Comment by 0xbadcafebee

Comment by 0xbadcafebee 3 days ago

70 replies

View on Hacker News

Here's 12 Sysadmin/DevOps (they're synonyms now!) challenges, straight from the day job:

  1.  Get a user to stop logging in as root.
  2.  Get all users to stop sharing the same login and password for all servers.
  3.  Get a user to upgrade their app's dependencies to versions newer than 2010.
  4.  Get a user to use configuration management rather than scp'ing config files from their laptop to the server.
  5.  Get a user to bake immutable images w/configuration rather than using configuration management.
  6.  Get a user to switch from Jenkins to GitHub Actions.
  7.  Get a user to stop keeping one file with all production secrets in S3, and use a secrets vault instead.
  8.  Convince a user (and management) you need to buy new servers, because although "we haven't had one go down in years", every one has faulty power supply, hard drive, network card, RAM, etc, and the hardware's so old you can't find spare parts.
  9.  Get management to give you the authority to force users to rotate their AWS access keys which are 8 years old.
  10. Get a user to stop using the aws root account's access keys for their application.
  11. Get a user to build their application in a container.
  12. Get a user to deploy their application without you.
After you complete each one, you get a glass of scotch. Happy Holidays!
cobertos 2 days ago

Re: 6. ... Github Actions

Github Actions left a bad taste in my mouth after having it randomly removed authenticated workers from the pool, after their offline for ~5 days.

This was after setting up a relatively complex PR workflow (always on cheap server starts up very expensive build server with specific hardware) only to have it break randomly after a PR didn't come in for a few days. And no indication that this happens, and no workaround from GitHub.

There are better solutions for CI, GitHub 's is half baked.

Reply View 23 replies
  • paulddraper 2 days ago

    This is documented currently (supposed to be 14 days). [1]

    That said, I have found runners to be unnecessarily difficult.

    But Jenkins and its own quirks, and when I used GitLab, it used ancient docker-machine and outdated AMIs by default.

    I think Buildkite has been the only one to make this easy and scalable. But it is meant for self hosted runners.

    [1] https://docs.github.com/en/enterprise-cloud@latest/actions/h...

    Reply View 1 reply
  • swyx 2 days ago

    bugs happen to all of us. whats your better solution - gitlab?

    Reply View 20 replies
    • shoo 2 days ago

      Roll 2d6, sum result. Your CI migration target is:

        2. migrate secret manager. Roll again
  3. cloud build
  4. gocd
  5. jenkins
  6. gitlab
  7. github actions
  8. bamboo
  9. codepipeline
  10. buildbot
  11. team foundation server
  12. migrate version control. Roll again
      Reply View 6 replies
      • swyx 2 days ago

        somehow i am really liking the kind of people that comment in the comment sections of sysadmin posts. i wonder what personality type this is

        Reply View 3 replies
      • mroche 2 days ago

        Bump up to 2d10 and add:

            - Travis
    - CircleCI
    - Drone/Woodpecker
    - Tekton Pipelines
    - TeamCity
    - Zuul
    - Buildkite
    - Agola
        Reply View 1 reply
    • esseph 2 days ago

      GitLab pipelines are really good.

      Reply View 4 replies
      • Balinares 2 days ago

        Not in love with its insistence on recreating the container from scratch every step of the pipeline, among a bundle of other irksome quirks. There are certainly worse choices, though.

        Reply View 3 replies
    • sharts 2 days ago

      honestly jenkins really isnt that bad

      Reply View 6 replies
      • friendzis 2 days ago

        Hudson/Jenkins is just not architected for large, multi-project deployments, isolated environments and specialized nodes. It can work if you do not need these features, but otherwise it's fight against the environment.

        You need a beefy master and it is your single point of failure. Untimely triggers of heavy jobs overwhelm controller? All projects are down. Jobs need to be carefully crafted to be resumable at all.

        Heavy reliance on master means that even sending out webhooks on stage status changes is extremely error prone.

        When your jobs require certain tools to be available you are expected to package those as part of agent deployment as Jenkins relies on host tools. In reality you end up rolling your own tool management system that every job has to call in some canonical manner.

        There is no built in way to isolate environments. You can harden the system a bit with various ACLs, but in the end if you either have to trust projects or build up and maintain infrastructures for different projects isolated at host level.

        In cases when time-wise significant processing happens externally, you have to block an executor.

        Reply View 0 replies
      • bionsystem 2 days ago

        Yeah I was thinking of using it for us actually. Connects to everything, lots of plugins, etc. I wonder what the hate is from, they are all pretty bad aren't they ?

        Will test forgejo's CI first as we'll use the repo anyway, but if it ain't for me, it's going to be jenkins I assume.

        Reply View 4 replies
jagged-chisel 2 days ago

> … from Jenkins to GitHub Actions.

Oh, good lord why?

Reply View 5 replies
  • 0xbadcafebee 2 days ago

    Many, many reasons... the most important of which is, Jenkins is a constant security nightmare and a maintenance headache. But also it's much harder to manage a bunch of random Jenkins servers than GHA. Authentication, authorization, access control, configuration, job execution, networking, etc. Then there's the configuration of things like env vars and secrets, environments, etc that can also scale better. I agree GHA kinda sucks as a user tool, but as a sysadmin Jenkins will suck the life out of you and sap your time and energy that can go towards more important [to the company] tasks.

    Reply View 3 replies
    • maratc 2 days ago

      I really scratch my head when I read your comment, as nothing of this is a real issue in my Jenkins.

      > bunch of random Jenkins servers

      Either PXE boot from an image, or k8s from an image, have a machine or pod rebooted/destroyed after one job. Update your image once a month, or have a Jenkins job to do that for you.

      > Authentication, authorization, access control

      Either use LDAP or Login via Github, and Matrix security plugin. Put all "Devops" group into admins, the rest into users, never touch it again.

      > configuration

      CASC plugin and seed for jobs, and/or Helm for just about everything else.

      > env vars and secrets

      Pull everything from Vault with Vault plugin.

      > as a sysadmin Jenkins will suck the life out of you

      I spend about 1-2 hours a week managing Jenkins itself, and the rest of the week watching the jobs or developing new ones.

      Reply View 2 replies
      • 0xbadcafebee 15 hours ago

        Well one issue is, CasC isn't enough. You often have to write JobDSL to get around some limitation in CasC, and sometimes Groovy for limitations in the other two. If you want to manage access control (and you choose the correct Auth plugin, and figure out how to configure it), often you need an admin to make changes in both the Jenkins server and your backend AuthNZ system. Then there's the "seed job vs not-seed-job" weirdness that doesn't exist with GHA. And building the (hopefully containerized) Jenkins server, Jenkins build agents, etc will depend on your infrastructure provider, but still usually requires you to get your hands dirty. There are many, many more layers to the onion with Jenkins, and it's just not worth all that overhead for what should be "git clone && build && deploy" - which GHA does much simpler, right where your code lives, without you needing to maintain anything.

        And this is if you get to manage it! Often there's 5 different random Jenkins servers set up by different teams, all of which are EOL and rife with security holes, and they expect you to fix them when they break, nobody version controls their configs or backs them up (they haven't even heard of CasC and have no interest in using it), and your boss says you can't say no, and also you can't upgrade them/take them over. I've seen million-dollar products which are completely dependent on over a thousand Jenkins jobs on an out-of-date Jenkins server, so complex and intertwined it couldn't be replaced.

        If it were up to me, I would replace most CI with Drone.io (or Woodpecker CI if it ever gets feature parity). Now that's a dead simple CI system.

        Reply View 1 reply
        • maratc 5 hours ago

          My issue with GHA and other "dead simple" systems is that my CI is complicated. Having a real programming language for stuff like "calculate what date it was a week ago" or "concatenate these three strings but only under some conditions" or "parse the output and build an object out of it" is really helpful while a bastardised YAML-based Jinja template simply can't hold up.

          But yeah, if all there is to do is "git clone && build && deploy" then Jenkins is an overkill and it probably wasn't warranted in the first place.

          Reply View 0 replies
  • vachina 2 days ago

    Because sysadmim wants to outsource their responsibilities (and job).

    Reply View 0 replies
n4bz0r 2 days ago

> Sysadmin/DevOps (they're synonyms now!)

I've notified the authorities and social services.

Reply View 0 replies
betaby 2 days ago

5. and 6. are a matter of taste (trade-offs), the rest is spot on!

Reply View 0 replies
Waterluvian 2 days ago

Here’s the first step to all of these that I often see sysadmins stumbling on: communicate in written, non-abstract terms why each of these matter.

Most are obvious to most people. None are obvious to everybody.

Reply View 0 replies
daemonologist 2 days ago

You get me the permissions to do half of this stuff, and I'll do whatever you want.

Reply View 1 reply
  • [removed] 2 days ago
    [deleted]
    Reply View 0 replies
Nextgrid 2 days ago

> Get a user to stop logging in as root.

It really depends if the machine is hosting anything that you don't want some users to access. If the machine is single-purpose and any user is already able to access everything valuable from it (DB with customer data, etc) or trivially elevate to root (via sudo, docker access, etc) then it's just pointless extra typing and security theatre.

Reply View 1 reply
f1shy 2 days ago

>> Sysadmin/DevOps (they're synonyms now!)

Is this really like that? Isn't there any Unix/DBA anymore? I associate DevOps to what at my time we called "operations" and "development". We had 5 teams or so:

1) Developers, who would architect and write code, 2) Operations who would deploy, monitor and address customer complaints, 3) Unix (aka SYS) administrators, who would take care of housekeeping of well, the OS (and web servers/middleware), 4) DBA who would be monitoring and optimizing Oracle/Postgres, and 5) Network admins, who would take care of Load Balancers, Routers, Switches, Firewalls (well, there were 2 security experts for that also)

So I think DevOps would be a mix of 1&2, to avoid the daily wars that would constantly happen "THEY did it wrong!"

Can somebody clear my mind, please!? It seems I was out of it for too long?!

Reply View 6 replies
  • Wilya 2 days ago

    In full-cloud environments, in small/middle companies I've worked at:

    Developers handle 1). Devops handle 2)/3)/5). Nobody does 4)

    Reply View 4 replies
    • f1shy 2 days ago

      Thanks. That is an interesting insight into the current reality. I assume the developers take care of optimization of queries; set up indexes and development of schemas and DB backups is handled by devops.

      I must say, again I thought (I read it somewhere?) DevOps should take care of the constant battle between Devs and Operations (I've seen enough of that in my times) by merging 1 and 2 together. But it seems just a name change, and if anything, seems worst, as a (IMHO) critical and central component, like the DB, now has totally distributed responsibilities. I would like to know what happens when e.g. a DB crashes because a filesystem is full, "because one developer made another index, because one from devops had a complaint because X was too slow".

      Either the people are extremely more professional that in my times, or it must be a shitshow to look while eating pop-corn.

      Reply View 1 reply
      • friendzis 2 days ago

        > DevOps should take care of the constant battle between Devs and Operations

        In practice there is no way to relay "query fubar, fix" back, because we are much agile, very scrum: feature is done when the ticket is closed, new tickets are handled by product owners. Reality is antithesis of that double Ouroboros.

        In practice developers write code, devops deploy "teh clouds" (writing yamls is the deving part) and we throw moar servers at some cloud db when performance becomes sub-par.

        Reply View 0 replies
    • sgarland 2 days ago

      Nobody does 4 until they’ve had multiple large incidents involving DBs, or the spend gets hilariously out of control.

      Then they hire DBREs because they think DBA sounds antiquated, who then enter a hellscape of knowing exactly what the root issues are (poorly-designed schemata, unperformant queries, and applications without proper backoff and graceful degradation), and being utterly unable to convince management of this (“what if we switched to $SOME_DBAAS? That would fix it, right?”).

      Reply View 0 replies
  • rtp4me 2 days ago

    For 4) - consider PGHero[1] and PGTuner[2] instead of a full-time DBA. We use both in production and they work very well to help track down performance issues with Postgres.

    [1] https://github.com/ankane/pghero

    [2] https://pgtune.leopard.in.ua/

    Edit: For the record, I have worked at a few small companies as the "SysAdmin" guy who did the whole compliment of servers, OS, storage, networking, VMs, DB, perf tuning, etc.

    Reply View 0 replies
technion 2 days ago

I know its a common view that sysadmin/devops are the same these days, but witha current sysadmin role nothing youve mentioned sounds relevant. Let's give you my list:

1. Patch Microsoft exchange with only a three hour outage window 2. Train a user to use onedrive instead of emailing 50mb files and back and forth 3. Setup eight printers for six users. Deal with 9gb printer drivers. 4. Ask an exec if he would please let you add mfa to their mailbox. 5. Sit there calmly while that exec yells like a wwe wrestler about the ways he plans to ruin you in response 6. Debate the cost of a custom mouse pad for one person across three meetings 7. Deploy any standard windows app that expects everyone be an administrator without making everyone an administrator 8. Deploy an app that expects uac disabled without disabling uac 9. Debug some finance persons 9000 line excel function

Reply View 13 replies
  • hnlmorg 2 days ago

    That sounds more like Desktop Support than a SysAdmin role. My condolences if that's the job you landed when interviewing for a SysAdmin role

    Reply View 0 replies
  • 0xbadcafebee 2 days ago

    I used to have that job, but my title wasn't Sysadmin, it was IT Manager. For companies small enough that they don't have multiple roles, you do both... but for larger companies, the user-side stuff is done by IT, and the server-side stuff is done by a Sysadmin. (And my condolences; having done that combined role, it's not easy, and you don't get paid enough!)

    Reply View 0 replies
  • hansmayer 2 days ago

    What you describe sounds more like a MS "Modern Workplace" / IT support in a corporate environment.

    Reply View 8 replies
    • technion 2 days ago

      Are we arguing that corporate workers arent "real sysadmins"?

      Reply View 5 replies
      • jagged-chisel 2 days ago

        Pretty sure they mean “general IT support isn’t sysadmin work.”

        Reply View 0 replies
      • hansmayer a day ago

        No. There are plenty of corporate sysadmins. I am arguing that MS Workplace Sysadmins are not the ones this advent was meant for.

        Reply View 0 replies
      • jabroni_salad 2 days ago

        HN culture as a whole doesnt really recognize the validity of business that buy software vs build software.

        Reply View 2 replies
  • stackskipton 2 days ago

    Former Exchange Admin here: 1 is easy, I used to do 70k mailboxes in middle of the day only but it requires spare hardware or virtualization with headroom.

    Deploy new Server(s), patch, install Exchange, Setup DAGs, migrate everyone mailbox, swing load balancer over to new servers, uninstall Exchange from old, remove old from Active Directory, delete servers.

    BTW, Upgrades now suck because Office365 uses method above so upgrade system never gets good Q&A from them.

    Reply View 1 reply
    • EvanAnderson 2 days ago

      Same feeling here re: migrations being easy if the Customer isn't a cheapass. Small business Customers who had the competing requirements of spending as little money as possible and having as much uptime as possible were the stressor.

      Reply View 0 replies
athrowaway3z 2 days ago

  9.  Get management to give you the authority to force users to rotate their AWS access keys which are 8 years old.
Saying "keys which are 8 years old" implies you're worried about the keys themselves, which is just wrong. (Their security state depends on monitoring)

You can definitely make a strong argument that the organization needs practice rotating, so I would advise reframing it as an org-survivability-planning challenge and not a key-security issue.

Reply View 0 replies
alberth 2 days ago

I’d be super interested to see solutions to each, just to learn from.

Reply View 1 reply
  • philipwhiuk 2 days ago

    You can deploy tooling (e.g. BeyondTrust / CyberArk for 1&2), but ultimately there's a conversation and a migration plan to be done for each.

    Reply View 0 replies
DoctorOW 2 days ago

> Get a user to use configuration management rather than scp'ing config files from their laptop to the server.

Damn, this one I'm guilty of. Though, I'm not real Sysadmin/DevOps, I'm just throwing something together and deploying it on a LAN-only VM for security reasons (I don't trust the type of code I would write)

Reply View 0 replies
infogulch 2 days ago

Q: 3. Get a user to upgrade their app's dependencies to versions newer than 2010.

A: Calculate the average age in years of all dependencies calculated by: (max(most recent version release date, date of most recent CVE on library) - used version release date). Sleep for that many seconds before the app starts.

Reply View 0 replies
AstroJetson 2 days ago

I think the BOFH answer would be “They ride Elevator #2 to sub-basement 3.” Plot twist, there is only sub-basement 2.

Two pints of ale please!

Reply View 0 replies
JuniperMesos 2 days ago

A lot of these problems seem pretty solveable, if you're the admin of the machine (or cloud system) and the user isn't.

If you don't want a user to log in as root, disable the root password (or change it to something only you know) and disable root ssh. If you want people to stop sharing the same login and password across all servers, there's several ways to do it but the most straightforward one seems like it would be to enforce the use of a hardware key (yubikey or similar) for login. If people aren't using configuration management software and are leaving machines in an inconsistent state, again there are several options but I'd look into this NixOS project: https://github.com/nix-community/impermanence + some policy of rebooting the machines regularly.

If you don't like how users are making use of AWS resources and secrets, then set up AWS permissions to force them to do so the correct way. In general if someone is using a system in a bad or insecure way, then after alerting them with some lead time, deliberately break their workflow and force them to come to you in order to make progress. If the thing you suggest is actually the correct course of action for your organization, then it will be worthwhile.

Reply View 3 replies
  • philipwhiuk 2 days ago

    None of them are technically hard. All of them are bureaucracy-hard.

    If you just do any of this list without the proper migration plan/time, someone senior in the org will complain and you will lose.

    Reply View 1 reply
    • jakeydus 2 days ago

      > If you just do any of this […], some senior in the org will complain and you will lose.

      More accurate statement imo.

      Reply View 0 replies
  • skywhopper 2 days ago

    It’s not as easy as “I can technically change this”. If you think it is, you don’t understand the job of a sysadmin.

    Reply View 0 replies