Gitlab hero border pattern left svg Gitlab hero border pattern right svg

SRE Onboarding

On this page

Onboarding Template

SRE onboarding is mostly handled by an issue template that is assigned to the SRE when they start. This will guide them through different areas of the system, starting off with some simple tasks and help both the SRE and the SRE manager through various access issues.

GitLab.com Infrastructure Management

The SRE teams use Terraform and Chef for configuration management of GitLab.com infrastructure.

Terraform

Terraform configuration is currently divided into three environment:

There is shared terraform config for both staging and production to keep topology parity between these environments. Instance sizing, fleet sizes and other environment specific configuration is set in variable files for staging, production and ops.

The state for terraform is maintained in object storage, the master branch should always represent the current state of infrastructure. Changes should be applied after they are merged. There is ongoing work to improve terraform config management including automation using GitLab CICD. For more information about this see https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/5079.

Chef

Chef is a critical part of SRE infrastructure management. Currently it is used for OS patching, applying system level configuration and installing the omnibus package for releases. Here are a few notable cookbooks which will be a good starting-point for new SREs:

Releases

Releases candidates are deployed to GitLab.com until the official release on the 22nd. For information about how releases at GitLab.com read the release process documentation.

For information about GitLab.com deployments and patches see the following release docs:

Where to find things

Repositories

The following repositories are used for GitLab.com infrastructure management. These repository locations are the remotes that the SRE team uses for pushes, issues and MRs. Mirrors are setup in case that GitLab.com is unavailable. Repositories that are necessary for assets, configuration, infrastructure, releases and patch management use https://ops.GitLab.net as a remote.

  1. terraform: This is the repository that holds all terraform configuration for the GitLab.com staging, production and operations environments. There is a repository mirror on GitLab.com .

  2. chef cookbooks: These repositories are the cookbooks used for GitLab.com. Runlists for the fleets are configured in roles. There are repository mirrors for these cookbooks on ops.GitLab.com.

  3. chef: This repository contains all role and node attributes for GitLab.com infrastructure. It also has the environment configurations for production, staging and ops for cookbook version pinning. There is a repository mirror on GitLab.com.

  4. runbooks: This repository contains runbooks, howtos and alert definitions for GitLab.com. Alerts defined in this repository are automatically applied to the monitoring infrastructure when merged to master. For more information see the alert manual. There is a repository mirror on ops.GitLab.net.

Dashboards

It is useful to have the following dashboards bookmarked and easily accessible

  1. Grafana
  2. Google Cloud
  3. System Logs
  4. Fastly CDN

Cloud Providers

  1. Google Cloud
  2. Amazon Web Services
  3. DigitalOcean
  4. Azure

Monitoring tools

  1. PagerDuty Alerting
  2. Grafana Performance Monitoring
  3. Alert Dashboard
  4. AlertManager Production
  5. AlertManager Staging

Issue Trackers

It is useful to have the following issue trackers bookmarked and easily accessible

  1. On Call Issues
  2. Production Incidents Issues
  3. Change Management Issues

Yubikey

SREs should be using a YubiKey and should not have keys on their laptop.

Follow the yubikey runbook to set up

Credentials

The following is intended to be a comprehensive list of credentials and access that need to be set up, which are not covered above or elsewhere in the handbook. The list may not be up to date. If something is missing, please add it.

  1. SSH Key - this is provided to you by the yubikey setup
  2. GitLab.com account
  3. GitLab.com admin account
  4. dev.GitLab.org account
  5. ops.GitLab.net account
  6. Chef access
  7. Cloud Providers
    • Amazon Web Services
    • Azure
    • Digital Ocean
    • Google Cloud

Slack Channels

  1. #production (Say hello to @marvin to create an account)
  2. #infrastructure-lounge
  3. #alerts (There are several alerts channels)

Zendesk

Every SRE should register for a “Light Agent” account in ZenDesk. Often times incidents are generated from customer reports, and it’s useful to see their submission and the back and forth with support. You can also leave internal notes for support engineers so that they can gather more information for troubleshooting purposes. See 'Light Agent' Zendesk accounts available for all GitLab staff

PTO Ninja

We use PTO Ninja to notify and delegate for planned timeoff. When setting up your integrations with Slack, be sure to run the /ninja settings command and add the team's shared Google Calendar (ID: gitlab.com_oji6dki1frc8g8qq9feuu1jtd0@group.calendar.google.com) as an "Additional Calendar".

Suggested Software Tools

As production engineers we are allowed to utilize a linux workstation. The list below is mostly comprised of OSX tools. You'll need to find the linux equivalent to match the linux distro of your choice.

In addition to the standard tools for interacting with the rest of GitLab, the following tools help when working on production issues.

Required tools

  1. Homebrew
  2. SSH, properly configured
  3. chef, knife, berkshelf
  4. kubectl (brew install kubernetes-cli)

Nice to have

  1. iTerm (brew cask install iterm2) or kitty (brew cask install kitty) (bear in mind that kitty requires more configuration to get it up and running so it's targeted at more advanced users)
  2. macOS doesn't source ~/.bashrc file by default, so if you want it to be processed, you need to source it in your profile file (which you might need to create manually). Why to create the rc file at all instead of keeping everything in the profile? some tools default to rc so they will not process the profile at all. There are actually more differences, see: About bash_profile and bashrc on macOS
  3. macOS doesn't have bash completion feature by default, to install it: brew install bash-completion and enable it: echo "[ -f /usr/local/etc/bash_completion ] && . /usr/local/etc/bash_completion" >> ~/.bashrc"
  4. fzf used for fuzzy completion in shell, e.g. history search or filepaths, (brew install fzf + echo "[ -f ~/.fzf.bash ] && source ~/.fzf.bash" >> ~/.bashrc")
  5. the default length of bash history on macOS is 500, to extend the number of entries kept and save the timestamp you can add to your .bashrc for example:
    export HISTFILESIZE=2000000
    export HISTSIZE=1000000
    export HISTTIMEFORMAT="%d/%m/%y %T "
    
  6. helm - "k8s package manager" (brew install kubernetes-helm)
  7. minikube (brew cask install minikube) and virtualbox (https://www.virtualbox.org/wiki/Downloads)
  8. GCP cli gcloud quickstart macos
  9. Digital Ocean cli (brew install doctl)
  10. Azure cli (brew install azure-cli)
  11. AWS cli (pip3 install awscli --upgrade)
  12. A text editor such as Atom, Sublime, Textmate, MacVim, or neovim
  13. watch (brew install watch)
  14. tmux/tmate (brew install tmux tmate)
  15. A markdown editor such as macdown (brew cask install macdown)
  16. BitBar with GitLab Plugin
  17. To install gnu utils and replace mac utilities use the –with-default-names option.
  18. when using gpg, you will be asked for a password. Querying for passwords can be facilitated by different tools, but a fairly standard and widely supported one is pinentry-mac (brew install pinentry-mac). To tell your gpg agent to use it: echo 'pinentry-program /usr/local/bin/pinentry-mac' >> ~/.gnupg/gpg-agent.conf

Brew Files

There are sample brew files in the Infrastructure Project

iOS apps

  1. Slack
  2. Zoom
  3. PagerDuty
  4. Working Copy (Optional)

Reference Material

List of relevant reference material that an engineer may need to brush up on

  1. Chef
  2. Terraform Docs or getting started guide