dmj.one

Work / Cloud · Infra / DevOps Shell Scripts

DEVOPS-SHELL-SCRIPTS(1) Training Handbook Shoolini · L&T EduTech

devops-shell-scripts A handbook for the bash that survives the first day on the job.

Most training scripts work in the trainer's lab and break in the student's first job. They run with no error trapping, swallow undefined variables, hide failed pipes, and copy-paste straight into a prod incident. This handbook teaches the opposite. Industry-pattern bash from line one. Lint in CI. MIT-licensed. Run it in a container or a throwaway VM, never in production.

Open the repository Browse the labs Top-10 daily tools
10Lab modules · containers to SIEM
20Daily tools mapped · DevOps + DevSecOps
CILint gate on every push
MITLicensed · learn in public
0Scripts intended for production

Act I · The Problem

The training script worked. The first job did not.

Most DevOps tutorials teach the happy path with unsafe defaults. The script runs once, the screen says "ok", the student learns the wrong habit. Then the same student lands at a real company, runs the same pattern against a real cluster, and an undefined variable expands to rm -rf / in front of the senior on call.

  1. Pain · 01

    No set -e. No set -u. No pipefail.

    The script keeps running after a failed step. The exit code lies. The pipeline reports green. The pod is broken. The on-call learns the habit was never installed in the first place.

  2. Pain · 02

    "It works on my machine" is the curriculum.

    The lab assumes the trainer's laptop. No container. No version pin. No idempotency. Re-running the script the second time blows up because the first run already created the resource. Real teams demand reruns.

  3. Pain · 03

    Security is an afterthought, not a gate.

    SCA, SAST, secret scanning, container scanning, IaC policy, SBOMs. None of it is in the lab, none of it is in CI. The student ships a CV that says "DevOps" and walks into a DevSecOps interview unarmed.

  4. Pain · 04

    The repo is one giant script, not ten small labs.

    You cannot study what you cannot isolate. A handbook needs a table of contents. Each lab needs to fail safely on its own. Each lab needs to lint, run, and clean up without taking the laptop with it.

Act II · The Promise

Safe defaults on line one. Every script. Every lab.

Bash has the discipline. Most curricula skip teaching it. This handbook puts the strict flags, the trap, the umask and the temp-dir cleanup at the top of every script. The student copies the pattern into the first job and never has to unlearn it.

~/devops-shell-scripts/_template.sh copy · paste · keep 
#!/usr/bin/env bash
# ----------------------------------------------------------
# Safe-default lab script · Shoolini × L&T EduTech
# Run inside a container or throwaway VM, never on prod.
# ----------------------------------------------------------
set -Eeuo pipefail
shopt -s inherit_errexit nullglob
umask 077
IFS=$'\n\t'

readonly SCRIPT_NAME="${0##*/}"
readonly WORK_DIR="$(mktemp -d -t lab.XXXXXX)"

log()  { printf '[%s] %s\n' "$(date -u +%FT%TZ)" "$*"; }
die()  { log "FATAL: $*"; exit 1; }
need() { command -v "$1" >/dev/null || die "missing tool: $1"; }

cleanup() {
  local rc=$?
  rm -rf -- "$WORK_DIR"
  log "$SCRIPT_NAME exited rc=$rc"
  exit "$rc"
}
trap cleanup EXIT
trap 'die "interrupted"' INT TERM

# preflight · fail loudly, fail early
need docker; need kubectl; need shellcheck

# your lab here · idempotent, isolated, scoped to $WORK_DIR
log "workspace=$WORK_DIR"

Act III · The Curriculum

Ten labs. Each one ends with a habit the first job will reward.

Every lab lives in its own directory. Every lab is small enough to run on a 4 GB Linux VM or a Docker-in-Docker sandbox. Every lab finishes with a checklist the student walks into the office knowing.

Table of Contents · ten lab modules leaf 01 of 01 · run in order or pick what you need
  1. Lab 01

    Defensive Bash

    Strict flags, traps, idempotency, ShellCheck. The skeleton above, drilled until it is muscle memory.

    /_template.sh · shellcheck
  2. Lab 02

    Containers from scratch

    Multi-stage Dockerfiles, distroless runtime, non-root user, healthchecks. Compose for the local stack.

    /docker · compose
  3. Lab 03

    Kubernetes by hand

    Manifests written before Helm. kind and minikube helpers. Kustomize overlays. Helm charts only after the manifests are read line by line.

    /k8s · kind · kustomize
  4. Lab 04

    CI you can re-read

    Jenkins auto-config plus reusable GitHub Actions. Pipelines that fail loud, log structured, and rerun on retry.

    /jenkins · .github/workflows
  5. Lab 05

    SonarQube quality gate

    Compose-up, scanner config, fail-the-build thresholds. The PR that does not meet the bar does not merge.

    /sonarcube · quality gate
  6. Lab 06

    Observability starter

    Prometheus scrape config, Grafana dashboards, the four golden signals. A drill on writing one alert that pages and a hundred that do not.

    /prometheus · /grafana
  7. Lab 07

    Spring Boot reference app

    The app the labs deploy. Real endpoints, real metrics, a real readiness probe. Used end to end across containers, K8s and CI.

    /springboot
  8. Lab 08

    Zero-trust MySQL

    TLS-required connections, scoped users, network policy, secrets in the right place. A safer DB lab than the default tutorial.

    /zero-trust-mysql
  9. Lab 09

    Autoscaling and load balancing

    HPA on a real metric, not CPU. Layer-4 vs layer-7 demonstration. A controlled chaos drill to watch it scale.

    /autoscalling-loadbalancing-demo
  10. Lab 10

    DevSecOps gates

    Trivy and Grype on the image, Checkov on the IaC, Gitleaks on history, Semgrep on source, cosign on the artifact. Shift left, keep the habit.

    trivy · grype · checkov · gitleaks · semgrep · cosign

Act IV · The Field Map

Twenty tools, two professions. Recognise them all on day one.

A junior engineer who can name and place these on a whiteboard is already an asset to the team. The handbook frames every lab against this map so the student leaves knowing where each tool sits in a real release.

DevOps · top 10 daily build · ship · run
  1. 01
    Source control and PR flowGitHub · GitLab · Bitbucket
  2. 02
    CI/CD pipelinesGitHub Actions · Jenkins · GitLab CI · Azure DevOps · CircleCI
  3. 03
    ContainersDocker · Podman
  4. 04
    Orchestration platformKubernetes · Helm · Kustomize · Argo CD · Flux
  5. 05
    Infrastructure as codeTerraform · OpenTofu · CloudFormation · Pulumi
  6. 06
    Config and releaseAnsible · Helm · Packer
  7. 07
    ObservabilityPrometheus · Grafana · Datadog · New Relic · Splunk
  8. 08
    Centralised loggingElastic Stack · Loki · CloudWatch · Cloud Logging
  9. 09
    Artifact and image registriesArtifactory · Nexus · Harbor · ECR · GCR · ACR
  10. 10
    Tracking and ChatOpsJira · GitHub Issues · Slack · Microsoft Teams
DevSecOps · top 10 daily shift left
  1. 01
    SCA and dependency updatesDependabot · Snyk · OWASP Dependency-Check · Renovate
  2. 02
    Secret hygieneGitHub Secret Scanning · Gitleaks · TruffleHog
  3. 03
    SAST in CISonarQube · Semgrep · Checkmarx · Veracode · GitLab SAST
  4. 04
    DASTOWASP ZAP · Burp Suite · StackHawk
  5. 05
    Image and artifact scanningTrivy · Grype · Anchore · Clair · Syft
  6. 06
    IaC and K8s policyCheckov · tfsec · Terrascan · OPA · Conftest · Kyverno
  7. 07
    Secrets managementHashiCorp Vault · External Secrets Operator · cloud KMS
  8. 08
    Supply chain integritySyft · CycloneDX · SPDX · Sigstore cosign
  9. 09
    Runtime threat detectionFalco · CNAPP · CSPM · Wiz · Prisma · Defender
  10. 10
    Vulnerability and SIEM/SOARNessus · Qualys · Defender for Cloud · Splunk · Sentinel

Act V · Proof

A handbook that checks itself on every push.

CI · lint badge live

ShellCheck on every PR

GitHub Actions runs lint.yml on every push and pull request. The handbook holds itself to the same gate the labs preach to the students.

Audience · Shoolini × L&T EduTech

Hands-on training programme

Prepared by Divya Mohan under the guidance of Prashant Singh Gautam, L&T EduTech. The repository is the lab manual for the DevOps and Deployment programme at Shoolini University.

Licence · MIT

Learn in public, fork in public

Every script is MIT licensed. Every lab is reproducible. Discussions, issues and pull requests are open. Security findings go to SECURITY.md first, never to the public tracker.

Surface · 10 lab directories

Containers to SIEM

docker, k8s, jenkins, sonarcube, prometheus, grafana, springboot, zero-trust-mysql, autoscalling-loadbalancing-demo, plus the DevSecOps gate set. Each one isolated, each one rerunnable.

Safety · container or VM only

Never the trainer's laptop

Every lab is intended for an isolated environment. The repository's responsible-use note is the first thing the contributor reads. The pattern is the lesson.

Reach · students and early-career

From "what's a pod?" to "what's the SLO?"

Designed for the student writing their first Dockerfile and the developer moving toward SRE. Small labs, fast feedback, safer habits than the default tutorial.

The Toolbelt

Boring on purpose. Production-shaped from the first lab.

  • Bash · set -Eeuo pipefail
  • ShellCheck
  • Docker · Compose
  • Kubernetes
  • kind · minikube
  • Helm · Kustomize
  • Jenkins
  • GitHub Actions
  • SonarQube
  • Prometheus
  • Grafana
  • Spring Boot
  • Trivy · Grype
  • Checkov · tfsec
  • Gitleaks · Semgrep
  • Sigstore cosign
  • OPA · Conftest · Kyverno
  • MIT licence

If a training repo can ship like this, your team's runbook can too.

I write the handbooks the senior on call wishes the junior had read. If your team needs a curriculum, a hardened script template, or a CI lane that catches the bash mistakes the lab teaches by accident, the conversation starts here.

Hire me Back to work