Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
## Goal
<!-- What does this PR accomplish? 1 sentence. -->

## Changes
-

## Testing
<!-- How did you verify it? -->

## Checklist
- [ ] Title is a clear sentence (≤ 70 chars)
- [ ] Commits are signed (`git log --show-signature`)
- [ ] `submissions/labN.md` updated
21 changes: 21 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
FROM golang:1.24.13 AS build

RUN groupadd -r appgroup && useradd -r -g appgroup -u 65532 nonroot

WORKDIR /app

COPY --chown=nonroot:appgroup app /app/

RUN go mod download

RUN CGO_ENABLED=0 go build -ldflags="-s -w" -trimpath -o /bin/qn .

FROM scratch

COPY --from=build /bin/qn /bin/qn

USER 65532

EXPOSE 8080

ENTRYPOINT ["/bin/qn"]
2 changes: 1 addition & 1 deletion app/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ func main() {
server := NewServer(store)
srv := &http.Server{
Addr: addr,
Handler: server.Routes(),
Handler: SecurityHeaders(server.Routes()),
ReadHeaderTimeout: 5 * time.Second,
}

Expand Down
17 changes: 17 additions & 0 deletions app/security.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
package main

import "net/http"

// SecurityHeaders wraps a handler and sets baseline security headers on every
// response. QuickNotes is a JSON API with no browsable UI, so the CSP is the
// strictest possible ('none') rather than a website-style allowlist.
func SecurityHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
h := w.Header()
h.Set("X-Content-Type-Options", "nosniff")
h.Set("Cross-Origin-Resource-Policy", "same-origin")
h.Set("Content-Security-Policy", "default-src 'none'")
h.Set("Cache-Control", "no-store")
next.ServeHTTP(w, r)
})
}
53 changes: 53 additions & 0 deletions app/security_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package main

import (
"net/http"
"net/http/httptest"
"testing"
)

func TestSecurityHeaders_SetOnEveryRoute(t *testing.T) {
srv := newTestServer(t)
handler := SecurityHeaders(srv.Routes())

cases := []struct {
method, target string
}{
{"GET", "/health"},
{"GET", "/metrics"},
{"GET", "/notes"},
}

wantHeaders := map[string]string{
"X-Content-Type-Options": "nosniff",
"Cross-Origin-Resource-Policy": "same-origin",
"Content-Security-Policy": "default-src 'none'",
"Cache-Control": "no-store",
}

for _, c := range cases {
req := httptest.NewRequest(c.method, c.target, nil)
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)

for name, want := range wantHeaders {
got := rec.Header().Get(name)
if got != want {
t.Errorf("%s %s: header %q = %q, want %q", c.method, c.target, name, got, want)
}
}
}
}

func TestSecurityHeaders_WrapsHandler(t *testing.T) {
inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})

rec := httptest.NewRecorder()
SecurityHeaders(inner).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))

if got := rec.Header().Get("X-Content-Type-Options"); got != "nosniff" {
t.Errorf("X-Content-Type-Options = %q, want %q", got, "nosniff")
}
}
45 changes: 45 additions & 0 deletions docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
services:
quicknotes:
build:
context: .
image: quicknotes:lab6
ports:
- "8080:8080"
volumes:
- quicknotes-data:/data
environment:
ADDR: ":8080"
DATA_PATH: /data/notes.json
SEED_PATH: /seed.json
healthcheck:
test: ["NONE"]
interval: 30s
timeout: 5s
retries: 3
start_period: 5s
restart: unless-stopped

prometheus:
image: prom/prometheus:v3.5.4
volumes:
- ./monitoring/prometheus:/etc/prometheus:ro
ports:
- "9090:9090"
depends_on:
- quicknotes

grafana:
image: grafana/grafana:11.5.2
ports:
- "3000:3000"
environment:
GF_SECURITY_ADMIN_USER: admin
GF_SECURITY_ADMIN_PASSWORD: quicknotes-dev
volumes:
- ./monitoring/grafana/provisioning:/etc/grafana/provisioning:ro
- ./monitoring/grafana/dashboards:/var/lib/grafana/dashboards:ro
depends_on:
- prometheus

volumes:
quicknotes-data:
70 changes: 70 additions & 0 deletions docs/runbook/high-error-rate.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# Runbook: QuickNotes High Error Rate

**Alert:** `QuickNotes High Error Rate`
**Severity:** page
**Condition:** HTTP error ratio (4xx + 5xx) > 5% sustained for 5 minutes

---

## What this alert means

More than 5% of requests to QuickNotes have been returning errors continuously for at least 5 minutes, meaning users are actively experiencing failures.

---

## Triage steps

1. **Check which status codes are spiking.**
Open Grafana → Golden Signals dashboard → Errors panel, or run:
```
curl -s http://localhost:9090/api/v1/query \
--data-urlencode 'query=quicknotes_http_responses_by_code_total' \
| jq '.data.result[] | {code: .metric.code, value: .value[1]}'
```
5xx = server-side fault. 4xx = client or routing issue.

2. **Check if the container is running and healthy.**
```
docker compose ps
docker compose logs quicknotes --tail=50
```
Look for panics, `listen` errors, or `store:` failures. If the container has restarted, check `docker compose logs --since=10m`.

3. **Check if the data volume is writable.**
QuickNotes writes `notes.json` on every `POST` and `DELETE`. If the named volume is full or permissions changed, writes return 500:
```
docker compose exec -it quicknotes df -h # won't work on scratch — check host instead
docker volume inspect quicknotes-data
```
On scratch images, check volume usage from the host: `df -h $(docker volume inspect quicknotes-data --format '{{ .Mountpoint }}')`.

4. **Confirm Prometheus is still scraping.**
Open `http://localhost:9090/targets` — verify `quicknotes` shows `UP`. If `DOWN`, the metrics themselves may be stale and the alert could be a false positive from a scrape gap.

---

## Mitigations

1. **Restart the container** — if logs show a transient fault (SIGPIPE, temporary lock contention):
```
docker compose restart quicknotes
```
Verify traffic normalises within 30 seconds by watching the Errors panel.

2. **Roll back to the last known-good image** — if the error spike started after a deploy:
```
docker compose down
# edit compose.yaml: change image: quicknotes:lab6 to the previous tag
docker compose up -d
```

---

## Post-incident

Once the alert resolves:

1. Record the incident timeline: when the alert fired, when it was acknowledged, when it resolved.
2. Identify root cause from logs and metrics.
3. Write a postmortem following the Lecture 1 postmortem template — focus on what failed, what detected it, and what prevents recurrence.
4. If the alert fired on noise (e.g. a deploy rollout that resolved in <5 min), consider tightening `for:` duration or excluding specific codes (e.g. `404` from static asset probes).
20 changes: 16 additions & 4 deletions labs/lab1.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,9 +91,20 @@ git config --global commit.gpgsign true
git config --global tag.gpgsign true
```

Tell the platform your SSH key is a **signing key**:
- GitHub: Settings → SSH and GPG keys → **New SSH key**, key type **Signing Key**
- GitLab: Profile → SSH Keys → tick "Usage type: Authentication & signing"
Now register the key on the platform. GitHub treats **Authentication** and **Signing** as *separate* roles for the same key, so you add it under both:

- **Authentication Key** — lets you `clone` / `fetch` / `push` over SSH (`git@github.com:…`). If you cloned over HTTPS, or have never seen `ssh -T git@github.com` greet you by name, you don't have one configured yet — add it now or the `upstream` SSH remote will fail in Lab 2.
- **Signing Key** — gives your commits the **Verified** badge.

- 🐙 GitHub: Settings → SSH and GPG keys → **New SSH key** → add the **same** `~/.ssh/id_ed25519.pub` **twice**, once with Key type **Authentication Key** and once with **Signing Key**.
- 🦊 GitLab: Profile → SSH Keys → a single key with **Usage type: Authentication & signing** covers both.

Confirm authentication works before moving on:

```bash
ssh -T git@github.com
# expect: Hi YOUR_USERNAME! You've successfully authenticated...
```

### 1.4: Make a Signed Commit

Expand Down Expand Up @@ -303,7 +314,8 @@ In `submissions/lab1.md`:
## Common Pitfalls

- 🪤 **PR template doesn't auto-populate** — make sure the template is on `main` *before* opening the PR
- 🪤 **Commits show "Unverified"** — the SSH key must be added as a *Signing Key* on GitHub (not just an authentication key)
- 🪤 **Commits show "Unverified"** — the key must also be added as a **Signing Key** on GitHub; an Authentication Key alone won't verify commits (they're separate roles — see §1.3)
- 🪤 **`git@github.com: Permission denied (publickey)` on clone/fetch/push** — the *reverse* gap: your key is registered for signing but not as an **Authentication Key**. Add it as Authentication too (§1.3) and confirm with `ssh -T git@github.com`. Quick unblock for the *public* upstream: `git remote set-url upstream https://github.com/inno-devops-labs/DevOps-Intro.git`
- 🪤 **`git push` rejected on `main`** — that's the bonus rule working as designed; push to `feature/lab1` instead
- 🪤 **`gpg.format=ssh` ignored** — confirm Git ≥ 2.34: `git --version`
- 🪤 **Pushed to the wrong branch** — `git switch feature/lab1` before `git push`
Expand Down
1 change: 1 addition & 0 deletions labs/lab2.md
Original file line number Diff line number Diff line change
Expand Up @@ -223,6 +223,7 @@ git bisect reset

## Common Pitfalls

- 🪤 **`git@github.com: Permission denied (publickey)` on `git fetch upstream`** — *not* a remote-config bug (the error is at the SSH layer, before Git reads the repo). Your key isn't registered for **authentication** on GitHub — and a **Signing Key** (Lab 1) does *not* count for auth, they're separate roles. Add the same `~/.ssh/id_ed25519.pub` as an **Authentication Key** (Lab 1 §1.3), verify with `ssh -T git@github.com`, then re-run. To unblock right now, the public upstream fetches over HTTPS with no key: `git remote set-url upstream https://github.com/inno-devops-labs/DevOps-Intro.git`
- 🪤 **`reset --hard` without committing first** — your *uncommitted* edits really *are* gone (reflog only saves committed work). Always check `git status` first
- 🪤 **`tag -v` says "no signature"** — you used `git tag NAME` instead of `git tag -a -s NAME -m "..."`
- 🪤 **Rebase conflicts** — resolve, then `git rebase --continue`. Never `git rebase --skip` unless you know what you're skipping
Expand Down
21 changes: 21 additions & 0 deletions labs/lab3.md
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,23 @@ Tips:
- GitLab: `parallel:matrix:`
- Set `fail-fast: false` (GH) or equivalent so a single bad cell doesn't cancel the others — you want to *see* which combo broke

> ⚠️ **The matrix renames your checks — update branch protection (1.6) or your PR blocks forever.** A matrixed `test` job reports as `test (1.23)` and `test (1.24)`; the old required check named `test` will sit at *"Expected — Waiting for status to be reported"* indefinitely, even though every real check is green. Two fixes:
>
> 1. **Quick:** in the branch-protection rule, replace `vet`/`test` with the matrixed names (`vet (1.23)`, `vet (1.24)`, `test (1.23)`, `test (1.24)`).
> 2. **Robust (recommended):** add one aggregation job and require *only* it — then the matrix can change freely without touching protection settings:
>
> ```yaml
> ci-ok:
> if: always()
> needs: [vet, test, lint]
> runs-on: ubuntu-24.04
> steps:
> - run: |
> test "${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}" = "false"
> ```
>
> The `if: always()` matters — without it, a failed `needs` job *skips* `ci-ok`, and a skipped required check lets the PR through on some configurations.

### 2.3: Skip docs-only changes

Edit your trigger so the pipeline runs **only** when something in `app/` or your CI config itself changes. README edits should not burn 4 minutes of CI time.
Expand All @@ -179,6 +196,8 @@ Capture wall-clock times from the CI UI for three scenarios:

> 💡 To get a clean baseline, temporarily disable each optimization with a commit, take a screenshot of the run time, then restore.

> 🧪 **Expect the cache rows to be boring — that's the finding, not a failure.** QuickNotes has **zero third-party dependencies** (look at `app/go.mod` — no `require` block, no `go.sum`), so the module cache has nothing to store and total wall-clock barely moves with `cache: true` vs `cache: false`. Most of your 60–80 s is runner provisioning, checkout, and the Go toolchain download — none of which `setup-go`'s cache touches. Report what you measured and *explain why* (that's design question **f** in disguise). To see where caching *would* pay, compare the **per-step** durations (`setup-go`, `go test`) instead of job totals, and note which step a real dependency-heavy project would save on.

### 2.5: Document

In `submissions/lab3.md`:
Expand Down Expand Up @@ -284,6 +303,8 @@ Answer in 4-6 sentences:
- 🪤 **Forgot `working-directory` (or `cd app`) for Go commands** — Go modules live in `app/`, not the repo root; commands run from the root will fail with "no Go files"
- 🪤 **`fail-fast: true` (the GH Actions default) in a matrix** — one fail cancels the others; you can't see *which* combo broke
- 🪤 **Branch protection set on someone else's fork's `main`** — you can only protect *your* fork's `main`. The upstream course repo has its own protection
- 🪤 **PR stuck on "Expected — Waiting for status to be reported" after adding the matrix** — the matrix renamed `test` → `test (1.23)`/`test (1.24)`, but branch protection still requires the old `test` context, which will never report again. Update the required-check names or switch to the `ci-ok` aggregation job (see §2.2)
- 🪤 **"Caching didn't speed anything up"** — on a zero-dependency module that's the *correct* result, not a mistake (see §2.4); don't pad the timing table with numbers you didn't observe
- 🪤 **`golangci-lint` version not pinned** — "latest" pulls a new release tomorrow that may flag your code with new rules. Pin `v2.5.0` exactly
- 🪤 **GitLab CI: incorrect anchor syntax** (`<<: *name`) — GitLab is strict; use the in-platform CI Lint tool (`Project → CI/CD → Editor → Validate`)
- 🪤 **Cache hits expire after 7 days of inactivity on GH** — that's expected; the cache key is what protects you against poisoning
Expand Down
Loading