RE: [Otter 3] Upgrade Inedo Agent failed

@philippe-camelio_3885 a failure there is rather peculiar, and the error message just looks like a generic "can't connect" error. The agent upgrade hasn't really even started yet, it's just some initial prep of downloading the file.

That message is occurring when making a very basic "direct connection" to the Inedo Agent (as opposed to the more complicated, "pass through" connection to the Otter Agent that the Inedo Agent manages).

The other time a "direct connection" is made is during the "Server Checker" task runner. That runs on service startup, and then every hour, or when you trigger it manually (Admin > Service).

Anyway you could check it there. So, it could just be bad timing? Maybe the server is actually inactive, or agent got off?

Ah ok, I was able to reproduce this behavior; it was unfortunately a 3.0 regression as part of migrating the Legacy ResourceCredentials changes... but it's relatively easy to fix as OT-413 -- it's already scheduled for Otter 3.0.5 (next Friday), but we could make it available as a patch/pre-release version if you'd prefer?

Hi @ipluskal_1214

You're right, there haven't been any RPM changes... the error message is implying that ProGet is rejecting the data you're sending for some reason, "Unable to parse package header. The supplied package may be an invalid RPM file".

It might be a .NET5 issue, just based on the version numbers you told me. Since ProGet v5.3.12, the inedo/proget image is hosted using the .NET Core runtime. Previously, it was hosted using the Mono runtime. The inedo/progetmono image is available to v5.3.19.

Cheers,
Alana

Hi @Stephen-Schaff,

Docker is pretty wonky, and technically doesn't support multiple registries per host.

A Docker Registry is tied to a host (like myproget.mydomain.net), not a URL. A Docker Registry's catalog API endpoint is always «host-name»/v2/_catalog, but I guess your third-party tool isn't so particular, and does a basic concatenation against the field.

This silly implementation makes no sense for ProGet -- so we just work-around that by requiring a "Namespace" on your Docker Registries that starts with the feed name.

So technically, you have a Docker Registry at «host-name» that hosts a bunch of Docker Repositories named «feed-name»/«repo-name». I'm afraid your only option here is to do what Docker wants you to -- which is create a user with restricted permissions to the containers you want.

@philippe-camelio_3885 sorry this has been frustrating

There is a compatibility shim for this that should have picked this up... but after the migration from ResourceCredentials to SecureResources and SecureCredentials, we no longer use the type name to qualify credentials.

Long story short, this should fix it...

set $CredentialUser = $CredentialProperty(myaccount, Username);
set $CredentialPwd = $CredentialProperty(myaccount, Password);

@afd-compras_2365 ProGet implements the NuGet Server API, so you can use ProGet as a private NuGet server; we did not design that API, we simply implement it

Here is the same API call on NuGet gallery with a package that doesn't exist

https://www.nuget.org/api/v2/FindPackagesById()?id='NotRealPackageFakeFAke'&semVerLevel=2.0.0

I'm not sure I understand the dependency question with nuget.exe though... but in a case like this, you can just put those packages in your feeds I believe? Then you won't get update issues

@brett-polivka sorry about that, there's always room to improve the testing, and you just got "unlucky" with a few edge cases that slipped through the cracks.

But not to worry -- you can just downgrade the extension by following the manual installation instructions - the 1.9.0 of Azure will still use the old libraries - https://proget.inedo.com/feeds/Extensions/inedox/Azure/1.9.0

@afd-compras_2365 that's the proper behavior of the /FindPackagesById() API endpoint; as far as why that's the proper behavior, you'd probably have to track down the folks at Microsoft who designed the API over ten years ago and ask them ;)

That particular API returns a resultset; if the set has 0 items, then there are no packages with that ID found.

@joshuagilman_1054 I don't really know PowerShell myself (today I learned you can do classes )... but behind-the-scenes it's .NET, and that means we can use nullable value types.

I tried [int?] (nullable shortcut syntax) and [Nullable<int>] (generics shortcut syntax) but PowerShell isn't so happy with either. So the long way it is...

[System.Nullable``1[[System.Int32]]] $myInt = 0
echo "myInt is $myInt "
$myInt = $null
echo "myInt is $myInt "
$myInt = 1000
echo "myInt is $myInt "

That should do the trick for you, and is close to our JSON Model anyways.

@joshuagilman_1054 said in API expects null instead of 0 for integer values:

The only option I have is to manually check for these edge cases and convert the zeroes into nulls before sending off the JSON which seems rather silly. Is there a specific reason the API won't accept a zero in this case?

Well, the specific reason is due to data integrity rules; the TriggerDownload_Count is just defined as a nullable, non-zero, positive integer. Using -1 would also yield the same error.

And as a general practice, we don't convert user input to NULL, or add extra code to make it work in a case like yours -- we just let the data integrity rules raise errors like that.

In our own code, we'll do what you do (and pass a zero or empty string around, for example); so in a case like that, we just have a function like NullIf(value,0) or Nullif(value,"") before attempting an internal API call. So that would probably be the best bet.

Hello,

That API will only delete package metadata from the database, not from disk. It's mostly intended for internal use only, and probably shouldn't be exposed to the API. In any case, we don't store the @ with internally, so if you change @myscope to myscope it should work.

Note that the NPM doesn't provide a way to delete packages, and we never implemented it. There hasn't been any demand for it to date, as people don't really delete packages programmatically - but you're definitely welcome to submit a feature request and help us understand why it'd be a value (like, the workflow you use that requires deleting packages, etc).

Alana

@Stephen-Schaff ah that's too bad, quite frustrating! Any luck setting up test server, so it doesn't' inconvenience production?

I don't why it didn't work, but it's not what I would have expected.

We had been assuming this was failing in the TryParseLoginUserName method, which is where that NETBIOS mapping occurs. It seems to be working fine, and is surprising to see.

Instead, it seems to be failing in TryGetUserAsync, which calls the TryGetPrincipal method. The TryGetUser method is called in a bunch of places (and when it returns null for an authenticated user, you'll get that can't find user error), but it's also on the "Configure User Directory Page", when you hit the "test get user" button.

You showed that you tested the connectivity using "test search", but there's good reason one query (get) would work, but not the other (search).

That doesn't make a lot of sense to me. I'm thinking, another test from that page is in order.

Here's the (messy) code for /debug/integrated-auth.

                WriteLine($"Id:\t\t{domain.Id}");
                {
                    var messages = new List<string>();

                    WriteLine("---------");
                    var ad = WebUserContext.CurrentUserDirectory;

                    ad.MessageLogged +=
                        (s, e) => messages.Add(e.Message);

                    var parsedLogonUser = ad.TryParseLogonUser(context.Request.ServerVariables["LOGON_USER"]);
                    if (parsedLogonUser == null)
                        WriteLine("Could not parse LOGON_USER.");
                    else
                        WriteLine("LOGON_USER parsed as: " + parsedLogonUser.Name);

                    var user = await ad.TryGetUserAsync(context.Request.ServerVariables["LOGON_USER"]);
                    if (user == null)
                        WriteLine("Username not found.");
                    else
                        WriteLine($"Username:\t\t{user.Name}");
                    WriteLine("Additional messages:");
                    foreach (var m in messages)
                        WriteLine(" - " + m);
                }

Here's the (messy) code for the "Test" button next to "Test get user" on that page:

        var btnTestGetUser = new PostBackButtonLink("Test", () =>
        {
            var log = new StringBuilder();
            try
            {
                instance = instance ?? (UserDirectory)Activator.CreateInstance(this.Type);
                editor.WriteToInstance(instance);

                instance.MessageLogged += (s, e) => log.AppendLine($"[{e.Level}] {e.Message}");

                var principal = instance.TryGetUser(txtTestUser.Value);
                if (principal == null)
                {
                    divSearchResults.Controls.Add(InfoBox.Warning(new P("User ", new Element("code", txtTestUser.Value), " not found.")));
                    return;
                }
                else
                {
                    divSearchResults.Controls.Add(InfoBox.Success(
                        new P("User ", new Element("code", txtTestUser.Value), " found: "),
                        new Ul(
                            new Li("Name: ", principal.Name ?? ""),
                            new Li("EmailAddress: ", principal.EmailAddress ?? ""),
                            new Li("DisplayName: ", principal.DisplayName ?? "")
                        )
                    ));

                    if (!string.IsNullOrEmpty(txtTestUserGroup.Value))
                    {
                        if (principal.IsMemberOfGroup(txtTestUserGroup.Value))
                            divSearchResults.Controls.Add(InfoBox.Success(new P("Member of ", new Element("code", txtTestUserGroup.Value))));
                        else
                            divSearchResults.Controls.Add(InfoBox.Warning(new P("Is not member of ", new Element("code", txtTestUserGroup.Value))));
                    }
                }
            }
            catch (Exception ex)
            {
                divSearchResults.Controls.Add(InfoBox.Error(new P($"Error: {ex.Message}")));
            }
            if (log.Length > 0)
                divSearchResults.Controls.Add(new Element("textarea", log.ToString()) { Style = "width:500px; height:50px;" });
            divSearchResults.Visible = true;
        });

Lots of code, but I wanted to share both of these, so we're looking at exactly the same thing, if you need it.

** Can you try testing "get user" again (not "search user") using that page? You will most certainly see the exact same set of error messages. **

If this is the case, then the problem is most definitely related to credentials/permissions, and really doesn't seem to be related to NETBIOS alias, after all.

Next steps.

1. Confirm that you're getting same error from the "Get user" test but that "Search user" works
2. Remove the NETBIOS alias mapping, make sure results are identical (get doesn't work, search does)
3. Enter wrong credentials, like a bad username or bad password; ensure that "Search user" fails
4. Correct the credentials, and makes sure that "search user" works again
5. Try your own, personal credentials to see if it makes a difference
6. Disable LDAPS (if it was enabled) and try again
7. Create a ProGet test server, see if you can replicate behavior
8. Open a ticket with Microsoft with replication results (the tool works, the servers don't, etc)

I hate that last step... but there's no reason on earth why this same, basic query that's run by the same C# code using the same credentials would work in one environment (desktop app on one server) but not another (web app)

Thanks for making the pull request @viceice !!

Well, I can see the issue... 5.3.24.7 != 5.3.24

Okay, so next version it should work. Diagnostics.DbVersion is set in the build/release process, so we just changed the code that sets Diagnostics.DbVersion.

Next time it should work.

@viceice it was shipped in 5.3.23, so please give it a shot and let us know!

We didn't test it in a Kubernetes deployment (I hope we can get great docs on that some day!), but in the meantime I did add this to the documentation:

https://github.com/Inedo/inedo-docs/commit/358be6d03160ff569d791532f14cc5f05012b2a8

If you have any suggestions, especially on how to improve the docs, please share it or submit a PR to our docs :)

@Stephen-Schaff thanks for clarifying, I misunderstood!

Let me explaim how integrated auth works. Basically IIS/Windows Auth only provides ProGet with something like INEDO\username. However, INEDO is not a domain name, it's a NETBIOS alias. To query a directory, you need the real domain name (in our case, it's inedo.local).

To find the domain name the global catalog for the domain server will be queried to determine any mappings, but this can sometimes fail due to permission errors. This is why you get a "User not found" error. The legacy provider relies on DNS resolution, which was incorrect.

As an alternative, you can provide a list of key/value pairs that map NETBIOS names to domain names may also be specified (one per line); e.g. KRAMUS=us.kramerica.local and if any value is specified, the automatic query is not performed, so all NETBIOS names must be specified.

There's a lot of details on the [Advanced LDAP Configuration] (https://docs.inedo.com/docs/various/ldap/advanced) to consider, but basically the reason it wasn't working was because the NETBIOS mappings could not be resolved correctly.

In any case, that's the field to work with, the NETBIOS Mapping.

@JonathanEngstrom Otter 3.0.3 scheduled for Friday, so please check it out then :)

So first, we do take breaking/deprecating pretty seriously; we put a ton of effort in documenting and helping migrate from BuildMaster Legacy Features for example, and even built-in tools, etc. to do it.

Why did we break it in Otter? Well, we normally wouldn't break something like PSEnsure -- but this feature saw almost no usage. I think only like 3-4 customers made use of it, and then some community folks like yourself. We already talked to the customers, and figured... early adopters in community might ask ;)

One reason it saw so little usage is that the old PSEnsure required two scripts (Collect and Configure), and lots of messy parameters. So it was always on our list to do it with a single script.

Our original plan was to make it backwards compatible, but that proved to be technically unfeasible. From a training/documentation standpoint, we wanted to make PSCall, PSVerify, and PSEnsure, all work very consistently, and we just went with PSEnsureScripts...

If there were more users of the features, we would have been a lot more careful and either automated or carefully documented a migration plan. But in this case, we figured it was a major version change (so breaking things are expected), and we can act reactively (like this) and help migrate as needed.

A couple customers will have a lot of OtterScript Configurations to migrate, but it's just a search/replace of PSEnsure to PSEnsureScripts for them...

Thanks @JonathanEngstrom!

Could not resolve variable $ErrorActionPreference.

There could be a regression with Variable resolution? Can you let us know how/where this is configured, so we can try a repro?

PSEnsure that I test with and has always worked

This was a big change. We really liked the name PSEnsure but hated how it worked, and we don't want people to use it anymore. So we decided to rename it to PSEnsureScripts and redefine the behavior.

Quick Fix - Rename the Operation

PSEnsureScripts
(
    Key: Simple Test,
    Value: True,
    Collect: >>
if (Test-Path C:\Temp2){$true}else {$false}
        
    >>,
    Configure: >>
    New-Item -Path C:\ -Name Temp2 -ItemType Directory -Verbose
    Write-Output "Make C:\Temp directory"
    >>
);

Recommended Fix - Rewrite your Verify / Ensure Scripts

<# 
.DESCRIPTION
Verifies that the specified HotFix is installed

.AHCONFIGKEY
Simple Test

.AHEXECMODE
$ExecMode

#>

if $ExecMode -eq "Configure" {
    New-Item -Path C:\ -Name Temp2 -ItemType Directory -Verbose
    Write-Output "Make C:\Temp directory"
} else { 
if (Test-Path C:\Temp2) { return $true} else { return $false }
}

PS Love the new look of Otter 3 :D

Thanks! And it's too bad you didn't try out Otter 3.0.3 (shipping this week, Friday); we now have cute character/artwork in the onboarding steps

---

And for reference, here are the descriptions of the Added Help values you can use.

.AHDESIREDVALUE
This is what you wish the configuration value to be. When not specified, $true is used

.AHCURRENTVALUE
This is the actual value of the configuration. When not specified, the script's return (output) is used.

.AHCONFIGKEY
This is the "configuration key" used by the script, which is a string that uniquely identifies configuration on a server. It's like a file on disk (a file is uniquely identified by its name), or the name of an IIS Application pool (an application pool is unqiuely identified by its name). Optional. When not specified, the name of the script is used.

.AHVALUEDRIFTED
This is an indicator as to whether the value is considered drifted. When not specified, it's a basic comparison of the desired and current values.

.AHEXECMODE
This is either "Collect" or "Configure", and is only used on PSEnsure operations; it will be ignored (or set to Collect, depending on what's easier to code) on PSVerify. Using a PSEnsure without a .AHEXECMODE will cause an error.

The Additional Help items can be specified as a value or a variable; variables will simply start with a $.

That's strange; we haven't heard this before, and I don't think that ProGet sets the domain in the cookie; can you check other URLS, to make sure the host is actually being forwarded, such as the nuGet package index?

here is some examples to help guide: https://forums.inedo.com/topic/3037/how-to-configure-the-proget-free-with-self-connector/13

@Stephen-Schaff if you're using the legacy directory (i.e. not the one Active Directory (LDAP) one), then there were no changes to that, or anything that uses that code, that would yield behavior like this

There were a lot of non-functional changes to the Active Directory (LDAP), namely that we made a upgrade to which version of the Microsoft libraries we are using. A few users of these libraries with legacy features from ancient (i.e. Windows 2000) domains have reported some problems. Maybe you're describing a such problem?

Because it's obviously impossible for us to reproduce these oddities, we have a debugging tool available, but it requires Visual Studio to compile/run at this time: https://github.com/Inedo/inedox-inedocore/tree/master/InedoCore/AD.Tester

Not sure if that's helpful though.

I'm sorry for the frustrations, this sometimes causes problems on some environments due to some really old bugs in Windows, and/or some really complicated Active Directory configuration.

There three things to unpack here.

COM ERROR. That error message "Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX))" is one such Windows bug (it's related to COM+ activation in Microsoft's AD libraries), and it's been around for almost twenty years now.

It just happens on some servers, for no good reason, and it goes away after a reboot. If you navigate to the Advanced Settings of your IIS App Pool and set the "Load User Profile" option to True, it will almost never happen again.

LOCKED OUT. As for getting locked out of ProGet, it's unclear to me; did you run the resetadminpassword command via ProGet.Service.exe? That will update the database, but the Web application must be restarted to read the new authentication options. The most sure way to restart the web application is to go into IIS and restart the application pool. If you ran the resetadminpassword command, then I think the web app wasn't restarted. It's easy to miss one or both steps during a "system is down" panic...

USER NOT FOUND. The message, "there was an error attempting to load the user MYDOMAIN\ME" almost alwasy means that you have Integrated Windows Authentication enabled, and ProGet was unable to map MYDOMAIN to a domain. You can just disable Windows Auth (via IIS), and then you can log-in with a Name/Password if you have this happen.

MYDOMAIN is a NETBIOS alias, and if ProGet doesn't have permission to query the forest for domains (to unmap the alias), then you'll need to specify this in the Advanced settings of the Active Directory (LDAP).

The message is strange, but there's just a bug in the ProGet error message, I think, where it's using the Description of the directory instead of the name of the directory.

@Joshua_1353 sorry about that, I missed it.

As you can see from the flurry of commits I just made to your repository, I'm simply not experiencing the problem. I tried this with both a Secure Credential, and without.

Here's what I discovered during my testing

• the Git Raft Editor isn't very clear about "keeping the same password" if it's unchanged, but that's what happens
• GitHub doesn't seem to look at the username? I entered invalid usernames and it worked fine
• the PAT permission required seems to be "public_repo

Unless you have something that's "doing something" between Otter and GitHub, I think that:

• you made a typo or something in your PAT; you can't have any spaces, it must be exactly a PAT, so make sure to edit and save it
• your PAT doesn't have right permission

From here, about the onloy thing you could do is attach a proxy server like Fiddler between Otter and GitHub, and see specifically what traffic is flowing through. But like I said I think it's one of the above to

@nuno-guerreiro-rosa_9280 the API you referenced is the "NuGet v2 API", and we simply follow the specification when we implement their API.

In the same way, we follow the Docker API specification, which does not provide a way to query a docker image in the way you'd like. I think you have a good point, but it's not our specification or decision, but Docker's

There's not much of a demand for a ProGet-proprietary API for packages at this time, but if you can help us understand the value of this, then we can better considering it - https://inedo.com/open/feature-requests

Hello,

This is a bug, in that PSVerify shouldn't show up on the statement list. Instead, your scripts should, in a manner like this, with a Script Execution mode:

Then, they'll look in Otter like this:

PSVerify VerifyFreeSpace
(
    MinimumFreeGB: 24,
    DriveToVerify: C
);

Here's how this script works behind the scenes...

<# 
.DESCRIPTION
Verifies that an hdars server has the required and expected configuration

.AHDESIREDVALUE 
True

.AHCURRENTVALUE 
$AmpleFreeSpace

.PARAMETER DriveToVerify
The drive letter (such as "C") for what to verify

.PARAMETER MinimumFreeGB
The minimum free space required on the drive, in gigabytes


#>
param ([int]$MinimumFreeGB = 20, [string]$DriveToVerify = "C")

$ActualFreeGB = [int]((Get-PSDrive $DriveToVerify).Free / (1024 * 1024 * 1024))
$AmpleFreeSpace = $ActualFreeGB -gt $MinimumFreeGB

And for reference, the additional help parameter descriptions...

.AHDESIREDVALUE
This is what you wish the configuration value to be. When not specified, the value of $true is assumed.

.AHCURRENTVALUE
This is the actual value of the configuration. When not specified, script's output is used.

.AHCONFIGKEY
This is the "configuration key" used by the script, which is a string that uniquely identifies configuration on a server. It's like a file on disk (a file is uniquely identified by its name), or the name of an IIS Application pool (an application pool is unqiuely identified by its name). Optional. When not specified, the name of the script is used.

.AHVALUEDRIFTED
This is an indicator as to whether the value is considered drifted. When not specified, it's a string comparison of the desired and current value.

.AHEXECMODE
This is either "Collect" or "Configure", and is only used on PSEnsure operations; it will be ignored (or set to Collect, depending on what's easier to code) on PSVerify. Using a PSEnsure without a .AHEXECMODE will cause an error.

The Additional Help items can be specified as a value or a variable; variables will simply start with a $.

hello;

I assume you're referring to the Docker feeds Docker API's implementation?

https://docs.docker.com/registry/spec/api/#listing-image-tags

The docs don't give a great clue, but it does say "ordered lexically", which it seems ProGet's API follows. We can't really add parameters, and changing behavior might break things that otherwise expect this order.

But I do agree the order doesn't' make much sense; we just followed the API. If you can find evidence find how other implementers handle ordering differently (DockerHub, etc.), we can consider to change it.

Cheers,
Alana

Hello;

Please check the BaseUrl property under Admin > Advanced. That will override the X-Forwarded-Host value.

Cheers,
Alana

@scroak_6473 FYI, this has been fixed in our library (ILIB-115) and we plan to upgrade to that library version via PG-1902 in the next maintence release -- so this should be fixed in 5.3.24, scheduled for the Friday the 5th

If you'd like a pre-release let us know, and we can let you know when it's merged in so you can use it sooner.

Hi @Stephen-Schaff,

Thanks for the request!

As you noted, testing/sandbox environments are really important... not just for configuration changes and upgrades, but also for training and exploring features.

But setting up the right test/sandbox environment -- one that delivers value -- can get complicated, because there's a lot of infrastructure to duplicate, which is significantly more expensive than just the licensing fee of ProGet. For example, when you have multiple instances of ProGet Enterprise replicating, some in HA, some not in HA, how and what do you test? And so on.

For ProGet Enterprise customers, we do our best to help develop a test/sandbox environment that works from a value-standpoint. Whether that means mixing less-expensive ProGet Basic instances in, or creating smaller clusters with, say, two nodes instead of four.

For ProGet Basic customers, there's just a single instance and single server to consider. As such, we've found that there isn't a lot of middle ground in terms of value between using ProGet Free as a test/sandbox environment, and purchasing another ProGet Basic license.

What features/configurations specifically would you want to test in ProGet Basic that you couldn't in ProGet Free?

@scroak_6473 thanks again for all the stack traces and help

Good news, we finally were able to track this down. It seems to impact .NET5 only (i.e. ProGet for Linux), and involves using impersonation with a somewhat "faulty" LDAP setup (like yours, with those expected referral errors).

There's an easy fix, and it involves a small library change on our end. We will get it in the next maintence release of ProGet, but I don't have the issue numbers off hand yet.

@Joshua_1353 sorry, I thought it was closed/resolved already

Did you enter main in the Raft Configuration's branch setting? The default branch name in a Git repository is is master, but GitHub now uses main as the default branch, which means you have to explicitly specify it in many tools.

If you don't specify main, then you'll get this error.

Basically, this involves denying or removing the "Overwrite Package" permission.

Under the Security and Access Controls Documentation, we have a fairly detailed guide on Creating and Customizing Tasks which might help go into more detail!

We definitely want to make this as easy as possible, without having to read through lots of documentation, so if you have recommendations on how/where to improve, please share it to us.

Oh and we also gladly accept docs pull requests ;)

That's great thanks for sharing!! We want to build a content backlog, and will add this to it -- at least a way to download from jenkins in this manner. nice find :)

@scroak_6473 sorry but this one is just really tough and we didn't get the chance to dig in deeper, we're still trying to find time as a team to figure it out

Is SA9350001 also a group?

The change that @rhessinger mentioned only impacted the "new" active directory, though there may have been a change in ProGet that happened. Do you remember what you upgraded from? It'd be easier to find on this long list ... https://my.inedo.com/proget/versions

Otherwise, can you elaborate on this?

I looked at the "non legacy" one and I cannot see how to make it work. It seems to not have the needed settings (to map user names and email addresses).

We hadn't found anyone using custom field mappings, and only a small handful of other products even support the ability to use custom fields (Windows doesn't), so we didn't add it...

So I wonder if it would "just work" after all

Hi @mcascone, I'm afraid it's not possible.

nuget or dotnet nuget tools only understand the NuGet Package Format, and the NuGet API, so there's no way for the tools to use different formats or different APIs...

@nuno-guerreiro-rosa_9280 very glad we could fix it! It's definitely a .NET5 bug, and in a totally unexpected place

@jn_7742 unfortunately, Microsoft has also abandoned Source Server in favor of SourceLink, and they will not add Source Server support to Portable PDB files

Technically, ProGet's Source Server works on Linux, but since ProGet can't inject its Source Server urls into the .pdb files, it's impractical to use. I'll let you guess which 20+ year old program is required to inject Source Server metadata into Microsoft PDB files

Bottom line, you'll need to upgrade your processes to use SourceLink

Unfortunately this is just an invalid package... someone really needs to tell the developers at Microsoft that the developers at Microsoft really want packages to be in SemVer2 format, per the Microsoft documentation

https://docs.microsoft.com/en-us/nuget/concepts/package-versioning

Microsoft's documentation seems to no longer describe what Microsoft's once documented "legacy versioning" used to be, but we captured it in our documentation before Microsoft removed it.

Bottom line, the "." is an invalid character in a non-SemVer2 (i.e. four-part version number) pre-release tag. Hence, why it's getting a 400 error. It used to do that on NuGet.org, too. I guess it doesn't now. We probably won't change this, since it kind of works already., and since it's only one package.

But if you email the Microsoft team responsible for that package, they probably will just change their versioning going forward. IT'd be nice if Microsoft documented how their non-SemVer2 packages are supposed to work.

Hello;

The best place to look to troubleshoot this would be the Symbol and Source Server documentation.

Symbol server does work in Linux, but just not with symbols in the "Microsoft PDB format" (which might be what you're referring to). It's fine for Portable PDB (which is the "new" format).

Unfortunately Microsoft seems to have totally abandoned the legacy (Microsoft PDB) format, and has not nor will not open-source the code or specifications required to read those files.

The only supported way is using PDBSTR.EXE, which is essentially a 20+ year old program that modern tools (including ProGet) embed. It can't run on Linux, only Windows.

We decided not to do some hacks (like use WINE) to run it, because there's less and less legacy usage each year.

Best,
Alana

Whoops, my bad!

@brett-polivka thanks so much for the help, this was a baffling .NET5 issue, but so glad we could identify and fix it. This will definitely go in the maintence release as well, of course.

@viceice thanks! We will add a command via PG-1897 to handle this, it seems quite straight forward...

Stay tuned :)

@brett-polivka thanks again for all the help and insights!

I talked this over with the engineering team, and we just decided to remove the ParallelEnumerable query.

Would you be able to try a pre-release container?

inedo/proget:5.3.23-ci.4

@viceice sorry on the slow reply, but I presented this at our engineering meeting and our product manager thinks it's a great idea. But, he asked me to write the documentation on it so they know exactly what changes need to be made, and how it will be used...

So I wonder if you can help?

https://docs.inedo.com/docs/proget/installation/installation-guide/linux-docker#upgrading

Basically I think we should add another heading like this.

Upgrading the Database (Optional)

The ProGet container will automatically upgrade the database when starting up; this upgrade might take a few minutes, which may appear to cause delays to automated probes (??) like Kubernetes.

You can run the following command to instruct the ProGet container to upgrade the database, and then exit.

docker run ???? docker exec ???

I'm just stuck at how to document the new command to run.

From a code/C# standpoint, we can simply just add a option to ProGet.Service.exe to upgrade the database and exit. And then, we won't upgrade the database if the version matches.

@brett-polivka fantastic, thanks for the additional research. This will make it so much easier to debug from here.

Do most of the stack traces look like this? I.e. coming from Inedo.Web.PageFree.PageFreeHandler.GetHttpHandler?

If so, the issue is happening in a totally unexpected place (basically routing a URL). This is just using a relatively simple query with Linq's ParallelEnumerable library methods. Under-the-hood (as the stack trace shows), that seems to leverage operating-system level mutex support... which is likely why it's problematic only on your specific hardware/environment.

We saw a ton of Mono-related bugs early-on with this (some even would SEGFAULT on certain hosts), largely because we tend to find the "corner-cases" with optimizations, like working-around Activator.CreateInstance slowness using using System.Reflection.Emit directly.

Anyways, I'm going to have to involve our engineering team for ideas, because at this point we have to guess how to work-around this.

@entro_4370 said in Support for R and CRAN:

Hi! Any news on R-support in ProGet? There seems to be quite a demand! As a Data Engineer in a large government that bases its package management on ProGet i feel that there is a clear gap here...

I'm afraid it's still not on our roadmap, based on our research. Here's how we evaluate this sort of things.

At first, what's the market demand outside of existing users? We didn't find much opportunity to attract data engineers (or their bosses, who would buy software) who aren't already using ProGet (or a competing product) to use a private repository instead of CRAN directly. It's just not big discussion of R/CRAN community, unlike other package types.

And then, we surveyed/asked users. But we phrase it like this: how much more would you pay for ProGet it if it had this feature, because this is an honest assessment of "how much more value would this feature bring to you" (which is what we want to decide).

Unfortunately everyone we asked said, "it's a nice to have, but we would actually pay X% more if ProGet had feature X instead."

Anyways still something we want to do, but we want to make features that bring most value to most people at first...

of course if you have insights on this please let us know! Cheers.

@scroak_6473 this is very helpful actually, thank you!

There might be a relation to the LdapReferalException here, so we're going to do some more research and try to suggest what to try next. It might involve some new code (and potentially an upgrade).

Please stay tuned...

Thanks for the update @brett-polivka

The ProGet code (application layer) is effectively identical between those images; the main differences is are the underlying container image and .NET5 vs Mono. We had some initial bugs with .NET5, but is the first we've heard of Mono vs DotNetCore problems of this nature out of a lot of users.

Unfortunately, we really don't have any means to diagnose this further at this point. We're not even sure what code we could put in place to do network / operating-system level debugging. And worse, we can't reproduce this in our containers, even on Azure host.

We're open to ideas here, but I think your best bet would be go to as basic of an installation as possible; just a simple container with a simple database, and then add the pieces back until you figure out which thing is causing problems.

If you've upgraded, then the problem is most certainly in your Azure/cluster configuration. I don't know, maybe it's some default configuration setting or something in your cluster that's causing strange network/routing problems... a total guess, because I don't know how to advice to kubernets cluster diagnostic. But that's where to look.

As you said, 100 simultaneous queries are really easy to handle -- the micro-servers (like 512MB RAM, including SQL Server) we use in our testing labs can do that no problem.

I'm afraid there's nothing in ProGet that can really help diagnose this... it would just tell you what you already know -- there are a lot of incoming/waiting connections and the database connections are timing out. All of that's happening at the operating system level, not in the application level of our codes.

@brett-polivka the standard version of ProGet can indeed handle a single project, and in fact many projects from many users at the same time -- it's the most performant private server on the market, by far, in fact.

But a single server/computer/container can only handle so many network connections, and what you're experiencing is the network stack being overloaded

It could be related to the virtualization or container settings, etc. It could be authentication across networks, which shouldn't happen in Azure but it might. But it's not really related to the database, or database performance at all. This is the first place you'll see stack overload, since database connections have short timeouts, compared to connectors like nuget.org.

There is an optimization in 5.3.22 (PG-1891) that might help in scenarios like yours (Linux connected to slow-ish database), so I would try to upgrade.

Otherwise investigate why the network is being overloaded.

@Stephen-Schaff is SA-RestrictedAuto also a group? It's possible in AD to have a User and Group have the same name.

There is (or was) an issue in our products where adding privileges will favor the Group when both a User and a Group have the same name. I'm not sure if it's been resolved, but @rhessinger might be able to confirm it.

The issue is related to the UI more than anything, and it can be worked-around with a "database hack", by changing the PrincipalType_Code from G to U in the Privileges table for the appropriate entry.