Setting up RavenDB as LocalService fails to start


Kyle Levien

May 4, 2021, 6:00:02 PM
to RavenDB - an awesome database
We are attempting to set up a RavenDB in our product installer and are using the rvn.exe windows-service register tool with the default LocalService user. We also then get the SID of the new service and add permissions for that identity to the DB directory and attempt to start the service. The service fails to start without any helpful message in the alert popup, ravendb log, or event logs. Manually adding the same permissions to the current user on the machine and running run.ps1 in powershell revealed the following exception:

System.InvalidOperationException: Unable to start the server due to invalid certificate configuration! Admin assistance required. ---> System.InvalidOperationException: Could not load certificate file C:\sites\locService\db\Server\server.certificate.igx.pfx ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access denied

This certificate is a self-signed certificate generated earlier using System.Security.Cryptography.X509Certificates from an installer option and imported into the local machine root.

Does anyone have any tips on what we might be doing wrong or what we're missing?

Igal Merhavia

May 5, 2021, 3:18:38 AM
to rav...@googlegroups.com
Hi,

Can it be an anti-virus that causes the "Access denied"?

Best regards,
Igal

--
You received this message because you are subscribed to the Google Groups "RavenDB - an awesome database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ravendb/bb167353-7967-4505-848c-3a6686d49568n%40googlegroups.com.

Oren Eini (Ayende Rahien)

May 5, 2021, 10:11:56 AM
to ravendb
It looks like the service user doesn't have access to the directory to read the pfx file?



--
Oren Eini
CEO   /   Hibernating Rhinos LTD
Skype:  ayenderahien
Support:  sup...@ravendb.net
  

Oren Eini (Ayende Rahien)

May 5, 2021, 10:12:08 AM
to ravendb
Or doesn't have permissions to load a certificate entirely.

Kyle Levien

May 5, 2021, 5:33:07 PM
to RavenDB - an awesome database
I've checked the localservice user permission to the directory and it's all set to full access.
I've also tried giving the service user access to the Rsa/MachineKeys directory on the machine with no luck.
What specific certificate loading permission are you referencing here?

>  Or doesn't have permissions to load a certificate entirely.

Kyle Levien

May 5, 2021, 5:36:32 PM
to RavenDB - an awesome database
One other thing I'll add. Allowing the local users group access to the MachineKeys directory lets me run raven via run.ps1 while not in an administrator powershell. My hunch is the service was throwing the same access denied message that run.ps1 was, but it continues to fail. I cannot see the exact exception in the service as it does not return anything useful in the alert popup, event logs, or raven logs.

Egor Shamanaev

May 11, 2021, 6:27:44 AM
to rav...@googlegroups.com
Hi Kyle,

Which user is running the RavenDB service? Can you make sure that it has access to the MachineKeys directory?

Can you try to run the service using a different user and see if this works?



--
Egor
Developer   /   Hibernating Rhinos LTD

Kyle Levien

May 11, 2021, 12:08:53 PM
to rav...@googlegroups.com
Hi Egor,
That was actually the solution I just worked out yesterday. The LocalService integrated user uses the AuthenticatedUser permission group, which did not have access to the MachineKeys directory. Adding that has resolved our issue.
Thanks,
Kyle
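
A read-only audit of the situation resolved above, as an added example that is not part of the original thread or of RavenDB's tooling: it lists the ACEs that well-known principals hold on the machine key store and warns when one has no Allow entry. The MachineKeys path is the Windows default, and the choice of principals to check is an assumption.

```powershell
# Added example (not from the thread): read-only ACL audit of the machine key store.
# Assumption: default Windows location of the RSA machine key store.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Well-known SIDs; which of these matter for your service is an assumption to verify.
$principals = [ordered]@{
    'S-1-5-19'     = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-PrincipalAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs instead of names so matching works on any OS display language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($principals.Contains($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $principals[$sid]
                Type      = $rule.AccessControlType
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$aces = @(Get-PrincipalAce -Path $machineKeys)
$aces | Format-Table -AutoSize -Wrap

# Flag principals with no Allow entry at all; a Deny entry still overrides an Allow.
$allowed = @($aces | Where-Object { $_.Type -eq 'Allow' } | ForEach-Object Principal)
foreach ($name in $principals.Values) {
    if ($allowed -notcontains $name) {
        Write-Warning "No Allow ACE for '$name' on $machineKeys"
    }
}
```

Passing the .pfx path from the exception to `Get-PrincipalAce -Path` runs the same check on the certificate file itself.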


Ryan Heath

May 11, 2021, 3:10:50 PM
to rav...@googlegroups.com
I'm in the process of investigating an upgrade from 3.x to 5.x ravendb.

We used the HiLoKeyGenerator to get an id before a document is added into the db.
So we could link another document with it and store both changes in one go.

Something like:

var doc = new Doc();
var docId = hilo.NextId(documentStore.DatabaseCommands);
doc.Id += docId;
session.Store(doc);

treeOfDocs.Add(docId);
session.Store(treeOfDocs);

session.SaveChanges(); // saves both changes in one transaction

How do we do this in RavenDB 5.x?

// Ryan

Igal Merhavia

May 12, 2021, 4:12:52 AM
to rav...@googlegroups.com
Hi,

You don’t need to call the hilo.NextId.
Just call session.Store and it will handle that behind the scenes inside the session.Store.

var doc = new Doc();
session.Store(doc);
treeOfDocs.Add(docId);
session.Store(treeOfDocs);

session.SaveChanges(); // saves both changes in one transaction


Best regards,
Igal


Ryan Heath

May 12, 2021, 6:22:41 AM
to rav...@googlegroups.com
Hi Igal, 

Yes I know about that, but that is not working for my scenario. 

I need to know the id upfront, because the newly created doc’s id should be added to another document. And I want to do this in the same transaction. 

// Ryan

Igal Merhavia

May 12, 2021, 7:14:56 AM
to rav...@googlegroups.com
Hi,

You can get it from the id property before the SaveChanges.

var doc = new Doc();
session.Store(doc);
treeOfDocs.Add(doc.Id); // first option if your class contains id property
treeOfDocs.Add(session.Advanced.GetDocumentId(doc)); // second option if your class does not contain id property
session.Store(treeOfDocs);

session.SaveChanges(); // saves both changes in one transaction

Best regards,
Igal

Ryan Heath

May 12, 2021, 7:38:05 AM
to rav...@googlegroups.com
Ok, I get it, that should work. 

Thanks!

// Ryan

Ryan Heath

May 12, 2021, 12:33:03 PM
to rav...@googlegroups.com
It works, but the generated ids are unexpectedly large, and they are not using the hilo document that is stored in the database.

What we did in 3.x is prefix the id with another id and add the hilo

doc.id = "targets/123/docs/" + docsHilo.NextId()

But in 5.x we get an id padded with zeros and the numeric id is way larger than the hilo document in the database.
For instance: "targets/123/docs/0000000000000247947-B"

The B node postfix is not really an issue, but I'd rather have no zero padding and a numeric value that uses the docs hilo in the database.
Perhaps it is possible with custom conventions? But I do not see how.

// Ryan

Ryan Heath

May 12, 2021, 8:03:11 PM
to rav...@googlegroups.com
I ended up using

var doc = new Doc();
var docId =  documentStore.Conventions.GenerateDocumentId(documentStore.Database, doc);  
doc.Id += docId;
session.Store(doc);

treeOfDocs.Add(docId);
session.Store(treeOfDocs);

session.SaveChanges(); // saves both changes in one transaction


It would have been great(er) if a certain separator could support such behavior, mixing Hilo generated ids with a prefix.

Currently, this is already supported:
null => hilo => docs/1-A
prefix/ => server side id => prefix/0000000000000001-A

Mixed behavior could end with a \ separator (or another separator if \ is not possible)
prefix\ => hilo mixed with given prefix => prefix/docs/1-A

// Ryan



 

Ryan Heath

May 14, 2021, 9:19:50 AM
to rav...@googlegroups.com
In RavenDB 3.x we use 
session.Advanced.UseOptimisticConcurrency = true;

we read 

using (var session = store.OpenSession(new SessionOptions
{
    TransactionMode = TransactionMode.ClusterWide
}))

and also

You can store, delete and edit documents and the session will track them as usual.

we see a fair amount of CompareExchangeValue usage involved.

1. Are we required to do CompareExchangeValue on certain attributes? Is this something RavenDB can not figure out itself?
2. Does it make sense to use OptimisticConcurrency in a cluster setup, don't we always want an (expensive) cluster wide transaction?

// Ryan (making his first steps into RavenDB 5.x :) )

Igal Merhavia

May 16, 2021, 2:28:12 AM
to rav...@googlegroups.com
Hi,

In RavenDB any node in the database group can receive write requests.
So there can be simultaneous modifications to the same document.
In this case, when the nodes try to replicate the document they will get a conflict - https://ravendb.net/docs/article-page/4.2/csharp/server/clustering/replication/replication-conflicts.
If your logic cannot stand a conflict you should use a cluster-wide transaction.
If you want to prevent an override of a document you should use a cluster-wide transaction combined with compare exchange.
The common use case is registering a new user with a unique username.
You want it to be unique and you want it to stay valid after the user got confirmation about registration.
But those kinds of operations have a cost in terms of time and you should prevent them as much as possible.

Patch, counters, resolve conflict, etc. are some techniques to achieve that.

Recently we opened an issue to simplify the use of compare exchange with cluster-wide transactions and you can read and follow it here - https://issues.hibernatingrhinos.com/issue/RavenDB-16614

Best regards,
Igal



Ryan Heath

May 16, 2021, 7:53:02 AM
to rav...@googlegroups.com
Hi Igal,

Thanks for your response.

What I still fail to grok is in what way cluster wide transactions are different from compare exchanges.

Basically I have 2 needs:
1 uniqueness like a username
2 and protection of resource allocation (I cannot have two users allocate the same resource at the same time)

With RavenDB 3.x point 1 is protected by an id. Point 2 is protected by optimistic concurrency.

How would we do these points in RavenDB 5.x?

Also, how would we test these situations? The test runner seems to always start with a single node.

// Ryan

Oren Eini (Ayende Rahien)

May 18, 2021, 9:13:07 AM
to ravendb
You can call to the hilo directly, create (and hold as a singleton) an AsyncHiLoIdGenerator and then call to: GetDocumentIdFromId


Igal Merhavia

May 18, 2021, 10:35:47 AM
to rav...@googlegroups.com

Oren Eini (Ayende Rahien)

May 19, 2021, 8:15:08 AM
to ravendb
To expand on that, we are adding a new feature for 5.2 which will ensure atomic writes for documents using cluster wide transactions.
That would mean that you don't need to explicitly use compare exchange values. 

Ryan Heath

May 19, 2021, 8:40:01 AM
to rav...@googlegroups.com
Ayende, can you give an estimate on the release of 5.2?

// Ryan

Oren Eini (Ayende Rahien)

Jul 15, 2021, 7:17:26 AM
to ravendb
Just circling back to it, this has been released in 5.2

Ryan Heath

Jul 15, 2021, 7:23:22 AM
to rav...@googlegroups.com
Yes, it is on my radar.
Waiting for a blog post about it ;)

// Ryan

Oren Eini (Ayende Rahien)

Aug 1, 2021, 9:16:12 AM
to ravendb