RE: Scanning containers vulnerabilities

Not as of ProGet 5.1, but this is definitely on our roadmap and we plan to do it likely in 5.2 or 5.3.

Ah, I'm glad to hear it :)

Romp should be able to download packages directly, then install them? Just have Romp point to a feed source instead of a local file on disk

Anyways this usecase sounds really awesome, I would love to learn more about it once you get it closer to working.

That definitely sounds Windows Authentication related... do you have a site in IIS setup that doesn't have Windows Auth enabled? That might be the way to go.

Unfortunately containers (even windows one) don't seem to work well with Kerberors/Windows Auth...

Eventually, but we haven't had too many requests for it :)

If this is something you're interested in, we'd love to partner with a customer or two to help get this developed.

I'm not 100% sure I understand, but when I see "small functions of reusable code", the first thing that comes to mind are Modules. These are bits of OtterScript that you can from OtterScript using the call statement.

module Get-DomainMembership<$Param1, $OptionalParam2 = default, out $OutParam>
{
   set $outParam = hello;
}

call Get-DomainMembership
(
  Param1: some value,
  Param2 => $SomeVariable
);

And then there are also Script Assets, which are PowerShell scripts that you call using the pscall operation from within OtterScript.

Is this helpful?

Good news, thanks to some data from customers enabling our CEIP, we've identified some problems and will fix them ASAP. Please wait for a new version on Friday of this week :)

Try stopping the service before running the installer, then it should work.

Got it! Then this would likely fall inline with an upcoming major feature, and the communication between Otter servers ("main" and "secondary" as you describe) would be done using API/HTTPS/Web requests, in a direction of ("Publisher" -> "Listener").

Basically, you would create a Git-based raft in both instances of Otter, and have them both point to the same Git repository.

The biggest gotcha would be that both instances can potentially update the raft, but as long as you're aware of that it wouldn't be a problem.

I see; in this cases, go to Advanced Settings, and change the base url property.

You can edit the connection string using Inedo Hub; it should be listed right under the Configuration tab. Note you will need to stop/start the service and web app afterwards.

Might be best to stop both beforehand, however, so you don't have two potentially active databases.

How are you performing a feed migration? Is this being done by feed replication?

If so, the biggest consideration will be data. If you have terabytes of data to transfer, it's going to take a long time and probably kill your bandwidth. You could always use the drop-path feature, and then import from a physical disk you move/send?

Not any useful ETAs, but it's something we definitely want to accomplish this year (this has been a very long-standing request), just a matter of prioritizing which part of the year it gets done in, etc.

I'm not familiar with SCCM so well, but I think I understand. Let me try to reexplain though just to make sure.

• Otter should be able to routinely "publish" server configuration (i.e. the key/value pairs) that it collected to another instance of Otter
• Otter should be able to "listen" for server configuration that is sent from another instance of Otter, and then apply (overwrite) that configuration to any matching servers

Am I understanding correctly?

Definitely on our roadmap, and we'd like to Open-source it and make it a community item.

The hardest part, to be honest, is determining the input/outputs of these CmdLets. If you'd be willing to help us think these out, we'd love your help in designing it and making this a reality :)

Definitely! This was one of the usecases of rafts :)

Currently, Git repositories are the way to go, but we plan to support Universal-package Based Rafts as well.

Yes, ProGet supports this.

However, you will need a paid version of Chocolatey in order to do that
https://chocolatey.org/faq#i-would-like-to-be-able-to-offer-my-non-admin-desktop-users-an-option-for-self-service-type-of-installations

I spoke with the engineering team briefly on the issue, and here's some quick feedback.

If we support "double-hop" authentication in the Inedo Agent, we would implement that functionality ourselves, using our own secure channels to ensure end-to-end security. Fortunately that's relatively easy to do, since we control both ends of the pipe.

This is not the case in PowerShell, and we cannot bypass PowerShell's security measures. PowerShell Remoting (and Kerberos) already has the concept of "double hob" authentication. It's very complicated, so we'd encourage you to read this article to understand the challenges with it.

So, long story short, if we implement a relay service ("double-hop authentication") in the Inedo agent, we may be able to use the same UI to control PowerShell, but there is a significant amount of configuration and control required to get it to work.

---

As far as the concept of "collectors", we will be researching a major new feature to Otter that simplifies the collection of like you're describing. So we'll consider it in there

Just to close this post: this was fixed in InedoCore 1.0.12, after diagnosing the issue on a ticket (EDO-5683).

Are you saying you can't create a job from a template?

The main purpose of the template is:

Instead of specifying the plan and server targeting each time you create a job, you can create a job template that will specify these for you. The template can also specify variables that will need to be entered when the job is run.

While this can save you a few steps when running jobs, the biggest benefit of job templates is that, once defined, you can now trigger jobs using a the job trigger API. This will allow you to use nearly any other tool, such as Jenkins or a PowerShell script, to trigger an Otter orchestration job.

However, we plan to expand it to be a lot more useful with better variable selection, etc.

Did the changes from OT-284 help at all? That should have drastically sped up the servers overview page at least. It was in Otter 2.1.3.

Thanks Josh; I'll make sure we discuss this as a team and respond soon!

We definitely won't remove them (especially w/o a replacement), because this functionality is important. We just want to make sure we understand more usecases that are related specifically to build/deploy scenarios as opposed to general-purpose jobs, and make sure we support those really well.

Docker doesn't need to be installed on the server.

Your workstation (i.e. the docker client) needs to trust the certificate. So make sure to do that on your computer as well.

Unfortunately the Native API is essentially a database wrapper, and one of the few things that can't be handled at the database layer is encryption.

While we want to create a resource credential API at some point, in the meantime, the only workaround would be to encrypt/decrypt the secrets yourself, using the Encryption Key stored in your configuration file.

There were no changes that would have caused this, but common things to check are

• Make sure WebDAV or another HTTP-filter didn't get enabled or installed by mistake; this will block certain requests from ever reqching ProGet

• Grant anonymous user full permissions to make sure the connection works; often times, the error is between ProGEt and the client

• Once it works with anonymous, start restoring privileges/API keys until you identify which configuration is causing it

Unfortunately, the Docker client does not seem to support non-SSL connections (despite what their documentation says).

But based on that error, you just need to trust the certificate. This document shows you how to trust the self-signed certificate you created. That's probably what the signing error means.

note you need to reboot after trusting.

Have you seen the Multiple Environments per Server documentation?

We really don't recommend this configuration, because the behavior is very confusing. Servers should generally really only be in single environment.

Instead, can you use server roles?

Here are two posts that might help at least show you where to poke around:

https://inedo.com/support/questions/9293

https://inedo.com/support/questions/4092

If you can identify more specifically what the issue is, we can try to look for a fix!

Hello Damian,

I believe this is due to ILIB-60, which is caused by a bug in Mono.

Please carefully follow the Getting Started with NuGet Feeds in ProGet and Visual Studio tutorial.

You need to use the API endpoint URL (shown to you within ProGet's Feed page), not the URL that you at the top of your browser. The /feeds URL is intended for use by a web browser, and the /nuget URL is used for an API (i.e. Visual Studio).

I'm sorry but I'm not understanding what you mean by "queues" or "hangfire"...

There was a UI change; these are listed under "Containers" in the top UI.

Please note that retention policies are a paid feature. Although rules can still be configured in the free edition, they are always executed in dry run mode in ProGet Free.

In addition, when multiple options are specified, then only packages that meet all of the selected criteria are considered.

Please review the retention rules for more information

Otherwise, the best place to look would be the retention logs, to show you what packages were considered.

There have been no changes to the way our products connect to databases in many years, so this is unrelated to an upgrade.

However, it seems to be some sort of indication that SQL Server must be overloaded, or a network problem. This can typically be diagnosed / reviewed by the SQL Server DBA, who can see incoming connections, and which queries are taking too long, etc.

But in my experience, just restarting the server you have SQL Server installed on fixes it like 80% of the time.

You can use an API key: https://github.com/inedo/upack#push

Basically just use "api" as username, and the key as the password.

In this case, you can use the execute command line operation; please see Executing a Command Line Utility During Deployment in BuildMaster

Hello; this errro means that OTter can't connect to the database. Maybe the connection string changed?

I would check the database connection string in Otter's configuration file.

Maven indexes are for search only, and don't have any sort of sensible ordering, so you won't see packages like you would on npm feeds.

Please refer to KB#1161 for how to update to TLS 1.2

Based on that error, it sounds like your user account doesn't have dbo access to the database? This will be required to install/upgrade ProGet.

Hello Love,

It seems Maven feeds are missing support for caching connector packages. I've filed this as PG-1411.

Can you share the name of your docker image and docker feed?

Can you provide a specific example of a public package (on the official PowerShell Gallery), and then expected and actual results in ProGet?

Please disable the "Overwrite Package" permission in Admin > Tasks.

Then, you will get "Package Already Exists" error

In BuildMaster v6, there is an operation that you can use to set these:

Set-ConfigurationVariable(
    Variable: <text>,
    Value: <RuntimeValue>,
    [Application: <text>],
    [ApplicationGroup: <text>],
    [Deployable: <text>],
    [Server: <text>],
    [ServerRole: <text>],
    [Environment: <text>]
);

But, you said "We do use integrated auth in IIS" ?

If it's configured in IIS, then Docker won't be able to access the page/api. The client must support integrated authentication, which NuGet, web browsers, etc., do.

I'm afraid you can't use Integrated Authentication with Docker.

The client simply doesn't support it, which means IIS will always challenge with 401 prompts. A work-around to this is to set up a separate IIS Site (pointing to same directory) that doesn't have integrated auth configured.

Batch files need to be executed by "cmd.exe". Instead, you can directly execute a ".cmd" file.

There's really no difference between the versions as far as performance is concerned.

At first, try to determine why it's slow; a very common cause is connectors are broken or slow. Disable those, and see if it helps.

Try to see what queries are slow. API vs WebPages, search, etc. That will start clueing into the next area to look.

If you can share more data as what you find, we can provide more specific advice on where to look

Sorry, I misunderstood it myself and responded too quickly.

You're right, the OtterConfiguration_Key points to a DSC Property. It's not an alias, like I had assumed. But looking closer, I see that it is.

It seems this would require a feature/change request to fix; might not be so bad, but I'm not familiar enough w/ it to be certain.