RE: How to upgrade BuildMaster from 5.8.3 to latest version 6.2

Hello;

Given the problems with the existing server, here is my recommend:

1. Install BuildMaster 6.1 on a new server.
2. Verify it works
3. Stop WebApp and Service
4. Restore 5.8 Database on BuildMaster 6.1 server
5. Manually upgrade newly-restored 5.8 database using the 6.1 version of manual package (use the dbupdater command from the manual install)

Manual install guide for the database: https://docs.inedo.com/docs/buildmaster/installation-and-maintenance/installation-guide/manual

Backup and Restore instructions are here: https://docs.inedo.com/docs/buildmaster/installation-and-maintenance/backing-up

Glad to see you made your own templates!

So, there are two types of templates:

• Setup Templates, which are the JSON-based templates that give you access to quick settings

• Application Templates, which contain plans, pipelines... and setup templates

I just want to confirm, when you say "Apply Template", do you mean the latter (Application Template)?

If you can let me know about the error, such as a stack trace or log file, I can investigate!

That error message looks like it's the PipelinePage, not the Extensions page...

I think you've got a severe configuration problem on the server still. Between multiple databases, and "impossible" errors, I think you should try this...

Start with a totally new server.
Install BuildMaster 6.1, fresh installation
ensure it works (run the tutorial application)
Restore your database to that server.

From there, go to Admin > Extensions, and install what extensions you need.

All of the steps look correct!

I assume that, global::Proget BuildMasterTemplate contains a domain username.password with access to the feed?

The first thing I would try is to (temporarily) change global::Proget BuildMasterTemplate to your name/password. If that doesn't work, then grant Anonymous access to the feed.

If it still doesn't work, then I think the problem is that Integrated Authentication is enabled on IIS. Even though it's not enabled in ProGet, IIS will still force authentication.

I'm sorry, I misunderstood, I thought your instance was working. Now that I see older messages, I see not.

OK ...

What happens when you visit /applications/4? The error message you've shared appears to be from /all-applications.

Great, you've got 6.1 running.

So, BuildMaster v6.2 removes all legacy features, and the upgrade is blocked until you run the legacy feature detector and it says no features are detected. See the BuildMaster 6.2 Upgrade Notes.

I'm concerned about the state of your server. How about making a new server for BuildMaster 6.2, and then migrating your applications as per the guidance in the kb article? Then, you won't have more server problems in the future.

As for that script, I'm a little concerned with it. If it failed to run, then it means the BUILDNUMBER and RELEASENUMBER columns in the database may be too short (new length is 50 characters, old length was ... I forgot... but shorter). It's not a huge problem and would likely go undetected. Just woudl give an error if you made a build number that was between the old length and 50 characters.

Anyways, if you follow the plan of making a new BuildMaster 6.2 server, then migrating your applications per that article, then you won't have to worry about it.

It sure is! They use the same directory structure, and each product ignores what the other product doesn't use.

FYI: in our future vision, we want to make UPack-based rafts, so you can deploy a raft to a PRoGet instance, and download/manage versioned, read-only versions of it.

Can you try this instead? select top 10 executed_date, Script_Guid, Script_Name from __BuildMaster__DbSchemaChanges2 order by Executed_Date DESC

Can you try to restart the web application (in IIS, or restart the Integrated Web Server), then visit the home page? I think something might be cached... that error doesnt' make much sense.

How about browsing to /applications/4/ (since I saw Application with ID = 4 in the database screenshot).

So, if I understand correctly, using Email for username and PAT for password causes a problem. I'm guessing, this is happening during a Bearer token request.

Would you be able to run ProGet through a proxy server, so you can see the requests that are being made, and reproduce those requests? Alternatively, could you use the code I provided to request a Bearer token?

It's possible that you have an intermediate proxy server that's generating that 400 error, or it's a bug on Microsoft's end. The Microsoft documentation could also be wrong. But let's try to see if we can work-around or get information to Microsoft to fix it.

Can you try...

dbupdater.exe Update . /conn="Data Source=WIN-JG
8E2BQKINK\BUILDMASTER;Initial Catalog=BuildMaster;Integrated Security=SSPI;" /init=yes

Looking at dbupdater, the arguments are dbupdater update <script-path> <connection-string>, so I think the "." will include the current path.

Hmm... that's odd. I don't know. Could be a regression in the Legacy BuildMaster agent, or an unrelated problem.

Can you just upgrade it to the Inedo Agent?

https://inedo.com/support/kb/1039/comparison-of-buildmaster-agents

Can you try running inedosql instead of dbupdate?

Seems, an old link; here it is https://my.inedo.com/buildmaster/versions

Thanks; based on this, there's only one application? Is that correct? Seems like it might be off...

Anyways the database definitely wasn't upgraded. I'm guessing, during upgrade, it was pointed to a different database? Hard to guess...

You can manually upgrade the database:
https://docs.inedo.com/docs/buildmaster/installation-and-maintenance/installation-guide/manual

There may have been an error as well (look in the __BuildMAster__DbSchema2 table).

Hello; thanks to your package, we were able to reproduce this, and it's going to fixed as PG-1695 in the next maintenance release. Thanks!

Hello, these still function in the same manner, so I think it's configuration related.

Can you check to make sure the agent's temp directory is...

1. set to an actual filesystem location and not something accidentally entered into the field
2. owned/writable by the user the SSH agent logs in as
3. (if it's in /tmp or something like that) the mount settings don't forbid executing files

Thanks

FYI; this has been released already as a main feed type, no longer a pre-release :)

I'm going to lock the thread from here to make it easier to submit new issues if anyone has them

Something's definitely not right. I'm guessing, some manual adjustments were done on the server, perhaps moving around some files or something, at some point. It's probably not in a good state, and it's a bit strange to see two sQL servers installed, anyways.

From here, your best bet is to figure out what state your BuildMaster server is actually in: BuildMaster is a standard ASP.NET application and Windows Service, and you can ensure it's configuration is correct here:

• https://docs.inedo.com/docs/buildmaster/installation-and-maintenance/installation-guide/manual

The Agents installed on the remote servers are probably Inedo Agents, and if not, they should be:

• https://docs.inedo.com/docs/inedoagent/overview

Your best bet might be to rollback your server at this point.

thanks!! Very interesting to see.

Oh I see, then this actually just seems like a bug to me :)

I thought the problem was that BuildMaster didn't have the feature of "Dependent Roles". Anyways, I've logged the bug as BM-3588, and we'll try to fix this in an upcoming maintenance release.

In your example, TEST should have GSRole, SRole, and FRole in BuildMaster.

The sync should still work... are you getting an error? If you go from Otter -> BuildMaster, then it just won't copy over the role dependency relationships, but you should still have the roles and role variables, etc.

My guess is that you also have SQL Server 2005 installed? It's possible to have multiple instances of SQL Server installed, and an instance named INEDO is installed by default w/ the installer. you'll want to upgrade that instance.

BuildMaster doesn't support role dependencies; that's an Otter feature only.

The upgrade process itself is quite easy. But do note that for v6 you'll need to also update extensions; the admin UI will guide you on doing this. It's documented here: https://inedo.com/support/kb/1163/buildmaster-6-1-upgrade-notes

You can just download the Inedo Hub, then click Upgrade; you won't be able to select 6.2 from the list of versions to upgrade, so just install the latest 6.1 (which will be the default).

Neat! Would you mind sharing it?

We are trying to build up content libraries that show you to do stuff like this... such as this BuildMaster and Terraform content, which does use Modules, but also establishes a nice CI/CD pattern.

Getting an idea of how to do this w/ playbooks would be nice :)

Hello; BuildMaster 6.2 is a "really big" upgrade (perhaps, "biggest ever"), so please take care when upgrading. Most users have had no problems.

First place I'd start is here:
https://docs.inedo.com/docs/buildmaster/installation-and-maintenance/legacy-features/62-migration

Here's a more detailed info about the upgrade: https://inedo.com/support/kb/1766/buildmaster-6-2-upgrade-notes

Long story short, just upgrade to v6.1 first, make sure you're not using legacy features, then you should be ready to go to BuildMaster 6.2 :)

This isn't supported through an API; you could, however, just set-up a retention policy that automatically deletes the cache as space is needed.

Hello;

The Native API is for low, system-level functions, and it's "all or nothing". If you give someone access to Native API, you are effectively making them an administrator, as they can also change permissions and grant admin privileges. So, I don't think you want this. Instead, you'll want to use the Debian API endpoint that we implement.

It's a third-party API format

In order to support third-party package formats types like NuGet, npm, etc., ProGet implements a variety of third-party APIs. We only provide minimal documentation for these APIs, as they are generally either already documented elsewhere. However, you can generally find the basics by searching for specific things you'd like to do with the API, such as "how to search for packages using the NuGet API" or "how to publish an npm package using the API".

So in this case, I recommend to search "how to view and download apt packages".

Thanks, just confirming it was received, and I've attached it to the internal ticket. Stay tuned!

Hello; we transfer would be great. I can download it, and attach to the internal ticket for this forum post! I don't have a local python environment, so best to just get files and manually upload.

Can you try the 5.2.29 docker image? There seems to have been a configuration error.

Thanks!! We'd love to learn more.

By the way, With Otter, we have a general plan to make UPack-based "rafts", and allow users to dowload them from a feed. This way, we can make a community feed of rafts. Easier to build and work-with than extensions, I think.

We do have a lot of users who configure Linux servers, but their usage doesn't seem much more involved than ensuring packages, files, and directories. You may be ablet o get a lot accomplished with just doing that? I'm not sure... happy to learn and help though!

The first error is a known issue, it's related to browsing for packages in the UI, and it's something we've already addressed. I'm not sure about the second error.

As for the package, can you provide a package file that we can actually upload to a test instance of ProGet?

Basically I want to take a package file, then upload it from the UI, then try to download it from the UI. By not involving Python tools, we can eliminate a lot of problems and simplify finding solution.

Ah, thank you very much for the additional information. So, then it seems like setting it to AuthenticatedUsers is a bug. OK, that makes sense. So, I changed it.

Can you try it and let me know if it's going to work?

Instructions on installation of new extension: https://docs.inedo.com/docs/proget/administration/extensions#manual-install

Pre-release of AWS Extension: https://proget.inedo.com/feeds/PrereleaseExtensions/inedox/AWS/1.0.4-RC.3

Then, if it's ok, we can release it.

Thanks.
Alana

Hello;

A 500 error should be logged in ADmin > Diagnostic Center, so if you can check there and find it, that should help us identify what could be causing it.

Is it only that package, or all packages? If it seems to be package-specific, please share the package to us (or a version that still breaks, but has sensitive information removed), then we can try to reproduce the bug and fix it.

Hi Adam,

I'm not so familiar with the intricacies of ACL; they are quite complicated to me... so hopefully you can help me to understand, and I'll be able to then explain a change request

We try to keep our code for this really simple. We have a property called CannedACL that works like this:

private S3CannedACL CannedACL => this.MakePublic 
    ? S3CannedACL.PublicRead 
    : S3CannedACL.AuthenticatedRead;

This property references an S3CannedACL, which is defined by AWS, and MakePublic is what you check in the UI. MakePublic sets PublicRead, if not AuthenticatedRead.

That CannedACL is then used when creating objects:

await client.PutObjectAsync(new PutObjectRequest
{
    BucketName = this.outer.BucketName,
    Key = this.key,
    StorageClass = this.outer.StorageClass,
    CannedACL = this.outer.CannedACL,
    ServerSideEncryptionMethod = this.outer.EncryptionMethod,
    AutoCloseStream = false,
    InputStream = this.inner
}).ConfigureAwait(false);

So I think you're asking is, to use a different CannedACL? Perhaps for MakePublic we could not using a checkbox, but a drop down list? What do you think the values ought to be?

Hello;

Here is a guide on how to migrate packages in feeds: https://inedo.com/support/kb/1168/proget-feed-migration

As far as users and API keys, we don't have a supported migration path for those. However, many users have simply "copied" the data from one database table to another. The tables are Users, Groups, UserGroups, and ApiKeys.

IF the configured encryption key in both instances is the same, it will still encrypt/decrypt fine.

Best.
Alana

Another 5.3 screenshot!

When you enable "strict" (SemVer2) versioning, you'll see how "virtual" get added -- they get automatically generated when you add/remove tags. The feed also restricts adding anything but semver2 tags.

I can confirm this works quite well in 5.3; we hope to have a pre-release this week :)

Here's a sneak peak;

I would try a couple other things, to first eliminate the conditions.

First, how about pulling from a specific connector? Navigate to the version of the package you want, like /feeds/feed-name/adobereader/2020.006.20042, and then click "Pull to ProGet". That way you'll get a specific connector and a specific version.

If the individual packages work, but the "Add Package" route you took doesn't, then perhaps it's some sort of Mono-related bug. Those are hard to track down, and they come/go as the mono docker image is patched. We will eventually address this by moving to a more stable, .NET core version, once it's released by Microsoft.

Try some other packages, to see if they also don't work. If some packages work, but others don't, it's probably related to your gateway/router blocking things that it sees as security risks.

If that still doesn't work, then consider to attach ProGet to a Proxy server, like a Fiddler instance, by going to Admin > Proxy. You can then monitor the outbound traffic.

Hello;

Thank you for the bug report; there was a bad query in that stored procedure that would cause it to fail in some cases.

It will be fixed in the next maintence release of ProGet (5.2.28), but you can download a patch (1.DockerImages_DeleteImage.sql) and run it against your database today :)

The file is attached to the ticket: https://inedo.myjetbrains.com/youtrack/issue/PG-1684

Best,
Alana

Thanks @miles-waller_2091 ; we're heads-down in 5.3 now, so after that we'll be able to resume investigating this. Perhaps May/June? In the meantime, if more people can volunteer to help test, we'll be able to get this going rather quickly :)

Unfortunately we don't yet have an API for the credentials, but it's something we'd like to make. In the mean time, the Native API will work. If you look in the database, you'll be able to see how credentials are structured, and how things like Password are stored.

The secret fields are encrypted using DPAPI, with the Encryption key stored in the configuration file.

Here's the specific code we use to encrypt/decrypt. Please share what you come up with, would definitely help out in the mean time :)

    private static byte[] Decrypt(byte[] data)
    {
        if (protectedAesKey == null || protectedAesKey.Length == 0)
            throw new InvalidOperationException("Cannot decrypt persistent property; decryption key not configured.");

        byte[] key;
        try
        {
            key = ProtectedData.Unprotect(protectedAesKey, null, DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                $"An error occurred during decryption (\"{ex.Message}\"). This usually means that the encryption key has changed between"
                + " encrypting and decrypting the data, which might happen if you accidentally overwrite a configuration setting, perhaps during an upgrade or reinstall."
                + " Check your configured encryption key, and restart the service and web application(s) as needed.");
        }
        try
        {
            var nonce = new byte[16];
            Array.Copy(data, 0, nonce, 0, 8);
            Array.Copy(data, data.Length - 8, nonce, 8, 8);
            using (var buffer = new MemoryStream(data.Length - 16))
            {
                buffer.Write(data, 8, data.Length - 16);
                buffer.Position = 0;

                using (var aes = new AesManaged { Key = key, IV = nonce, Padding = PaddingMode.PKCS7 })
                using (var cryptoStream = new CryptoStream(buffer, aes.CreateDecryptor(), CryptoStreamMode.Read))
                {
                    var output = new byte[SlimBinaryFormatter.ReadLength(cryptoStream)];
                    cryptoStream.Read(output, 0, output.Length);
                    return output;
                }
            }
        }
        finally
        {
            if (key != null)
                Array.Clear(key, 0, key.Length);
        }
    }
    private static byte[] Encrypt(byte[] data)
    {
        if (protectedAesKey == null || protectedAesKey.Length == 0)
            return null;

        var key = ProtectedData.Unprotect(protectedAesKey, null, DataProtectionScope.LocalMachine);
        try
        {
            using (var aes = new AesManaged { Key = key, Padding = PaddingMode.PKCS7 })
            {
                aes.GenerateIV();

                using (var outputBuffer = new MemoryStream())
                {
                    outputBuffer.Write(aes.IV, 0, 8);

                    using (var cryptoStream = new CryptoStream(new UncloseableStream(outputBuffer), aes.CreateEncryptor(), CryptoStreamMode.Write))
                    {
                        SlimBinaryFormatter.WriteLength(cryptoStream, data.Length);
                        cryptoStream.Write(data, 0, data.Length);
                    }

                    outputBuffer.Write(aes.IV, 8, 8);
                    return outputBuffer.ToArray();
                }
            }
        }
        finally
        {
            if (key != null)
                Array.Clear(key, 0, key.Length);
        }
    }

Hello; this is unusual.

But in this case, restarting the service should have also resolved the error. That will trigger the Agent Update Checker, which does restart the agents.

Most likely, a sort of load error happened on the agent; hard to say what without looking at logs. It's almost always an anti-virus or some sort of program locking files at the wrong time. If it keeps happening, it might be worth investigating further.

Hello; this error basically means that ProGet is unable to talk to Chocolatey.org for a package download request. The most likely cause of this is a sort of firewall/proxy that's blocking the package from being downloaded. It's also possible that you've been request-throttled from Chocolatey.org.

I'm sorry that my suggestion offended you.

ProGet doesn't "prefer" anything. It's a standard, authenticated feed. If it works in your browser (i.e. the feed endpoint URL), then it should work in NuGet. if it doesn't work in NuGet, then NuGet isn't being configured correctly.

"Behind the scenes", NuGet uses "basic authentication" to transmit those credentials to ProGet. It's the same mechanism your browser uses when you navigate to the feed API (i.e. a pop-up).

Credentials are stored in the nuget.config; the link I provided shows you how to edit that configuration file. You can either edit it yourself or use the sources command-line argument.

https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#packagesourcecredentials

You can attach a tool like Fiddler to NuGet.exe, and see what it's sending in different cases. It might be a NuGet bug.

Those posts are over 5 years old, and nuget.exe has made a lot of improvements since then. Back then, it wasn't easy to authenticate to private feeds.

So, if you follow the article I linked, by Microsoft, it will help you configure nuget.exe to talk to an authenticated feed in ProGet. If you're continuing to have trouble, the problem is not of ProGet, but of some sort of nuget.exe configuration. Your best bet will to do a wide search, like "NuGet.exe prompting for credentials".

Hi; I'm not really sure what the issue is?

NuGet will prompt for credentials if it's not an anonymous feed, that's by design. Here is information on how to store credentials with nuget.exe: https://docs.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds

Once credentials are stored, then you won't be prompted again. That's also by design of nuget.