• 0 Posts
  • 21 Comments
Joined 1 year ago
Cake day: July 1st, 2023


  • This is something docker promised, but never delivered.

    It does. It does do this. That’s the docker image not the docker file. You are confusing the spec with the artifact. If you want reproducible dev envs you use a system like compose or any rad of other tools to launch images from your artifact store.

    It should not, but artifacts never had a problem with mutating before we had docker. If you generate an rpm package and store it in an artifactory it always was the same exact package (unless someone overwrote it, lol)

    LOL. We always have this problem if you have people only using spec files and not the artifacts. You are comparing apples to oranges by comparing the dockerfile to a built rpm package. Let me help you:

    An rpm package == docker image
    An rpm .spec file == dockerfile

    If you only give people spec files and have them rebuild the package you will get different hashes of the rpm file. Similarly you would likely not change your spec file between releases and know your rpm file is going to be different.


  • The dockerfile does not guarantee this, but the docker image or any OCI image does. Dockerfile should not be confused with the artifact. Operationally we usually expect a dockerfile to be identical across many builds of different releases and know the artifact produced will have different code.

    Anything you are doing with nix to make the lock files perfect is the same amount of work you’d be doing to any method of producing an OCI artifact.

    I do think your approach is interesting though. Certainly less effort than manually packing an OCI with something like buildpacks or trying to run through bazel to get your way through a distroless build (two other methods that don’t make massive images with a Debian base). And obviously ‘From:scratch’ in docker build land is a nightmare.
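Added example, not part of the comments above: a simplified, one-layer model of an OCI-style image showing why a digest pins the artifact while the spec does not. The `SPEC_FILES` sample, the function names and the reduced manifest (the config descriptor is omitted) are assumptions made for illustration.

```python
import hashlib, io, json, tarfile

# Constructed sample "source tree"; it stays identical across both builds.
SPEC_FILES = {"app/main.py": b"print('hello')\n"}

def digest(blob):
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def build_layer(files, mtime):
    """Pack files into a tar layer; mtime models the timestamp a rebuild stamps in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_image(files, mtime):
    """Return (manifest_bytes, blobs) for a simplified one-layer image."""
    layer = build_layer(files, mtime)
    manifest = json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
                    "digest": digest(layer), "size": len(layer)}],
    }, sort_keys=True).encode()
    return manifest, {digest(layer): layer}

def verify_pull(pinned, manifest, blobs):
    """Accept an image only if the manifest and every layer hash to what was pinned."""
    if digest(manifest) != pinned:
        return False
    for layer in json.loads(manifest)["layers"]:
        blob = blobs.get(layer["digest"])
        if blob is None or digest(blob) != layer["digest"]:
            return False
    return True
```

Building `SPEC_FILES` at two different timestamps yields two different manifest digests, so a deployment pinned to the first digest rejects the rebuild even though the inputs never changed.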





  • You usually run into issues if you are trying to use off the shelf tools and git providers. IMO GitHub and GitHub actions sucks hard for monorepo. The fact that all actions have to be stored in a single directory for example almost certainly is an unmanageable rat’s nest waiting to happen at any sufficiently large business with a sufficiently complex product or set of products.

    This is why companies like Google run their own forms of git with custom wrappers to let you do things like pull a segment of the terabyte sized repo or run partial builds with tooling that basically runs some kind of graph against the changes. Bazel for example had to be invented to help solve that problem at Google and pants similarly for Twitter (who also has a monorepo).

    If you are willing to invest in using tools like bazel and own building all these complex wrappers then it can be fine. But if you want to use off the shelf GitLab or GitHub actions and use your IDE’s built in git tooling it’s not going to be for you. That’s the difference between what’s possible or a good idea at a medium shop vs a company with 40k engineers.

    In my experience at a company that just moved away from monorepo, half the off the shelf vendors and FOSS tools out there balk at you if you expect monorepo support. We moved away specifically because at our current company size it is more tolerable to have our different products separate and eat the occasional pain of mass pattern adjustments across the repos than to build out a team to manage the custom tooling required for a gig plus sized monorepo.

    Plus, even Google doesn’t have a true monorepo. Chrome and Android are not in the same repo as search for example. Find your seams and manage them appropriately.


  • One could argue the requirements have changed because the security and compliance part of the world finally caught up to modern software delivery concepts. Even the most dinosaur apps at compliant orgs are being dragged kicking and screaming into new CI/CD tools where applying governance and custody chains and permissions and approvals are all self documented automated hooks.




  • There’s a building like this by MIT in Boston. It famously sucks to live in.

    It turns out by making the surface area of the exterior extremely high compared to the internal volume, you massively increase the odds of a water leakage problem. The building may as well have no roof.

    It also attracts birds, bats, and bees to nest in all the little nooks and crannies so it looks like shit now with bird spikes and metal mesh crammed into all the spots that were intended to be the places your eye is drawn to in the original design.




  • Nobody seems to get this. Each time minimum wage goes up, employers balance that by splitting jobs over more people and make getting full time harder. They don’t have to provide benefits and they get more clout about how many jobs they create. It’s all upside for them.

    Real work reform would be providing benefits to everyone. If people get benefits directly from the government, then they get more negotiating power with their employers because moving between jobs is lower risk when you aren’t losing benefits as part of that.

    But pulling levers to raise wages is easier than redesigning the way we provide health, dental, vision, life, and retirement to our citizens so that’s what keeps happening and things just get more expensive in lock step.


  • Averages are fun. It’s likely Opsy roles do have the highest average. But it’s also very true that devs have the highest ceilings. There’s just very few devs making 600+ and the majority at 120-150. Then there is an absolute shit load of opsys making 160-200. So in ops you hit the ceiling super fast while the occasional dev just keeps rocketing to bullshit pay but the averages are what they are

    (Hiring manager for devops. I get the raw data through a corporate data broker)



  • Seconding the other comment, lots of orgs picked .lan and then over the last few years have moved things into the cloud and .lan has become a meaningless soup since half the shit isn’t even on local network. Now it just means “needs a vpn or ztn to talk to”

    Luckily my last three orgs finally bought a second domain for private dns. It’s quickly becoming a pattern that myorg.com owns myorg.tech or whatever for private traffic. Domains are cheap as fuck compared to everything else a business spends money on, it’s really silly how many people are using hacks for this