DevOps vs DevSecOps: what it looked like at one bank

The bank outsources its projects to many contractors. The "outsiders" write the code and hand over the results in a rather inconvenient way. Specifically, the process looked like this: they hand over a project that has passed functional tests on their side, then it is tested inside the bank's perimeter for integration, load, and so on. It often turned out that the tests failed. Then everything went back to the external developer. As you can guess, this meant long lead times for fixing defects.

The bank decided that it was both possible and necessary to bring the whole pipeline under its own wing, from commit to release. So that everything would be uniform and under the control of the bank's product teams. In other words, as if the external contractor were working somewhere in the next room of the office. On the corporate stack. That is ordinary DevOps.

Where does the "Sec" come from? The bank's security had strict requirements for how an external contractor may work in a network segment, what access a person has, and how and by whom the code is handled. It was simply that information security did not know that when contractors work on the outside, few of the bank's standards are followed. And then, within a few days, everyone started to see it for themselves.

The simple revelation that a contractor has full access to the product code had already turned their world upside down.

That is where the DevSecOps story began, and it is the one I want to tell you about.

What practical conclusions did the bank draw from this situation?

There was a lot of argument that everything was being done the wrong way. The developers said that security was only busy trying to obstruct development and that, like watchmen, they tried to block things without thinking. The security specialists, in turn, wavered between two points of view: "developers create vulnerabilities in our circuit" and "developers don't create vulnerabilities, they are the vulnerability." The argument would have dragged on for a long time if not for new market demands and the emergence of the DevSecOps paradigm. It became possible to explain that precisely this automation of processes, with information security requirements taken into account "out of the box," would keep everyone happy. In the sense that the rules are written down up front and do not change mid-game (security will not unexpectedly block something), and developers keep security informed about everything that happens (security does not run into surprises). Each team also carries responsibility for overall security, rather than some "big brothers."

  1. Since external staff already have access to the code and to a number of internal systems, the requirement "development must be done entirely on the bank's infrastructure" can probably be removed from the documents.
  2. On the other hand, control over what happens needs to be tightened.
  3. The compromise was to form cross-functional teams in which employees work alongside outsiders. In that case, you have to make sure the team works with tools on the bank's servers. From start to finish.

In other words, contractors can be let in, but they need to be given separate segments. So that they do not bring some kind of infection from outside into the bank's infrastructure, and so that they do not see more than they need to. And, of course, so that their actions are logged. DLP to protect against leaks, all of that was included.

In fact, every bank comes to this sooner or later. Here we went a different way and agreed on the requirements for such an environment where the "outsiders" work. A whole set of access-control tools, vulnerability-scanning tools, and antivirus analysis of circuits, builds and tests appeared. This is what is called DevSecOps.

It suddenly became clear that whereas before DevSecOps the bank's security had no control over what happened on the developer's side, in the new paradigm security is controlled in the same way as ordinary infrastructure events. Only now there are alerts on builds, library control, and so on.

What remains is to move the teams to the new model. Well, and to build the infrastructure. But those are small details, like drawing the owl. In fact, we helped with the infrastructure, and the development processes changed at the same time.

What changed

We decided to roll it out in small steps, because we understood that many processes would fall apart and that many "outsiders" might not cope with the new working conditions under everyone's supervision.

First, we built cross-functional teams and learned to plan projects with the new requirements in mind. In terms of planning, we discussed which processes were involved. The result was a diagram of the build pipeline with all the stakeholders.

  • CI: Git, Jenkins, Maven, Roslyn, Gradle, jUnit, Jira, MF Fortify, CA Harvest, GitlabCI.
  • CD: Ansible, Puppet, TeamCity, Gitlab TFS, Liquidbase.
  • Test: Sonarqube, SoapUI, jMeter, Selenium: MF Fortify, Performance Center, MF UFT, Ataccama.
  • Presentation (reporting, communication): Grafana, Kibana, Jira, Confluence, RocketChat.
  • Operations (maintenance, management): Ansible, Zabbix, Prometheus, Elastic + Logstash, MF Service Manager, Jira, Confluence, MS Project.

The selected stack:

  • Knowledge base - Atlassian Confluence;
  • Task tracker - Atlassian Jira;
  • Artifact repository - "Nexus";
  • Continuous integration system - "Gitlab CI";
  • Continuous analysis system - "SonarQube";
  • Application security analysis system - "Micro Focus Fortify";
  • Communication system - "GitLab Mattermost";
  • Configuration management system - "Ansible";
  • Monitoring system - "ELK", "TICK Stack" ("InfluxData").

They started building a team that would be ready to pull the contractors inside. There was an understanding that a few things were important:

  • Everything should be unified, at least where code is submitted. Because there were as many contractors as there were development processes, each with its own peculiarities. Everyone had to be fitted into one place, but with options.
  • There are many contractors, and building infrastructure by hand is not an option. Any new task should start as quickly as possible - that is, an instance should be deployed almost immediately so that the developers have a set of solutions for managing their pipelines.

To take the first step, we had to understand what was being done. And we had to decide how we would get there. We started by helping to draw the architecture of the target solution, both for the infrastructure and for the CI/CD automation. Then we started assembling this conveyor. We needed a single infrastructure, the same for everyone, on which identical conveyors would run. We offered options with cost estimates, the bank thought it over and decided what would be built and with what funds.

Next came building the circuit - software installation and configuration. Development of scripts for deployment and infrastructure management. Then came the transition to supporting the conveyor.

We decided to test everything on a pilot. Interestingly, during the pilot a certain stack appeared in the bank for the first time. Among other things, a domestic vendor of one of the solutions was given the scope of the pilot for rapid deployment. The security people got to know it during the pilot, and it left an unforgettable impression. When we decided to switch, fortunately, the infrastructure layer was replaced by a Nutanix solution that had already been in the bank before. Moreover, before that it had been used for VDI, but we reused it for infrastructure services too. At small scale it did not fit the budget, but at scale it turned out to be an excellent environment for development and testing.

The rest of the stack is more or less familiar to everyone. Automation tooling was implemented on Ansible, and the security specialists worked closely with it. The Atlassian stack had been in use at the bank before the project. The Fortinet security tools were proposed by the security people themselves. The testing framework was built by the bank, no questions asked. The repository system raised questions; I had to get used to it.

The contractors were given the new stack. They were given time to rewrite their pipelines for GitlabCI, move Jira into the bank's segment, and so on.

Step by step

Stage 1. First, we deployed a solution from a domestic vendor; the product was connected to the newly created DSO (DevSecOps) network segment. The platform was chosen for its delivery time, scaling flexibility and the possibility of full automation. The following was tested:

  • Flexible and fully automated management of the virtualization stack's infrastructure (network, disk subsystem, compute resource subsystem).
  • Automation of machine life-cycle management (templates, snapshots, backups).

After installation and basic configuration of the platform, it was used as the deployment point for the second-stage subsystems (DSO tools, development circuits for retail systems). The necessary sets of pipelines were created - creation, deletion, modification and backup of virtual machines. These pipelines were used as the first stage of the deployment process.

The outcome was that the supplied hardware did not meet the bank's requirements for performance and fault tolerance. The bank's IT department decided to build a complex based on the Nutanix software package.

Stage 2. We took the stack that had been defined and wrote automated installation and post-configuration scripts for all subsystems, so that everything could be transferred from the pilot to the target circuit as quickly as possible. All systems were deployed in a fault-tolerant configuration (where this was not limited by the vendor's licensing policy) and connected to the metrics and event-collection subsystems. Information security analyzed compliance with its requirements and gave the green light.

Stage 3. Migration of all subsystems and their settings to the new hardware and software complex. The infrastructure automation scripts were rewritten, and the migration of the DSO subsystems was completed in fully automatic mode. The IP development circuits were re-created by the development teams' pipelines.

Stage 4. Automation of application software installation. These tasks were assigned to the team leads of the new teams.

Stage 5. Operation.

Remote access

The development teams asked for great flexibility in working with the circuit, and the requirement for remote access from personal laptops was raised at the very start of the project. The bank already had remote access, but it was not suitable for developers. The thing is that the scheme used a user connection to a hardened VDI. That was fine for those who only needed mail and the office suite at their workplace. Developers would need heavy clients, high performance and plenty of resources. And they had to be stable, since losing a user session is unacceptable for someone working with Visual Studio (for example) or another SDK. Provisioning a large number of powerful, hardened VDIs for all the development teams would sharply increase the cost of the existing VDI solution.

We decided to work on direct remote access to the resources of the development segment: Jira, Wiki, Gitlab, Nexus, build and test benches, virtual infrastructure. The security people required that access be granted only on the following conditions:

  1. Use of technologies already available in the bank.
  2. The infrastructure must not use the existing domain controllers that hold production account records.
  3. Access must be limited to only those resources needed by a particular team (so that one product team cannot reach another team's resources).
  4. Maximum control over RBAC in the systems.

As a result, a separate domain was created for this segment. This domain holds all the resources of the development segment, both user accounts and infrastructure. The life cycle of the records in this domain is managed with the bank's existing IdM.

Direct remote access was organized on the bank's existing equipment. Access control was split by AD groups, each of which corresponds to a set of rules (one product team = one rule group).
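The isolation requirement above (one product team = one AD group = one rule group, and no team reaching another team's resources) is easy to state and easy to break by a single misplaced rule. The following is an added example, not the bank's tooling: a Python check over a constructed group-to-rules mapping that computes which teams can reach each resource and flags anything reachable by more than one team that is not declared as shared. The group names, rule groups, resource labels and the shared-service list are all assumptions made for the example.

```python
"""Hypothetical isolation check for the development-segment access model:
AD group -> rule group (one-to-one), rule group -> resources.
Not the bank's code; all names below are constructed for the example."""

from collections import defaultdict

# Constructed sample: AD group -> rule group. By design this must be one-to-one.
GROUP_RULES = {
    "DSO-Team-Cards": "rules-cards",
    "DSO-Team-Loans": "rules-loans",
}

# Constructed sample: rule group -> resources it grants. One VM is deliberately
# granted to both teams so the check has something to find.
RULE_RESOURCES = {
    "rules-cards": {"jira", "gitlab:cards", "nexus:cards", "vm:cards-build-01"},
    "rules-loans": {"jira", "gitlab:loans", "nexus:loans", "vm:cards-build-01"},
}

# Services every team is allowed to reach (assumed); exempt from the isolation rule.
SHARED_RESOURCES = {"jira", "confluence"}


def effective_access(group_rules, rule_resources):
    """Return {resource: set of AD groups that can reach it}."""
    reach = defaultdict(set)
    for group, rule_group in group_rules.items():
        for resource in rule_resources.get(rule_group, set()):
            reach[resource].add(group)
    return dict(reach)


def isolation_violations(group_rules, rule_resources, shared):
    """Resources reachable by more than one team that are not declared shared."""
    reach = effective_access(group_rules, rule_resources)
    return sorted(
        resource for resource, groups in reach.items()
        if len(groups) > 1 and resource not in shared
    )


def one_to_one_violations(group_rules):
    """Rule groups assigned to more than one AD group, breaking 'one team = one rule group'."""
    seen = defaultdict(list)
    for group, rule_group in group_rules.items():
        seen[rule_group].append(group)
    return {rg: sorted(gs) for rg, gs in seen.items() if len(gs) > 1}


if __name__ == "__main__":
    print("cross-team resources:", isolation_violations(GROUP_RULES, RULE_RESOURCES, SHARED_RESOURCES))
    print("rule groups shared by several AD groups:", one_to_one_violations(GROUP_RULES))
```

Run against the sample data, the first check reports `vm:cards-build-01` and the second reports nothing. In practice the two mappings would be exported from AD and from the firewall or RBAC system rather than typed in, and the check would run in the pipeline whenever either export changes.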

VM template management

The speed of creating a build-and-test loop is one of the main KPIs set by the head of the development unit, because the speed of environment preparation directly affects the total execution time of the pipeline. Two options for preparing base VM images were considered. The first is a minimal image size, standard across all system products, with maximum compliance with the bank's configuration policies. The second is a base image with the heavy application software already installed, since its installation time could strongly affect pipeline execution speed.

Infrastructure and security requirements were also taken into account during development - keeping the images current (patches, etc.), integration with the SIEM, and security settings in accordance with the bank's standards.

As a result, it was decided to use minimal images in order to reduce the cost of keeping them current. It is much easier to update the base OS than to patch every image with new versions of the application software.

Based on this, a list of the minimum required set of applications was drawn up; updates are performed by the operations team, and the pipeline scripts are fully responsible for updating the software and, if necessary, changing the version of the installed software - you just pass the required tag to the pipeline. Yes, this requires the product's devops team to maintain more complex deployment scenarios, but it sharply reduces the labour needed to support the base images, which might otherwise have required more than a hundred VM images to be maintained.

Internet access

Another stumbling block with the bank's security was access to internet resources from the development environment. This access can be divided into two categories:

  1. Infrastructure access.
  2. Developer access.

Infrastructure access was organized by proxying the external repositories through Nexus. That is, no direct access from the virtual machines was provided. This made it possible to reach a compromise with information security, which was categorically against giving the development segment any access to the outside world.
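A "no direct egress, everything through Nexus" rule only holds as long as no build machine carries a package-manager configuration pointing elsewhere. The following is an added example, not the bank's or Sonatype's code: a Python audit that pulls the repository URLs out of pip, npm and Maven configuration text and reports every URL whose host is not the internal Nexus proxy. The hostname `nexus.dev.bank.example` and the three sample configuration files are constructed for the example; each file contains one compliant entry and one entry that would need direct internet access.

```python
"""Hypothetical audit of package-manager configs against a Nexus-only egress policy.
Not the bank's tooling; the hostname and sample configs are constructed."""

import configparser
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NEXUS_HOST = "nexus.dev.bank.example"  # assumed internal proxy hostname

# Constructed sample pip.conf: index via Nexus, but an extra index straight to PyPI.
PIP_CONF = """
[global]
index-url = https://nexus.dev.bank.example/repository/pypi-proxy/simple
extra-index-url = https://pypi.org/simple
"""

# Constructed sample .npmrc: default registry via Nexus, a scoped registry bypassing it.
NPMRC = """
registry=https://nexus.dev.bank.example/repository/npm-proxy/
@acme:registry=https://registry.npmjs.org/
"""

# Constructed sample Maven settings.xml: a Nexus mirror, plus a profile repository
# that names Maven Central directly.
MAVEN_SETTINGS = """<settings>
  <mirrors>
    <mirror><id>nexus</id><mirrorOf>*</mirrorOf>
      <url>https://nexus.dev.bank.example/repository/maven-public/</url></mirror>
  </mirrors>
  <profiles><profile><repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories></profile></profiles>
</settings>
"""


def pip_urls(text):
    """Index URLs from a pip.conf [global] section (extra-index-url may hold several)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    urls = []
    for key in ("index-url", "extra-index-url"):
        if cp.has_option("global", key):
            urls.extend(cp.get("global", key).split())
    return urls


def npm_urls(text):
    """Default and scoped registry URLs from .npmrc ('registry=' and '@scope:registry=')."""
    return [url for _key, url in re.findall(r"^(\S*registry)=(\S+)$", text, re.M)]


def maven_urls(text):
    """Every <url> in settings.xml, covering both mirrors and profile repositories."""
    root = ET.fromstring(text)
    return [el.text.strip() for el in root.iter("url") if el.text]


def off_proxy_urls(urls, nexus_host=NEXUS_HOST):
    """URLs whose host is not the Nexus proxy, i.e. that would need direct egress."""
    return [u for u in urls if urlparse(u).hostname != nexus_host]


def audit_all():
    """{tool: [offending URLs]} for every config that bypasses the proxy."""
    sources = {
        "pip": pip_urls(PIP_CONF),
        "npm": npm_urls(NPMRC),
        "maven": maven_urls(MAVEN_SETTINGS),
    }
    return {name: bad for name, urls in sources.items() if (bad := off_proxy_urls(urls))}


if __name__ == "__main__":
    for tool, urls in audit_all().items():
        print(f"{tool}: bypasses proxy via {urls}")
```

On a real build image the three parsers would be fed `~/.pip/pip.conf`, `~/.npmrc` and `~/.m2/settings.xml` (or their system-wide equivalents), and a non-empty result from `audit_all()` would fail the image build. The host comparison deliberately ignores the URL path: a repository path on the Nexus host is the proxy's concern, while any other host means the firewall rule is being relied on instead of the configuration.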

Developers needed internet access for obvious reasons (stackoverflow). And although all the teams, as mentioned above, had remote access to the circuit, it is not always convenient when you cannot ctrl+v from your developer workstation at the bank into the IDE.

An agreement was reached with information security that initially, during the testing stage, access would be provided through a bank proxy on a whitelist basis. After the project was completed, access would move to a blacklist. Large access tables were prepared, listing the main resources and repositories that needed to be reachable at the start of the project. Coordinating this access took a fair amount of time, which made it possible to insist on switching to the blacklist as soon as possible.
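The argument for moving from the whitelist to the blacklist is easier to make with data from the whitelist period: which requests would change verdict under the new policy, and which whitelist entries were never used. The following is an added example, not the bank's proxy configuration: a Python helper that evaluates a constructed sample of proxy log lines under both modes and reports the differences. The log format, user names, list contents and the two list files are all assumptions made for the example.

```python
"""Hypothetical allowlist-vs-denylist comparison over proxy logs.
Not the bank's code; log lines and both lists are constructed for the example."""

import fnmatch
from urllib.parse import urlparse

# Constructed proxy log, one request per line: "<timestamp> <user> <url> <status>".
PROXY_LOG = """\
2019-03-01T09:00:01Z dev.ivanov https://stackoverflow.com/questions/1 200
2019-03-01T09:00:05Z dev.ivanov https://files.pythonhosted.org/packages/x.whl 200
2019-03-01T09:01:10Z dev.petrov https://pastebin.com/raw/abcd 403
2019-03-01T09:02:30Z dev.petrov https://github.com/acme/tool/releases 200
2019-03-01T09:02:45Z dev.petrov https://docs.python.org/3/library/ssl.html 403
2019-03-01T09:03:00Z dev.sidorov https://mega.nz/file/xyz 403
"""

# Constructed lists; fnmatch-style patterns, so "*.example.com" covers subdomains.
ALLOWLIST = ["stackoverflow.com", "*.stackexchange.com", "github.com",
             "files.pythonhosted.org", "docs.oracle.com"]
DENYLIST = ["pastebin.com", "*.pastebin.com", "mega.nz", "*.mega.nz"]


def parse_log(text):
    """Turn log lines into dicts with the request host extracted from the URL."""
    records = []
    for line in text.splitlines():
        ts, user, url, status = line.split()
        records.append({"ts": ts, "user": user, "host": urlparse(url).hostname,
                        "status": int(status)})
    return records


def matches(host, patterns):
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def decide(host, mode, allowlist=ALLOWLIST, denylist=DENYLIST):
    """'allow' or 'block' for a host under the given policy mode."""
    if mode == "allowlist":
        return "allow" if matches(host, allowlist) else "block"
    if mode == "denylist":
        return "block" if matches(host, denylist) else "allow"
    raise ValueError(f"unknown mode {mode!r}")


def compare_modes(records):
    """Hosts whose verdict changes when moving from allowlist to denylist mode."""
    changes = {}
    for r in records:
        before, after = decide(r["host"], "allowlist"), decide(r["host"], "denylist")
        if before != after:
            changes[r["host"]] = (before, after)
    return changes


def unused_allowlist_entries(records, allowlist=ALLOWLIST):
    """Allowlist patterns no request ever matched; candidates for removal."""
    hosts = {r["host"] for r in records}
    return [p for p in allowlist if not any(fnmatch.fnmatchcase(h, p) for h in hosts)]


if __name__ == "__main__":
    recs = parse_log(PROXY_LOG)
    print("verdict changes:", compare_modes(recs))
    print("never-used allowlist entries:", unused_allowlist_entries(recs))
```

On the sample, the only host whose verdict flips is `docs.python.org` (blocked under the allowlist, allowed under the denylist), and two allowlist entries were never used. The same shape of report, produced from the real proxy logs over the whitelist period, is what lets security see exactly what the switch to a blacklist would open up and what it would continue to block.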

Results

This project ended a little less than a year ago. Surprisingly, all the contractors moved to the new stack on time, and not one of them left because of the new machinery. Information security is in no hurry to share constructive feedback, but it is not complaining either, from which we can conclude that they like it. The conflict has subsided, because information security again feels in control but does not get in the way of the development processes. The teams were given additional load, and the general attitude toward information security improved. The bank understood that the move to DevSecOps was practically inevitable, and made it, in my opinion, in a gentle and correct way.

Alexander Shubin, system architect.

Source: www.habr.com
