RE: Logs configuration

@avaleriusdebeffort_3858 what do you want to log? You can enable more detailed logging on ngnix... but otherwise, in ProGet, we don't have any more detailed logging available for end-users to troubleshoot.

Hi @Justinvolved ,

We don't currently have that type of monitor/trigger, but it's something we'd like to support in the future... in addition to new triggers like for Docker images, etc. Our extensible ResourceMonitor Feature is capable of handling this, but it just needs to be coded.

If you're interested, it'd be relatively easy...

• Create a create a class called PackageVersion that will store latest version number of a package (like Revision Number on SvnRepositoryCommit.cs)
• Create a resource monitor that queries for package versions (like how SvnRepositoryMonitor.cs monitors paths)

Hope that helps !

Cheers,
Alana

Hi @mhdos_4222 ,

Sorry, I must be confused.

Is the image actually pushed? It's not very clear from the logs, but it looks like it's working after you login? You wrote:

The push command was executed after successfully logging into our self hosted Proget.

A 401 basically just means the credentials are incorrect or not sent, and I really can't tell from the logs what's happening or not happening.

If things used to work before, do you know what was changed ? It's just hard to guess from the information we have here.

Hello,

ProGet will issue a 401 (Unauthorized) when the request has not been authenticated or if the authenticated credentials are not correct.

We don't have instructions or troubleshooting steps for nerdctl, but in the docker client you will use a login first., before a push.

Here's some more info:
https://docs.inedo.com/docs/proget-docker-private-registries#creating-and-using-a-docker-registries-in-proget

Cheers,
Alana

Hi @OtterFanboy ,

Thanks for the feedback and for finding additional bugs; I just fixed these as BM-3826 - at least I think.

1. Files was definitely broken (I must never have tested it last time)
2. That was probably related to something else (syncing issues?)... but hard to say; in theory, it should give a "red error box" when there's a problem w/ Git instead of a 500
3. This flow was using the wrong properties to create the resource name
4. Same

I also corrected the "new application flow" so that Rakko will do a "repository detection" to help select a pattern to use.

Let us know if you find other UI bugs (browsing, etc.) with the "Generic Git" repository; it should work the same as Git-service integrations, but we didn't do very good regression testing on it.

Hi @Bob_4018 ,

Thanks for the heads-up! We've resolved this, and the link should now work:

http://cdn.inedo.com/downloads/otter/OtterInstaller22.0.9_Offline.exe

Cheers,
Alana

Hi @martin-helgesen_8100 ,

You can aggregate multiple feeds using connectors:
https://docs.inedo.com/docs/proget-feeds-connector-overview

If you want to put all the packages in one feed, then after adding the connector you can use a "feed downloader":
https://docs.inedo.com/docs/proget-feed-importing

Cheers,
Alana

Hi @jim-borden_4965 ,

It looks like that isn't supported; but it should be relatively easy :)

I added a change (PG-2305) that we'll try to get in the next release (scheduled Mar 24).

Cheers,
Alana

Hi @e-rotteveel_1850 ,

ProGet doesn't currently support deleting individual "files" like this under a package, but it's something we can add for sure. The UI definitely seems to act "suboptimal" with some of these conda packages, but we'll fix it!

I suspect it is best for us to wait until ProGet 2023, since we're doing a big data model changes. I'm going to keep this "open" internally, along with the "constrains" request you made earlier (https://forums.inedo.com/post/13876) :)

Cheers,
Alana

@sebastian no problem :)

Actually... I just realized that I have a backup of your database that you sent to us for analysis/review. And your vulnerability assessments were one of our test datasets to see how migration goes.

So we can give you a very accurate and specific answer once we get to that phase of the ProGet 2023 release

Hello @sebastian ,

Great questions, and I'll do my best to help. This is a little complicated I think :)

[1] PGVC vs OSS Index
From a technical standpoint, PGVC is implemented as an "offline database", which offers a lot of performance benefits - namely ProGet can know about vulnerabilities in packages you're not yet using, and display those on remote packages. ProGet will download updates on a nightly basis.

Regarding the "Quality of data", it's really hard to say. I think everyone just aggregates from the same sources like NVD:

• PGVC leverages the Open Source Vulnerability (OSV) platform developed by Google and backed by Microsoft, etc. It’s an open platform.
• OSS Index is just Sonatype, and it’s closed (proprietary).

We decided to invest in PGVC because OSS Index has been rate limiting more and more, and the quality of results have been declining over the years. We believe PGVC (and the underlying OSV platform) will ultimately be superior.

[2] Instant Availability & Overnight Scanning
As I mentioned above, PGVC is an offline database. This means ProGet can immediately query that database to show you vulnerabilities on packages you may want to use or are currently using. This is not possible with OSS Index due to rate limiting.

The "vulnerability scan job" (which both OSS Index and PGVC scan do) will basically compare all packages you have in ProGet (local/cached) against the vulnerability source. This is to show you about vulnerabilities discovered in pakcages you're using.

[3] Migration
We are planning on some guidance about this. In theory, its should be possible because both the PGVC and OSS Index use CVE-ID. But the OSS Index sometimes uses their own ID instead of a CVE-ID.

We'll study some datasets and see what we can bring over. It might be a SQL Script or a tool inside of PRoGet.

[4] Using Both
I want to say, that you should just pick one source. Otherwise you’ll get a lot of duplicate vulnerabilities. Either one should be sufficient for package scanning, as they both aggregate the same publicly-available data sources.

However, it wouldn't hurt to try using both... just to see what comes up for vulnerabilities. If you delete a vulnerability source, it will delete all the assessments -- so that is a quick way to at least test (you can delete the PGVC vulnerability source).

Hi @OtterFanboy ,

FYI, Generic Git repo browsing in the UI has now been fixed as BM-3822 and will be included in the next maintenance release (March 10). If you'd liek a patch/prerelease sooner, just let me know!

Cheers,
Alana

Hi @priyanka-m_4184 , thanks for updating; yes in this case, it must be a really large package file? 30min is long time, and the upack client must be timing out then.

Hi @e-rotteveel_1850 ,

Thanks so much, this will help quite a lot and should be easy to follow! I downloaded those package and attached them to our internal tracker.

So basically... it sounds like we should just treat constrains (no t ) like we do depends? And if we can display it in the UI, then we will.

I peeked at the code, and it's a bit more complex than I hoped... mostly because of how we have to index/cache "connector" data as a SQL Lite database. But hopefully not that complex.

Anyway, I'll update once we have an idea of when we can get this field in.

Cheers,
Alana

Hi @Justinvolved ,

The first thing I would try is enabling verbose logging; this is on the advanced tab of the operation, or you can set with Verbose: true parameter.

That will give a file-by-file comparison, and show you what's being copied and not. You will see texts like:

Copying C:\apxltd\artifact\Inedo.DependencyScan.dll to C:\apxltd\artifact2\Inedo.DependencyScan.dll...
Inedo.DependencyScan.dll already exists in C:\apxltd\artifact2.
Source timestamp: 11/12/2022 8:26:38 AM, Target timestamp: 11/12/2022 8:26:38 AM
Source size: 54272, Target size: 54272
Size and timestamp are the same; skipping Inedo.DependencyScan.dll...

Hopefully that will help trace this a little bit better.

Cheers,
Alana

Hello @jmartschinke_3948 ,

Thanks for letting me know; this appears to be some kind of regression from a python-related change in 2022.20 .

It will be addressed ASAP via PG-2290 in the next maintenance release (coming ASAP).

Cheers,
Alaa

@OtterFanboy got it, thanks!

So this particular change is a bit more involved unfortunately. For example, if you clicked on "Windows Server", you wouldn't find any drifted servers - which would be confusing, because the environment would show as drift.

I'll note this as something to think about for v2023

Hi @e-rotteveel_1850 ,

Thanks for the suggestion! We could definitely use your help in getting a few more details on how to implement this... we only learned CONDA by trying to implement a repository

I couldn't find any info about constraints from searching their documentation.

Can you provide us with an example package we can upload to ProGet (public package is easiest, but private is fine too)? And also, show us what it should look like in the repodata.json file?

Cheers,
Alana

Hello @OtterFanboy ,

Thanks for the bug report! We'll fix it via OT-483.

That tab only displays if "Configuration drift:" is set to something other than "None", but there should be a "no roles" type of message instead of a crash.

Cheers,
Alana

Hello @OtterFanBoy123 ,

I was able to reproduce this; it's a UI regression BuildMaster 2022's new OtterScript editor. This won't impact deployment, the script, or anything like that.

I've logged this as BM-3817 and we'll try to get this fixed in the next maintenance release :)

Cheers,
Alana

@lm thanks for letting us know that it worked!

I'm glad you were able to find the issue on GitHub. Looking closer, it is a NuGet client bug; I posted an update on the issue. The only workaround is what you described (setting a separate API key).

Hi @cshipley_6136,

We aren't trying to pass the buck here, but given the symptoms, it's almost certainly not a software problem I'm afraid. Under the hood, ProGet uses Microsoft's SQL Server driver/components, which uses the operating system's networking drivers/components to communicate to the server. In this case, the error is originating in the operating system's networking components.

Based on the symptoms (intermittent network-level errors), it's most certainly a problem with the network hardware, components, or configuration. Since the problem is intermittent, running nslookup similar commands on the container won't really identify any issues; those commands also communicate on different protocols/ports than SQL Server.

We're not really experts at troubleshooting network problems, but we have seen a few over the years. Have you had a chance to bring this up with your Network/Operations team? What have they tried or investigated so far?

Cheers,
Alana

Hi @lm , thanks for the feedback!

I'm not sure about #1, but I was curious about #2, and spotted a typo in our database updating code.

If you run this against your ProGet database, this will work and should unblock you:

GRANT EXECUTE ON TYPE::[IndexedSymbolEntry] TO [ProGetUser_Role]

This will also be fixed in in ProGet 2022.21 as PG-2287.

Cheers,
Alana

Hi @cshipley_6136 ,

In general, when the database has temporary problems (timeouts, unavailability, etc.), then errors will be shown to users (like the above) when they make a web request. Every web request is a new try, basically, and will cause the same error. But once the database is back up, new requests should work fine.

However, if the application fails during initialization (i.e. the first web request after starting the service), then it effectively requires restarting the application (container/service). This scenario is tricky to work-around.

Otherwise, what was the nature of the user auth issue? If it was an incorrect password, then that would require fixing the connection string (which is passed as an environment variable usually) and then restarting the container.

Hope that helps...

Alana

Hi @cshipley_6136 ,

Thanks for the additional information; we were able to figure out what the underlying issue was with your help. Essentially, it a combination of command caching and some other factors that caused this false-positive behavior. The error should have eventually been triggered after a little while, but it's hard to say.

In any case, we've changed this to use a one minute cache, so this kind of error will be detected much quicker. Either databaseStatus will say Error, or the handler will return a 500 status.

This will be fixed in PG-2284 , which is scheduled for this Friday's maintenance release (2022.20).

Cheers,
Alana

Thanks again for these reproduction instructions! I confirmed the behavior very easily, though it doesn't look like a trivial fix (at least to me)

We are targeting PG-2278 for the upcoming maintenance release (Friday), but it might be delayed if we have other priorities until the following maintenance (Feb 24). Of course we can provide a prerelease/patch version as soon as we code the fix :)

Thanks for the additional insight! To clarify... I know very little about how caching works, and I was just reporting what changed recently so we can track down where to look :)

So just to confirm... you're saying that this used to work in ProGet 6.0, but it's not working after you upgraded to ProGet 2022? If that's the case, then it would very likely be the platform change.

@pfeigl said in Assets do not return Last-Modified header (anymore?):

Anyways, I guess our question simply is: Is it reasonable for you to (re-)add this header in a future version? It feels like a simple change, as the asset UI already shows this exact field.

Yes, we just need to track down exactly what the issue is :)

Our platform code does seem to look for an If-Modified-Since header, and then sends a 304 if the dates are within a minute of each other. So I guess that works.

But then this code, when sending response headers, looks pretty suspicious to me.... I wonder if he should be setting the Last-Modified header instead of Date

Hi @joacim-svensson_8194 ,

This use case isn't very common (and isn't one we necessarily designed for), so it's not so intuitive to do in the UI. To handle this, you can create a create a second vulnerability source, and then use that source in the UI. Let us know how that goes!

Cheers,
Alana

Hi @Justinvolved ,

Hundreds of configuration files in one application -- definitely too much. I'd probably seek a different solution if that's the case. But having one or a few per application is okay.

There is an Http-Post Operation that you can probably use to make API calls. Conceptually it's similar to the PowerShell Invoke-WebRequest method.

I'm not sure what the configuration file would look like (array? map variable?), but there's also a variable function, ($Filecontents()), that could read a file, and an $Eval() function that can can convert text into variables.

That said... it might be a bit challenging to do all this in OtterScript. It's not really designed for this. You may be better off writing a global PowerShell script that can process input from a configuration file that you deploy to the working directory. That would also be easier to test as well.

Cheers,
Alana

Thanks @e-rotteveel_1850 , these repro steps will be very helpful to debug/fix the problem.

With platforms we know little about (Python, Conda) figuring out the repro steps is often the hardest part

Please stay tuned; we'll post an update once we identify or fix the problem

Hi @e-rotteveel_1850 ,

I haven't really tested this, just reporting on information I found in our notes :)

The problem that we fixed via PG-2220 was reproduceable as follows:

1. Create Conda feed w/ connector to default public repository
2. Access this page in UI: feeds/MyCondaFeed/ca-certificates/versions

It also gave errors in the ProGet API. But the underlying issue was related to unexpected ("invalid") metadata from the remote Conda repository's API (index files), specifically with sorting (comparing) those leading zeros.

Python specifications give me a headache, but it has something to do with the PEP-440 Normalization Rules not being followed under the hood

Regardless, it sounds like this is a different bug...

Can you identify how we can repro/fix (without using CONDA client)?

1. Create new CONDA feed (no connector)
2. Download ???? files from the public site (I couldn't tell from this page)
3. Upload those files to ProGet
4. Web UI shows ???? instead of ???
5. API url ???? doesn't download file (as expected)

Cheers,
Alana

Hi @pfeigl ,

The handler for asset file downloading hasn't changed recently.

The last major changes were in ProGet 6.0, where (among other things), the ability to control client-side caching was added. The change you found (PG-2068) fixed a bug related to UTC/Local time differences in those cache headers.

In ProGet 2022, we changed the overall platform (.NET Framework -> .NET6). The platform is what's responsible for reading/responding to cached/head requests.

I'm not sure what the behavior was prior to ProGet 2022... but if you're finding that caching isn't working as expected, I would inspect the cache control headers and see if you can find what the underlying issue is. So far as we can tell/test, it's working as it's supposed to now.

Cheers,
Alana

Whoops, posted too fast :)

@e-rotteveel_1850 said in Uploading ca-certificates (2023 version) to a ProGet conda feed does not work:

I tested with Proget 2022.0.19, but the file is still renamed to "2023.1.10"

The package store is internal to ProGet, and we don't support accessing or modifying those files directly. The folder structure or naming of the files won't impact usage in the ProGet UI or API.

Hi @e-rotteveel_1850 ,

The underlying problem is that ca-certificates has invalid package versions, at least according to Conda's own versioning specification.

2022.07.19 is not supposed to be permitted in a repository... and yet it's there. ProGet follows the Conda specification, which says packages with leading zeros should be "normalized" to 2022.7.19. I guess they treat their specs more like "guidance" than "specifications"

In any case, as you noted, this was addressed in a newer version (PG-2220 in ProGet 2022.10), so upgrading should take care of it.

Cheers,
Alana

Hi @rosario-digiovanni_1930

This is a known bug (#430) in Find-Package; basically this only works with NuGet.org, and doesn't work with other repositories.

I would suggest replying to the issue; it's been a few years since anyone commented on the bug, so bumping it miiiiiight get Microsoft to consider fixing it.

Cheers,
Alana

Thanks for clarifying @Justinvolved

I was able to reproduce this issue, looks like it was a regression with "releaseless builds". Easy fix... it'll be in the next maintenance release as BM-3808. The release is scheduled for this Friday :)

Cheers

Hi @OtterFanboy ,

Thank you for the feedback :)

I've added items for [1] OT-480 and [4] OT-481, they seem relatively easy changes.

Can you send a screenshot for [3], so we can better visualize what your environment page looks like? It would be helpful to see this page with real-data, since our test data typically doesn't use nested environments.

Regarding [2], folders were a late addition to Otter 2022, and unfortunately the functionality is quite limited (i.e. move didn't get added in). This omission is annoying, but a lot of times Git-based rafts are used, and it's easy to move files in Git. We would definitely like to add this, but it's not trivial... because we need to do different operations for Git-based rafts. Otherwise, I logged the analyzer error as a bug (OT-482) because they shouldn't issue an error.

I will discuss with the team when we can prioritize these issues. If it's really easy, maybe we can do it in next maintenance release window.

Cheers,
Alana

Thanks much for that providing query @sebastian !

And yes -- the data is "halfway there" in ProGet 2022 (maybe 20% there?), but "Packages" (which are spread across another different tables like NuGetPackages, NpmPackages, etc.) aren't tied to licenses just yet.

But with the database refactoring we are planning in 2023, it's going to be a lot easier to get and display this information, especially for SCA-related things.

There's also going to be vulnerability improvements as well - please stay tuned :)

Hi @lm , just to clarify...

How do you use symbol files? Is it to "browse / step-in to code" using a debugger in Visual Studio?

If so, caching/proxying symbols wouldn't help with those items, since the PDB is really just providing a URL to the public internet.

Cheers,
Alana

Hi @marc-ledent_9164 , it's a little hidden.

If you Edit Pipelline > Edit Details, there will be a "Delete" button in the bottom-left corner of that dialog.

Cheers,
alana

Hi @philipp-jenni_7195 ,

Hmmm that's basically the same thing I tried a while back ....

Can email/send the package files in this example? mypackage-3.0.0.upack and mypackage-3.0.1.upack

If you email them to support at inedo dot com, with a subject of [QA-976], we will be able to find it. Please let me know when you email it, since we don't watch that box

Cheers,
Alana

Hi @Justinvolved ,

That is definitely a bug in the Operation, as there shouldn't be a NullReference exception like that.

Just to confirm... in the first example, you created a build without a release? I.e. you just "directly" selected a pipeline? But then, it worked when you created a build in a release?

Cheers,
Alana

Hi @Justinvolved ,

Ah, thanks for clarifying that! Yes... they should be Testing to follow everything else. Pipeline templates are a brand-new feature :)

This was a trivial change, and will be updated in next version as BM-3805

Cheers,
Alana

Hi @Justinvolved ,

In this case, I would recommend staging the artifact files first, and then transferring them. Here is the OtterScript you can use for that:

Deploy-Artifact;

Transfer-Files
(
    ToDirectory: c:\websites\the-website-root,
    Exclude: Images\**
);

Cheers,
Alana

As a free user, we're a bit limited to how much we can investigate this, and it's unlikely we'd be able to see anything from the database or docker config. We've seen this message come-up from time-to-time, and it's been related to the two edge cases I mentioned:

• package version is "unlisted"
• package file already exists on disk, but no database record exists

We have yet to see this happen with a newly-created feed.

Perhaps you can set-up something on AWS LightSail, or another very inexpensive hosting platform? Using that, we could investigate much easier.

Hello @itpurchasing_0730,

It sounds like you set things up correctly, but seems like Chocolatey is behaving strangely; if you added a source, then you shouldn't be prompted for the credentials.

In general, you should just need to run choco source add command:
https://docs.chocolatey.org/en-us/choco/commands/sources

Then you won't be prompted again. I would try removing your sources, and adding them back.

You may also want to use a tool like Fiddler classic to monitor the traffic that Chocolatey is making. Unfortunately we can't tell, from just that diagnostic log.

That will let you see exactly what URls are being used... and the underlying problem might be related to something like a proxy server.

Cheers,
Alana

Hi @philipp-jenni_7195 ,

This is still a mystery to us; since you say you can reproduce it with a new feed, can you provide us with a step-by-step guide using a New Feed and a package file to use, then we will try your steps.

The steps should basically be:

1. Create New Feed named XXX
2. Upload this file to the feed (please attach file)

If the server is publicly accessible (or you can create one that is), we can also log-in and attempt to reproduce it on your server.

Cheers,
Alana

Thanks for letting us know @jeff-peirson_4344 ; we'll see if we can better detect and improve this error.

Hi @rosario-digiovanni_1930,

Ah - so it is schema related.

Well, it's definitely compatible with SQL 2019... and we also have no idea why or how that happened. We don't see other users having this issue.

We also tested 00. EnsureDbo.sql works on just about every configuration we could imagine:

• user has no schema
• user has different schema
• user has own schema
• user doesn't have permission to change schema
• etc.

What does SELECT SCHEMA_NAME() return?

Any idea why the following isn't working for you?

IF (SCHEMA_NAME() <> 'dbo') BEGIN
   DECLARE @SQL NVARCHAR(MAX) = 'ALTER USER [' + CURRENT_USER + '] WITH DEFAULT_SCHEMA = [dbo]'
   PRINT 'Changing default schema ("' + SCHEMA_NAME() + '") to dbo via: ' + @SQL
   EXEC sp_executesql @SQL
   PRINT 'Schema changed.'
END

FYI, here is Microsoft's docs on SCHEMA_NAME:
https://learn.microsoft.com/en-us/sql/t-sql/functions/schema-name-transact-sql

Hi @rosario-digiovanni_1930 ,

Thanks for sharing the details; from here, I would recommend just working with inedosql.exe and the SqlSCripts.zip file that's in the ProGet.SqlScripts-22.0.17 package. You can just run inedosql update after extracting the SQLScripts.zip file

The error is from from a while ago (14.07.2020 14:41:44), so I guess it's nothing to worry about. Perhaps it's the same underlying issue?

There's definitely something wrong... I just have no idea what it is. The only guess is schema/permissions, but you've already checked it.

I will describe to you what's happening, and hopefully you can troubleshoot with your database team better, especially since you'll have all the scripts that are run...

The script 0.1.AddStoredProcInfo.sql does the following:

• drop/create table __StoredProcInfo
• drop/create stored procedure __AddStoredProcInfo
• drop/create stored procedure __GetStoredProcInfo
• execute __AddStoredProcInfo

Then later, the 1.ApiKeys_CreateOrUpdateApiKey.sql script is executed. This script starts by executing __AddStoredProcInfo again, but it's called with the [dbo].[__AddStoredProcInfo] prefix instead.

So I think the issue is schema-related.

But as I mention, we try to mitigate this earlier with 00. EnsureDbo.sql . This script works like so:

IF (SCHEMA_NAME() <> 'dbo') BEGIN
   DECLARE @SQL NVARCHAR(MAX) = 'ALTER USER [' + CURRENT_USER + '] WITH DEFAULT_SCHEMA = [dbo]'
   PRINT 'Changing default schema ("' + SCHEMA_NAME() + '") to dbo via: ' + @SQL
   EXEC sp_executesql @SQL
   PRINT 'Schema changed.'
END

Anyway, please let us know what you find. We'd love to make these scripts work in more scenarios, and not cause problems like this.