DEV Community: Saad Fazal

Exploring DevOps: A New Adventure

Saad Fazal — Fri, 05 Jul 2024 20:31:36 +0000

Introduction

Hey everyone! As you know, I've always been a data guy, diving deep into the realms of data science. But recently, I've decided to give DevOps a try. Why, you ask? Well, thanks to the amazing DevOps community and a special shoutout to "kubeden" for enlightening me on how fascinating this field can be, I thought, why not explore it? So, I decided to take a detour from my data journey and spend some time in the DevOps world.

My Background

I’ve been a developer for three years now, with some experience in cloud computing and AWS. So, I figured learning DevOps might be a bit easier given my background. Here’s a rundown of what I’ve learned in the past four days during my free time:

AWS

IAM

Users: Managing user accounts and permissions.
Groups: Organizing users into groups for easier management.
Policies (Permissions): Defining and assigning permissions to users and groups.

Amazon Elastic Container Service (ECS) and ECR

Deploy Docker Container:
- Create Cluster: Setting up a new ECS cluster.
- Service API:
  - Tasks: Running individual containers.
  - Load Balancer: Distributing traffic among containers.
  - Health Checker: Monitoring container health.

Elastic Beanstalk

Deploying and managing applications without worrying about the underlying infrastructure.

Docker

Basics

Installation of Docker CLI and Desktop: Getting Docker up and running on my machine.
Understanding Images vs. Containers: Learning the difference between Docker images and containers.
Running Ubuntu Image in Container: Starting a container with Ubuntu.
Multiple Containers: Managing multiple containers simultaneously.
Port Mappings: Mapping container ports to host ports.
Environment Variables: Setting environment variables for containers.
Dockerization of Node.js Application:
- Dockerfile: Creating a Dockerfile for a Node.js app.
- Caching Layers: Using caching to speed up builds.
- Publishing to Hub: Pushing images to Docker Hub.

Advanced

Docker Compose:
- Services: Defining multi-container applications.
- Port Mapping: Configuring port mappings for services.
- Env Variables: Setting environment variables for services.
Docker Networking:
- Bridge: Default network driver.
- Host: Using the host’s networking stack.
Volume Mounting: Persisting data using volumes.
Efficient Caching in Layers: Optimizing Dockerfile for caching.
Docker Multi-Stage Builds: Using multi-stage builds to reduce image size.

Nginx

Setting Up

Launching an EC2 Instance:
- Create and configure a virtual machine using EC2: Choosing an instance type and region.
- Assign a static IP: Ensuring consistent access.
- Set up security groups: Allowing HTTP and HTTPS traffic.

Configuration

Accessing the EC2 Instance: Connecting via SSH.
Updating and Installing Necessary Packages: Keeping everything up-to-date.
Cloning the Project Repository: Downloading my Node.js app.
Installing Project Dependencies: Using npm install.
Running the Node.js Application: Managing with pm2.
Setting Up a Domain: Registering and pointing a domain to my Elastic IP.
Configuring Nginx: Proxying requests to the Node.js app.
Setting Up SSL with Let's Encrypt: Using Certbot for SSL certificates.

Kafka

Key Concepts

High Throughput and Less Storage: Optimized for large data streams.
Components:
- Producers and Consumers: Sending and receiving messages.
- Topics and Partitions: Organizing messages.
- Consumer Groups: Managing multiple consumers.

Models

Queue and Pub/Sub: Handling different messaging patterns.
Zookeeper: Managing Kafka infrastructure.
Admin, Producers, and Consumers: Setting up and using Kafka.

Serverless

Overview

No Server Management: Focusing on code, not servers.
Event-Driven Execution: Functions triggered by events.
Automatic Scaling: Scaling based on load.
Pay-per-Invocation: Billing based on function usage.

Practical Example

Creating a Lambda Function: Deploying a function to AWS Lambda.
Trigger Setup: Using API Gateway to invoke the function.
Testing: Verifying with a browser and Postman.

What's Next: My Learning Plan for the Next 4 Days

In the next four days, I plan to dive deeper into the following areas:

More AWS Services: Expanding my knowledge of various AWS services beyond the basics.
Azure: Getting familiar with Microsoft's cloud platform and its unique features.
Terraform: Learning infrastructure as code to manage cloud resources efficiently.
Ansible: Exploring configuration management and automation.
CI/CD: Strengthening my understanding of continuous integration and continuous deployment practices.
GitHub Workflows: Refining my skills in creating and managing workflows on GitHub.

Conclusion

So in these days, my free time goes to learning about DevOps and I will be sharing more about what I have learned, and in a new post, I will share the resources too.

For the DevOps community: Do let me know your thoughts and what should I need to put more focus on in this DevOps realm?

Stay curious, keep learning, and happy coding!

I lost $93 while testing the newly released Open AI vision

Saad Fazal — Tue, 02 Jul 2024 18:38:17 +0000

Introduction

Hey everyone! It's Saad Fazal here, and today I want to talk about something that I've been noticing more and more on GitHub: the alarming lack of security awareness among some developers. As much as I love the collaborative spirit of open-source, it's crucial that we all take security seriously.
I was messing around on GitHub, just doing some casual searches, and guess what I found? Yep, OpenAI API keys scattered around in public repos like confetti at a New Year's party. If you're thinking, "Oh no, not me!"—think again. Here's the search query I used:

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Why This is a Big Deal

Financial Risks

Exposing your API keys is like leaving your wallet on the sidewalk. Sure, someone might just ignore it, but chances are, someone’s going to pick it up and go on a spending spree with your hard-earned cash. And trust me, those OpenAI bills can rack up fast!

My Funny Mishap with OpenAI Vision

So, I was once testing the newly released OpenAI Vision using the API, and in a classic "whoops" moment, I accidentally put my Python code in a loop. It kept taking screenshots of my desktop and sending POST requests to the OpenAI Vision API. Within just 5 minutes, I was charged $93. Talk about an expensive lesson in debugging!

Security Breaches

Leaving your keys out in the open can lead to unauthorized access to your systems. It’s not just about the money—you could be giving hackers the keys to your kingdom. They can wreak havoc, steal data, or worse.

Professional Reputation

Imagine a potential employer or client stumbling upon your exposed keys. Awkward, right? It doesn’t exactly scream “I’m a responsible developer.” Keeping your credentials secure is a must for maintaining your professional image.

Steps to Secure Your API Keys

Use Environment Variables

Store your keys in environment variables instead of hardcoding them in your files. This keeps them out of your source code and reduces the risk of accidental exposure.

Git Ignore

Make sure your .gitignore file is properly configured to exclude sensitive files like .env. This prevents them from being committed to your repository.

Secrets Management

Use secrets management tools provided by cloud providers or services like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. These tools help you manage and access your secrets securely.

Regular Audits

Regularly audit your repositories for accidental exposures. Use tools like TruffleHog, GitGuardian, or similar to scan your codebase for sensitive information.

Private Repos Aren't Safe Either

Just because a repository is private doesn't mean it's safe to store your credentials there. If your account gets compromised, so do all your private repos. Treat them with the same level of security as you would a public repo.

Conclusion

Let's all take a moment to reflect on our security practices. It's easy to overlook these details, but the implications can be severe. By taking proactive steps, we can protect our projects, our finances, and our reputations.

I hope this blog post helps raise awareness about the importance of security on GitHub. Let's work together to make our projects safer and more secure. If you have any thoughts or additional tips, feel free to share them!
Stay secure, stay vigilant, and happy coding!