SRE NEWSLETTER

Issue #49 // December 17, 2021

It's been a rough week for site reliability engineers and other IT groups. Fresh off of the AWS outage last week, we get another AWS outage. Azure also reported issues and there was latency in Cloudflare. Maybe we should go back on-prem. Was that production server under my desk really such a bad idea? /s

Log4Shell probably has your IT department scrambling. If you're lucky, you're just responding to requests saying you're not affected. Those that are less lucky are busy updating their applications. In the worst shape are those that have no idea if they're at risk or how to find out.

National Vulnerability Database - Log4j
// nvd.nist.gov
The first of a few Log4Shell links. I couldn't think of anything more official than NIST.
Log4Shell, the Bug that's Breaking the Internet
// techcrunch.com
On the opposite end of the spectrum from the NIST link is TechCrunch. This is probably the Log4j article your CTO read.
Log4Shell Update: Second log4j Vulnerability Published
// lunasec.io
After the log4j maintainers released version 2.15.0 to address the Log4Shell vulnerability, an additional attack vector was identified and reported.
Log4j 2.15.0 and Previously Suggested Mitigations May Not Be Enough
// isc.sans.edu
While version 2.16.0 seems fine, version 2.15.0 would still be vulnerable when the configuration has a pattern layout containing a Context Lookup.
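As an added example (not code from the newsletter, SANS or the Log4j project), a small POSIX shell check that flags Log4j 2 configuration files whose PatternLayout uses a Context Lookup (`${ctx:key}`) or a Thread Context Map converter (`%X`, `%mdc`, `%MDC`), the configuration case the SANS note says 2.15.0 does not cover; the two sample configuration files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the newsletter or the Log4j project: report whether a
# Log4j 2 configuration's PatternLayout reads from the Thread Context, which is
# the case the SANS note says the 2.15.0 fix leaves open. Sample configs below
# are constructed for this demo.

# Thread Context patterns that can appear inside a PatternLayout:
#   ${ctx:key}                  Context Lookup
#   %X, %X{key}, %mdc, %MDC     Thread Context Map converters
# Matched case-sensitively so that %xEx (exception converter) is not flagged.
CTX_PATTERN='\$\{ctx:|%X|%mdc|%MDC'

# uses_context_lookup FILE -> exit 0 if a pattern attribute or PatternLayout
# line in FILE contains a Thread Context pattern, 1 otherwise.
uses_context_lookup() {
    grep -iE 'pattern=|PatternLayout' "$1" | grep -qE "$CTX_PATTERN"
}

# classify FILE -> prints "context-lookup" (review this file) or "clean".
classify() {
    if uses_context_lookup "$1"; then
        echo "context-lookup"
    else
        echo "clean"
    fi
}

# Constructed sample configurations written to a temp dir for the demo.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat >"$DEMO_DIR/log4j2-ctx.xml" <<'EOF'
<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p user=${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>
EOF
cat >"$DEMO_DIR/log4j2-clean.xml" <<'EOF'
<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
</Configuration>
EOF

for f in "$DEMO_DIR"/*.xml; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify "$f")"
done
```

A "context-lookup" verdict means the file needs the 2.16.0 upgrade (or the pattern removed) rather than relying on 2.15.0 alone.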
Lessons in Trust From us-east-1
// lastweekinaws.com
Corey Quinn balks at AWS's RCA, saying he's unconvinced they even understand their outage. Don't use Route 53 because it relies too heavily on us-east-1.
AWS Misfires Once More, Just Days After a Massive Failure
// zdnet.com
This time the issue was in US-West-1 and US-West-2. The outage impacted Duo, Zoom, and Slack.
AWS Tools Suck
// cyclic.sh
As an Azure guy, I've complained about AWS developer experience for years. There are two types of people that push AWS: the people making money off the complexity (AWS Architects) or the CxOs who heard it will save them money.
Don't Start With Microservices - Monoliths Are Your Friend
// arnoldgalovics.com
I've shared similar articles a few times in the SRE Newsletter, but it's worth repeating... Fight against over-engineering.
GitOps on Kubernetes: Deciding Between Argo CD and Flux
// thenewstack.io
Christian Hernandez compares two open source projects from the Cloud Native Computing Foundation: Argo CD and Flux.
Orchestration and Microservices - A Match Made in Heaven
// orkes.io
Instead of chaining all your services together, pass them through a centralized orchestrator for better observability and future abstractions.
Filtering Lessons
// tbray.org
Amazon announced event filtering for Lambdas reading from SQS, DynamoDB, and Kinesis. One of the coders gives a little history of its origins.