DevOps Days Podcast

Audio recordings from DevOpsDays presentations (http://devopsdays.org)

Now displaying: September, 2015
Sep 29, 2015

How to take an app from your laptop to production utilizing the future of container orchestration. It’s difficult to say with confidence that your app will work in production without testing it. Many people today have very complex scripts which outline deployment, testing and validation, and often rely on late-night pager calls and very brittle rollback scenarios. Additionally, developers struggle with developing software on different platforms and SDK versions that are hard to make consistent, which results in different builds and exceptions which are hard to resolve. We can finally stop saying 'it works on my machine', since it will work the same on every machine. Other processes in the past have attempted to solve the problem but are brittle and take time to build out environments.

This talk will outline the process of how to deploy an app locally in docker-compose, then scale it out to multiple servers running Kubernetes. From there, the audience will see how to scale the app to achieve performance, manage failures, debug, and understand best practices.

Containers are a great way to package, build, run and deploy apps, and Docker has made that practice very simple; however, it only really works well on a single host. With the learnings from Google, Kubernetes is the open source container orchestration offering which builds on Google's current infrastructure learnings that we all can use in an Open Source model.

Sep 29, 2015

There are many stakeholders involved when you are creating or assembling a security toolchain. How do you satisfy the different, and sometimes conflicting, needs of these stakeholders in a responsive way?

We can use some of the concepts developed in the user experience domain to create better security tooling. User personas allow us to map out different roles that must interact with security to get their work done. These personas are living and provide a fast feedback loop when paired with user interviews. Giving direction while allowing freedom is a key tenet to integrating security into different parts of your organization.

Sep 29, 2015

Operating Systems. Where did they come from? Did your customer ask for one? Why do you bother with them at all?

Operating systems have traditionally played an enormous part in software development and operations. Most of us would find it difficult to imagine computing without one. They are certainly a source of religious contention.

Operating systems represent a maintenance and security burden; they have long been viewed by many as a necessary evil. They often bring more bulk and complexity than the systems we are producing; particularly in the case of microservices. They complicate security, greatly increasing the attack surface, and they require a significant expense and effort to maintain. But generally, operating systems are assumed to be required and we seldom consider a service environment without them. How well do you really even know what you're deploying when an OS is involved?

Operating systems introduce variation into a development workflow that can be difficult to manage. On a dev team, each individual's computing environment tends to stray apart. This divergence is a primary cause of Works-on-my-box syndrome. Things such as VM, libraries and general configuration are a source of drift.

Unless your product is, itself, an operating system, your customer is not generally concerned about your OS. A great deal of effort and expense goes to the operating system, without any direct ROI.

We will take a look at the ways emerging technologies will help you to reduce the liability of operating systems. We will consider how the minimization, or even elimination, of the operating system impacts development workflow; for better or worse. What would a CD pipeline look like? In particular, we would like to consider ways in which containers and unikernels or anykernels complement and can be used in combination.

Sep 5, 2015

Is your performance monitoring using real-time analytics in a way that will produce results or noise and frustration? Real-time analytics can improve the value of performance monitoring by enabling operations teams to pinpoint problems faster and proactively manage applications, but it’s notoriously difficult to harness its value. In this presentation, we will show you how to avoid the pitfalls of partial analytics implementation, and explain the value of a comprehensive monitoring analytics platform.

Sep 5, 2015

Once infrastructure becomes code it becomes testable as code (testing is generally considered a pretty good idea). It also becomes reviewable as code. Code review is a powerful complement to testing (and might just be the more effective of the two for finding bugs), spreading knowledge, and improving at the craft of programming.

In this talk:

  • Be convinced reviewing code review is also a pretty good idea.
  • Cover pre and post commit workflows and example tooling to make your day better.
  • Lessons from the messy growing pains of growing an organization from virtually no formal code review to reviewing every commit.
  • Best practices for being an effective reviewer and reviewee.

Sep 5, 2015

Government agencies are often hesitant to use open source tools out of concerns about security and compliance issues. This hesitancy to use open source deprives many government agencies of the chance to collaborate closely with others to create software that is finely tuned and widely available to scratch its own itch. The five-year-old OpenSCAP community is helping to change that and re-imagining the US Government's role in open source through its NIST-Certified SCAP 1.2 scanning software and growing body of open source licensed SCAP content. By using the OpenSCAP suite of scanning and configuration management tools, government agencies looking to become high velocity organizations can automate the cumbersome process of certifying that a server has been properly hardened for production and begin to develop community resources for hardening of other popular open source tools. The OpenSCAP community is actively developing a suite of software tools to make continuous monitoring in agile environments easier, especially for developers, who often do not realize they could be scanning their systems more collaboratively with Ops. OpenSCAP is not merely a secure piece of open source software; it is software that helps demonstrate security and compliance. The SCAP-Security-Guide Project is the only source of official configuration management SCAP and hardening content for Linux that is licensed open source and also directly reviewed by official government agencies. Initially started (and still significantly funded) by Red Hat, the OpenSCAP project has recently moved its repository from the Fedora Project to GitHub and has seen an increase in the pace of development.

Sep 5, 2015

In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.

Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.

Sep 5, 2015

Or, "Automation is hard and the enterprise is large."

Fewer steps, decreased time-to-production, faster iteration cycles... DevOps practically sells itself - except when it doesn't. You can do all the right things but if you don't make it matter for Mission(tm), nobody will listen. We're very good at the first step toward excellence (doing great things) but we often forget about the follow-up - talk about it. But how? Where? Changing culture isn't easy, especially when you're a single person inside a huge government organization. We'll show a few tips we've learned along our journey toward making government work a little less painful. Speed of government? Red tape? Legions of bureaucrats with nothing better to do than slow you down? We know your pain. We're here to help.

Sep 5, 2015

We pursue increasingly rapid delivery cycles while achieving previously unimaginable degrees of scalability, reliability, and raw performance. But there is obviously a growing and serious mismatch between our development and operations performance in securing our applications compared to our performance in other areas. I work at a company extensively involved in Drupal and other open source projects that concentrate on both DevOps and security, but continue to be plagued by serious security vulnerabilities. Organizations and individuals negatively affected by Heartbleed and other security flaws probably would have readily traded some delay in accessing new features or temporary access problems for better security. So, how can we better focus DevOps culture and practices on the concept of Continuous Security to deliver this? Perhaps we need to look at ongoing advances in automated security testing, more rigorous and frequent manual code review, and paired/team programming practices, and work better on more fully integrating these all into DevOps.

Sep 5, 2015

Right-sizing your environment is one of the most stressful decisions to make when moving to the cloud. If you under-provision resources, systems are at risk of going down and you lose money. If you over-provision, you’re wasting money that could be used elsewhere. In this presentation, we’ll share with you 3 ways we’ve learned how to get capacity utilization wrong and how we eventually got it right.

  1. CPU measurement alone won’t give you the full view of your infrastructure utilization
  2. You can’t measure the utilization for a metric if you don’t know how high it can go
  3. If you only rely on request count and don’t include queue length, you will miss an early warning

Sep 5, 2015

The story of USPTO’s journey and struggles with implementing DevOps.

Sep 5, 2015

W. Edwards Deming offered 14 key principles for management to follow for significantly improving the effectiveness of a business or organization. Many of the principles are philosophical. Others are more programmatic. All are transformative in nature. The points were first presented in his book Out of the Crisis.