So I wanted to document a couple of interesting points that had not occurred to me about hosting ASP.NET Core application. The reason for the disconnect, I believe, is because I have only ever known a web world that was housed within a modern IIS context.
Your web.config file was the primary mechanism for your app to interact with IIS, with it we do things like define Forms Authentication, URL Rewriting, define Http Modules and so much more. However almost all of this has gone, your typical configuration now ends up in Startup.cs configured with Middleware. With this still being IIS though if you deploy from Visual Studio you will get a stripped down web.config for free and it typically looks like this:
<?xml version="1.0" encoding="utf-8"?>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
<aspNetCore processPath="dotnet" arguments=".\DasBlog.Web.dll" />
So what are the important parts? The handler called AspNetCoreModule is the connection between your application and IIS, in fact I have noted before that if you look at task manager you will notice two process (w3wp.exe and dotnet.exe) where once there was one (w3wp.exe). Running outside of the IIS process is a significant architectural change and has significant repercussions that I am sure I will talk about in the future. Finally the aspNetCore element defines your assembly that will be run by dotnet.exe.
FTP deploying my asp.net core application was a genuine hassle for a long time because all you core dlls are in use and it does not provide a shadow copy. In order to push new files out to your server you really need deploy the app_offline.htm file first. I have been using IIS for a long time and I barely remember this, however, this file shuts your app down gracefully and once shutdown you get the chance to copy files. Even performing soft resets was not helpful. WebDeploy in Visual Studio essentially does this process for you automatically and then deletes the file when it is finished.
It took me a long time to realize what was happening, I hope this helps someone.
I got asked an interesting question about that would potentially apply to lots of products and thought it would be an interesting question to talk about here. It went like this:
Most sites have a sign in mechanism that takes passwords from end users via an ASP.NET textbox. We go onto to store that password in a string and, by definition then , strings are stored in managed memory on the heap, and if one happens to take a hang dump the password will be in clear text. It would also be true to say that we do not control exactly when the clear text password gets garbage collected. The question then is would immediately storing user entered passwords in a System.Net.NetworkCredential and/or System.Security.SecureString in ASP.NET provide any worthwhile security benefit.
My initial answer started as a "maybe" and finally morphed into a fairly strong "no".
To be clear there are lots of situations where managing sensitive information with SecureString is critical, let's look at a canonical command line example:
public static void Main()
using (var securePwd = new SecureString())
Console.Write("Enter password: ");
key = Console.ReadKey(true);
if (((int)key.Key) >= 65 && ((int)key.Key <= 90))
while (key.Key != ConsoleKey.Enter);
Process.Start("Notepad.exe", "MyUser", securePwd, "MYDOMAIN");
catch (Win32Exception e)
You can see in this console app I am appending each character directly SecureString so there are no strings floating about. I am also taking advantage of the using pattern and ensure that SecureString object will be disposed of quickly or I could have explicitly used the Dispose method to remove the memory more directly. Would such a pattern help in ASP.NET? I am inclined to think not. What is important to remember here is that strings are immutable (unchangeable) so after you create one for any reason anything you do to it ends up creating a new string for you to manipulate. With that in mind consider then how you get from w3wp process to your specific app domain in the following image.
If the information you are getting off the wire is all about strings to begin with whatever you deserialize that string into after the fact becomes the equivalent of closing the barn door after the horse has already bolted.
This is my loosely held opinion I would love for someone to present a contrary opinion, even if it covers a small use case where SecureString might be useful when handling passwords in this way.
Most of us are unprepared for catastrophic failure in our application, that is, the kind of failure that is so pernicious that even our precious log files have nothing useful to share. In fact to get adequate data during these moments we usually need the conditions to be replicated exactly and then hope we are adequately prepared to monitor the details we missed.
For the last couple of years I have been asking our clients to prepare hang dumps for me under a variety of circumstances so that I can ensure I have an accurate portrait of a given situation. In years past we would normally do this using ADPlus, however, there are few clients who are willing to install a subset of the the Windows SDK during or after production outages.
More recently then I have been pushing the more straightforward copy paste installation of ProcDump. It is a popular command-line utility that serves as a general purpose dump utility. There is a whole list of ProcDump parameters to become familiar with but I wanted to share the combinations that I find myself using repeatedly when collecting hang or crash dumps under a variety of circumstances.
Immediately take a full hang dump:
C:\Dev\Procdump>procdump -ma w3wp
Take a full hang dump when the application crashes:
C:\Dev\Procdump>procdump -e -ma w3wp
Write three full hang dumps 10 seconds apart:
C:\Dev\Procdump>procdump -ma -s 10 -n 3 w3wp
Take a full hang dump when the w3wp process exceeds 40%:
C:\Dev\Procdump>procdump -c 40 -s 5 -n 3 w3wp
Take a full hang dump when the overall CPU exceeds 70%:
C:\Dev\Procdump>procdump - ma w3wp -p "\Processor(_Total)\% Processor Time" 70
Write a full hang dump when an exception contains the word "IO" e.g. "IOException":
procdump - ma -e 1 -f IO w3wp
All the previous hang/crash dump strategies are concerned with w3wp, the process associated with the application pool in IIS, however, you can update this for any process name or number you like.
Much to my disappointment PBS does not have a Xbox One app and they have a lot of British programming that I would miss out on. It feels like an awful oversight, and considering how much emphasis Microsoft has pushed fixing app gaps across their platforms this is especially vexing. Your alternatives are to log in to PBS via the edge browser on Xbox One or Cast to your Xbox from a device you own with the app.
For some reason I thought that the Xbox sat on my network waiting to be projected to from every Windows device on my network. I have found that this is simply not the case.
To cast video or images to the Xbox One from Windows (or any device) you need an app on the Xbox that will allow you to make the connection. If you are a part of the Xbox Insider Program then you probably have access to the Wireless Display (preview) app. For most of us the insider programs represents a bit too much instability and risk if this is the case you should consider using AirServer for Xbox One.
- Install AirServer
- Launch the application and click on Play trial
- On your Windows device go to your Notification Center and click on Connect
- Your Xbox name should be listed in the available devices click on it and you are connected!
I have been tasked with sharing some of things I have learned about .NET applications and how they manage memory and sharing it with the team with intent of ensuring we are better prepared to investigate issues in production and that we are not creating new ones. Concepts like Garbage Collection (GC) exist to shield us from unnecessary complexity unfortunately in doing so it can mask ideas that are important.
For me, working with a high availability custom app server and IIS, healthy memory management is incredibly important, so delving below even good and robust abstractions is critical. I have spent the last few weeks looking for the right combination of videos, articles and topics to kick of this learning exercise. The first one is Everything you need to know about .NET memory by Ben Emmett.
I am encouraging my colleagues to start here, and after watching this video to consider and describe the following concepts:
General information about memory (below the .NET GC abstraction)
Each process has its own and separated virtual address space (we never manipulate physical memory directly), all processes on the machine share the same physical memory (plus the page file). The amount each process can access depends on the whether you are using a 32 or 64 bit machine. 4 GB (2GB user mode) for 32-bit Windows, 16 terabytes (8 terabytes user mode) for 64-bit Windows.
If you are writing managed code the GC is the one who allocates/frees virtual memory on your behalf. Even though this is handled for you, for the sake of speed, virtual address space can and will get fragmented, so it is possible and likely that you get free blocks between used address spaces, otherwise known as fragmentation.
Virtual memory can also be in different states:- free, reserved and committed.
- Free is … well free.
- Reserved is saying “I want to make this region of memory available for use later”. After reserving the space that block may not be used for other requests.
- You still cannot use reserved memory until it is committed. Committed memory has been paired up to the available physical memory so you can actually put data in it.
You can get out of memory if you are running out space to reserve, or space to commit. In the age of 64bit processors out of memory is most likely to mean unable to commit (out of physical memory rather virtual memory).
Programming for long periods is like walking a high tight rope for a really, really long period of time, or at least I imagine it is. As you go further and further out on the rope any break in concentration or just simply stopping becomes more and more difficult. I have described this in the past as tumbling down the rabbit hole but even that does not quite capture the sheer force of will it takes to successfully take an idea from concept to useful working application.
Programmers, I am sure, are not special in this regard there are I assume many occupations that require hours of long, intense concentration. This is especially true when the fundamental concepts are so amorphous that you are forced to construct a kind of memory palace (method of loci) in order to successfully navigate ideas, consider redesigns or fix complex problems.
For the developer this complexity can extend through several abstraction layers (OS, network, or memory), across multiple devices and then simultaneously within multiple threads. All these theoretical considerations can get quite overwhelming which is why so many developers insist on silence, headphones or music of a particular tempo and type. Personally I cannot listen to technical podcasts while I develop software, it's like I have single threaded access to the technical portion of my brain.
Unwinding after programming
My advice to anyone who is forced to do perform this kind of mental gymnastics over long periods of time is to engage in countervailing exercises that allow you to almost wholly inhabit the moment. For many people I work with going for a walk away from your workspace is the simplest and most accessible way to clear your mind of programming fog.
Here are a few other suggestions:-
- Playing video games
- Watching TV
- Listening to music
- Talking to non-technical friends
- Closing my eyes and slow your breathing
The common theme for any anti-programming exercise is to simply be present. Actions that force you to consider things in parallel tend to play on the same exhausted brain cells, I find that some video games do this regardless of my best intentions.
For me personally playing a musical instrument does more to settle my restlessness than any of the previous suggestions. Especially when I am playing a piece of music I enjoy and know well enough to play without additional practice, and more importantly, without doubt or fear of failure, remember the whole point is to unwind. When I play music in this context it is usually error prone and experimental and leaves glaring mistakes hanging in the air for all to hear, and you know what that it is fine, because the whole point is to enjoy the music and the moment in real time.
I know that a lot of people do not have musical inclination but I would encourage you to pick up an instrument and pluck around. Getting good might require time but having fun can happen immediately. Just think of someone playing air guitar the enthusiasm and the joy is exactly the point!
So this is me, what do you do to relax after marathon programming sessions?
I have suggested to all my software engineering colleagues that a lack of git command line experience does not have to be a deterrent to diving into open source. Developers who are familiar with Visual Studio can quickly get up to speed with branching, merging and pull requests. My blog has been built around learning so I acknowledge up front that this gap is me being purposefully obtuse.
So you have no command line experience and someone has sent you a pull request at GitHub, here is what you do.
On GitHub click on your list of Pull request (PR) and click on the PR you want to review, you should have the opportunity to click on the “..open this GitHub Desktop…”.
Edge, in this instance, will attempt to open GitHub for Desktop.
Click Yes and you will open up the cross platform Electron based Desktop app, it is a wonderful UX.
If you open up the Visual Studio project associated with this repo it will have also switched to the PR automagically! Now you have the opportunity to test and review all the changes outside of the GitHub site within the more familiar settings of Visual Studio.
GitHub Visual Studio Extension
To take this to the next level I strongly recommend the use of GitHub for Visual Studio Extension which further allows you to view, check out, and review pull requests right within Visual Studio. Once installed this extension creates a new tab next to your solution explorer with a list of pull requests.
By clicking on the pull request you get full access to a list of the changed files and you even get to do diff on the changes right there!
Just like at the GitHub site you can also put inline comments on each file and of course you can Add your review while Approving or Requesting changes. Frankly this extension allows you to completely manage your entire Github life cycle without the command line.
Politics and technology share some of the same flaws in that they both rely on everyone involved being fundamentally decent. Technology unlike politics should be immediately prepared for the moment when the actions and habits of bad actors metastasizes through the system in an irreversible and permanent way.