grafclouds.com / documents / insights / training / devops-challenges

DevOps Challenges

48 production-decision training scenarios across AWS, Kubernetes, Terraform, Docker, Linux, CI/CD, databases, security and observability. Each scenario presents a real production situation and the tempting quick fix that usually gets proposed — the write-up explains why the quick fix fails, what the right approach is, and how to defend that position under pushback. Every scenario has its own study page; click a card to open it.

15Beginner · ~8–10 min
17Intermediate · ~11–14 min
16Advanced · ~13–15 min

Beginner 15 challenges · ~8–10 min each

1.6GB Docker Image, 8-Minute Builds. Add Runners?

~8 min

Builds are slow and the image is bloated; the quick fix on the table is buying more CI runners. Defend fixing the Dockerfile (multi-stage builds, layer ordering, smaller base images) instead of scaling hardware around the problem.

DockerCI/CD

502 Bad Gateway Right After a Deploy

~8 min

Nginx starts returning 502 immediately after a deploy and the reflex is to fiddle with the Nginx config. Defend investigating the upstream first — is the app process actually up, listening on the right socket/port, and healthy?

Nginx

A Contractor Needs DB Access for a Week. Open the Port?

~9 min

A contractor needs temporary database access and someone proposes opening the DB port to the internet. Defend secure alternatives: bastion/VPN access, time-boxed credentials, least privilege, and audit logging.

SecurityDatabases

Access Keys Are Hardcoded on the EC2 Box. Just Rotate Them?

~10 min

Long-lived AWS access keys are hardcoded on an EC2 instance and rotation is offered as the fix. Defend removing static keys entirely in favour of IAM instance roles and temporary credentials.

AWSSecurity

Deploy Fails with Permission Denied. chmod 777 Everything?

~8 min

A deploy fails with permission errors and chmod 777 would make it go away. Defend diagnosing ownership and using correct users/groups and minimal permissions instead of opening everything to everyone.

LinuxSecurity

Deploys Are SSH + git pull at 5pm Friday. Why Change It?

~9 min

Deployments are done by SSHing into the box and running git pull, late on Friday. Defend moving to a real deployment pipeline: repeatable builds, rollbacks, and deploy windows that don't ruin weekends.

GitCI/CD

Disk Is at 100% and the App Is Down. rm -rf?

~8 min

The disk is full, the app is down, and deleting things at random is tempting. Defend finding what is actually consuming space (logs, caches, deleted-but-open files) before running anything destructive.

Linux

History Is Messy, So Force-Push a Clean main?

~8 min

Someone wants to rewrite a messy history on the shared main branch with a force-push. Defend why rewriting shared history breaks everyone downstream and what the safe alternatives are.

Git

Nightly Backups Run. Are You Actually Covered?

~8 min

Nightly backups run and everyone feels safe. Defend why backups that were never restored are not disaster readiness: restore testing, RPO/RTO, and off-site copies.

Databases

Tests Pass Locally, Fail in CI. Just Retry?

~8 min

Tests pass locally but fail in CI, and hitting retry usually works. Defend treating flaky tests as real defects: environment differences, timing assumptions, and shared-state leaks.

CI/CD

The Build Is Slow, So Let's Just Add --no-cache to CI?

~9 min

A stale-cache incident makes someone propose --no-cache on every CI build. Defend fixing the caching strategy (layer ordering, cache keys) instead of throwing away Docker's build cache entirely.

DockerCI/CD

The Cert Expires Tonight. Just Bump It to a 10-Year Cert?

~10 min

A TLS certificate expires tonight and a long-lived self-signed cert would buy quiet. Defend proper automated renewal (ACME/Let's Encrypt), expiry monitoring, and why 10-year certs are a liability.

NginxSecurity

The t3 Instance Got Slow. Just Size It Up?

~9 min

A t3 instance got slow and upsizing looks like the obvious cure. Defend checking CPU burst-credit depletion first — the metrics tell you whether you need a bigger box or a different instance family.

AWSObservability

You Pushed AWS Keys to a Public Repo

~8 min

AWS keys landed in a public repository and a force-push to remove them feels like enough. Defend the real incident response: revoke immediately, audit for abuse, rotate everywhere, and assume the keys are compromised forever.

GitSecurity

Your S3 Website Returns 403. Make the Bucket Public?

~9 min

An S3-hosted site returns 403 and making the whole bucket public would fix it. Defend the safe options: CloudFront with origin access control, scoped bucket policies, and understanding what actually causes the 403.

AWSSecurity

Intermediate 17 challenges · ~11–14 min each

3 AM Outage: Roll Back or Fix Forward?

~12 min

Production is down at 3 AM after a deploy. Defend a position on rolling back versus fixing forward: what makes rollback safe, when forward fixes are justified, and how migrations complicate both.

CI/CD

A Traffic Spike Caused an Outage. Autoscaling Did Not Save You.

~13 min

A sudden traffic spike took the service down even though autoscaling was on. Defend why autoscaling alone can't absorb sharp spikes — scale-up lag, warm capacity, load shedding, and admission control.

KubernetesObservability

Add a NOT NULL Column to a 50M-Row Prod Table

~14 min

A NOT NULL column has to land on a 50-million-row production table. Defend a zero-downtime migration plan: nullable-first, backfill in batches, validate, then enforce the constraint.

Databases

Every Deploy Hammers the Database for 10 Minutes. Bigger DB?

~12 min

Every deploy is followed by 10 minutes of database pain, and a bigger instance is proposed. Defend fixing the cache stampede: cold caches after deploy, request coalescing, and cache warming.

DatabasesObservability

Finance Wants Everything on Spot Instances. Including the Database.

~13 min

Finance wants the whole fleet on Spot, database included. Defend the line between interruption-tolerant stateless workloads and stateful systems where a Spot reclaim means data loss or an outage.

AWS

Lambda Is Exhausting Your RDS Connections. Raise the Limit?

~12 min

Lambda concurrency is exhausting RDS connections and raising max_connections is on the table. Defend connection pooling (RDS Proxy) and concurrency control over cranking a limit that just moves the cliff.

AWSDatabases

On-Call Is Drowning in Alerts. Silence Them?

~12 min

On-call is flooded with alerts and mass-silencing is tempting. Defend redesigning the alerting: symptom-based alerts, severity tiers, and deleting alerts that never require action.

Observability

Pod Stuck in CrashLoopBackOff After a Deploy

~12 min

A pod cycles between Running and CrashLoopBackOff after a deploy and a teammate wants to raise CPU/memory. Defend a diagnostic-first approach: logs, exit codes, probes, and what actually changed in the release.

Kubernetes

Pods Keep OOMKilling: Scale Up or Fix the Leak?

~12 min

Pods keep getting OOMKilled and raising memory limits keeps buying time. Defend finding the leak: memory profiles, limits vs requests, and why blind scaling only postpones the same failure.

KubernetesObservability

Someone Changed Infra by Hand. Terraform Plan Is a Mess.

~12 min

Manual console changes left Terraform plan full of drift. Defend a reconciliation strategy: decide per resource whether code or reality wins, then close the door on out-of-band changes.

Terraform

SQS Is Delivering the Same Message Twice. Is the Queue Broken?

~13 min

SQS delivers the same message twice and the queue gets blamed. Defend at-least-once semantics: idempotent consumers and visibility-timeout tuning instead of switching queue technology.

AWS

Terraform Doesn't Know About the Manually-Made DB. Just Let It Recreate It?

~12 min

A database was created by hand and Terraform wants to create its own. Defend importing the existing resource into state instead of letting Terraform destroy and recreate a live database.

TerraformDatabases

The Container Needs Docker, So Mount the Socket and Run --privileged?

~12 min

A build container needs Docker, and mounting the socket with --privileged would work. Defend why that hands out root on the host, and argue for rootless builders (BuildKit, kaniko) or isolated build runners.

DockerSecurity

The Fix Is One Line in /etc. Just SSH In and Edit It?

~11 min

The fix is a one-line sysctl change and SSHing in takes a minute. Defend how to handle hotfixes when infrastructure is under configuration management — and how unmanaged edits silently rot.

Linux

The NAT Gateway Bill Exploded. Add More Gateways?

~12 min

The NAT Gateway bill exploded and adding gateways is proposed. Defend finding the traffic driver first: per-GB processing costs, VPC endpoints for S3/ECR, and cross-AZ data paths.

AWS

The Pipeline Is Slow. Skip Tests to Ship?

~12 min

The pipeline is slow and skipping tests would ship faster. Defend making the pipeline fast instead: parallelization, test selection, caching — without giving up the safety net.

CI/CD

The Queue Backlog Doubles Every Day. 10x the Consumers Tonight?

~12 min

A queue backlog doubles daily and 10x-ing the consumers tonight sounds decisive. Defend diagnosing the bottleneck first — if consumers are blocked on a downstream, more of them makes it worse.

Observability

Advanced 16 challenges · ~13–15 min each

A 30-Second Blip Became a 2-Hour Outage. More Retries?

~14 min

A 30-second dependency blip cascaded into a 2-hour outage, and more retries are proposed. Defend taming the retry storm: exponential backoff with jitter, retry budgets, and circuit breakers.

Observability

A Container in Prod Is Mining Crypto

~15 min

A production container is mining cryptocurrency. Defend a real incident response: isolate and preserve evidence, find the entry point, rotate what the workload could reach, and harden the pipeline that let it in.

KubernetesSecurity

An EKS Pod Needs AWS Access. Attach It to the Node Role?

~15 min

An EKS pod needs AWS permissions and attaching them to the node role works instantly. Defend per-pod identity (IRSA / Pod Identity) over node-role permissions every pod on the node inherits.

KubernetesAWSSecurity

Cross-Account S3 Access Still Fails. Just Open It Up?

~15 min

Cross-account access to an encrypted bucket keeps failing and loosening policies is tempting. Defend solving the real chain: bucket policy, KMS key policy, and the caller's IAM policy must all agree.

AWSSecurity

DynamoDB Is Throttling but Capacity Looks Idle. Crank It Up?

~15 min

DynamoDB throttles while table-level capacity looks idle. Defend the hot-partition diagnosis: skewed partition keys throttle locally no matter how much capacity you buy at the table level.

AWSDatabases

Failover Lost 5 Minutes of Writes. Promise Zero Data Loss?

~14 min

An async-replica failover lost 5 minutes of writes and leadership wants a zero-data-loss promise. Defend honest trade-offs: async vs sync replication, RPO you can actually commit to, and what sync costs in latency.

Databases

One Giant Terraform State Runs Everything

~15 min

All infrastructure lives in one giant Terraform state. Defend splitting it: blast-radius reduction, faster plans, per-team ownership — and how to migrate state safely without downtime.

Terraform

p99 Latency Spiked Across a Microservice Chain

~15 min

p99 latency spiked across a chain of microservices and every team blames another. Defend tracing the actual bottleneck with distributed tracing instead of guessing from per-service dashboards.

Observability

Secrets Rotation Took Down Prod at 3 AM. Pin Credentials?

~13 min

Automated secrets rotation broke production overnight and pinning long-lived credentials is proposed. Defend fixing the rotation mechanism — dual-secret overlap windows, graceful reload — instead of abandoning rotation.

Security

Service A Intermittently Cannot Reach Service B

~15 min

Service A intermittently fails to reach Service B in the cluster. Defend a systematic diagnosis of the boring-but-hard middle: DNS resolution, conntrack, endpoints churn, and network policy.

KubernetesObservability

Terraform Wants to Replace the Database. Apply Now?

~14 min

Terraform plan shows the production database will be destroyed and recreated. Defend stopping the apply: understand what forces replacement, use lifecycle guards, and find a non-destructive path.

Terraform

The Box Keeps OOM-Killing. Just Add a Huge Swapfile?

~13 min

A server keeps OOM-killing processes and a huge swapfile would stop the kills. Defend finding what eats the memory: swap turns a fast failure into a slow, thrashing one.

LinuxObservability

The Nightly Report Is Slow. Just Run It in One Big Transaction?

~13 min

A slow nightly report gets wrapped in one giant transaction. Defend why long-running transactions hurt Postgres — vacuum blocking, bloat, lock contention — and design the batch job properly.

Databases

We're Missing a Dimension, So Add user_id as a Label?

~14 min

An analysis needs per-user data and adding user_id as a Prometheus label would provide it. Defend cardinality discipline: unbounded labels blow up memory; use exemplars, logs, or traces for high-cardinality questions.

Observability

Your CI Has Keys to Prod and Pulls Unpinned Deps

~15 min

CI holds production credentials while pulling unpinned dependencies. Defend real supply-chain hardening: pinned and verified dependencies, OIDC short-lived deploy credentials, and least-privilege pipelines — beyond just adding a scanner.

CI/CDSecurity

Your Primary Region Is Down. Fail Over Now?

~15 min

The primary region is down and pressure mounts to fail over immediately. Defend a disciplined failover: confirm the outage scope, check replication state, follow the tested runbook, and know your split-brain risks.

DatabasesAWS