever. So Pulumi is amazing. It also has this AWS cost walk which is a dedicated Library that you can just like if you want to provision a Fargate service Okay, you just create a new object of Fargate and it does everything for you. It creates the test definition Fargate service cloud watch logs everything. So besides Pulumi having Pulumi as a great framework for provisioning infrastructure It also has this you know built-in modules like terraform and there is and I moved was because remember like our last episode I think or maybe the previous one about how terraform changed its You know license to be a set whatever every time I think of BSL. I'm like a bullshit license I don't know why it's like a bullshit license. I've read the blog post. I've read the blog post about Yet another blog post about the terraform changing everything in the future. It makes it makes sense a bullshit license. Yeah, and they wrote BSL and they opened like Parenthesis and they said yeah, you know the bullshit license Yeah, I mean they reset his first It just makes sense So Pulumi is amazing if you want to create new infrastructure I'm not saying migrate because I didn't migrate a project I really created new infrastructure from scratch But if you're a new startup or trying to provision new infrastructure and you don't mind trying a new tool Pulumi is amazing and I'm gonna keep on working on that and developing it and I'll see how it goes So Pulumi amazing. That's for me. Amazing I think that's it. I think that there's all there's one more thing that I keep forgetting to say I think I remembered only twice and that's the thing We have a Facebook group if you have answers or questions or whatever you want to share with us Please go there. It's called DevOps topics and just leave a note. We'll see that It's not really up to date. We're not living stuff there I hope we'll do a better job in the future, but if you need to contact us You know the other places and you can find us online. That's one of them So I think we'll we're next time We should start with that in the episode because I'm not sure all the audience are really getting into this point of the recording Because it's like 53 minutes So maybe if we do this part in the beginning I'll somewhere might actually listen to it. You have a good point. Okay. Let's do that Okay, sorry. Thank you for now. I'm not sure will I meet next week? Maybe it will be in two weeks. We'll talk about it I've got thank you for now and see you next time. Okay. Thank you. See you. Okay. Yeah, bye. Bye

Pains, Low hanging fruits
Mapping things out
(Cont.) Mapping things out
Soft skills
Hidden risks
Our weekly mentions