RE: "Bad handshake" when listening for agent

Hi @jimbobmcgee ,

The "Bad handshake" error is occurring (as you probably guessed) while trying to establish SSL tunnel. This basically occurs at the operating system level, and is usually a total mystery. The underlying error seems to be coming from SSPIWrapper.AcquireCredentialsHandle, and is just this:

(0x8009030D): The credentials supplied to the package were not recognized

I have absolutely no idea what that means, but... there's a ton of things I found via searching. A few articles are suggesting that it means lack of access to read the private key

Maybe it's in the wrong folder (on the Otter server)? I think it needs to be in "Personal" folder of "Machine" certificates, but it sounds like it's definitely something wrong with Otter reading the certificate....

Let us now if you find out more!

Hope that helps,

Alana

Hi @jimbobmcgee,

We don't currently support via the API; it's not terribly complex/risky to do, but also not trivial.

I'll add this to the "Otter 2023 wishlist", and it probably also get pushed to BuildMaster as well, since we want the API to be the same in both products.

FYI - we would most certainly prioritize/implement this for a paying user (*wink* *wink*), but for now we'll keep it on the internal wishlist.

@jimbobmcgee thanks for all the help on this! While not a complicated fix, it might not be trivial - so put this on our internal BuildMaster 2023 board. We're in active development, and will review/fix this there, then look to backport to earlier versions of InedoCore.

You're more than welcome to give it a stab as well...

• relatively easy to modify/create extensions (https://docs.inedo.com/docs/creating-an-extension-for-v2022)
• Otter is currently on SDK 2.1 (see versions), so you'd want to branch from here

And feel free to submit a PR if you get something working; lot easier to review/test that way :)

Quick comments...

I assume that fileOps.NewLine uses the platform of the current for server, rather than the platform on which Otter is running

Correct -- it's related to the agent that server uses. For PowerShell Agent, Local Agent, and Inedo Agent, NewLine returns Environment.NewLine. For SSH Agent, it's \n.

However, this probably isn't accurate anymore; I suspect InedoAgent is incorrect if BuildMaster or Otter is running on Linux, and Inedo Agent is running on Windows. But I'm not sure.

public bool RawMode { get; set; }

Good point --- and to be honest I was a little surprised by the fact that these operations even rewrote new lines. Probably came from a support request... my guess is for when you're passing in literals or something :)

In any case, we should probably switch to an enumeration like template operat has (TemplateNewLineMode) -- but a fourth option to the both (None).

Anwyays -- we'll review a bit later if we don't hear back otherwise :)

Hi @jimbobmcgee,

I fixed this via OT-493 FIX; Custom Server Targeting should be selectable if the script type is OtterScript. It was a regression in the job template editor.

Am I right in saying that for server is only expected to work for Custom server targeting, though?

Correct; as of Otter v3 it's no longer supported in other scenarios.

And for server can take a scalar variable argument, such as...

Also correct, so the code you shared should work!

Hi @MF-60085 FYI just sent you an email :)

Let us know when you upload and we'll investigate from there!

Hi @MF-60085 ,

This message is pretty strange, and not quite sure how it's possible.

Are you okay sending us your database? That's going to be easiest.

It's probably too big to attach, but you can send using a "large file transfer" type service. Or we can email you a secure link on our sharepoint server to upload.

Cheers,
Alana

Hi @philippe-camelio_3885 ,

Just to confirm... is the issue just on the "Show Secret Fields" page?

SSH Keys are a little weird, in that they're stored in binary; so I think that page is mistakenly tryring to display that as a string (hence the block characters).

Cheers
Alana

@jimbobmcgee said in Basic arithmetic in OtterScript:

I can only prompt for variables with a job template, but the option for Custom server targeting is not available in job templates.

That doesn't seem right! I'll investigate and report back :)

Hi @jimbobmcgee

To be honest this is pretty old code and I'm not entirely sure how it works :)

I wonder if this is the issue in Apply-Template?
https://github.com/Inedo/inedox-inedocore/blob/master/InedoCore/InedoExtension/Operations/General/ApplyTemplateOperation.cs#L90

I'm guessing the original string must have \r\n in it or something.

Here's the Create-File code, where there seems to be another replacement:
https://github.com/Inedo/inedox-inedocore/blob/master/InedoCore/InedoExtension/Operations/Files/CreateFileOperation.cs#L77
I didn't have much time tot look closely, but wanted to share the code and see if you spotted antyhing!

Cheers,
Alana

Hi @hwittenborn ,

The API should output valid API, but I see there was a typo in the documentation. serviceStatus is either OK or Error, and the status detail will contain the error text.

Cheers,
Alana

Hello, if the ProGet server is running (and didn't crash), and you don't see any errors on the ProGet server... then the issue is between the server and the client.

You can try to trace this using a tool like Wireshare or Fiddler, but to be honest the error could be anything including a bad wifi/network connection. It's not PRoGet or chocolatey specific, so you can search broadly for "how to troubleshoot unable to connect to remote server" for lots and lots of tips on how to resolve such an error.

Cheers,
Alana

Hi @jhaas_7815,

The message "Unable to connect to the remote server" basically means that Chocolatey client can't connect to ProGet at https://xxx:8625/nuget/xxx/'. If you entered the same URL in your browser, I would expect a similar error.

I would check to make sure that the ProGet web site is running. You may need to restart IIS, etc. There's probably some kind of error on the IIS side, but it's really hard to guess what it is.

Cheers,
Alana

Hi @jimbobmcgee ,

You're right, you would have to switch to localhost; however, you wouldn't have to "switch back". In other words, this would work fine:

for server MyLinuxServer
{
  set $MyResult = "";
  for server localhost 
  {
    $MyResult = $PSEval((5 + 3) * 4 / 3^0.5);
  }
}

You could wrap it in a Module, so you could do this:

call MyMaths ( compute: (5 + 3) * 4 / 3^0.5, results => $MyResults);

Otherwise, if you were so inclined, you could create a variable functions in C# that could handle this as you'd expect. But that's quite complex (parsing it, finding a parsing library, etc.), and we're hesitant to explore this any further as a result.

Cheers,
Alana

Hi @philippe-camelio_3885 , there's definitely a bug... it was just hard to reproduce.

The issue was the Otter was looking at the wrong credential to determine if function access was allowed...

Hi @ForgotMyUsername ,

I can't reproduce #1, and I don't have enough details (specific error messages, stack traces, etc) to guess what the issue could be. Same for #2 -- I would need to see specific OtterScript and the errors you're getting to take a guess at where the problem is.

One thing that would be helpful, if you could create step-by-step reproduction information. For example,

1. Create application named TOM + JERRY
2. Create PowerShell Script named XYZ
3. etc...

Short of that, stack traces and errors logs are really important. There are a lot of copmontents working together, and hard to guess based on general descriptions :)

Cheers,
Alana

@philippe-camelio_3885 thanks for confirming that it was broken, I took a closer look and figured it out :)

It will be shipped in the next maintenance release as OT-492 (and also in BuildMaster via BM-3846)

@ForgotMyUsername great news, thanks for letting us know :)

Hi @ForgotMyUsername ,

I'm not sure I'm know where the issue is... can you provide the OtterScript? Or the specific error/logs that triggered that message.

The with isolation is supported, and is a checkbox on the advanced tab of the General block.

Cheers,
Alana

Hi @philippe-camelio_3885 ,

I can't reproduce this at all....

1. Admin > Secrure Credentials> Create
2. test with Username = myuser, PAssword = mypass, check "function usage allowed"
3. Create script Credtest.otter with contents below
4. Run as Ad-hoc job on local host <-- works OK
5. Admin > Secure Credentials, uncheck function allowed
6. Run as Ad-hoc job on local host <-- failed as expected
7. Admin > Secure Credentials, check function allowed
8. Run as Ad-hoc job on local host <-- works OK

So it seems to be working as expected. And as Rich mentioned, the code seems fine and hasn't been changed.

Here's the script:

 set $CredentialUser = $SecureCredentialProperty(test, Username);
 set $CredentialPwd = $SecureCredentialProperty(test, Password);

 Log-Information User is $CredentialUser, Password is $CredentialPwd;

Hi @richard-gagliano_3594 ,

Actually we reviewed this for ProGet 2023, but ultimately decided not to it.

The main reasons were,
(1) it wouldn't work well for remote packages, since we don't have the package file locally
(2) different behavior for remote and local/cached packages is confusing to explain and adds a support burden
(3) it was not trivial with the way README was implemented on NuGet and our abstractions
(4) not in demand - we've had one other request (5 years ago) for this, and it was before the spec was finalized

I suppose you could say that "demand has doubled", but probably best to wait if we have more requests for this... given that it's not trivial and the behavior may be quirky.

Cheers,
Alana

Hi @k-gosciniak_5741 ,

We've got no clue what's causing that, but definitely some kind of IIS configuration. Ultimately I don't think the request for that file is being passed into ProGet, but IIS is trying to find the file on disk instead (which it obviously won't be).

I would guess if you put a file on disk that file would be served via that URL. IT's just a guess.

Other things to look at ... MIME mappings, I've seen those do strange things. Maybe there's other IIS modules. It's really hard to guess.

It might just be easiest to switch to the Integrated Web Server; you can just uninstall / reinstall ProGet. That won't use IIS then.

Cheers,
Alana

Hi @philippe-camelio_3885,

I don't know where the "extra commas" came from, but Otter/BuildMaster wouldn't have generated them that I can tell? It's not like there's a flag we can pass to our JSON library to say "make invalid format"

But in any case, the API response looks valid to me, and it seems to be importing okay?

The Property "Value" was not erxpected message is what you would get if you tried to import the "bad" (extra commas) JSON document.

Maybe try syncing again? The sync is really just an automated version of the manual process, and uses the same code base.

Cheers,
Alana

... hmm that's really weird. Those commas aren't showing up on my instance.

Can you go to Admin > Infrastructure > Export; what do you see showing up there?

That uses the same JSON-serialization code as the API.

You can also copy/paste that JSON into Admin > Infrastructure > Import, and do a kind of manual sync.

hI @k-gosciniak_5741 ,

That's weird; I would try to restart the application pool. Then, try switching from "Classic" to "Integrated" (or vice versa) on the application pool. Both should work... but "Integrated" seems to work best.

Cheers,
Alana

Hi @philippe-camelio_3885 ,

Thanks for clarifying!

I'm not sure why that won't work as a "normal" user, but I'm guessing it has to do with the /etc path or something.

But in any case... I don't think it's possible, at least with our knowledge of the underlying technologies. We rely on the "subprotocol" of SFTP for most file-based operations, and we rely on libssh2 to handle SFTP communication. How those protocols/libraries work is kind of a black box at that level.

On the plus side, you should be able to write "ensure" scripts using Bash :)

Cheers,
Alana

Hi @philippe-camelio_3885 ,

I would expect the "could not be loaded as JSON" message if the endpoint was giving some kind of error.

What happens when you query:
https://otter-2023.ocapiat.fr/api/infrastructure/all/list?key=*****

Is there a kind of error there?

Thanks,
Alana

Hi @norbert ,

Based on the error messages, the problems is occurring somewhere between the ProGet and choco.

• Chocolatey is reporting that the remote connection was forcibly closed.
• ProGet is reporting that the client unexpectedly disconnected.

It's the equivalent of someone "cutting the cord" halfway through the communication, and there's no way to know where that happened or why.

You'll need to investigate intermediate equipment. Typically it's a firewall, ,proxy, or other gateway that is misconfigured.

Cheers,
Alana

Hello,

You can find it under Admin > License Key; here's more information that might be helpful:
https://docs.inedo.com/docs/myinedo-activating-a-license-key

Cheers.
Alana

Hi @philippe-camelio_3885 ,

I don't believe that root is required to SSH into a Linux server.

What did you mean by implicit sudo? I guess you could run sudo from your shell scripts, but I wasn't sure if that's what you meant.

Cheers,
Alana

Hello @jonathan-brown_3775 ,

This is considered a "false positive", so please disregard those results :)

Those are JavaScript files that run inside your browser to display certain charts about feed disk usage in the Web interface; there is no possibility whatsoever of a security vulnerability or attack coming from these javascript files inside of ProGet.

Thanks,
Alana

Hi @pooms_7365 ,

Thanks, I found where the error is in the code; it was in displaying the "code has not been synced" message. Easy fix (BM-3845) and it will ship in next maintenance release :)

And wow... 15gb!

Cheers,
Alana

Hi @ForgotMyUsername ,

1. Checkout-Code operation using Generic Git repository with recurse submodules...

I can't reproduce this, but I can see how that issue might occur. Your repository must have a GitLink entry in the target tree (i.e. folder you're checking out), but there's no corresponding reference entry in the .gitmodules file. I've updated that to be a warning., and just pushed the Git 2.2.3 extension.

It will be included in the next maintenance release of BuildMaster, or you can download/upgrade now.

2. Every minute an exception appears...

Nice find; this will be fixed in next maintenance release (2022.10) via BM-3844

3. Clone application fails when trying to clone application using generic git repository...

I believe this is related to importing "releaseless-builds", and this may be fixed in 2022.9 via an internal commit (i.e. one we didn't log an issue for). Clone does an export then import. If that doesn't fix it, please export the application and provide it to us, so we can inspect the file for issues.

Regarding [5], can you send logs? The scenario you describe (existing repo with the same name) is already tested and handled, but there's likely something that's missing.

Hi @ForgotMyUsername ,

Unfortunately this is not going to be possible to debug with the information you've provided.

Except for the misspelling of Certficiate (which would have no bearing on executing the script), a cursory glance of the code shows that everything is otherwise wired up as expected:

• IisSiteBindingConfiguration.cs
• IisSiteConfiguration.cs

So, I'm hoping you help troubleshoot/debug some more, to show us where the issue is.

IIS settings are ultimately stored in the applicationHost.config stored under %windir%\System32\inetsrv\config\. We do not directly work this file (as you can see from the code), but it's the easiest way to review the settings in IIS that Otter makes.

To help us reproduce these issues, can you send:
(1) Relevant appPool and site elements from the config file
(2) OtterScript code that should work with those entries
(3) Actual vs expected results in the config file

And one note on the bindings... unfortunately this is a difficult problem in general to solve because IIS Sites have multiple bindings, but users often don't want to clear bindings. We used to have a Bindings property (it's still htere) that lets you specify a map, but it was too difficult/confusing to use.

Cheers,
Alana

Hi @ForgotMyUsername,

Under-the-hood, Otter uses an in-process PowerShell Host (i.e. a runspace) to execute scripts, and does not invoke PowerShell.exe:
https://github.com/Inedo/inedox-scripting/blob/master/Scripting/InedoExtension/PowerShell/PowerShellScriptRunner.cs#L181

And as you can see in the code, Otter is properly creating/disposing of those runspaces.

I'm not sure where the powershell.exe processes are coming from, but it sounds like you have some problematic scripts. These will cause a lot of memory to be consumed and never released. In addition, perhaps they are calling other scripts using powershell.exe? Or something? It's really hard to guess...

In any case, Otter already has a mechanism called Isolation (with isolated) that can be used to help solve problematic scripts like this.

When something is run as isolated, then a new Otter.Agent.exe process is created to handle the unit of work (such as a script execution). When the work is done, that process is terminated; if it doesn't terminate, then it is killed within 5 seconds.

Cheers,
Alana

Hi @jimbobmcgee,

OtterScript is a DSL and doesn't have a lot of "general purpose" things like maths, as you've noticed. This is by design.

But you can just use PowerShell for that; for example, set $MyResult = $PSEval((5 + 3) * 4 / 3^0.5);

There isn't any noticeable overhead.

PowerShell is probably also more suitable for string manipulation as well, especially when you're working with diskpaths and the like.

Cheers,
Alana

Hi @h-morgenthaler_3015, we are currently investigating this. ,It sounds like an issue we fixed in ProGet 2022 already, but maybe it didn't get merged over. Please stay tuned.

Hello, unfortunately we really don't know what the underlying issue could be. Perhaps it's only an error on the "test" button, and the plug-in will work?

This is not an Inedo-created plugin, and we're not familiar with Java or Jenkins to know how to to debug it. It should still work (and I know we have some users who got it working), but otherwise we don't really know how to debug it I'm afraid :(

The source code is here, but I don't know if it's at all helpful:
https://github.com/jenkinsci/inedo-proget-plugin

Cheers,
Alana

Hi @jimbobmcgee ,

The "Secret key" field is just an arbitrary string that needs to match on both the Agent and the Otter Server; it needs to be unique across your servers, as its used to uniquely identify an incoming agent connection. The UI generates a random string, but you can enter whatever you'd like.

There needs to be a Server record on the Otter server (i.e. on the "Servers" page) before an agent can connect to Otter. This is true for either Incoming or Outgoing communication modes. This is often called "server registration".

One option is to servers self-register in Incoming mode; you can have the the following script on first boot:

1. Generate a random string ("secret key"); you could use a GUID
2. use the Infrastructure API from the server to "register" the server using that key
3. edit the agent configuration file to have that key
4. start the Inedo agent service

Hope that helps,
Alana

Hi @Justinvolved ,

Oooh - I thought we removed those flags/notices from BuildMaster 2022

Looks like we only removed the code that clears them, and almost all of the code that sets them (with the exception of the CEIP page).

Anyway, I've vanquished the code for good via BM-3839.

In the mean time, please run sql this command to clear the notices:

DELETE [Configuration] WHERE [Key_Name] IN ('Service.DelayExecutionsWhenRestartRequested','Service.RestartRequested', 'Web.RestartRequested')

Cheers,
Alana

Hi @d-gleissner_8620 ,

The best way to handle this scenario is with two feeds (unapproved and approved packages); install from the unapproved in your development environment, and then to promote packages (in bulk) from the unapproved to the approved feed.

Unfortunately, it's not feasible for a tool like ProGet to handle dependency resolution; a dependency is specified as a range (for example, PackageA requires PackageB 3.2 or later), and it's up to the environment (i.e. the client doing the installation, PSGet) to determine which dependencies are currently available and not available.

For example, if you already had "PackageB 3.3" installed, then PowerShell would not install it, even if "Package B 3.4" is the latest version. It gets even more complicated when it comes to platform dependencies and all that. Ultimately, ProGet can't have such environmental knowledge.

hoep that helps!

Cheers,
Alana

Hello,

This is by design; looking over the code, it seems the command says "If metadata file is provided, value will be ignored." I can't answer why that's the design/behavior.

You're welcome to submit a pull request to update the behavior. Here is the relevant code:
https://github.com/Inedo/upack/blob/master/src/upack/Pack.cs

My main concern is, what if someone is relying on the value being ignored , either accidently or intentionally. I don't have a great idea for how to address that concern... though my first thought is to deprecate the manifest argument and rename to manifestFile.

So it's not a trivial change, but you're welcome to give it a shot. It's unlikely we will implement this ourselves anytime soon, as we have a lot of other feature requests on ProGet that take priority, and UPack gets a decent number of pull requests from the community.

Cheers,
Alana

Thanks @sebastian !! Your RegExFu is impressive

Definitely more robust - so I replaced it, and now we will match that "silly" test case of ((a) OR (b))

Hi @martin-noack_4528 ,

Nice points :)

We added this to our ProGet 2023 roadmap as a "Nice to Have"; we're a little behind on the release now so I don't know if it will make it, but we will reevaluate after 2023.0 is released at that point.

Cheers,
Alana

Hi @sebastian

Just an update; this was committed to the PG2023 code base, and seems to work on a few packages I tried (but I can't find too many).

Basically we just will enumerate the code matches in this Regex: ^\(?(( OR )?(?<code>[0-z-_\.]*))+\)?$

That will catch (a OR b) and a OR b, but if one were to be silly and add ((a) OR (b)) then it would revert back.

Doesn't seem worth getting any more complex than that :)

Hi @js-enthoven_2797,

Unfortunately I'm not very familiar with debugging apt :(

The only one I was familiar with was the InRelease-related error, which you worked around.

Otherwise, I haven't seen these before, but they seem to be warnings, so maybe it's okay and is working? It does say "All packages are up to date".

I don't really know what they mean, or if it's related to ProGet, apt configuration, or the package I searched for the text of these errors ("No Hash entry in Release file"), and there are a lot of suggestions on what to do... they are all different, and I have no idea what might work.

The "Connection timed out" is really strange too. Maybe it's related to proxy, or something? A blank page is to be expected if you have no packages in that scope; otherwise you will see a number of "Paragraphs", one for each package.

Cheers,
Alana

Hi @js-enthoven_2797 ,

This issue is unrelated to internet access or whitelisted URLS.

This is the error message you will get from apt if a private repository does not support the InRelease API endpoint. ProGet does not support this endoint, so you will get this error.

Here is some information about how to bypass this warning in apt:
https://www.linuxfordevices.com/tutorials/linux/fix-updating-from-such-a-repository-cant-be-done-securely-error

Basically you have to explicitly trust the PRoGet repository.

Please let us know if that works,

Alana

Hi @js-enthoven_2797,

I'm not totally certain, but I believe this is the result of the InRelease endpoint (i.e. the clear-signed index) is not being implemented by ProGet.

You can ignore the "weak security information" message, and configure apt to use this repository. If you're using HTTPS, the clear-signed index adds no additional security; it's a vestigial feature these days, and is was designed for when HTTPS wasn't available. You can ignore/override those warnings.

We may implement the InRelease endpoint, but there are some problems/bugs with the way BouncyCastle (the encryption library we use) generates "armored output streams". It's a lot of effort for no real value (other than just not having those outdated errors by default).

Cheers,
Alana

Hi @v-makkenze_6348 ,

I can see that you're using the OSS Index? Did you also add PGVC as a source?

I didn't review or try to reproduce this particular case yet... but we have seen this "duplicate data" problem happen from time to time with OSS Index. It's a data-quality issue; ProGet maintains an "external ID", and sometimes OSS Index will report duplicate

ProGet will display the External ID when you click on the vulnerability; that should be unique.

However, based on the description... I wonder if that's the case here? Does this seem to happen with cached packages only, as they've been removed? Any other insight you could provide would be very helpful, so we can investigate this further.

Cheers,
Alana

So sorry @msimkin_1572 , I just double checked.. the Endpoint URL should be formatted like v3/index.json not index.json.

http://my-internal-server/nuget/InternalLibs/v3/index.json

It "looked" right when I typed it, but I should have double checked. Normally I just copy/paste this from the Endpoint URL in the feed page.

Hi @PMExtra ,

Thanks for the details on this, very helpful :)

We actually recently discovered this too (though a different underlying problem) - it was should be addressed in 2022.27 via PG-2321.

Can you try that and see if it helps? We can investigate further if not.

Cheers,
Alana