RE: Buildmaster - High CPU database since 6.2.22

Typically these are cleaned up via retention policies... but where is the DELETE [Executions] WHERE [Execution_Id] = @Execution_Id being called?

Hello; we haven't forgotten about this, just haven't had an opportunity prioritize with everything else. Hopefully we'll hear from some other users who are seeking similar functionality

Hi Andrew,

The only way to get a Maven artifact in ProGet is by using the API to push it. The re-indexing can detect missing files on disk, but it does not add new files.

This is by design, we simply never created this functionality for ProGet. Even in old versions.

We may add it later, but there's not a lot of demand, since it's "relatively easy" to write a script to import everything in via the API. Really it's just doing a number of HTTP Push commands by starting wtih the POM files as i mentioned.

Cheers,
Alana

Hello;

As of ProGet 5.3.17, ProGet does not support drop paths for Maven; the precise reason is complex, but it's ultimately a result of the way Maven is structured (i.e. a file system vs packages), and how files can be added piece-meal.

It is something we are considering adding in a future release, but it's complex. Other users have reported that they've used a process like this for a disk-based repository.

1. Traverse all directories and upload all POM files with a path relative to the root
2. Traverse all directories again, and upload all non-POM and non-checksum files (like .md5)

There will be errors, particularly if you have invalid POM files or your directory structure doesn't match the required MAVEN convention, so inspect those case-by-case to determine if it matters (like an bad artifact from 5 years ago can probably be ignored).

Unfortunately we don't have a lot more details, but we'd love to hear more from your experience if you end up scripting this,

Cheers,
Alana

Hi Philippe,

I don't think there's anything in particular that would have changed that would cause this slowness.

Those tables are big, and I would definitely recommend purging old data from them.

In any case, the problem is likely index fragmentation. Deleting an execution will cascade to those tables, so I'm thinking there might be some kind of indexing fragmentation or problem.

Here's some information about how to detect and repair index fragmentation: https://inedo.com/support/kb/1167/sql-server-recommendations

Can you try that, and see if it helps?

Thanks, Alana

ProGet does not support package-level permissions; you would need to create separate feeds, or create a custom package filter (in C#) that could have some sort of filtering logic per user.

Hi @Crimrose, this would probably be better to check on the Chocolatey forums / community site. But if you can find the answer, please share it :)

Thanks; I can confirm that there indeed is an error parsing one of the PDBs in the file you sent, which is why it won't index on upload. It could be just that particular package or file, though. I wonder if you try different packages, it might work.

Otherwise, not sure why/how it would work from the service though...

Anyways we'll investigate this further, but it might take several days to schedule the time, since this is quite complex, binary/bit-level parsing logic, and might be complex.

Hello; the files should definitely be indexed on upload...

Could you share the package you created created, so that we could evaluate/test to see if we can reproduce the problem? I'm not sure if you can attach to the forums, but you could also email it to support at inedo dot com ... please add [QA-475] in the subject so we can easily find it.

Hello; due to the complexity of handing the apt signing, connectors to other apt repositories are not supported for Debian Feeds in ProGet at this time; we didn't anticipate this being a common usecase.

You could, however, publish .deb packages you've downloaded to the repository manually.

hi Simon,

The default connection pool size for .NET's SQL Server connection is 100, so that behavior wouldn't be unexpected if there were a lot of requests to ProGet (very common in a package restore) and the database driver wasn't responding fast enough for whatever reason (also very common... too many network requests coming in, too many network requests going out, slow database server, etc.).

The .NET Runtime will eventually close those connections, and they will then be terminated by the TCP stack shortly after (minutes?).

Alana

Hi Simon, I'm guessing there's a 500 error being thrown at the same time? Or, perhaps, it's a permission error? In any case, can you try to get a feeling for the underlying error message? That will help debug it.

Hi Peter,

Thanks for reposting this; this error is basically what you can expect from a "network stack" being overloaded; each request to a ProGet feed can potentially open another requests to each connector configured (maybe NuGet.org, maybe others), and if you are doing a lot of requests at once, you'll get a lot of network activity queuing up. SQL Server also running on the network, so those just get added to the queue, and eventually you run out of connection.

Do you have a lot of containers running on the same computer that ProGet is running on? If so, that coudl also contribute to the network stack being overloaded.

The best way to solve is with more hardware, or by removing connectors to nuget.org, etc.

Also note that users can overload a server as well, and this is why load balancing will be very important if you want to keep reliability; See How to Prevent Server Overload in ProGet to learn more.

Hi @p-bruch_5023 can you post this to a Topic? It'll be a lot easier to track internally, and for other users to find since it's newer and different cases than other timeouts.

Hi Simon, based on what I'm seeing, it looks like the InedoCore extension didn't load, which is what would happen in this case...

Can you try restart container?

On the Admin > Extensions> What do you see on the InedoCore page? There should be a list of extensible components presented, including the directory type...

These days, there are very few packages with quicks like this, so we recommend just repackaging (either using the feature, or manually) a local copy for caching purposes.

Owin is one of these packages unfortunately. The latest (and only) package version is 1.0 (in some cases) and 1.0.0 in others. It's also over 8 years old, so it can't be helped.

ProGet 5.2 had better support for these versions quirks using a feature called "Legacy (Quirks) Feeds", but those feeds couldn't handle SemVer queries properly, since requests like 1.0 were ambiguous (should it return 1.0 or 1.0.0, both of which are valid versions, etc), so it was a big tradeoff. They were fully removed in ProGet 5.3.

You can basically ignore this error.

When you press the Save button on the All Settings page, it triggers a Restart of the Application Pool after saving. Most of the time this is not noticed at all, but sometimes it happens -- and this might happen. It goes away within seconds if you hit refresh.

Hello;

Long story short, the problem is that your package's nuspec file has an invalid version number (1.0); if you edit the file, and put in a proper SemVer, it will be fine. This is what repackaging does, by the way. It creates a new package with a different version number.

This is a long-standing versioning quirk with NuGet that still comes up every now and then; in the old days, you could have packages like 1.0 and 1.0.00 or even 1.000.0, and they'd all be different.

NuGet dropped support for this over five years ago, but since old packages with quirk versions remain, they did all sorts of strange work-arounds in the NuGet client. For example, you may see a file request for 1.0.0, and then 1.0.0.0, then 1 then 1.0.

This is because the NuGet API only shows a three-part SemVer anymore, but the files are still accessed by their original version number. ProGet does not do the "version dance" to find the real package file, which is why you get these errors.

We eventually dropped most support for this versioning, and basically you can just have "some" quick packages in feeds, but they won't work through connectors in most cases.

Hi @scroak_6473 good to know! So, I've added the WORKDIR /usr/local/proget/ line right above our CMD line, and it should go in the next release.

Hello;

Tags in Docker registries are really just a human-readable pointer to a digest (hash) of an container image. It's really just a name+digest, and there's no additional metadata provided by the Docker API.

This is why we encourage Semantic Versioning for Containers, and have a feature built-in that helps with this. You can then reliably parse those tags like semnatic version numbers, and use them as needed.

The Packages vs Containers documentation also talks about some of the quirks, if you're not familiar with them already.

Hi Sri,

At first, you can just replace the license key (Admin > License Key) to change the edition of the software (From Express to Enterprise). There's no need to migrate from one server to another.

However, if you want to migrate from one server to another for a different reason, then there are two general approaches:

• application-by-application (this involves using the import/export feature), and is ideal for when you only want to migrate limited, application-specific data
• full migration of all data, using the back-up / restore instructions

The Backing Up BuildMaster instructions detail this, but basically you just need to have three things:

• BuildMaster Database; a SQL Server database that contains all of BuildMaster's configuration data
• Encryption key; to encrypt/decrypt sensitive data in the database (like credentials); this is stored in the shared configuration file
• Artifact Library Files; the path on disk (defined in Artifacts.BasePath setting) that contains all the files for artifacts you created within BuildMaster

Hope that helps,
Alana

I don't have a detailed timeline with Otter 3.0, the scope appears to continue to creep (but, perhaps in a good way ). But it's still looking on track for early next year.

Probably the best thing to do is to get in touch with our sales engineering team, so we can learn a bit more about what problems you're trying to solve, and can give some more details about how Otter 3.0 will help; they can at least show you what's upcoming, so you can better decide if it's a good fit.

Hello, thank you for helping to identify this issue, and how we can solve it.

Just so I can understand the situation, I want to confirm that setting the WORKDIR will allow ProGet to run on CentOS7?

If so, do you think editing our Dockerfile like below (see the line I added) will fix the issue? It seems something easy we can try in the next release then.

FROM mcr.microsoft.com/dotnet/aspnet:5.0.0

EXPOSE 80

COPY proget/ /usr/local/proget/

****** ADD THIS LINE ****
WORKDIR /usr/local/proget/
****** / ADD THIS LINE ****

ENV SQL_CONNECTION_STRING "Data Source=proget-sql; Initial Catalog=ProGet; User Id=sa; Password=;"
ENV PROGET_SVC_MODE both

VOLUME /var/proget/packages
VOLUME /var/proget/extensions
VOLUME /usr/share/Inedo/SharedConfig

CMD ([ -f /usr/share/Inedo/SharedConfig/ProGet.config ] || echo '<?xml version="1.0" encoding="utf-8"?><InedoAppConfig><ConnectionString Type="SqlServer">'"`$SQL_CONNECTION_STRING"'</ConnectionString><WebServer Enabled="true" Urls="http://*:80/"/></InedoAppConfig>' > /usr/share/Inedo/SharedConfig/ProGet.config) \
&& exec /usr/local/proget/service/ProGet.Service run --mode=`$PROGET_SVC_MODE --linuxContainer

Thanks, pleas let me know

Unfortunately, when symbol serving doesn't work, it can be a pain to diagnose...

Can you "start from scratch", documenting your steps along the way, so that I can try to reproduce exactly what you're doing?

Start by making a very simple, hello world sort of library (maybe one class, with some basic code you can easily step/through and debug).

After that, then create some brand new feed (it sounds like you want two feeds? a symbols and a package feed?), then configure the new feed in Visual Studio. Then follow the other steps, like seeing if you can find the symbols in Visual Studios, etc.

If you can share the exact steps you did, and the package you upload, then I can reproduce the error you're seeing by following steps using the package.

Hello; please restart the ProGet service. This will cancel all executions upon restart.

The legacy pdb format bundles sources in the NuGet package (in which case, it comes from ProGet), whereas pdb file uses source link.

So it depends on the format you make the pdb. It sounds like it's the new format, however.

Sorry, wrong software - please see our friends at otter.ai for transcription. We do server automation.

Cheers

In fact, we're working on this project now :)

It's going to be available in Otter 3.0, which will be released in the coming weeks. And even better, you can run Otter 3.0 on Linux/containers :)

NuGet/VS will aggressively cache packages, so if you're not seeing the "Symbol Load Information" it probably means you have an old, cached package or DLL. It's hard to get-around this, so it's best to really just create new package versions so the caching isn't happen

Symbol serving can be pretty tricky to get working, so make sure to follow the troubleshooting steps in the documentation.

You'll see SymbolLoad information for your DLL, which should look something like this:

If you're not seeing a call to your ProGet server, then Visual STudio isn't configured as needed.

If ProGet is returning a 404, then the symbol isn't indexed. You you see the status of symbols that ProGet found on the "Symbols" tab of your package.

@philippe-camelio_3885 FYI, we will add a checkbox for auto-purging soon, BM-3655

Hi @sbolisetty_3792 , just to let you know, this will be fixed in the next maintence release of BuildMaster (BM-3654). Basically, if a Server has a Single environment, then that environment will be used for credential resolution.

HOWEVER, note that this won't work for your dev-cap server because it's in two environments. So in that case, you couldn't use an environment-specific credential.

Hello, the configuration plans can do a ton of great things, but they're a bit confusing -- and a big thing we want to be improving in the next year, with both software and documentation changes.

But I'll explain a couple things you might already know, for the sake of helping someone who might read this in future. Using your first script (without the execution policy):

• The OtterScript is executed twice in a row; first in "Collect" mode then "Ensure" mode if it
• Ensure-File always executes in Collect (and it records whether the file exists), and it may execute in the "Ensure" run (where it would create/overwrite) if it reported drift
• Start-Service never executes in Collect, but may run in "Ensure" mode... but may executes if another operation in the block reported drift (i.e. if Ensure-File reported drift)
• Post-Http never executes in Collect mode, and it never executes or Ensure modes, because it's the only statement in a block

The with executionPolicy=always policy changes this, and it's the intended use of this execution directive. But... it's an editor bug, so we'll fix it.

So... all that said... I don't think I'd recommend doing an error handling in a Configuration plan like this; it feels more appropriate for an Orchestration plan that you run for a purpose, to like provision or set-up a server.

Otter will perform a routine configuration scan at least every hour, so there's a good chance this will just end up sending the same error message over and over:

1. Drift is a detected
2. Configuration FAILS to change
3. Error notice is sent

This isn't all that helpful, and is more of an indication of an outage more than anything else. And this isn't a great way to detect an outage. Instead, you can check the status of the server; if there is a failure during a Configuration execution, the server status becomes Error, and it can then be investigated about the details.

Hi there, I'm afraid the documentation is incorrect

There is no such way to do that in the current version, so for the time being all users will have full access.

However, the next version of Otter is in the works, and it's going to be great; not only will it run as as a container on Linux, but we're making a lot of UI improvements so that you can do things like run PowerShell / Shell directly as a job.

We'll be bringing over things from BuildMaster as well, like the combined script page, Job Template Variables - and also the pseduo-users like Anonymous, Authenticated, and Everyone.

You will then be able to add/restrict users just like BuildMaster, though all users will still be full admins.

Hello, we haven't seen this before, so it's a bit strange to diagnose.

Can you share exactly what version of ProGet you're using, as well as some screenshots showing the step-by-step? There are some subtle ways different things are displayed, and that might clue us in where to look next.

cheers,
Alana

@nuno-guerreiro-rosa_9280 we have definitely tested similar configurations, and of course our customers have such usage all the time; there haven't been problems like this, and moving to SQL Server has significantly improved performance across the user base (I'm afraid Postgres is not supported)

Do note when you have connectors configured in ProGet, then almost each request to ProGet will often yield other network requests to those connectors. When NuGet builds a dependency tree with 100+ packages, it makes a tremendous amount of requests, often asking "what's the latest version of this package", and the like.

But anyways, it still should be okay. At this point, I'd recommend you to just try setting up a basic virtual machine at like, AWS LightSail or something, and see what you can reproduce.

I see, thanks! So, this is to help a user set-up Visual Studio for the first time, who hasn't done it then?

Well, some feeds already have a "configuration help" button; NuGet does not, and maybe it's not so obvious

We added this tip in ProGet 5.3, but it only shows up when you're configuring a feed, and is intended to "train" the ProGet administrator to where the API Endpoint is (that's why it gives instructions on how to look for it).

This TODO is really obvious, and you can't miss it.

So maybe we can some of the language from the "TODO" tip (like the NPM one), and the make a more obvious "configuration help" button?

@vadim-k_6062 good to know that fixed it! We will add a message to the InedoHub then to help users if they come up with this -- https://inedo.myjetbrains.com/youtrack/issue/DH-42

As I mentioned before, we haven't seen these sorts of issues, but NuGet is a very "chatty" protocol, so a lot of requests are to be expected.

If you can provide some kind of guidance on how to reproduce things, we can certainly consider trying to reproduce it --- but right off the bat, unless you made a mistypo about "1GB of NuGet packages" in a restore that's a kind of red-flag to me.

The "chatty" protocol was never designed for that sort of traffic (tens of megabytes in a restore, maybe), so you'll need to do some networking tweaks (QoS?) to make it so the network stack doesn't get overloaded (which is what sounds like is happening).

Hello;

This error indicates a problem communicating with the domain controller. There are a handful of reasons this error can happen, here are a few:

• To many Domain/LDAP queries, were there any new applications deployed that may be overly chatty with AD?
• A domain controller is offline, but still in the DNS or a change to the IP address. Have you deprecated or changed the IP address on any of your domain controllers recently?
• Overall network communication errors.
• Server requests are sent to a proxy prior to connecting to the server.
• Incorrect certificate

Thus, if you wait and just reboot the server, it just might go away.; otherwise, it might invovle inspecting some of the traffic between the servers. Even if you use our exact code, LDAP just returns the same error, unfortunately.

Let us know what you find / try!

Hello;

Unfortunately, we've had only one other user report this issue, and we didn't hear how they solved it.

Basically, this is failing very early on during the installation process, during the "package extraction" process.

This would most likely be caused by only one of two things:

1. disk is full; the packages are extracted to a temporary directory, so all drives should have at least 1GB just to be totally safe
2. anti-virus is quarantining recently written files to disk

It might also be related to temporary file locking, so try rebooting to see if it helps.

Otherwise, check what could be preventing those package files to be extracted; it's typically the quarantine, so check the log files for that.

Please let us know what you find!

Interesting, that sounds like it might be helpful. Normally we'd just add it, but in this case... for users with integrated windows auth... maybe not so helpful. or if they use API keys, vs passwords, etc.?

In our 5.3 planning documents, I saw some kind of feature called "custom usage text" or something. It didn't make it, in part b/c no one requested it and the only use case we could think of was Universal Packages, where using upack doesn't make sense a lot of times.

Anyways, it seemed tough to market/explain, but the idea was you would be able to edit/add the usage text on the feeds. I guess, this is the first time I heard of a suggestion outside of universal packages, so maybe we can revive the feature idea :)

Got any other usecases you can think of? That'd help us go along way with adding the feature.

@viceice said in docker login failed via https reverse proxy:

So my assumption would be, that proget will respect the X-Forward* headers as already doing in other feeds.

You're right, when writing the Basic realm="<url>" header, ProGet does not look at the X-Forward* headers. I'm not sure if we should? Would that be a security problem? It kind of seems like it might? Or maybe not? I didn't find anything about the topic discussed on the 'net after a quick search...

How about just configuring your reverse proxy to just rewrite that realm in the auth header to go from http to https? I suspect, thatw ould help.

If you can do that, and then we can update the docs on how to do it, other Free users would be very much appreciative :)

And eventually we will fix this in the software, via PG-1849 - should be a simple fix, cheers!

Hi @viceice

The http://proget-test.kriese.eu/ being returned as the Realm because it's set as the BaseUrl.

If you remove that, then it will work; however, it would cause your instance of ProGet Free to report licensing errors due to your reverse proxy configuration.

Ultimately this is a reverse proxy issue, and we might be able to have the Relm respect the X-Forward* headers.... however, I'm not sure if that's appropriate / okay to do?

It might be a security problem? Can you find any documentation or discussion on this topic?

The code change is easy, but we want to confirm it's okay to make before considering it further.

Cheers,
Alana

I don't know a ton about Maven, but other users have reported that they've used a process like this for a disk-based repository.

1. Traverse all directories and upload all POM files with a path relative to the root
2. Traverse all directories again, and upload all non-POM and non-checksum files (like .md5)

There will be errors, particularly if you have invalid POM files or your directory structure doesn't match the required MAVEN convention, so inspect those case-by-case to determine if it matters (like an bad artifact from 5 years ago can probably be ignored).

That's just what I heard from customers, so if you have more details on how you do it, we'd love to hear! THanks much

Hello;

That was a mistake/typo in the docs, which i've since corrected;

https://github.com/Inedo/inedo-docs/commit/cd7091e8eaf37939949d0681f137a78d579acbc6

The correct url is https://«proget-server»/«feed-name»/«packageName»/«versionNumber[optional]»

But note, that's only for NuGet package. You can easily find the download url for any package from the UI, by looking at the Download button on the package page.
Cheers,
Alana

Hello, please review License Key Activation Docs, especially the note at top talking about Automatic License Activation Not Working in older versions.

Also... please upgrade. ProGet 5.3 is great!!

Hello; this is definitely quite strange.

We haven't had any problems in our test labs, using significantly less-powerful hosts and significantly more traffic. Other users aren't reporting this problem on any platform, so I'm inclined to say it's configuration-related, but what configuration?

How is ProGet configured? If it's just a single feed and a single connector to that feed, then it's not your Proget configuration.

In any case, I'm certain it's not the database itself, but it's related to the network stack related. SQL Server uses network connections, and the "connection timeout" happens when the network stack gets overwhelmed. This can happen when a TON of connections are open, but not closed.

One thing we've seen is that certain network-based reporting tools (monitoring/logging) end up causing problems. They try to send a error over the network that the stack is overloaded, which then gets queued up, and continues to overload the stack. Eventually it calms down.

We've also seen bad hardware cause this. One time, it was even a bad wireless access point in. No idea how that happened, but something to do with routing and packets.

So perhaps try a new server, like make one at LightSail , totally fresh. If you can find a way to reproduce it, then it'll be good, because we can at least investigate it further then.

This isn't currently supported, but something we can consider adding if you're open to using our Feature Request Process.

One thing that would go a long way in helping us understand the usecase (and way to explain it to users) is suggesting where precisely we should document this, and how.

https://docs.inedo.com/docs/proget/reference/api/asset-directories-api (source)