Affects Version/s: None
Fix Version/s: None
- geographically distributed mesh of Artifactory 6.21.0 HA instances
- pull replication repository topology
- many NuGet repositories configured according to this topology (1 virtual aggregating a local and N smart remotes to every other Artifactory instance in the mesh)
- NuGet v5.7 clients configured to use some or all of these Artifactory virtual repositories as sources
NuGet clients use the FindPackagesById() endpoint to enumerate all versions of a given package ID. NuGet client sources configured to use the v3 protocol (via the protocolVersion="3" tag) also seem to continue to use this endpoint (tested with a nuget install command using a NuGet v5.7 client proxying an Artifactory virtual NuGet repository).
In a busy development environment where there are lots of NuGet repositories and many build servers (which in our case don't have persistent client-side package caches between builds - something that we are addressing), the bursty nature of NuGet client requests to this endpoint can very quickly overwhelm all Artifactory instances in an Artifactory mesh configured in a pull replicated repository topology, leading to periods of service outages.
The FindPackagesById() endpoint is called for every dependency in a project - and it isn't uncommon for our projects to have 1000+ dependencies - so this problem is greatly exacerbated when the NuGet client is proxying an Artifactory virtual repository which has multiple smart remote repositories aggregated, as this results in Artifactory itself calling FindPackagesById() for each dependency against each (smart) remote repository in the virtual aggregation - hence why it can bring down an entire mesh of instances.
Artifactory ought to be able to cache responses to NuGet client FindPackagesById() calls - presumably via the existing "Metadata Retrieval Cache Period" value on remote repositories and the "virtualRetrievalCacheSecs" value configurable on virtual repositories - thereby greatly reducing the impact of these requests.
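
The following is an added model of the fan-out and of the requested caching, written for this page; it is not Artifactory code and not part of the original report. The class names, package IDs and timings are constructed, and `cache_secs` is a hypothetical stand-in for the cache period the report asks for.

```python
from dataclasses import dataclass, field


@dataclass
class SmartRemote:
    """Stand-in for one smart remote pointing at another instance in the mesh."""
    name: str
    upstream_calls: int = 0

    def find_packages_by_id(self, package_id):
        self.upstream_calls += 1            # one round trip to a peer instance
        return [f"{package_id}.1.0.0"]      # constructed version list


@dataclass
class VirtualRepo:
    """Virtual repository aggregating N smart remotes (hypothetical model)."""
    remotes: list
    cache_secs: float = 0                   # 0 = no response caching
    _cache: dict = field(default_factory=dict)

    def find_packages_by_id(self, package_id, now):
        hit = self._cache.get(package_id)
        if hit and now - hit[0] < self.cache_secs:
            return hit[1]                   # served locally, no fan-out
        # Cache miss: every aggregated remote is queried for this package ID.
        versions = sorted({v for r in self.remotes
                           for v in r.find_packages_by_id(package_id)})
        if self.cache_secs > 0:
            self._cache[package_id] = (now, versions)
        return versions


def simulate(n_remotes, n_deps, n_builds, cache_secs, build_interval=10.0):
    """Return total upstream calls made by the virtual repo.

    Each build starts build_interval seconds after the previous one and asks
    for every dependency once, as a client with no persistent cache would.
    """
    remotes = [SmartRemote(f"remote-{i}") for i in range(n_remotes)]
    virt = VirtualRepo(remotes, cache_secs)
    for build in range(n_builds):
        now = build * build_interval
        for dep in range(n_deps):
            virt.find_packages_by_id(f"Pkg{dep}", now)
    return sum(r.upstream_calls for r in remotes)
```

With 5 remotes, 1000 dependencies and 20 builds spaced 10 seconds apart, the model makes 100000 upstream calls without caching and 20000 with a 60-second cache period.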