Stephen Thair and Raj Fowler, of DevOpsGroup, join a panel to discuss the future of DevOps, and what the next 12 Months of DevOps on Windows will look like.
Date: 16th November 2018 | Duration: 34:13
We didn’t actually have a wrap-up session last year, and it felt like everything ended without trying to get a consensus about how the day been and what you’ve learned. So we thought we’d wrap up with a little panel session.
The topic is the Future of WinOps, the future of DevOps and Windows. I’m happy to take questions, thoughts, anything you want to ask anyone on the panel? You yell out the question, I’ll repeat it for the video and then we’ll get an answer from the panel.
I’m going to let the panel introduce themselves because otherwise it’s going to be really dull. Just basically name, organisation, and job role and what’s one key thing you’ve taken away from today to introduce yourself?
And not be dull! Okay. So my name is Elton, I work for Docker. I did a couple of sessions on Docker today. My role in Docker is to teach people about containers in the Windows world. So I’m talking to the Windows community, telling them about how containers can run your 10-year-old .net framework apps and your brand new .net core apps and give you a common API to build and manage and deploy those things. I’ve been at WinOps now three times. I missed the very first.
So one of the themes that keep on coming up is there’s just this whole suite of technologies. I’m more on the technology side, a suite of technologies, and there’s increasingly an amount of overlap in what you can do with which tool. So a lot of the conversations I’ve had today have actually been, oh yeh, I saw your session on Docker, I can do a lot of that stuff on Terraform. Or I can do some of that stuff in Puppet. Where shall I draw the line? And you get a different answer from a Puppet person and a Terraform person and a Docker person. So, yeah, one of the things I think would be interesting is to see how much consolidation there is and where the line starts to be more clearly drawn as more people are doing this stuff.
Wow. I’ve got to keep up with that?
Sorry, if you give me a microphone, I’ll just keep talking until it’s taken away.
Don’t worry, I will shut you up!
I’m Phoummala Schmitt. I’m also known as Exchange Goddess on Twitter. I work for Microsoft. My background is in exchange, obviously, Windows server virtualization and storage.
The takeaway that I want to give everybody and also encourage is keeping your systems current. It’s great that, yes, you can run forever, but is that the best thing for you to do? Just because you can should you?
Who here is still running Windows Server 2008 workloads? Get out, get out now!
There is a Windows 3.1 out there.
Yeah. There’s one. There’s 3.1. That’s the gold star for today.
So I’m Raj Fowler. I work at DevOpsGroup. I’m the principal DevOps consultant.
My biggest takeaway from today is how mainstream DevOps and the DevOps movement has become. The number of people still standing up, in my little sit-down game that we played earlier, was quite amazing. The conversations I’ve heard today isn’t so much about should we or shouldn’t we be doing DevOps? It’s about how do we best apply principles, philosophies, technologies? The GDPR stuff from Alex earlier was amazing. How do we now go deeper into this and deliver things even more safely, even more quickly?
Managed to get Raj to finish shorter than you. That was a miracle!
I can keep going!
I’m Ian Margetts, platform lead for ALM at Asos.
I think my key takeaway really has been just the evolution of DevOps. I come here year on year on year. Even though we’ve got new challenges, we talk about the SRE role and that growing this year. We’ve got the evolution of new technology. Obviously Kubernetes and containers and becoming much, much more the thing within our industry and will be over next year, 18 months, I think. DevOps consistently seems to have, not an answer to it, but it’s keeping up pace with it. It’s constantly evolving. I think it means it’s got longevity. It’s got legs. I think it’s really good to see it is not just going to be a fad. It’s not just something that we’re going to move on to something new in the next couple of years. This is something that can help us in the long term. I think that’s really encouraging.
I’m going to kick off with the first question and then if anybody in the audience has a question, just put your hand up and then I’ll come around to you.
I was absolutely shocked in that session that you were talking about Raj. So, obviously we’ve been doing this for four years. The first session we asked who is using PowerShell? Only half the audience put their hand up. Let alone whether you’re using, PowerShell DSC wasn’t actually out then or had just launched. Using Terraform and ARM templates and all this other stuff. Then to have at least, I think was, a quarter of the audience saying they were deploying weekly, if not daily. That was such a change even from last year. It just seems like there’s been a massive shift like this. Why do you think this shift has happened? That’s open to anyone.
It’s an Agile world.
Did you think we’ve crossed over? It is mainstream now?
I believe so. I had just come from the customer world and one of our biggest focuses was to be more agile. In order to compete with other businesses, you have to be agile. The businesses are constantly evolving to make money. And if you’re still stagnant, you’re not improving. You’re not making money. I mean, at the end of the day isn’t it the dollar signs that really matter?
Show me the money!
And to get money. You’ve got to be moving. You have got to be constantly evolving.
I think the other side. It might be interesting to see who puts their hands up. Who has gone to the Cloud in the last year? Who has started that journey into the Cloud over the last year? Has anybody started that? So I think that’s kind of important as well. It’s a big enabler for DevOps. Not that you can’t do it on-prem but obviously when you go to the cloud, it makes life a lot simpler. As you go to the cloud it makes a lot of sense to pick up those practices as you go. For me, that would probably be another big driver for that uptake.
We definitely see that with our customer base. In the last year, our Cloud business has been growing and it’s pulling in that conversation. People are seeing their move to the cloud, their migration, as an opportunity to do things a better way. It’s that defining thing. I’m not going to keep doing this rubbish way again.
What about Elton? You are the more bleeding edge in the Docker and container world.
Absolutely. The interesting thing is that you mention about it being mainstream. I think that the uptake in DevOps is a lot about the fact that it has been validated in increasingly real companies.
So use the poster child of Netflix. Everyone knows Netflix is at the cutting edge of technology. Some great technologists at Netflix. No one has Netflix scale problem except Amazon. So you can’t just take all that Netflix stuff and run it in your company. But actually, the more and more use cases are taking this approach, this technology, this way of doing things.
When you go to conferences like this and any conference there will be a DevOps transformation story. But they are real companies. You have used their products. They’ve got the same problems that you have. So it is becoming validated and that’s why it’s becoming mainstream.
I actually have a friend of mine who works for Amazon retail in Seattle. He works in capacity planning. He’s the guy who actually has to go to AWS to have the conversation about how big they think Black Friday is going to be for Amazon. So AWS can do scale. So he’s working for Amazon, but he’s doing old school team capacity planning because he’s got the provision out the infrastructure because every year they don’t have enough.
Questions from the audience. Has anybody got questions for the panel? Anything about their presentations or any thoughts or takeaways? Just yell it out and I’ll repeat it.
That’s a good question. Just to quickly summarise, a lot of the technology is increasingly becoming cross-platform. We now have the operation to run these tools on both platforms. We now have increasing capability to run .net workloads cross-platform. Where do we think that evolution is going? What does it mean for the future of the Windows operating system? What are your thoughts?
So I think it depends a lot about the appetite of the company who are making that change. So a lot of our clients come to us. We’ve got three hundred .net applications. They’re running on Windows Server 2008 because an awful lot of people are. We want to move into the cloud and we want to move them to server 2019. We want to refresh our infrastructure if we’re running the data centre.
These three hundred apps, they’re on a scale of how well used they are. From this application here is running on a VM, two people use it. It’s never been updated for the last 10 years, but it’s still being regularly used. To this one here is our main active product with a huge backlog and a product team who are working on it. And somewhere in between that spectrum, you’re going to be able to carve out niches and say these apps are not going to change.
There is no value, business value or technological value in rewriting this .net framework, 3.5 application in .net core. There’s a huge business risk in doing that because it’s probably all the dependencies that it uses may or may not have been moved to .net core. Some dependencies may have been moved, but had structural changes. So you’ve got to regression test all that stuff as soon as you change it. So there’ll be a suite of applications where, yes, you can run them in .net core and run them in Linux on Kubernetes. And there are going to be some where it just doesn’t make any sense. So you just take those applications and package them and run them in windows containers.
Right now you can do that on swarm but by the by March next year, probably, Kubernetes will have GA support for windows. So you can have one cluster, a bunch of Windows servers, a bunch of Linux servers run all your applications in containers. You don’t care whether they are Windows or not. I think there will always be windows, obviously. There will always be Linux. I think the distinction will disappear.
I’m going to add on that. I think it just offers more flexibility for the end-users, for the business ultimately. You’ve got choice now rather than being pigeonholed into one operating system. It’s just flexibility. And now you can do oh, I can do everything and whatever suits your business requirements.
What about the management challenge complexity when we start to come into that world where we are running all these different workloads? Do you think that is going to make it harder to manage your estate?
We’re just starting that journey. Asos is largely a Windows-based organisation. Probably 99% Windows, I’d say. Except for retail that’s the 1%. But we’re just starting to take a look into Kubernetes and .net core. I can see over the next 18 months, a significant portion of Asos will go to Linux. I could see it being 40/50% of our workload would go to Linux, as a guess. But I can quite easily see it moving across to that kind of idea. So we’re just working out that story now as to what does that mean from a management point of view? I don’t think it necessarily needs to mean massive differences.
There’s a lot of tooling used to support this stuff that is also aligning. You’ve got the Linux DSC, the same with standard DSC. You can use Puppet in the same way. So a lot of those tools, you can use the same skill sets, the same disciplines to solve different problems. You are getting to the point where an engineer won’t care about what operating system they’re going to put it on. They’ll just say, give me a server and it will just give them a server. It almost won’t really matter to them what it’s going to be. I think we’re not far away from that.
I think that’s there are two sides to that complexity. There’s the complexity as we’re adopting this stuff. There are new things to learn. You’ll learn about Docker files. You’ll learn about Kubernetes manifest. You’ve got to understand what distributed computing means for these applications. So, there’s complexity there.
But then when everything is running in the same way, I think the complexity is a lot less because it’s just a consistent way of doing everything. So, the way I talk, the way I get logs out, the way I put the configuration in, the way I manage and deploy these things. It’s the same no matter what type of app it is. So I think the ops the ops become simpler long term.
Just to bring Raj into the conversation. We talked about when you were at BAE, you were doing SAP, Salesforce, ServiceNow, SuccessFactors and SharePoint. It was a 40 million pound portfolio that you were managing.
The reason I’m talking about this is that one of the things he was talking about is the consistency of patterns and practices. You weren’t doing a huge amount of DevOps automation technology stuff, but you were implementing consistent patterns and practices and getting huge returns out of that, in terms of the ways of working. Do you want to talk a bit about that?
Yeah. Sure. So I think a lot of this comes down to us taking the philosophies that underpin the Three Ways and Lean IT, and those sorts of things. And measuring the right things and having that kind of vision to goals. It didn’t matter about the teams as long as we were looking at how do we collaborate? How do we break the work down? How do we review and reflect on what we’ve done? Some teams had two-week sprints. Some teams had four-week sprints. SAP was slower. The business didn’t like to change as much but we could change SAP faster than the business could change.
The team were really encouraged to use the tools that were already in their platforms. So, SAP we encouraged the team to use Transports and to use Charm, which was kind of their orchestration capability. ServiceNow has got built-in capability for handling its own update sets and doing its own releases. We’d use Visual Studio for SharePoint, etc.
Part of that was just allowing our engineers to learn more about their product. Sending them on the product conferences, giving them training. Some of them hadn’t had training for 10 years and the products moved on. Giving them that training and then allowing that time for them to learn their tools, learn what their tools could do. Use the inherent capabilities of the platform whilst bolting on things like the visualisation of work. We used ServiceNow’s visual passports and best DLC engine rather than Jira and stuff like that.
What happened was we said this is the way and we started them off with daily standards, visualise flow, retrospectives, all that kind of stuff. And they adapted. They all deviated. They all had their own slightly different way of doing DevOps. Some did Kanban. Some did Scrum. But it worked for them. As long as they went on their path and they got better. When it came to integrating things where they all had to work together, we put some sort of framework over the top just to make sure everybody wasn’t heading off in the wrong direction. That really worked.
A quick question for the audience. Raj is talking about people learning this new technology. Could just put your hand up as to whether you agree with one of these two statements? I do most of my learning, about new tools and technologies and ways of working, during my company’s time and on my company’s money. Put your hands up if you agree with that statement.
Okay, I do the majority of my learning about new tools and technologies on my time and on my money. Wow.
Well, I believe in empowering your own career. It’s your journey. And yes, it’s great that your employer is going to pay for your education, but not everybody has that. Take it upon yourself to learn. There’s so much out there on the Internet and it’s free. So why not spend an hour or two? And it’s not like you have to do it every day. But it’s your journey, own it because you’re just I mean, I hate to say it, but a number. You can be replaced.
Prepare yourself in the event that does happen. Maybe it happens more often in the US where they’ll just come to you and say, OK, there’s a job cut. You have to be prepared for it. I think it’s a little different here where you are actually given a little bit more notice. Even so, always be prepared. Own your career. Take the time to learn some new technologies. Why not if it’s free?
Yeah. Plug for the Microsoft.learn platform. Make them happy!
Just go on blogs. There are forums. There are all sorts of ways to learn about different technologies. You don’t necessarily have to pay for it. While there are some great courses that you can take you can also learn from others as well. There’s plenty of forums out there.
Come along to the WinOps meetup on a monthly basis!
Did you have a question, Alex?
Hi. So one of the things I’ve noticed is people say things come in cycles, right? So we’re doing something one way and we go a different way for longer. Then we go back to the old way of doing things. One example that I’ve seen is we said that we want to give product teams responsibility for the entire stack and setting it all up. And now we have a situation where we end up having an operations team at the end of it, anyway, that now have to support all sorts of different stacks and they are causing problems. So now they’re saying, you can set up your way but within these constraints. So I see a bit of a cycle there.
What old problems do you see coming back to bite us? What old and possibly unfashionable solutions to those problems, that we might not talk about anymore, do you see us actually having to come back and revisit?
So we oscillate between the centre and the periphery. We have had an explosion of complexity because we just said here do whatever you want. Now you feel like we’re putting guardrails in and some more constraints on. Do you think this is a pattern? What other problems do you think that we’ve previously had, that we thought are gone away, are going to come back again?
I’m not convinced it’s a problem. I think it’s partially the way in which a lot of organisations have gone to the Cloud. They’ve kind of taken the Cloud as a licence to do a lot of other things. We talk about it may be a chance to do some DevOps, a lot of micro-service architecture, a lot of the platform stuff. You hear a lot of companies also adopt all those things at the same time.
The problem is I think, especially it was for Asos, and I’m sure it is for other companies, we tend to do that quite quickly and quite organically. You don’t necessarily bring your operations function along with you. So as a result, it’s like a pendulum effect. You swing right out, then you’ve got to come back. You’re going to end up somewhere in the middle. You’re going to find that balance. And it probably won’t be as more operation centric as it used to be. Where they own the servers and you couldn’t get anything through to production without going through an operations guy. But it will end up somewhere in the middle. It will just be a different balance, I think, going forward. We just haven’t got there yet for a lot of companies.
I was going to say something on that as well. I think, previously, organisations would aim for a fixed target. They would aim for a particular goal. To win a particular market or deliver a new transformation and kick off these huge programs, and aim that way. We’re gonna do ITIL, we’re gonna do Prince2. It was always with a very set deterministic way of thinking. Now it feels like we’ve been unleashed. All of a sudden the things that held us back, in a world where we’re trying to advance, where there is no fixed target the target’s moving.
Back to Jeff Bezos and his beautifully, wonderfully, dissatisfied customers. We’ve exploded. We’re not held back by storage constraints, or infrastructure power, or capacity, or all of those sorts of things. Even our ability to deploy and imagine new things is accelerating.
I think we need to now have a new set of guardrails that make sure that we can, rather than just go all over the place, aim for a particular target, but be able to pivot to be able to pivot. For me, this is a phrase I’m kind of banding about at the moment. I think the DevOps transformation, the transformation to dynamic learning organisations, is the last transformation. Once you can learn and adapt, then you won’t need to transform again to something new.
The cycling of patterns from a technical perspective is just definitely. Some things just don’t cycle. So the drive to make everything leaner, to make your runtime leaner, to make your applications leaner that’s not going to cycle making them big again because you see the benefits of it. The flipping between, oh, there’s a new way of doing things which seems to solve all our problems lets leap onto that. Then discover some new problems and then actually reflect back. I think what happens is the new set of problems get solved in a better way.
So look at microservices. People who’ve been in the integration space for a long time will say microservices is just a better way of doing SOA. That’s where we had a whole bunch of problems. And SOA was a better way, a leaner way, of doing ESP. So, actually there is a lineage there. There are similar problems. We need to break this stuff up, we need to distribute it, we need to make it reusable. But things got too hard. Whereas now, because everything is leaner anyways, it’s a little bit easier to piece those things together. So we’ve solved the problem in a similar way, but better. I would hope it would evolve rather than cycling back again.
Are we going to have the monolith strikes back? The return of the monolith!
Ace 400 lives! You can’t take away the Ace 400!
That’s how I started my career. On a great big black box like that.
Where does security sit in WinOps?
Where does security sit in WinOps? Everywhere is actually the right answer.
It should be everywhere.
It’s part of my role to run the SecDev function at Asos. We’re absolutely treating it the same way we treat our DevOps approaches. It’s about shift left, about culture. It’s about giving people the right guardrails and the right monitoring, alerting and the support they need to have.
I don’t see it as anything different, personally. You try and get it as early in the life cycle as possible. Get teams to think about it when they start to develop their code. You give them support as they’re developing their code. You give them good monitoring when they put into production.
I don’t actually know the answer to this question, but is there a DSL for security? Or a DSL for security policy? Because part of this shift left thing is we’ve created these domain-specific languages as a way to describe the problem. Like in BDD, it would be gherkin syntax, given, then, when type stuff.
I think part of the problem is in order to shift left, you’ve got to have that domain-specific language. I think if you were a spreadsheet risk I.T. security guy, first of all, my most sincere apologies. But you are going to have to learn whatever that equivalent of Gherkin syntax or inspec. You’re going to have to write code because the code is going to go into your pipeline.
I think there’s a couple of other things about the pipeline point of view. The more you’re automating, the easier it is to integrate security into your automation. So, if you’re manually deploying a package onto a server, you download it from the internet, you double click, you install it. You should get the file hash and check it is the same as the published hash. You’re never going to do it. If you’re writing a script, it’s easy to do that. So you can put those good practices in from the beginning. The rest of your pipeline is automating. The tooling now is fantastic. You can automate the scan of all your binaries. You know you have a problem before you even release your software.
Scan your supply chain, all your dependencies.
Exactly. Everything that you use and everything that’s in there. And then the other part is A.I. So when your applications are running, if they’re running into a platform that has the capability to do this, then there’s just things watching your application. If there is something behaving in a strange way then that’s something to flag up. You can automate all this stuff. Your applications have a similar pattern of behaviour. The A.I. component watches that and says, well, something’s gone wrong here. Why is this suddenly churning 100% CPU? Because someone’s installed a bitcoin miner on there. It finds that stuff out for you. So the tooling can make it easier to make it more secure.
The tooling makes it easier to be more secure. But it’s also the people. The people running the tools. If you have this mindset of thinking security first or adding security in with your deployment, it becomes natural. It should just be part of the deployment process.
I think some of the challenges we’ve had is some of our biggest security concerns have ended up in our dev/test environment, not in our production environment. Because teams still think dev/test is not as risky. Of course, in Azure, it’s the same. It’s the same VMs. It’s provisioned in the same place. You just conceptually treat them as something different. You might not have the same data in it. There might not be the data risk. Things like the crypto mining stuff, that could still be put on there, you can still get all that. Where we have had some security conversations it’s been largely around the dev/test space because teams conceptually don’t treat that the same.
I think that’s one of the big differences in the Cloud and how you treat securities. You’ve got to treat everything the same way and you can’t just have a front door security policy. If you get through that front door then quite often you’ve got connections all the way through your subscriptions, you may have not have secured your networks properly. People haven’t put NSGs on correctly. As a result, you can hop around and you can get to that production stuff from that non-production stuff. So you’ve really got to think about that in quite a different way.
Key loggers. That’s all you need. Insecure test or QA environment. Somebody RDPs onto the server and innocent DBA, developer, admin, whatever. They’re on their machine. They’ve got a key logger, RDP, boom in the test environment. They’ve got information. And from there they figure out where the QA environment is or the prod. So it’s not that hard.
It’s actually a lot of the latest big breaches in the past couple of years has been from key loggers. All it is is an innocent email that comes through that looks really authentic and next thing you know, you’ve got 80 million people’s data being exposed on the dark web!
And a 4 percent of total revenue, global revenue, fine.
Yes. But it’s happened.
So we’ve got 50 seconds left. So really quick.
I was just going to say, just considering the organisation I just came from, security was a really big thing.
Nuclear submarines, I would hope so!
And so I think our security department had a really big issue with the delivery of I.T. projects into service and stuff like that. As we formed the product organisation, we brought them into that conversation. One of the things that we found was because we had a more agile way of working and a more agile application and product, when there were patches and things needed, we could respond much faster. As opposed to traditional people who need to raise a CAB or whatever change note, and go through all the process. We could deploy much faster and respond quicker to those changes.
The second thing is we have product teams who are proud of this product. So if it came to an incident, whatever the incident, including security incidents, the product team would make sure that their application, their product, was secure. So they didn’t have to wake up in the middle of the night being embarrassed about their product.
So time to wrap up 30 seconds. Final thoughts on this from the panel and then will we wrap it up? Any final thoughts?
Make sure you come back next year and we’ll see if we were right!
Yeah, that sounds good to me!
Skynet. The future is Skynet!
Yeah, we just have to AI responsibly.
That’s another whole conference! Use AI responsibly.
That’s the future.
I think the maturity DevOps is awesome and 2019/2020, we’re just going to see more of this. It’s going to be mainstream. The people sat here are at the beginning, at the right place at the right time, basically. So really exciting.
I was going to say pretty much the same thing. It’s been good. I’ve been coming for three years and it’s been good to see more and more people adopting this. I think over the next couple of years, it’s going to create its own momentum. I think it’s brilliant.
Thank you. Everybody thank our panel. OK. So basically WinOps 2018 that’s a wrap. So thank you all for coming and being part of the journey. Obviously, we have our meet up. If you go to meetup.com/WinOpsLondon. Sign up. We have regular monthly sessions.
Obviously I want to say thank you to the team at Prism and Gaelle. She’s here in the room. She did all the organising and logistics. All the DevOpsGroup people who have done lots of social media tweeting and lots of organising and stuffing pamphlets into bags. We actually created a production line and used Lean principles to put all the stuff in the bags. We ran out of stuff, but that’s another whole subject.
So yeah, that’s basically it. So thank you very much, everybody. We’d love to see you back at the meetups. Love to see you back at WinOps next year. We’d love you guys to blog about your thoughts. We will send out a feedback survey to everybody who attended to get more detailed feedback. We’re always looking for speakers, whether it’s for the conference next year when the call for papers comes out, or whether it’s to speak at the monthly events. Thank you for being part of the community. It’s really important. You guys are going to be the ambassadors that are going to create that next-generation wave of people who are going to be adopting DevOps. So thank you very much.