• Ask AI First
• Search for Solutions
• Communicate the Problem
  • In Public
  • Shorten the Feedback Loop
  • What Are You Trying to Achieve?
  • Communicate Priority, Urgency, and Impact
• Provide Context
  • Provide the Exact Command or Link
  • See as Much as You Can at Once
  • Output
  • Code as Code Blocks
  • Screenshots
  • Logs
• Isolate the Problem
• Solve the Problem Loudly
• Related Work
• Coda

Ask AI First

Before asking a human, try an AI (e.g. ChatGPT, Claude, Gemini). For well-defined problems with known solutions, it’s is fast and available 24/7. Reserve human help for context-heavy, relationship-specific, or genuinely novel problems where lived experience and judgement matter.

Give the AI the same quality of context you’d give a human. A vague prompt gets a vague answer. A specific, well-framed question with relevant details gets a useful one. The sections below apply equally to prompting a Gen AI as they do to asking a colleague.

Search for Solutions

Maybe it goes without saying but searching for a solution yourself is a must.

Try to find a unique string in any error messages you’re getting and use that in your search terms.

Some targets for your search:

• source code if it’s available
• product documentation
• chat history (Slack/Teams/IRC)
• good ol’ stackoverflow.com
• good ol’ google.com

Communicate the Problem

In Public

I’m passionate about sharing knowledge and problem solving in public is an essential piece of that.

If someone asks me for help in a direct message (DM) in chat, I often reply like this.

Please ask these kinds of questions in a public channel (like #X or #Y) and I’ll answer you there. That way the knowledge is shared widely, more people get on the same page, and it gives others the chance to chip in with answers.

Always encouraging people to ask questions in public normalises the behaviour and works to remove any stigma associated with seeking help publicly. If you need help with something, there’s an excellent chance someone else needs that exact same help. In my opinion, confining the help to DMs hinders the growth of the person and the organisation as a whole.

That’s my general rule of thumb. However, if there are people who will only ask for help in private or not at all then of course go ahead and help them in private. Continue to encourage them to open up for their own benefit and the benefit of everyone else.

And if the same problem requires help time and time again, it’s probably time to document it or solve the problem permanently!

Shorten the Feedback Loop

Every round trip costs time, yours and theirs. When you ask a question, ask yourself: what will the helper ask next? Then answer it pre-emptively.

If you ask “is this working?” without saying what “this” is, the helper has to ask. That’s one round trip wasted before any real help begins. If instead you say “I ran kubectl get pods -n prod and the pod is in CrashLoopBackOff. Here’s the log output,” the helper can skip the preamble and get straight to the problem.

This principle extends to how you open a conversation. Don’t just say “hi” and wait for a response. Say hi and ask your question in the same message. nohello.net captures this well. The helper doesn’t need to stop what they’re doing to say hi back before you’ve even asked anything, that’s friction you introduced for no reason.

What Are You Trying to Achieve?

When someone is trying to help you, understanding what you’re trying to achieve can make all the difference. Sometimes you might be asking a hyper-specific question about a solution you’re attempting but if someone understands what you’re trying to achieve, they can look at the whole problem and potentially suggest a better solution. This is often referred to as the XY Problem.

For example

1. Helpee: Why am I getting a ZeroDivisionError when I run my rate function?
2. Helper: What are you trying to achieve?
3. Helpee: I’m try to calculate the rate of water flow in this function in litres/minute.
4. Helper: Can the time in minutes ever really be zero?
5. Helpee: Not really …
6. Helper: Validate the input at the top of the function and return an error message if time <= 0. Please write some unit tests too. :)
7. Helpee: Sounds good to me.

The more relevant information you can give them about the whole problem, the better.

Communicate Priority, Urgency, and Impact

Helpers triage. If you don’t say how urgent something is, they’ll guess and they may guess wrong.

Tell them if you’re blocked entirely. Tell them if there’s a deadline. Tell them what the blast radius is. Is this affecting one user, one team, or every customer in prod? That context shapes how quickly they’ll respond and what kind of solution they’ll reach for.

“This is blocking our release tomorrow” and “just curious if this is the right approach” are very different asks. Make it easy for the helper to understand which one you’re bringing them.

Provide Context

Providing context is crucial to getting help effectively.

Said another way, there are no dumb questions but there are incomplete questions.

Provide the Exact Command or Link

Precision matters. Don’t describe what you ran, share the exact command with all flags and arguments. Don’t describe where the code is, share the exact URL to the file and line number. Don’t paraphrase the error, paste the exact log entry.

“I ran the deploy script and got an error” leaves the helper guessing. “I ran ./deploy.sh --env prod --region us-east-1 and got Error: connection refused on port 5432” gives them something to work with immediately.

Whenever possible, share a link to the exact thing you need help with (e.g. source code, logs, documentation). A direct link saves time and reduces ambiguity. That said, share the link but also include a relevant excerpt in your message so they don’t have to navigate somewhere just to read two lines.

See as Much as You Can at Once

Put everything relevant in one message. Think about it from the helper’s perspective: what would they need to see in order to help you without asking anything back? Try to give them that upfront.

A fragmented conversation where context trickles in over many messages is much harder to help with than a well-composed single message. Be succinct but be complete.

Output

When sharing the output of a command, always include the full command (including host info). Knowing the input that generated the output is another huge time saver.

[etoews@jenkins.example.com ~ ]$ ping example.com
PING example.com (93.184.216.34) 56(84) bytes of data.
^C
--- example.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

Code as Code Blocks

When sharing code, always share the code as a code block in your chat tool.

In most chat tools you can start a code block using 3 backticks like so ```.

Resist the temptation to share code as a screenshot but there are other good reasons to share screenshots too.

Screenshots

When sharing screenshots, follow these guidelines.

• Share the maximum amount of screen that you reasonably can.
• If appropriate, screenshot the entire screen because that will conveniently show the date and time as well, which is valuable info.
• If you can only screenshot the browser, include the location bar at the top, which is valuable info.
• Redact any sensitive information.
• Annotate the screenshot to be explicit about what you need help with.

Logs

Logs are usually fundamental to problem solving. Remember that you can often increase logging verbosity in many systems and tools to get more output. It can be a double-edged sword because it can make it harder to find signal in the noise, but usually more info is better. And if you’ve increased the logging verbosity in a running system, remember to decrease it after the debugging is done!

Isolate the Problem

Isolating the problem can severely reduce the time it takes to help you.

Let others know what you’ve tried already. That gives them more information and can stop them from chasing a red herring.

If you can reproduce the problem reliably and provide the steps to do so, you’re already most of the way to solving it. Those steps will help others get up to speed quickly and get you the help you need. It’s best if you can provide code or commands that can be executed to reproduce it.

Even isolating the problem at a coarse level can be beneficial. Providing information about whether it’s the database, network, API, or some other layer or component can save time.

Solve the Problem Loudly

Others may not be able to help right away but if you keep writing out the debugging steps you’re doing in chat, it can be a big benefit to yourself (you’re basically rubber duck debugging) and others when they have time to help. You might even solve the problem yourself and be the one who helps whoever comes along next! The more text you provide, the more likely you are to find the issue when searching back through chat history.

Whatever happens, make sure the resolution gets recorded. Don’t leave the debugging thread dangling. There’s a good chance your future self will thank you.

Don’t be afraid to post to stackoverflow.com if you can’t find the answer within your four walls.

Related Work

• Julia Evans: How to ask good questions
• Jon Skeet: Writing the perfect question
• Eric S. Raymond: How To Ask Questions The Smart Way
• Myself: Write That Request For Help, But Don’t Send It…Yet
• StackOverflow: How do I ask a good question?
• Wikipedia: rubber duck debugging
• nohello: nohello.net

Coda

The throughline here is respect for the helper’s time. Every question you ask is an addition to someone else’s cognitive load. Making it a good question is how you make that worthwhile. The effort you put into asking well is directly proportional to the quality of help you’ll receive. And when you’re on the other side of the table, you’ll appreciate it all the more.

• Choosing an AWS Account Cleaner
• Using AWSweeper
• Installation
• Configuration
• Dry Run
• Tag Filters
• Tag Filters Example
• Including More Resources
• Coda

I have a corporate sandbox AWS account with a pre-determined budget that I can use for experimentation. As I was studying for the AWS Solution Architect Associate certification, I used this sandbox account for the hands-on labs that I was doing as part of my study. After completing just a couple of labs, I already noticed there were numerous resources that I had forgotten to delete or wasn’t even sure where they came from. Wanting to be a tidy Kiwi, I immediately went on the hunt for a tool that could help.

Choosing an AWS Account Cleaner

There are a number of tools that can do the job to keep an AWS account clean. I won’t go into an exhaustive comparison but I was primarily looking for a tool that met the following requirements.

• Works well with AWS resource tags (important for accounts following the best practices for Tagging AWS resources)
• Supports a majority of AWS resources
• Reasonably well maintained

In the end, I chose AWSweeper. It is flexible in how it works with resources tags, supports many AWS resources by leveraging the AWS Terraform provider, and is reasonably well maintained with many thanks to its maintainer and contributors!

Using AWSweeper

AWSweeper has good documentation so I’ll just provide my experience with using it.

Installation

By far, the fastest way to start using it is via CloudShell. In a CloudShell session, follow the installation instructions. Double check that you’re using the most recent release.

[cloudshell-user@ip-10-0-189-11 ~]$ curl -sSfL https://raw.githubusercontent.com/jckuester/awsweeper/master/install.sh | sh -s v0.12.0
jckuester/awsweeper info checking GitHub for tag 'v0.12.0'
jckuester/awsweeper info found version: 0.12.0 for v0.12.0/linux/amd64
jckuester/awsweeper info installed ./bin/awsweeper

[cloudshell-user@ip-10-0-189-11 ~]$ awsweeper --version
version: 0.12.0
commit: 09952ce
built at: 2022-02-08T22:59:30Z
using: go1.17.3

Configuration

AWSweeper requires a YAML file to configure it. Keep it simple to start and begin with exactly one resource type.

Create a file called awsweeper.yaml and add this one line.

aws_instance:

Dry Run

Always do a dry-run of AWSweeper first before you do anything else. That gives you a baseline of what resources are already in your account.

[cloudshell-user@ip-10-0-182-207 ~]$ awsweeper --dry-run awsweeper.yaml

   • SHOWING RESOURCES THAT WOULD BE DELETED (DRY RUN)

        ---
        Type: aws_instance
        Found: 3

                Id:             i-0250d2cd1c2640b16
                Tags:           [Name: Important] [Purpose: Prod]
                Created:        2022-09-02 04:56:30 +0000 UTC

                Id:             i-0221ae44df26eba10
                Tags:           [Name: Temporary] [Purpose: Experiment]
                Created:        2022-09-02 04:56:30 +0000 UTC

                Id:             i-0958016c7117fe5df
                Tags:           [Name: No Purpose]
                Created:        2022-09-02 23:08:49 +0000 UTC

        ---

   • TOTAL NUMBER OF RESOURCES THAT WOULD BE DELETED: 3

We see that there are a couple of EC2 instances in this account. They would be deleted if we weren’t doing a dry-run but even when you’re doing a real-run, there’s a confirmation step before anything is actually deleted.

Tag Filters

Using tag filters lets us control what AWSweeper deletes. The tag filters are pretty good but they take some getting used to. When a tag matches, that means the resource(s) are to be deleted. I found I had to do an example table like the one below for a resource to get a feel for how the “NOT” operator works for tag filters.

The “Purpose” table headers below mean the EC2 instance has that tag or not.

- tags:
    Purpose: Experiment

- tags:
    Purpose: NOT(Experiment)

- tags:
    NOT(Purpose): Experiment

- tags:
    NOT(Purpose): NOT(Experiment)

Tag Filters Example

To use a tag filter, include it below the resource type you want to filter in awsweeper.yaml.

For example.

aws_instance:
- tags:
    Purpose: Experiment

That tag filter would delete any EC2 instance tagged with Purpose: Experiment.

[cloudshell-user@ip-10-0-182-207 ~]$ awsweeper --dry-run awsweeper.yaml

   • SHOWING RESOURCES THAT WOULD BE DELETED (DRY RUN)

        ---
        Type: aws_instance
        Found: 1

                Id:             i-0221ae44df26eba10
                Tags:           [Name: Temporary] [Purpose: Experiment]
                Created:        2022-09-02 04:56:30 +0000 UTC

        ---

   • TOTAL NUMBER OF RESOURCES THAT WOULD BE DELETED: 1

Including More Resources

Add more resources to your awsweeper.yaml file one by one or in small batches between dry-runs. This enables you build up your understanding of how AWSweeper will affect the resources. As you go, add tags to your resources and your awsweeper.yaml file as necessary to ensure nothing important gets deleted accidentally.

For example.

aws_instance:
- tags:
    Purpose: Experiment
aws_key_pair:
- tags:
    Purpose: Experiment
aws_security_group:
- tags:
    Purpose: Experiment

These tag filters would delete any of those resources with tag Purpose: Experiment.

[cloudshell-user@ip-10-0-182-207 ~]$ awsweeper --dry-run awsweeper.yaml

   • SHOWING RESOURCES THAT WOULD BE DELETED (DRY RUN)

        ---
        Type: aws_instance
        Found: 1

                Id:             i-0221ae44df26eba10
                Tags:           [Name: Temporary] [Purpose: Experiment]
                Created:        2022-09-02 04:56:30 +0000 UTC

        ---


        ---
        Type: aws_key_pair
        Found: 1

                Id:             EC2 Tutorial
                Tags:           [Purpose: Experiment]

        ---

   • TOTAL NUMBER OF RESOURCES THAT WOULD BE DELETED: 2

After many rounds of adding resources from the list of Supported resources, you’ll wind up with a file that looks like awsweeper.yaml.

Coda

AWSweeper is a very useful tool but can be quite dangerous too. Take care to always do a dry-run before executing it for a real-run.

Personally I find running AWSweeper fascinating. It gives you some real insight into what AWS is doing and how its services are stitched together. Of course it also does an excellent job of keeping your AWS Account free of cruft and helps keep costs down to boot!

• Edit a Diagram
• Save an Editable Diagram
• Share an Editable Diagram
• Deploy app.diagrams.net
• Integrations
• Coda

In software development and architecture, diagrams are enormously valuable as they can communicate an amazing amount of information at a glance. Nothing gets everyone on the same page like a good diagram. Like any documentation, diagrams can rapidly go out of date so it is absolutely essential that diagrams are conveniently editable.

Most of the time, diagrams are embedded in other documentation, whether it’s a wiki, website, markdown, or something else. The version that is embedded is a rendered version of the diagram (e.g. png or jpg) so it can be displayed in any browser. Rarely is the editable version included alongside the rendered version. The editable version has to be hunted down as it is typically stored elsewhere. You’re lucky if you can find it, find a version of the diagramming tool to edit it, and acquire a license to even open the diagramming tool at all. With so many barriers, it’s often impossible to update a diagram and most of its value is lost.

drawio.com has solved that problem by embedding the editable version of a diagram within the rendered version and making it convenient and free to edit it in app.diagrams.net (you can find the docs at drawio.com/doc/).

Edit a Diagram

Imagine you’ve come across the diagram below in some documentation. Note that it’s a png file being displayed in your browser. You can edit it right now using the instructions below.

Instructions

1. Right-click on the diagram and choose “Save Image As…” (or equivalent in your browser)
2. Open app.diagrams.net
3. You’ll be greeted with a dialog to “Save diagrams to:”, choose Device
4. Choose Open Existing Diagram
5. Choose the diagram you just saved

You can now edit the diagram to your heart’s content.

Save an Editable Diagram

If your browser is capable and you’ve allowed it, app.diagrams.net will actually automatically save that diagram directly to your hard drive as you update it.

If you’ve created a diagram from scratch, you should know how to explicitly export a rendered version with the editable version embedded.

Instructions

1. Open app.diagrams.net
2. You’ll be greeted with a dialog to “Save diagrams to:”, choose Decide later
3. Edit the diagram to your heart’s content
4. You can save an editable version two ways:
   1. File > Save as …
      1. In the dropdown to the right of the filename, choose “Editable Bitmap Image (.png)”
      2. Click Download
   2. File > Export as > PNG …
      1. Fill in the properties however you like
      2. Check “Include a copy of my diagram”
      3. Click Export

You now have a diagram that can be displayed anywhere and easily edited.

Share an Editable Diagram

Because your diagram is already a rendered image, it is trivial to share. Just embed or send the image wherever you need to.

However, your diagram is already a rendered image, it is not obvious that it’s also editable!

When sharing the diagram, be sure to include some indication that the diagram is editable (e.g. a caption).

For example, in a website like the diagram above you can use an img title attribute and/or a caption.

<figure>
  <img class="img-centre"
       title="Save this diagram and open it in app.diagrams.net to edit"
       alt="Scaling Communication"
       src="/img/posts/scaling-communication.drawio.png"/>
  <figcaption style="text-align: center;">
    Scaling Communication
    <br/>
    <sub>
      Save this diagram and open it in app.diagrams.net to edit
    </sub>
  </figcaption>
</figure>

Deploy app.diagrams.net

“But what if app.diagrams.net goes down for any reason? Maybe permanently! I won’t be able to edit my diagrams!” I hear you say. It’s true that could be a problem but it’s definitely solvable.

The simplest solution for most people is to just download the Desktop version, save it somewhere, install it, and use that.

Another option is to deploy the app.diagrams.net web application yourself. It’s relatively easy if you already have a GitHub account.

Instructions

1. Go to github.com/jgraph/drawio
2. Click Fork (in the upper right corner)
3. In your forked repo, click Settings
4. Click Pages
5. In the Source section, choose Branch: dev
6. Click Save

A message will appear saying something like “Your site is published at https://etoews.github.io/drawio/”.

However, if you click the link, you’ll only see the README.md from the repo. You need to append src/main/webapp/ to the URL in your browser.

The full URL will be something like https://etoews.github.io/drawio/src/main/webapp/. An easily hosted version of app.diagrams.net!

Integrations

JGraph, the company behind app.diagrams.net, provides an amazing base feature set for free. They also offers many paid integrations to make using it easier for businesses. I wholeheartedly support this. If you belong to an organisation, I recommend looking these integrations to see if one fits your use case.

Coda

In my opinion, app.diagrams.net solves a long-standing and fundamental problem with diagramming. You’re able to embed an editable version of a diagram within the rendered version and it’s convenient and free to edit. Now there won’t be any excuses from keeping all diagram up to date!

Articles

• CALMS Framework
  • I’m actually quite partial to the CALMS framework for DevOps.
• Products Over Projects
  • Treating software as a product is a fundamental shift required for DevOps.
• What I Talk About When I Talk About Platforms
  • Technology platforms are crucial to the implementation of the technical aspects of DevOps.
• DevOps Enterprise Summit Forum Papers
  • A wealth of easily consumable knowledge and advice on all things DevOps.

Blogs

I use Feedly to subscribe to blogs. I hope RSS/Atom never dies.

• Martin Fowler
• Container Solutions
  • Not just containers, lots of good general posts about DevOps.
• zwischenzugs
• InfoQ on DevOps

Books

The first three books here are absolutely required reading.

• Accelerate
• The Phoenix Project
• The DevOps Handbook
  • If someone says “DevOps has no definition”, hit them over the head with this book.
• The Unicorn Project
  • I like to describe it as “one woman’s quest to build a development environment and unblock an entire organisation”.
• Site Reliability Engineering
• Cloud Native Transformation

Not DevOps but I highly regard these.

• Domain Driven Design Quickly
• Thinking, Fast and Slow
  • I think of it as a peek behind the curtain into what makes people think what they think and do what they do.
• The Information: A History, a Theory, a Flood

Events

• devopsdays
  • A global phenomenon of DevOps practitioners getting together to learn from each other. I can’t recommend these highly enough.
• DevOps Enterprise Summit

Courses

• The DevOps Foundation video courses on LinkedIn Learning
  • I know the instructors and they’re long-time practitioners of DevOps. I’d vouch for this training.
• There are also training and accreditation organisations. Opinion on their validity varies. I’ve never done any of these so cannot vouch for them but I do know some trainers.
  • DevOps Institute
  • ICAgile DevOps
  • DevOps Agile Skills Association

Distributed teams

• GitLab’s Remote Manifesto
• GitLab’s Handbook
  • The Communication section has some good tips on dealing with the signal-to-noise ratio in Slack.

Podcasts

• DevOps Cafe
• Arrested DevOps

Tools

Containers

• The Docker Book
  • A great starter book for Docker. Still relevant.
• Kubernetes The Hard Way
  • Working through this tutorial is a must if you’re at all serious about deploying Kubernetes.

Git

• Comparing Git Workflows
  • I’m a big proponent of the feature branch workflow, potentially with forks.

• Versions
• Install Jenkins
• Setup Jenkins
• Configure Global Pipeline Libraries
• Create Pipeline
• Configure Pipeline
• Run Pipeline
• Pipeline Results
• Coda

One popular type of versioning is known as semantic versioning (semver). Semantic versioning is “a simple set of rules and requirements that dictate how version numbers are assigned and incremented.” It allows people to communicate meaning using a particular format for the version they assign to the release of a component. Whether or not you’re a fan of semver, it’s very useful to have a well-known and commonly understood specification for your versions. It also makes it possible to compare one version with another of the same component.

Often times, the purpose of Jenkins pipelines is to deploy software. That is to say, to change the current version of a software component to the desired version. You may want to roll forward by increasing the version of the component, you may want to roll backward by decreasing the version of the component, or you may want to do nothing at all if the version hasn’t changed. Depending on the component being deployed, you may need to take different actions based on whether the desired version is greater than, equal to, or less than the current version.

I’ve written the small library method semver_compare that allows you to compare semantic versions in a Jenkins pipeline easily. What better way to learn how to use it than by trying it out right away!

Versions

At the time of writing, the versions of all of the software used in this post are:

• Docker Desktop: 4.1.1
• Docker: 20.10.8
• Jenkins: Long-Term Support (LTS)

Install Jenkins

To make it convenient to install Jenkins, I’m using Docker Desktop to get it up and running.

This command will run a Docker container in interactive mode (you’ll be able to see the log output in your terminal) and the container will be removed when you kill the command with a Ctrl+C. However, any changes you make to Jenkins while it’s running will be saved in the jenkins_home volume so you can always run it again and pick up where you left off.

docker run --interactive --tty --rm \
  --volume jenkins_home:/var/jenkins_home \
  --publish 8080:8080 --publish 50000:50000 \
  jenkins/jenkins:lts

Open Jenkins at http://localhost:8080/.

Note: If you want to start over from scratch, kill the command with Ctrl+C, delete the volume with docker volume rm jenkins_home, and run the command above again.

Setup Jenkins

You’ll need to go through a wizard to setup Jenkins.

1. On the Unlock Jenkins screen:
   • Find the password in the Jenkins log output under “Please use the following password to proceed to installation”
   • Enter the password into the Administrator password field
2. Click Install suggested plugins
3. On the Create First Admin User screen:
   • Username: [pick-a-username]
   • Password: [pick-a-password]
   • Full name: [pick-a-full-name]
   • E-mail address: [pick-an-email-address]
4. On the Instance Configuration screen:
   • Jenkins URL: http://localhost:8080/

Configure Global Pipeline Libraries

To make use of the method, you’ll need to configure a global pipeline library.

1. Click Manage Jenkins
2. Click Configure System
3. Scroll down to the Global Pipeline Libraries section and click Add
   1. Name: semver-compare-lib
   2. Default version: master
   3. Load implicitly: Unchecked
   4. Allow default version to be overridden: Checked
   5. Include @Library changes in job recent changes: Unchecked
   6. Retrieval method: Modern SCM
   7. Source Code Management: Git
   8. Git: https://github.com/etoews/jenkins-semver-compare.git
4. Save

Create Pipeline

Create a pipeline to run the example pipeline.

1. Click New Item
   1. Enter an item name: semver-compare
   2. Click Pipeline
2. OK

Configure Pipeline

Configure the example pipeline.

1. Scroll down to the Pipeline section
   1. Definition: Pipeline script from SCM
   2. SCM: Git
   3. Repository URL: https://github.com/etoews/jenkins-semver-compare.git
2. Save

Run Pipeline

On the Pipeline screen:

1. Click Build Now
2. Wait a moment for the pipeline to complete
3. Under Build History click #1
4. Click Console Output

Pipeline Results

The pipeline result is the output of running this Jenkinsfile.

First of all, notice how the Jenkinsfile itself is using a particular version of the global pipeline library with the line @Library('semver-compare-lib@1.0.0') at the very top. Version all the things!

Then the pipeline runs through successive version comparisons. Some output is printed based on whether the desired version is greater than, equal to, or less than the current version. If you were to use this in your own pipeline, you could take different actions depending on each case.

Finally, the last pair of versions don’t conform to the semver specification. Some error handling is invoked and a helpful error message is printed.

Coda

Versioning your software components is absolutely fundamental to running a stable and resilient system that can be reasoned about. Using semantic versioning has many advantages including the ability to compare one version with another of the same component. This post showed you how you can easily make those comparisons in a Jenkins pipeline. Go ahead and give it a try in your own pipelines.

Note: The library method uses SemanticVersion.groovy to do the comparison. The source code for that class was copied from How to implement a single class Java parser for semantic versioning with correct precedence ordering with my own alterations to make it work in a Jenkins pipeline. The source code was copied and modified as permitted by the MIT License. My thanks go out to the original author Patrick Ahlbrecht.

• Definition
• Use Cases
• Tooling
• Barriers
• Benefits
• Coda

Definition

GitOps is reconciling a desired state in Git with a runtime environment.

“But this is what we’ve always done!” you say. You’re right, application code in Git is eventually deployed (reconciled) to a runtime environment. However, operational code and state is another matter. Operational runtime environments are often not based on code, even if they’re in the cloud. Changes are made to those environments by one-time updates via a web interface or command line tool but the desired state is never stored anywhere, only the current state is stored in the runtime environment.

GitOps is the same general Git workflow we’ve known for years with one simple additional step.

1. Pull request
2. Review
3. Merge
4. Action

It’s that last step that distinguishes GitOps from the usual Git workflow. Automatically taking action when a commit is merged. That action takes place in a reconciliation system, which is triggered by a push or pull event. That reconciliation system then applies the desired state from Git to a runtime environment.

At a high level it looks like this.

Some examples of the various pieces (the table is meant to be read column-wise).

Git is not only the source of truth for your application code but it also becomes the source of truth for your operational code. The reconciliation system could also push commits into Git to reflect a new state due to automatic events in the runtime environment (e.g. auto scaling to 5 VMs).

There have been a number of definitions of GitOps offered. Most notably from WeaveWorks, the people who coined the term GitOps. However, I found that their definition and others are very Kubernetes centric and doesn’t capture the essential elements of a what is actually a more general technique.

Use Cases

Here are a handful of use cases where you could apply GitOps. Of course, it’s not limited to these and I’d be interested to hear if you’ve applied GitOps to any other use cases.

Deployment

Deployment is one of the most common use cases for GitOps. You need to deploy a new version of some software to an environment so you make a change in Git and that software is automatically deployed to your runtime environment. Flux is a Kubernetes operator for doing so. I also built a system for doing so that I wrote about in GitOps Driven Deployments on OpenShift.

Infrastructure

Infrastructure as Code (IaC) (e.g. Terraform, CloudFormation, etc.) is perhaps the canonical use case for GitOps. You need to change your infrastructure in some way (e.g. add a VM) so you update your IaC in Git and that change is automatically run on your infrastructure. This can be done by your reconciliation system executing commands that apply the configuration to the infrastructure.

DNS

I found the paper GitOps: A Path to More Self-service IT by Thomas A. Limoncelli really inspirational. The author does an excellent job of describing GitOps in much more general terms. The primary use case he offers as an example is for DNS.

In the author’s own words,

Initially the DNSControl configuration file (dnsconfig.js) is stored in Git. A CI system is configured so that changes trigger the test-and-push cycle of DNSControl, and updates to the file result in the changes propagating to the DNS providers. This is a typical IaC pattern. When changes are needed, someone from the IT team updates the file and commits it to Git.

This is exactly how I’ve been thinking about GitOps.

On/Off Boarding People

People come and go from teams all the time. When they arrive, you have to add them to Slack, GitHub, JIRA, and all of the other systems you use to get work done. Imagine a file full of user information like this.

users:
- name: Jack Burton
  active: true
  email: jack.burton@porkchopexpress.com
  slack: jack-burton-me
  github: jburton
- name: Gracie Law
  active: true
  email: gracie.law@porkchopexpress.com
  slack: girl-with-the-green-eyes
  github: glaw
- name: David Lo Pan
  active: false
  email: david.lo.pan@wingkongexchange.cn
  slack: lo-pan
  github: dlpan

When a user is added/removed to/from the list, they are added/removed to/from those systems by your reconciliation system.

Tooling

A lot of tooling already has Git integration so customising tools to do GitOps isn’t much of a stretch in many cases.

There is also tooling cropping up that supports the GitOps technique directly:

• Flux CD
• Jenkins X
• Argo CD
• Atlantis

Barriers

Naturally there are barriers to the adoption of any new technique.

ITIL

If you’re in a traditional ITIL shop, they likely have very particular processes you need to follow to implement a change. For GitOps to gain adoption, you may need to take the ITIL stalwarts along on the journey and show them how GitOps actually implements ITIL practices. And if there are parts of the process you can automate, such as opening/closing tickets, look for opportunities for your reconciliation system to integrate with ITSM systems (e.g. ServiceNow) in order to do so. I’d love to see these sorts of processes coalesce around the pull request and do away with any unnecessary ceremony.

Git as SPOF

If GitOps is driving your runtime environments, Git uptime is even more critical. Git can become a single point of failure (SPOF) for essential business processes. If you use a cloud based Git service and they have a bad day, you’re going to have a bad day. If you run Git on-premise, you’ll almost certainly want to configure it to be highly available. Either way, you’ll need to seriously consider the impact on your business of Git being down.

Secrets Management

Proper secrets management in any system is a tough nut to crack. Your reconciliation system needs to have access to a lot of credentials so it can update runtime environments. There are a lot of secrets management systems (e.g. Vault, CyberArk, etc.) that you can use to safely store the secrets that the reconciliation system needs to get its work done. And, of course, you want to follow best practices like only using service accounts that have exactly the permissions they need.

Benefits

In my experience I’ve found a number of benefits of GitOps.

Git System Features

There are many features of any modern Git system that we take for granted that are beneficial for GitOps. The role based access control (RBAC) can be used to grant access to those who can propose change and those who merge change (which implies automatic action). Being able to edit a file and propose a pull request directly from the web interface is amazingly powerful for those unfamiliar with Git. Even just getting email or Slack notifications when a pull request is proposed is helpful.

Versioning

Versioning absolutely everything that goes into your runtime environment provides many benefits. Perhaps you reconcile on every commit. In that case you may want to record the short SHA of the commit as the version of the runtime environment. Or perhaps you reconcile when a tag is pushed. In that case you may want to record the tag as the version of the runtime environment. Whatever you do, you want to know exactly what code is in your runtime environment and any point in time.

Audit

Even compliance and audit benefit from GitOps. Being able to use Git history to show how and why a runtime environment is in the state it’s in is helpful for compliance. Being able to use Git history to show who proposed a change, who reviewed and approved it, and who merged it is essential for audit. In one instance, an auditor interviewed me and we got through the session in half the time because I was able to show him how we were driving deployments with GitOps with all of the benefits above.

Self-service

The biggest benefit is self-service. Those that need to make the change are those that propose the change. Even if they’re not familiar with Git, they’re able to use the web interface to propose the changes they need. The whole system is transparent and you’re able to understand the state it’s in, even if you don’t have direct access to the runtime environment.

Coda

GitOps is a general technique that is applicable to many use cases. It’s far more than just Kubernetes. The barriers to adoption are relatively low and I think it has the potential to be a widely adopted way of working once people start to understand the benefits they can realise from it. Frankly, I just want to see more GitOps in the world.

• GitOps
• Users
• Git
• Pipelines
• Environments
• OpenShift
• Presentations
• Coda

GitOps

Another way to define GitOps is by applying a developer experience (DX) to operations. Developer Experience for APIs, SDKs, CLIs, and documentation tend to take up all of the oxygen in the room, however I propose DX for operations is an idea whose time has come. What speaks more to the experience of being a developer than interacting with Git all day. It’s natural to extend that interaction and apply it to operations as well.

GitOps follows this flow across four major actors to drive deployments on OpenShift:

1. Users
2. Git
3. Pipelines
4. Environments

Underlying the pipelines and environments is OpenShift. Conceivably you could also run Git on OpenShift but that was not the case at this client.

Users

The users of this system are the people either proposing or merging a change to an environment (env). For example, a developer has completed a feature and produced version 1.2.3 of an API service in a development environment. Once that feature is ready for testing, the developer proposes version 1.2.3 of that API service to a test env via a pull request. The test env owner reviews the pull request, approves it, and merges it. The merge fires a webhook that kicks off the pipeline run that deploys version 1.2.3 of that API service to the test env.

Git

Naturally, Git provides source control but it also provide excellent access control and audit capabilities. In Git we have two types of repositories (repos).

Environment repos contain the configuration and versions for the services in a particular env (e.g. prod). The env repos also contain all of the settings for the repo itself to enable GitOps. This is achieved by setting repository and branch permissions, pull request rules and reviewers, and webhooks.

Service repos container the source code of the services that compose the application(s) running in the env. Depending on how your platform creates conatiner images, the source code may be laid out in a certain structure (e.g. Source-to-Image). It can also contain deployment artifacts particular to the service such as a DeploymentConfig, ConfigMap(s), and Jenkinsfile.

Pipelines

Pipelines are a sequence of steps executed in Jenkins, running on OpenShift. As input, pipelines consume environment configuration and source code from Git. As output, pipelines produce container images and deployments of the EdPay application for an environment. For day to day development, the pipelines can be considered as your interface to the OpenShift Container Platform.

There are two types of pipelines and one type of build:

• Env Pipeline: Orchestrates the deployment of the entire EdPay stack and follows a deploy-<env> naming convention (e.g. deploy-dev-03-master).
• Service Pipeline: Builds and deploys a specific service from a container image and follows a deploy-<service> naming convention (e.g. deploy-edpay-services).
• Image Build: A build of a service produces a container image stored in the registry and follows a build-<service> naming convention (e.g. build-edpay-services).

Environments

An environment (an OpenShift project) is a combination of running services and configuration, primarily, specific versions of the running services and the DB to which they are configured to connect. Each environment contains its own instances of all of the services that make up the EdPay application.

There are two types of environments:

• Dev Envs: Build images and deploy services.
• Higher Envs: Deploy services from existing images (prod is just another higher env with the exception that the images must be copied to the prod cluster first).

The primary differentiator is that dev envs do the builds that create the container images for all of the services in the stack. Dev master and dev stable are where all application builds take place. All envs do deployments of these container images.

It’s worth noting that the environment itself is versioned. Ultimately, the environment is just another application dependency.

OpenShift

There are two OpenShift clusters, one for production and one for non-production. The production cluster only has a staging and a prod environment. The non-production cluster has all other environments, including dev, test, demo, and pre-prod. Again, the only difference between the staging/prod pipelines from the other higher env pipelines is that the images must be copied to the prod cluster first.

Presentations

The deck below is a walk-through of the concepts and components used to enable the GitOps driven deployments described above.

Because there are a fair number of concepts and components at play, I also did a screencast to explain the system.

And finally, my colleague Heather Cumberworth-Lane and I presented on this at the Cloud Native Summit 2019 in Wellington, NZ.

Coda

Note: Always set limits on compute resources. Always! We learned this one the hard way when we deployed Jaeger Tracing on OpenShift and it began to cause node instability. My solution was to add max traces and compute resource parameters to the Jaeger Tracing OpenShift all-in-one template.

The ideas and concepts for a system like this have been rattling around in my head for a long time. It’s been great getting the opportunity to build it out. I had assistance from a few people around me at the client that worked hard to bring this to life. Without their help and support this wouldn’t have been possible and my thanks go out to them.

Update: I’ve also written a general definition that GitOps is Reconciling a Desired State in Git with a Runtime Environment.

• Overview
• Norms
• Teams and Channels
• Tips ‘n Tricks
  • General
  • Threads
  • Message Formatting
  • Notifications
• Getting Help
• Coda

Overview

Here is a high level overview of those norms.

• Be mindful of people’s time and attention.
• Keep chats as public as possible.
• Use common courtesy. “Please” and “Thank you” still go a long way.
• Assume good intentions (tone doesn’t travel well over chat) and asynchronous comms.
• Management must take care when to intervene (like any medium).

Norms

These norms are shamelessly borrowed from the GitLab Communication Handbook on Chat. I recommend reading through that doc, picking and choosing the ones that make the most sense for your org, and fitting them to your purpose.

• If you use chat, please use a public channel and mention the person or group you want to reach. This ensures it is easy for other people to chime in, involve other people if needed, and learn from whatever is discussed. Only use direct messages if the discussion is truly private and of no interest to anyone else.
• If the subject is of value to the wider community, consider commenting on an existing user story or opening a new user story and linking to that story in a relevant channel.
• Despite the instantaneous nature of chat, it should be considered asynchronous communication. Don’t expect an instantaneous response; you have no idea what the other person is doing.
• If you must send a private message, don’t start a conversation with “Hi” or “Hey” as that interrupts their work without communicating anything. If you have a quick question, just ask the question directly and the person will respond asynchronously. If you truly need to have a synchronous communication, then start by asking for that explicitly, while mentioning the subject. e.g. “I’m having trouble understanding issue #x, can we talk about it quickly?”.
• Do not feel obligated to respond to chat messages when you are not working.
• Feel free to send a colleague a link to these guidelines if the communication in Teams should be done asynchronously.
• Please avoid using @General or @channel unless this is about something urgent and important. In chat try to keep the use of keywords that mention the whole channel to a minimum. They should only be used for pings that are both urgent and important, not just important. By overusing channel mentions you make it harder to respond to personal mentions in a timely manner since people get pinged too frequently.
• If something is important but not urgent - like complimenting or encouraging the entire team - use email or post in the channel without @-mentioning the team.
• If you are aware that your teammate is on vacation, avoid mentioning them in a high volume channel. It will be difficult to find the information or question when they return. If you need to ensure they refer back to the thread, ensure to send them a link to the relevant Teams message through a direct message.
• It’s not rude to leave a channel. When you’re no longer interested in the conversations happening in a channel, feel free to leave it so it won’t distract you anymore.

Teams and Channels

• Create a “random” channel. Naturally people feel chatty and that should be encouraged! The random channel is for discussing anything whatsoever: games, pets, kids, TV, haircuts, home repair, etc. It also helps keep the non-work chat in one place so it doesn’t clutter up work chat and make it harder to find signal in the noise.
• User lowercase only for Channels and Teams with words separated by hyphens as Teams sorts by case then alphanumeric.
• When deciding whether to create a Channel or a Team, always lean towards creating a Channel:
  • If it is the same/similar context as an existing Team and doesn’t need privacy then create a Channel within the existing Team.
  • If it needs a smaller more private group then consider creating a Team.

Tips ‘n Tricks

Like any tool, it’s necessary to learn at least some of the tip ‘n tricks to be effective with it (and have a little more fun too).

General

• Brief introduction to Microsoft Teams.
• General help can be found in Chat in Microsoft Teams.
• There’s a web app available at teams.microsoft.com.
• All keyboard shortcuts can be found under Profile > Keyboard shortcuts.
• Use Ctrl/Command + / to open the list of commands.

Threads

• Every chat in Teams starts in a thread. Be conscious of where you’re typing (especially if you’re in the mobile app) to make sure you’re responding to the right thread.
• If it’s going to be a long running thread, you’ll want to add a subject to it to make it easier to find when scrolling back through the chat history.
• If you hover your mouse over any message, a few icons appear in the top right corner. Use the thumbs up icon to agree with someone without sending another message/notification to the channel.
• When your cursor is in the reply textbox, you can press the Up Arrow to edit your last message.

Message Formatting

• When writing a message, you can Use Markdown formatting in Teams.
• To share code, use ``` to start a multi-line code block or ` to start an inline code snippet.
• Sharing code as a screen shot is grounds for mockery.
• Use Shift+Enter to start a new line in a message rather than sending every line as a message (and a notification).
• You can insert an emoji by typing a : and then typing the name of the emoji.
• Links expand to show a preview of the page. You can remove these previews by clicking the X in the top right corner of the preview.

Notifications

• If you’re only referring to someone, but don’t actually need their attention, and want to spare them from getting notified, spell out their name normally without @ mentioning them.
• You can manage your availability status under Profile.
• Manage your notifications (Profile > Settings > Notifications) carefully to avoid notification fatigue. Here’s one example of notification settings that can help you get started.

Getting Help

• Don’t just share the output of a command/process, include the command/process that generated the output. Context is crucial to debugging!
• Share direct links to things when possible rather than vaguely describing how to access something.
  • e.g. “read my answer on pytest” rather than “just go to that question on pytest and look around for my answer”

    Just link people to stuff please. It's the HT in HTTP and HTML.

    — Everett Toews (@etoews) April 21, 2016

• Asking for help is a common and natural thing that everyone does. You need help right away so if you can help others help you, everyone wins. Getting help from others is a bit different in chat so I wrote the guide Help Others Help You.

Coda

It’s easy to get started with chat. However, it’s also just as easy to use it the wrong way. If you establish and reinforce some norms, it can be enormously beneficial to the whole organisation.

Experiment

Get your hands dirty in a safe environment by using installing and using MiniShift. Or you can skip localhost and use the Starter plan for OpenShift online. These are good for developers but not as good for learning how to admin an OpenShift cluster.

If you want to get great idea of what’s going on under the hood, there’s no better way than learning from Kubernetes The Hard Way. It’s an excellent tutorial on building a Kubernetes (the foundation of OpenShift) cluster “by hand” so you understand how all of the components work together.

Training

• Interactive Learning Portal
• Red Hat Certified System Administrator
• Red Hat OpenShift Training

Docs

The official docs are quite good.

Note that if you’re Googling for results, most times you wind up at an older version of the docs. It’s usually just a simple matter of editing the URL in your location bar to get to the version you need.

Also note that you can use latest in place of the version (as I do in the links below) and you’ll be redirected to the latest version of the docs.

Developer

• OpenShift 3 Demystified. For Developers
• Developer Guide
• Container Security Guide
• Creating Images
• Using Images
• CLI Reference

Admin

• Cluster Administration

Ops

• Day Two Operations Guide
• Upgrading Clusters

Books

These books are a decent intro. However, they both focus heavily on the imperative approach and skip the declarative approach to Infra as Code. Meaning they focus on running a bunch of commands sequentially via the CLI vs declaring the infra as code (manifests) and applying them. The latter being a more mature approach to container management.

• Deploying to OpenShift
• DevOps with OpenShift

Blogs

To keep up with the rapid evolution I find it very valuable to subscribe to blogs. I’m old school and still use RSS/Atom for this sort of thing with Feedly.

OpenShift

• Red Hat’s official OpenShift blog
• Red Hat’s official Developer blog (Containers category)
• OpenShift category of the Open Sourcerer’s blog (it’s gone a bit quiet)

Kubernetes/Containers

• The New Stack
  • All the new and shiny. Vendor heavy. Yet still useful/informative.
• Kubernetes Blog
• Technology Conservations
• Container Solutions

The last few are Kubernetes related but it gives you a good idea where OpenShift is going.

Podcasts

• PodCTL
• Kubernetes Podcast

Specific Topics

Networking

• Understanding kubernetes networking: pods
• Understanding kubernetes networking: services
• Understanding kubernetes networking: ingress

Networking Deep Dive

I can’t recommend this series highly enough. The back-of-the-napkins diagrams alone are worth the read.

• Part 1: Container networking on a plain Docker host
• Part 2: Container networking on an OpenShift node
• Part 3: Container networking across OpenShift nodes
• Part 4: Container networking using OpenShift/Kubernetes services
• Part 5: OpenShift router
• Part 6: Controlling egress traffic

Ingress Traffic

• OpenShift Router Sharding for Production and Development Traffic
• Router Sharding

Egress Traffic

• Controlling Egress Traffic
• Accessing External Services Using Egress Router
• Enabling Static IPs for External Project Traffic
• How to enable static egress IP in Red Hat OpenShift Container Platform

DNS

• OpenShift 3.6 DNS In Pictures

AuthN

• Authentication
• Configuring Authentication
• Syncing Groups With LDAP

AuthZ

• Authorization
• Managing Role-based Access Control
• Managing Users
• Users and RBAC Cookbook

Disaster Recovery

• Disaster Recovery with Containers? You Bet!

The versions used in this post at the time of writing are:

• Minikube: 0.21.0
• VirtualBox: 5.1.22
• Kubernetes and kubectl: 1.7.0

Create a minikube and get the code

Setup the configuration

You need to get env vars into apps running on Kubernetes but, at least in your development environment, it can also be really convenient to have those env vars in your terminal session. For that reason, you can store your env vars as simple scripts that can be sourced.

Knowing that you’ll have multiple environments, it’s good to start with a template for that script. To avoid conflicts, prefix all of your env vars with some shorthand for your app.

Create a directory called envs for all of your config. Include a .gitignore to avoid committing any sensitive info and a README.md to let people (and your-later-self) know how to use the template.

envs/
├── .gitignore
├── README.md
├── dev.sh
├── staging.sh
├── template.sh
└── test.sh

Ignore everything except the few initial files in the dir.

Naturally you’d want to expand on these instructions in the README.md.

Setup a development environment

Create the Secrets and a Deployment

You can provide the config as key/value pairs using process substitution.

PS1 Context

If you’re working with many different app envs, it can be helpful to include some context in your PS1. Here’s one example of including a bit more context on your command line. For a more thorough PS1, checkout my .bash_profile.

PS1='(kubernetes:$(kubectl config current-context 2>&1) | foo:$(echo ${FOO_ENV}))\n\W $ '

Coda

Obviously this can be used in many more places than just database configuration. It’s a great way to configure your apps too. These environment variables can even be used in injected executable scripts, which makes for a pretty powerful way to configure containers on the fly.

One improvement I’d like to make to this setup is to always have the env var file encrypted on disk. Whenever you needed the env vars in a terminal session, you would decrypt the file and source it. All in-memory so the decrypted version is never stored on disk.