Its the Windows VM instance of ProGet that is the issue. Yes i've restarted both the ProGet Service and the IIS app pool.
When installing the InedoCore extension from the Web UI I don't get an option which version it installs. I presume 1.13.4 as that is the 'latest' version as shown in the screenshot above
My extension page looks like this:
I've tried deleting the extensions from the Web UI (and I see the .upack file deleted on the file system) and re-adding it from the web UI however I still get this error.
Thanks
Simon
Hi Support,
I'm attempting to migrate our ProGet instance from Docker to a dedicated Windows 2019 Virtual Machine.
I've installed ProGet 6.0.13 (same as docker version) from InedoHub and backup/restored the database and updated the advanced settings with all the correct directories.
All is functioning correctly on the new VM apart from the extensions, I'm getting the following error when ProGet is trying to load them:
System.Runtime.Serialization.InvalidDataContractException: Type 'Inedo.Extensibility.UpackMetadata' cannot be serialized. Consider marking it with the DataContractAttribute attribute, and marking all of its members you want serialized with the DataMemberAttribute attribute. If the type is a collection, consider marking it with the CollectionDataContractAttribute. See the Microsoft .NET Framework documentation for other supported types. at System.Runtime.Serialization.DataContract.DataContractCriticalHelper.ThrowInvalidDataContractException(String message, Type type) at System.Runtime.Serialization.DataContract.DataContractCriticalHelper.CreateDataContract(Int32 id, RuntimeTypeHandle typeHandle, Type type) at System.Runtime.Serialization.DataContract.DataContractCriticalHelper.GetDataContractSkipValidation(Int32 id, RuntimeTypeHandle typeHandle, Type type) at System.Runtime.Serialization.Json.DataContractJsonSerializer.get_RootContract() at System.Runtime.Serialization.Json.DataContractJsonSerializer.InternalIsStartObject(XmlReaderDelegator reader) at System.Runtime.Serialization.Json.DataContractJsonSerializer.InternalReadObject(XmlReaderDelegator xmlReader, Boolean verifyObjectName) at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver) at System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject(XmlDictionaryReader reader) at Inedo.Extensibility.ExtensionsVerifier.VerifyExtensionInternal(String bmxFileName, String shadowRoot, IEnumerable1 sdkAssemblyNames, AssemblyName coreAssemblyName, Version minimumAllowedVersion)`
I've checked the file permissions and "NETWORK SERVICE" has full control permissions to the extensions directory
Thanks
Simon
Hi @apxltd
Your description sounds perfect. Look forward to seeing this in a future version.
Also your software products rock! Keep up the great work!
Thanks
Simon
Yes that is exactly what I was thinking except I would make it a 'user' level function vs 'feed'. I.E we don't want users creating different API keys for each feed that they manage.
We want one API key that gives them all the same access as their user account.
For example as a developer I have access to a nuget feed as well as a container image feed, I want to use a single API key to access both these feeds.
Simon
Hi @stevedennis
The user then needs an API key to use with CI/CD tools on the users workstation.
What tools, specifically? What permissions does this API key have?
Things like docker desktop, to connect to a proget docker feed you need to use Docker login proget.somehost.com which stores your credentials as a secret. These credentials are then used everytime you do docker pull proget.somehost.com/feed/containername:latest
You can use your AD credentials for this however if your password changes (which you're required to do every 60 days) you'll need to constantly update your docker login credentials. Or worse, your could have an automated deployment using these docker login credentials that is constantly locking out your ad account (as the stored password is now wrong)
The same thing can happen with the nuget package manger that is part of Visual Studio, inputing API credentials here in the below screenshot would make more sense:
Administrator needs to login to admin portal, add the ad user with the correct "security", then generate an API key and "impersonate" the user that has just been setup.
How often does this happen?
Everytime we have a new developer come on board that needs access to the Nuget feed.
If you impersonate an AD username, I would expect it to "just work" like logging in? Meaning, you don't need to set-up special privileges - just give the group? Is this not the case (maybe this is a bug)?
Can you give a specific case?
Apologies after more testing "impersonating" a user specified in an AD group works. However it does take an proget administrator to generate each api key for each user.
Thanks
Simon
Hey Guys,
Hoping to submit a feature request here.
In Proget you should provide the ability for a user to manage their own API keys via the web interface.
At the minute API keys need to be setup by an administrator and assigned to a user via the impersonate user field.
It would be nice if the user was able to create their own API key via the user menu here:
Use case:
Access to proget is setup using AD authentication and assigning an AD group (not ad user) with the correct privilege's.
The user then needs an API key to use with CI/CD tools on the users workstation.
Today:
Administrator needs to login to admin portal, add the ad user with the correct "security", then generate an API key and "impersonate" the user that has just been setup.
Required state:
User logs into the web portal and generates their own key that inherits the users current permission set.
Thanks
Simon
Hi @atripp
Just to let you know that I just upgraded version 5.3.24 and can confirm that this issue is now resolved!
Thanks so much for all your help!
Thanks
Simon
Awesome thanks @atripp
I'll wait for the 5.3.24 release. I'll let you know how testing goes!
Thanks
Simon
Thanks for the update @atripp
I await you're fix for this one. Let me know if I can be of anymore assistance.
Thanks
Simon
Hi @atripp,
A nuget feed is actually the endpoint i've been testing on since I upgraded to v5.3.22 and sent you the logs via email, i've been able to extract the same logs in an easier to read format, do this help?
You can see my original GET request to "http://proget.xxxxxxxx.com/nuget/nuget-inntopia/v3/index.json" in the second log line below
Then the exception "'Inedo.ProGet.Web.Security.UserNotFoundException'"
And finally the 500 error being thrown in the last log message
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb [40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Diagnostics[1]
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb Request starting HTTP/1.1 GET http://proget.xxxxxxxx.com/nuget/nuget-inntopia/v3/index.json - -
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb [41m[30mfail[39m[22m[49m: Microsoft.AspNetCore.Server.Kestrel[13]
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb Connection id "0HM6CBB8CS3D5", Request id "0HM6CBB8CS3D5:00000036": An unhandled exception was thrown by the application.
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb Inedo.ProGet.Web.Security.UserNotFoundException: Exception of type 'Inedo.ProGet.Web.Security.UserNotFoundException' was thrown.
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb at Inedo.ProGet.WebApplication.ProGetHttpModule.AuthorizeRequestAsync(HttpApplication app) in C:\InedoAgent\BuildMasterTemp\192.168.44.60\Temp\_E106466\Src\ProGet.WebApplication\ProGetHttpModule.cs:line 332
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb at Inedo.Web.AhWebMiddleware.InvokeAsync(HttpContext context)
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb at Inedo.Web.AhWebMiddleware.InvokeAsync(HttpContext context)
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb at Inedo.Web.AhWebMiddleware.InvokeAsync(HttpContext context)
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb at Dynatrace.OneAgent.Introspection.Shared.NewAspNetCoreTracingMiddlewareBase`1.Invoke(Context context)
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb [40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Diagnostics[2]
proget.inedo.com/productimages/inedo/proget:5.3.22@sha256:3c2d2dcac563ec335ebdfb2bd4b9c0b08311b941eed415eb6cad0e49877ac39c/Proget_Server.1.pq13ondxps0li5kutof6qmug7/c53e518d3efb Request finished HTTP/1.1 GET http://proget.xxxxxxx.com/nuget/nuget-inntopia/v3/index.json - - - 500 0 - 30.1883ms
Also Dynatrace is also showing this, does that help?
Again I can show you Dynatrace in more detail if we can setup a screenshare.
Hey @Stephen-Schaff
Thanks for the suggestion. I have tried removing the @yourdomain.com piece from the impersonate field and i'm still having the same issue.
Curious what version of proget are you running? are you running it in a container?
Thanks
Simon
Hi @atripp,
There are no logs under the admin page that relate to this error that I could see, additionally when I get this 500 error just for this page the rest of the proget server is fine no 500 errors.
Is there any way we can do a call or screenshare for you to look at this issue? It's preventing me from using ProGet for some additional integrations.
During the call I have access to splunk logging and DynaTrace diagnostic tools I can show you.
Thanks
Simon
Hi @atripp
I actually get a regular 500 error now when I attempt to access using a browser (no fancy Proget 500 error)
I've been able to get some additional logs from our container. I've emailed them to you
Thanks
Simon
Hey Guys,
I'm trying to configure Clair to scan my proget docker registry. My Clair container is up and running and it looks like step 1 in the "Vulnerability Scanning" section here is working OK:
https://docs.inedo.com/docs/proget/compliance/clair#configureproget
However I'm getting these errors in the Clair error log when executing "Step 2":
quay.io/coreos/clair:v2.1.6@sha256:ac7ea2811ac7f21a140b048c9b02bd9854b881b62dca0a4f7bfc7220db399710/Proget_clairApp.1.wj83pt57ty9puvx18bng4in48/159eccc6e7c8 {"Event":"failed to extract data from path","Level":"error","Location":"worker.go:122","Time":"2021-02-08 20:04:53.195393","error":"could not find layer","layer":"sha256:bb9fc6048a9dd25ab6a26f64809be519e91cca2cf15d4e0cdddd0a8f99a3cd94","path":"https://proget.xxxxxxxxxx.com/api/docker-blobs/download/sha256%3Abb9fc6048a9dd25ab6a26f64809be519e91cca2cf15d4e0cdddd0a8f99a3cd94"}
Event Actions
My assumption is that Clair is struggling downloading the image from ProGet as I require authentication on ProGet to connect to the docker registry.
How do I pass (proget) credentials to Clair so that it can use them to download the image layers?
The strange thing is that I do see this "API" credential created when the "VulernablityDownloader" task is running, but it doesn't seam to have access:
I'm running ProGet v5.3.22 and Clair v2.1.6
I see errors like this in the "VulnerablityDownloader" log:
WARN : 2021-02-08 20:05:35Z - Clair returned error BadRequest for layer sha256:c9817fc410f6223217d62f147379cbdfc3ed993cd307adccc05eebdcfc818f69.
WARN : 2021-02-08 20:05:35Z - Clair returned error BadRequest for layer sha256:c9817fc410f6223217d62f147379cbdfc3ed993cd307adccc05eebdcfc818f69.
WARN : 2021-02-08 20:05:35Z - Clair returned error BadRequest for layer sha256:9f30fc0b74dd5bc842d09b2b2d8afcac1ed37b7d28c4d85beb3b96bb5726e770.
ERROR: 2021-02-08 20:05:35Z - Unhandled exception: System.NullReferenceException: Object reference not set to an instance of an object.
at Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource.PushLayerToClair(JsonSerializer serializer, WebRequest request, IVulnerabilityDockerBlob blob) in C:\InedoAgent\BuildMasterTemp\192.168.44.60\Temp\_E82939\Src\Clair\InedoExtension\VulnerabilitySources\ClairVulnerabilitySource.cs:line 190
at Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource.GetVulnerabilitiesAsync(IVulnerabilitySourceContext context) in C:\InedoAgent\BuildMasterTemp\192.168.44.60\Temp\_E82939\Src\Clair\InedoExtension\VulnerabilitySources\ClairVulnerabilitySource.cs:line 43
at Inedo.ProGet.ScheduledTasks.General.VulnerabilityDownloaderScheduledTask.ExecuteAsync(ScheduledTaskContext context) in C:\InedoAgent\BuildMasterTemp\192.168.44.60\Temp\_E106466\Src\ProGetCoreEx\ScheduledTasks\General\VulnerabilityDownloaderScheduledTask.cs:line 35
at Inedo.ProGet.Service.Executions.ActiveScheduledTaskExecution.ExecuteAsync() in C:\InedoAgent\BuildMasterTemp\192.168.44.60\Temp\_E106466\Src\ProGet.Service\Executions\ActiveScheduledTaskExecution.cs:line 61
Also getting errors like this in the error log:
Thanks
Simon
Hi @rhessinger
I've been able to capture some wireshark traces of this happening. Is there anyway you can email me? So that I can send you the traces? I'd rather not post them on this forum?
Thanks
Simon
Hey Guys,
We're running ProGet v5.3.17 (.Net 5) in a docker container and it is creating excessive database connections to our Microsoft Database Server (external to docker).
We had an alert from the DB server that at one point it was over 100 sperate TCP connections coming from our single ProGet Container
Doing a "netstat -a" on the container currently shows over 17 connections:
Any ideas why so many? This has only been an issue since we moved to the .Net 5 version of ProGet.
Thanks
Simon
Hi @atripp
I was able to use "Boomerang" chrome plugin to communicate with the proget V2 endpoint directly and found the following:
URL: https://proget.xxxxx.com/v2/_auth
Basic HTTP auth username: api
Basic HTTP auth password: <api key here>
When impersonate user is set within proget like the screenshots above I get the following returned:
<!DOCTYPE html>
<html>
<head>
<title></title>
<script type="text/javascript" src="/resources/InedoLib/AH/AH.js?950.1.0.3"></script>
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/styles/common.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/styles/normalize.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/styles/fonts.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/styles/icons.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/styles/controls.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/styles/nonmodal.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/styles/proget.css" />
<script type="text/javascript" src="/resources/InedoLib/jquery-1.11.3.min.js?950.1.0.3"></script>
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/jquery-ui-1.11.4/jquery-ui.min.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/jquery-ui-1.11.4/jquery-ui.structure.min.css?950.1.0.3" />
<script type="text/javascript" src="/resources/InedoLib/jquery-ui-1.11.4/jquery-ui.min.js?950.1.0.3"></script>
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/jquery-ui-1.11.4/jquery-ui.theme.min.css?950.1.0.3" />
<link type="text/css" rel="stylesheet" href="/resources/InedoLib/jquery-ui-1.11.4/jquery-ui.hacks.css?950.1.0.3" />
<script type="text/javascript" src="/resources/InedoLib/inedojq/inedojq_frameddialog.js?950.1.0.3"></script>
<script type="text/javascript" src="/Resources/Scripts/urls.js"></script>
<link type="text/css" rel="stylesheet" href="/resources/styles/v5.css" />
<script type="text/javascript">$(function(){ AhValidation.InitializeForms(); });</script>
<link rel="icon" type="image/x-icon" href="/Resources/Images/favicon.ico" />
<script type="text/javascript">(function () {
$.ajaxPrefilter(function (options) {
if (!options.beforeSend) {
options.beforeSend = function (xhr) {
xhr.setRequestHeader('AHAntiCsrfToken', 'CfDJ8OKwK+rfXXJAmA1eylO2/kEZZj+tsETzFOJDnEEQg/dchD9TrmaI/hm7UD2VjfFoyUg6gxFMhRrMr+oxVgijmjx4jbnkpwC6KFMOaKPHN1WCi1i4ke1NpNWqWq+IizvnnACFp6gFbopXWz+qkZnwbnBkFlgi1dIyWUsJFM51Ve6M');
}
}
});
})();</script>
<script type="text/javascript">$(function(){ AhValidation.InitializeForms(); });</script>
</head>
<body>
<div id="notification-bar-wrapper"></div>
<script type="text/javascript">$(function(){var fn = function(){$('#notification-bar-wrapper').load('/0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Controls.Layout.NotificationBar/GetNotifications #notifications', [], function(){ setTimeout(fn, 10000);});}; fn();});</script>
<div class="content-container" id="navigation-bar">
<div class="content">
<a href="/">
<img class="logo" alt="" src="/resources/images/layout/logo.svg" />
</a>
<div class="user-controls">
<a class="dropdown settings" href="/administration"></a>
<a class="dropdown user" href="/log-in?ReturnUrl=%2Ferrors%2Fuser-not-found%3FdirectoryName%3DQueries%2520the%2520current%2520domain%252C%2520global%2520catalog%2520for%2520trusted%2520domains%252C%2520or%2520a%2520specific%2520li%26userName%3Dapi"></a>
<div id="user-navigation-container">
<ul id="user-navigation">
<li>
<a href="/change-password" onclick="$.inedojq_frameddialog(this.href,{resizable: true,refreshOnClose: false,width:645,height:480});return false;">Change Password</a>
</li>
<li>
<a target="_blank" href="http://inedo.com/support/documentation/proget?utm_source=proget&utm_medium=product&utm_campaign=proget5">Documentation</a>
</li>
<li>
<a class="logoff" href="/log-out">Log Off</a>
</li>
</ul>
</div>
</div>
<ul class="navigation">
<li>
<a href="/feeds">Feeds</a>
</li>
<li>
<a href="/packages">Packages</a>
</li>
<li>
<a href="/assets">Assets</a>
</li>
<li>
<a href="/containers">Containers</a>
</li>
<li>
<a href="/licenses/rules">Licenses</a>
</li>
<li>
<a href="/vulnerabilities">Vulnerabilities</a>
</li>
</ul>
</div>
</div>
<form method="post" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="AHAntiCsrfToken" value="CfDJ8OKwK+rfXXJAmA1eylO2/kGF1WuSIIUz6SQ9hvTJv4Ylv+pIINp26Yo1xC38Xp8nhLb3SGM9ljRE3t1Gsu4MGGMg1SzS+6qxIW+1AvpBMnL+sf2vPdo23WRQ8Sqw5gnKTjm1cgz5M1V27HPvXGdkHQJ+noL4LGLcfjan53rd9pde" />
<noscript>
<div class="content-container">
<div class="content">
<div class="info-box error">
<h2>Please Enable JavaScript!</h2>
<p>ProGet requires the use of JavaScript to function properly. Please enable JavaScript in your browser for this site.</p>
</div>
</div>
</div>
</noscript>
<div id="banner-wrapper">
<div class="content-container banner">
<div class="content">
<div class="banner-section">
<h1>User Not Found</h1>
</div>
</div>
</div>
</div>
<div class="content-container">
<div class="content">
<div class="info-box error">
<p>There was an error attempting to load the user 'api' from the user directory 'Queries the current domain, global catalog for trusted domains, or a specific li'. This can be caused by an invalid user name or if cookies are not cleared after switching directory providers.</p>
<div class="action-button-container">
<a class="button solid red" name="ah0~ah3~ah0~ah1~ah1" onclick="AhValidation.TriggerPostBack(this, true, 'click');">Clear Authentication Cookies</a>
</div>
</div>
<p>If the user exists and clearing cookies does not resolve the problem, a ProGet system administrator can re-enable the built-in directory and Admin account by logging into the ProGet server (i.e. 8a15be05340a) and executing the following command:</p>
<code class="console">(proget-installation-directory)\Service> .\ProGet.Service.exe resetadminpassword</code>
<p>Once the user directory is reset, the ProGet web application must be restarted which can be done by clicking here:
<a href="/0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb">Restart Web Application</a>
</p>
<p>It is also recommended that all users clear their cookies before attempting to visit ProGet again.</p>
</div>
</div>
</form>
<div class="content-container" id="footer">
<div class="content">
<p class="current-user"> •
<span title="ID: api">Anonymous User</span>
</p>
<p class="version-number">Version
<span id="ProGet Basic Edition_Version">5.3.17 (Build 19)</span>
</p>
<p>ProGet Basic Edition © 2020 Inedo, LLC</p>
</div>
</div>
</body>
</html>
When I remove the "impersonate user" and leave blank I get the following:
{
"token": "09F0C9F0E2B02BEADF5D7240980D5ECA53B6FE41B2F80BC9DD5C15C55FB002E1D726526020369C86B6DF863B8248439B32682488A51F85A76DFCFD7CF8C3340C1D5570B14195A10B34AD79D7899C2428B22A7D276E74F97197F2114D9A075DE9AF24939D79A3348F40935B995E193E07E038AB67143E94FE0DC936B49AD3417A90D5AF50DBE6831BA8F8FCD2330B1244FA71F551",
"expires_in": 3600,
"issued_at": "2020-12-08T18:27:33.6719276Z"
}
So not a 500 error unfortunately, but there does appear to be an error message in the HTML above.
Thanks
Simon
@rhessinger additionally the "Create new user directory" white screen "bug" above also happens when you try to add a new (clair) Vulnerability source:
Thanks
Simon
Hey @rhessinger,
I get the following error when selecting "use LDAPS":
Unchecking the LDAPS box results in a successful connection/test.
My guess is that the docker image is unable to verify the SSL certificate of the LDAPS server, as the docker host is a Linux VM so it does not have a "root CA" certificate installed on it to verify the SSL cert of the domain controller.
Most other containerized applications all you to "skip the verification" like this example from Portainer:
My previous forum post (linked to above) was a request to add this feature.
Alternatively if there if you guys can reference a root CA certificate that is installed on the containers file system I can see if I can "mount" it in the correct location. You'll just need to let me know where the certificate needs to be installed.
Additionally could you let me know the .Net 5 library you are using to provide this LDAP functionality?
Thanks
Simon
Thanks @rhessinger
Can confirm this workaround works.
However it looks like you guys still are not supporting LDAPS, I have another forum post here: https://forums.inedo.com/topic/3024/proget-docker-image-ldap-ldaps-support?_=1607379833333
Do you know if LDAPS in a docker container image will ever be supported?
Thanks
Simon
Hey Guys,
I've just configured LDAP/AD authentication on ProGet (.net5) V5.3.17 and also removed anonymous user access.
Therefore I am trying to setup docker image feed access from our docker hosts using API keys.
I've setup the api key like this:
Using the "Impersonate user" username of an LDAP account that has administrator permissions set for it in the "Users & Tasks" form:
My plan is to reduce the amount of access this user has later.
But when I try to do a "docker login" using "api" as the username and the API key as the password I get this error:
If I remove the "impersonate user" field from the key and leave it blank I can login without issue.
Thanks
Simon
Hi @atripp
I have/did restart the container but no change:
This is the InedoCore extension page:
Thanks
Simon
Hey Guys,
I'm Running ProGet 5.3.17 on a Docker host and I'm trying to configure an LDAP/AD connection for user authentication.
I'm following these instructions: https://docs.inedo.com/docs/various/ldap/advanced
But when I try to add an "Active Directory (LDAP)" connection I get the following blank screen:
The error log shows this:
An error occurred in the web application: Could not load file or assembly 'InedoCore, Culture=neutral, PublicKeyToken=null'. The system cannot find the file specified.
Details:
URL: http://proget.xxxxx.com/administration/security/directories/edit?type=Inedo.Extensions.UserDirectories.ADUserDirectory%2CInedoCore
Referrer: https://proget.xxxxxxx.com/administration/security/create-new-directory
User: Admin
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Stack trace: at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, StackCrawlMarkHandle stackMark, ObjectHandleOnStack assemblyLoadContext, ObjectHandleOnStack type, ObjectHandleOnStack keepalive)
at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, StackCrawlMark& stackMark, AssemblyLoadContext assemblyLoadContext)
at System.Type.GetType(String typeName, Boolean throwOnError)
at Inedo.Web.HttpArgs.QualifiedTypeQueryStringArgumentAttribute.ConvertFromString(Type targetType, String value)
at Inedo.Web.HttpArgs.QueryStringArgumentAttribute.ConvertFromStringInternal(Type targetType, String value)
at Inedo.Web.HttpArgs.QueryStringArgumentAttribute.Decode(String argumentName, Type targetType, HttpContext context)
at Inedo.Web.HttpArgs.HttpArgumentProvider.HttpArgumentPage.InitializeArguments(IHttpHandler handler, HttpContext context)
at Inedo.ProGet.WebApplication.ProGetHttpModule.PostMapRequestHandlerAsync(HttpApplication app) in C:\InedoAgent\BuildMasterTemp\192.168.44.60\Temp\_E82850\Src\ProGet.WebApplication\ProGetHttpModule.cs:line 437
at Inedo.Web.AhWebMiddleware.InvokeAsync(HttpContext context)
My extensions look like this:
And advanced settings look like this:
Any ideas?
Thanks
Simon
Hi @atripp
I've been struggling getting the new version of proget(core) working on our Docker (CentOs) hosts for a while and I can confirm this is the issue!
This can also be fixed when using a docker compose (stack) file by adding:
working_dir: /usr/local/proget
Would still be great to get this built in to the dockerfile during the next release however.
Thank you @shijiyong_6709 for figuring this out!
Simon
That's amazing! Thanks so much @rhessinger
You guys rock!
@atripp yes its easy to add using apt-get when required however if you have an issue where the container is automatically restarting (for some reason) you would need to install it after every restart.
Its pretty common to have this application installed in most container images.
Simon
@atripp thats amazing! Let me know when this releases. Happy to try it out in our Dev environment.
Thanks
Simon
Hi @atripp,
That's correct. I'm having issue getting my proget container talking to my clair container and I want to make sure proget can communicated with clair over their shared docker network.
So I connect to proget's container command line and try to issue "Ping clair" etc
Simon
Hi @atripp
Yep just the standard ping command. You can install it on your container image using something like the following in the dockerfile:
apt-get install iputils-ping.
Thanks
Simon
Hi @atripp,
I can try but with you guys using Mono it would be a challenge to find out where it would need to go.
I'm curious would using this method work with your code:
I'll investigate installing the certificate on the container now.
Thanks
Simon
Hi @atripp
Thanks for this. Unfortunately I am not a developer so couldn't really help in forking InedoCore. But I do have the ability to run and tests this in a CI container build, in a docker dev environment.
It would seam there is also limited logging so you would need to let me know how best to troubleshoot this implementation for you should it not work.
Let me know how I can help.
Thanks
Simon
Hi @rhessinger
Thanks for the quick response.
I can confirm that works but only when I de-select "Use LDAPS", given that Microsoft is the removing the ability to query AD using LDAP (instead making people query using LDAPS) in the very near future how can I get the LDAPS connection working?
My guess is that given that this docker container is not on a windows domain (and therefore does not have any domain ca certificates) it is unable to verify the LDAPS certificate.
Shouldn't there be an option to "ignore or skip certificate verification"
Thanks
Simon
Hey Guys,
Wondering if anyone has successfully configured LDAP/LDAPS login on the ProGet container image?
Most of the documentation references LDAP authentication working through IIS. Which is obviously not available on the Linux proget image.
In trying to set this up using LDAPS (preferred) I get the following:
Unchecking LDAPS gives me this:
I can ping the domain controller from the containers command line:
Nothing is showing up in the event log.
Running Proget V5.3.7.
Thanks
Simon
Hey Guys,
Wondering if you could update a future proget container image to include "ping", this is very useful when troubleshooting.
Thanks
Simon
Hi @atripp
I've created a PR and added an expanded section on Environment variables.
I would suggest creating a new page called running on Linux docker swarm and I can add some example stack files/notes to that page later.
Thanks
Simon
Amazing thanks @atripp
Let me know what version this appears in I would love to try it out.
Thanks
Simon
Hi Guys,
Please could you allow your ProGet docker image to support secrets. Secrets are mounted as files from the docker host to the container. You should then allow a docker environment variable to specify a file path to the secret.
This could be used in a docker stack file in the following way:
version: '3.4'
services:
Server:
image: proget.inedo.com/productimages/inedo/proget:5.3.7
networks:
- traefik-public
- clair
environment:
SQL_CONNECTION_STRING_FILE: "/run/secrets/proget_connection_string"
TZ: "America/Denver"
secrets:
- source: proget_connection_string
target: /run/secrets/proget_connection_string
volumes:
- "/mnt/docker/proget/packages:/var/proget/packages"
- "/mnt/docker/proget/extensions:/var/proget/extensions"
deploy:
mode: replicated
replicas: 1
placement:
constraints:
- node.platform.os == linux
secrets:
proget_connection_string:
external: true
name: proget_connection_string
You can find out more about docker secrets here:
https://docs.docker.com/engine/swarm/secrets/
Thanks
Simon
Hi @atripp
I like your "tags that use this layer" suggestion, I was also thinking you could do something like this mock-up within the repo view:
In addition you could also improve the "feed view" with some more information about the number of tags/images & vulnerablities per repo like this:
Or even:
Thanks @rhessinger
If that is the case then perhaps this view could have an extra column detailing the package this layer (and vulnerability) exists in?
The use case I have:
Thanks
Simon
Hi Guys,
Pretty sure this is a bug, I'm running ProGet v5.3.7 as a docker container.
Clicking on "Vulnerabilities" in the top navigation bar lists all discovered vulnerabilities. However in the package column it displays the package digest, not the name. It would be great if we could have the name instead.
Thanks
Simon
Hi @gdivis
I can confirm that TimeZone can now be specified as an environment variable in ProGet 5.3.7
Thanks for including this!
Simon
Hi @atripp
Perhaps you could also update the page on Docker Hub telling users that of the new location to download the proget image.
https://hub.docker.com/r/inedo/proget
Thanks
Simon
Hi @atripp
It looks like you guys are using a Debian based container image. Therefore you would just need to add the following to your dockerfile to install tzdata on the image.
RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata
Users (like myself) could then use something like the following to add a timezone environment variable to the docker run command:
docker run -d -v proget-packages:/var/proget/packages -p 80:80 --net=proget \
--name=proget --restart=unless-stopped -e PROGET_DB_TYPE=SqlServer \
-e SQL_CONNECTION_STRING='Data Source=proget-sql; Initial Catalog=ProGet; User ID=sa; Password=‹YourStrong!Passw0rd›' TZ='Europe/London' \
proget.inedo.com/productimages/inedo/proget:<version>
Thanks
Simon