RE: Access prereleases? Proget 6.0.9

Then we have something to look forward to, could be that we by then switched to API Keys, but the decision ain't mine.

Thanks for the help and for all the RC that we got to test.

@atripp thanks for your reply.

I guess most of the LDAP requests are for the authentication, would it be possible to cache the authentication request and LDAP response for a short time, think that could also improve things. But sure, the test environment is limited compared to the production environment, tend to be a question about money.

About the keys, we had some keys of which a number were of old type that version 6 don't allow you to create anymore, we decided to remove all api keys that hadn't been in use for a long while, most api keys seemed to not been used at all, so we ended up with deleting all of them. Turned out that a couple of the keys were in frequent use (in production), I'm not sure if it's something we have configured on our side or there are issues in logging of successful use of the api keys?

As there been a will of having a centralized way of administrating access and also quite many places to change if switching from account credentials to api keys wouldn't happen over night. But we may have to look into that path incase we notice issues in production.

@rhessinger thanks for your explanation of the user cache.

Till yesterday our test environment had been the faster one, even if it had half the amount of ram compared to the production environment. So decided to setup the permissions for the LDAP users in the same way. The first test after that took around 60s to run, directly after that we decided to clear the cache and after that the test environment was back on 200s per run.

On the test environment the recycle time for the app pool is 1740m and idle-timeout is 10m, I assume that is default. I don't see anything about reset of the pool or crashes in the eventlog. So it don't explain why having a pause or 30 mins makes the time better than run twice after each other. Any recommended values for these configs?

Yes, the AD is in a different network which causes extra latency, but there is no difference between test and production in this regard. They are both setup in the same way when accessing their AD's.

Regarding the time to run in production the same "test" before the upgrade, I can see the last build before upgrade it took 59s to install the same packages.

Something we noticed while testing on our test environment was that after running a "Clear Cache" in "Task/Permission", the time to fetch packages went up.

If we didn't run tests for a longer time, we started to see better times the first time we run the test, just running like 20 sec later it was back on long responses.

The two test were run approximately 11:00 CET:
Running test 25 mins after previous test:
added 1406 packages from 1153 contributors in 60.835s

Running next test 20-30 sec later:
added 1406 packages from 1153 contributors in 210.565s

We did update the InedoCore to 1.13.1-rc.11 to our production instance, this far running the same test runs seems to do it between 41s to 65s without seeing the same slowdown that we saw in the test environment.
added 1408 packages from 1153 contributors in 65.477s
added 1408 packages from 1153 contributors in 42.449s
added 1408 packages from 1153 contributors in 40.736s
added 1408 packages from 1153 contributors in 52.648s
No, there is no CEIP data from the production instance.

If there are anything you want us to test in the test environment, let us know.

We installed InedoCore 1.13.1-rc.11 on our test environment

npm install: added 1406 packages from 1153 contributors in 215.136s

npm install --no-audit: added 1406 packages from 1153 contributors in 110.997s
(this we not tested before)

Comparing with yesterday, it seems 1.13.1-rc.11 is slower.

We did upgrade production environment, sadly the npm install is still as slow as before, 600s. It's similar to the test environment but twice as much memory.

What would be your recommended vCPU and Memory for a instant that gets a good amount of package requests and also has maybe around 10 new packages pushed (all from nuget to docker images) per hour.

@atripp Will look into the metadata caching and see if it helps us.

The machine name has been posted in EDO-8231

Update: the caching has been enabled all the time for the npm and nuget repositories.

If we pull the packages directly from npm org it takes around 40s to install and that was kind of the time it took on 5.3.11 before the upgrade too (when the packages are cached).

After the upgrade (first to 6.0.6, then 6.0.8), the time it took was just less of 600s (for prod: test should have been around 300s) for the same packages.

I'll see to that the machine name will be posted in the private ticket.

It seems that the 6.0.9.rc.3+1.13.1-rc.10 combination fixed the 404 issue when using the always-auth=false. Sorry no CEIP on that one as I hadn't restarted ProGet service and IIS when I run that test.

@atripp if you have always-auth=true for npm then it will do an authentication each request it makes to the repository, if always-auth=false then it will only do the authentication from time to time (not sure how often or how it decides it's time to authenticate again).
Thanks for the heads up on the change, we will test with the rc.3 for now.

@stevedennis we turned on CEIP on the test instance and run a npm install against the npm feed that just a cache of npm org.
The license number is: CQAB8SJN-XXXX-XXXXXX-XXXXXX-46VCSHTF (ProGet Trial)
Start time: 10.13 CET
Result: added 1406 packages from 1153 contributors in 150.089s

We do tend to configure with always-auth=true for npm, it's just while testing to see if there are any differences that I have tested always-auth=false, but with 1.13.1-rc.10 I noticed the 404 for the first time.

Are there any differences between ProGet 6.0.9-rc.3 and 6.0.9-rc.4 that could affect LDAP?

Regarding CEIP, I have to take that with people higher up in the hierarchy before I can turn it on, some policy that prevents me to take that decision.

Hi @stevedennis,

I'm a bit novice on the LDAP part in ProGet, more used to how Atlassian has it in some of it's products where you as administrator have to setup the LDAP query more or less, a bit more try and error there.

We have now tested a bit (just a couple of runs on npm install) on 6.0.8+1.13.1-rc.10:

Takes more than 100s to install 1153 packages when using always-auth=true in npm

When using npm with always-auth=false then we start suddenly get 404's which we didn't get with the InedoCore 1.13.0.

npm http fetch GET 200 https://internalserver.example.net/npm/private-npm/minipass/-/minipass-3.1.1.tgz 4831ms
npm http fetch GET 200 https://internalserver.example.net/npm/private-npm/terser-webpack-plugin/-/terser-webpack-plugin-2.3.5.tgz 5249ms
npm http fetch GET 404 https://internalserver.example.net/npm/private-npm/del 3152ms
npm http fetch GET 404 https://internalserver.example.net/npm/private-npm/rimraf 2469ms
npm http fetch GET 200 https://internalserver.example.net/npm/private-npm/y18n/-/y18n-4.0.0.tgz 3248ms
npm http fetch GET 200 https://internalserver.example.net/npm/private-npm/@npmcli/installed-package-contents/-/installed-package-contents-1.0.5.tgz 2941ms
npm http fetch GET 200 https://internalserver.example.net/npm/private-npm/read-package-tree/-/read-package-tree-5.3.1.tgz 2951ms

As you can see we still have quite high times on packages that can be downloaded.

A workaround that would work is to set allow anonymous to all feeds, but we wouldn't like that, sadly when you set allow anonymous on a specific feed then it takes long time to fetch packages, seems like it then makes it makes some LDAP logic first (it's our guess).

Forgot to say, we haven't seen any of the LDAP errors that we used to get quite many of with 6.0.8+1.13.0.

Great that you found something, we will try out the InedoCore RC on our test instance and evaluate it. Just a short follow up question, then 1.31.1-RC.10 does it work with 6.0.9-rc.3 only or can this be run on the 6.0.8 too?

Thanks, we got hold of the release candidate (6.0.9-rc.3), but I don't think the PG-2096 solved the issue, we get a high number of requests towards the LDAP/AD server and we still get sometimes errors like this:

System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
at Inedo.Extensions.UserDirectories.DirectoryServicesLdapClient.Bind(NetworkCredential credentials)
at Inedo.Extensions.UserDirectories.ADUserDirectory.Search(String dn, String filter, LdapClientSearchScope scope, String userName, SecureString password)
at Inedo.Extensions.UserDirectories.ADUserDirectory.TryGetPrincipal(PrincipalSearchType searchType, String principalName)
at Inedo.Extensions.UserDirectories.ADUserDirectory.ActiveDirectoryUser.IsMemberOfGroup(String groupName)
at System.Linq.Enumerable.WhereArrayIterator`1.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.OrderedEnumerable`1.<GetEnumerator>d__1.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at System.Collections.Concurrent.ConcurrentDictionary`2.GetOrAdd(TKey key, Func`2 valueFactory)
at Inedo.ProGet.Web.Security.TaskChecker.CanPerformTask(IUserDirectoryUser user, ProGetSecuredTask task, Nullable`1 feedId)
at Inedo.ProGet.WebApplication.Security.WebApiContext.isAuthorizedForTask(ProGetSecuredTask task, Nullable`1 feedId)
at Inedo.ProGet.WebApplication.Security.WebApiContext.IsAuthorizedForTask(ProGetSecuredTask task, Nullable`1 feedId)
at Inedo.ProGet.WebApplication.FeedEndpoints.Npm.NpmFeedHandlerBase.ValidateTasks(WebApiContext apiContext, Int32 feedId, ProGetSecuredTask[] tasks)
at Inedo.ProGet.WebApplication.FeedEndpoints.Npm.NpmPackageMetadataHandler.<TryProcessRequestAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Inedo.ProGet.WebApplication.FeedEndpoints.Npm.NpmHandler.<ProcessRequestAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Inedo.ProGet.WebApplication.FeedEndpoints.FeedEndpointHandler.FeedRequestHandler.<ProcessRequestAsync>d__8.MoveNext()

not as many as before, but still enough to fault a build once in a while. Also the download time of packages has become worse on our test environment after the upgrade.

Yes we do have a private ticket on this.

We have upgraded ProGet to 6.0.8 and we still have issues with LDAP/AD request ain't cached which in turn makes npm/nuget packages to take 100 times longer than using 5.3.x. We tried to rollback to 5.3.44 but due of a type cast error we had to upgrade back to the 6 series.

There is a new fix for this which is part of the 6.0.9 release, https://inedo.myjetbrains.com/youtrack/issue/PG-2096

We really would need to be able to test this and verify that it do fix our problem and to cut down build times if it works and do not cause other issue.

Had been nice if there was a way to get access to prereleases in the InedoHub...