I was exploring options for deploying my ASP.NET web app by creating a publish profile when I noticed that .pubxml files are included in this .gitignore file (which I had been using):
https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
Searching around, the reasoning seems to be that either references to the publish profile or references in the publish profile contain absolute paths or other information that may only be valid on the local dev machine at the time.
Can anyone confirm the reasoning behind this exclusion?
I cannot confirm the reasoning but I can tell you what we do. I include the .pubxml files in source control due to the fact that any of us can publish to our DEV or TEST environments. I even checked the files themselves and did not see any local paths. But consider that we use web deploy, so long as we all have access to the same server to deploy to, then there is no problem.
So it really, IMO, depends on what deployment settings you use and if all of your team have access to the same servers.
No credentials and no local paths are stored in our .pubxml files.
From Microsoft documentation (for ASP.NET Core 2.2 and up)-
When publishing to an Azure target, the .pubxml file contains your
Azure subscription identifier. With that target type, adding this file
to source control is discouraged. When publishing to a non-Azure
target, it's safe to check in the .pubxml file.
Sensitive information (like the publish password) is encrypted on a
per user/machine level. It's stored in the
.pubxml.user file. Because
this file can store sensitive information, it shouldn't be checked
into source control.
This is correct. These publish profile files have local settings like target path to deploy which may be different for different systems. So it is always kept these files only locally.
Related
Can I safely delete the contents of this folder
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root
on a Windows 2003 R2 standard system, given that I am not using IIS (6/7) on it?
If that is the case, could you please point me to the relevant documentation about ASP.NET's runtime and maintenance tasks such as this?
Yes, it's safe to delete these, although it may force a dynamic recompilation of any .NET applications you run on the server.
For background, see the Understanding ASP.NET dynamic compilation article on MSDN.
Just an update on more current OS's (Vista, Win7, etc.) - the temp file path has changed may be different based on several variables. The items below are not definitive, however, they are a few I have encountered:
"temp" environment variable setting - then it would be:
%temp%\Temporary ASP.NET Files
Permissions and what application/process (VS, IIS, IIS Express) is running the .Net compiler. Accessing the C:\WINDOWS\Microsoft.NET\Framework folders requires elevated permissions and if you are not developing under an account with sufficient permissions then this folder might be used:
c:\Users\[youruserid]\AppData\Local\Temp\Temporary ASP.NET Files
There are also cases where the temp folder can be set via config for a machine or site specific using this:
<compilation tempDirectory="d:\MyTempPlace" />
I even have a funky setup at work where we don't run Admin by default, plus the IT guys have login scripts that set %temp% and I get temp files in 3 different locations depending on what is compiling things! And I'm still not certain about how these paths get picked....sigh.
Still, dthrasher is correct, you can just delete these and VS and IIS will just recompile them as needed.
I have an application that is installed at several different client's servers. They each have different web.config files and different virtual folders. At the moment I am compiling, manually copying over, setting up IIS, changing web.config and adding virtual folders for each install and also again when updating.
I simply don't know how to deploy using something like Web Deploy or Deployment Package that will let me create different config files or how to manage virtual folders (I would assume I would simply deploy empty folders and would still have to do this part manually). I can handle setting up IIS and virtual folders from the start but I want each client to be able to download new versions and install them without my input (as some Clients are funny about remote access).
You can setup build configurations for each environment. Typically, you get Debug and Release out of the box. I like to replace those with Development, Staging, and Production configurations, which allows a different web.config per environment.
Of course, when publishing, you still have to make sure you select the correct configuration.
I'm not a fan of Web Deploy and other schemes because web-servers, unlike desktops, all tend to have a unique configuration.
In my case, all of our web applications are deployed with custom-written VBScripts (much more pleasant than Batch files and without needing to relearn PowerShell). VBScript (with its default COM object library) provides a compelling platform for writing deployment scripts. And if you can't stand the syntax you can use JScript using the same tools. Bonus: Visual Studio still provides Windows scripting IntelliSense despite it not being an advertised feature).
My most recent deployment script is simple: it's a VBScript (invoked by VS's Post-build command-line) that uses 7-Zip to pack up the web application's files, then generates an ftp.exe batch file (then runs ftp.exe itself) that uploads the files to the server, it also generates an uploads a file called "Unpack.cmd" which calls 7-Zip to extract the files into the right place. The only manual step is executing Unpack.cmd on the server, but that can be done with Remote PowerShell, for example.
Why do you need to customise your IIS configuration separately from the application? Can't you put everything in your web.config file under <system.webServer>?
Should developers keep the web.config file updated and commit it to a VCS such as SVN? At my company we very rarely update it via SVN; instead somebody will create an "instructions" text file in our deployment scripts (SQL scripts and the like, plus batch files to compile the ASPX files as individual DLLs for deployment) that says something like "Change X to Y in web.config files for Sites A, B and D", and relies on the individual developer following those instructions each time the file is updated.
This seems counter-intuitive to me: I would expect the web.config file to be kept in sync as needed, with necessary changes being made and the file committed as any other artifact of the codebase, but I have raised this issue in the past and nobody has paid it any mind.
What approach should be followed when dealing with config files like this?
Absolutely, web config must be in source control, and you can define differences beetween various versions of web.config with web.config configurations
for example we have one for local development server, one for test IIS server, and one for production IIS server. And we can set solution configuration and publish from visual studio for different targets and different clients (sites).
here are the links for web.config configurations :
Common Web.Config transformations with Visual Studio 2010
Web.config Transformation Syntax for Web Application Project Deployment
I wouldn't allow all developers to have access to web.config file at all either via SVN or other way. Although if in your company it is allowed for developers to access web.config i see no reason why it shouldn't be on SVN. Point of SVN is to keep track of your single/multi person development process. If you make changes to web.config and this cause a bug in someone's else code it would be much easier to revert changes using SVN
I want to update an ASP .NET web application (including web.config file changes and database scripts) to multiple production environments - ideally with the click of a button. I do not have direct network connectivity to any of them. I think this means the application servers will have to "pull" the information required for updating the application, and run a script to update the application that resides on the server.
Basically, I need a way to "publish" an update, and the servers see that update and automatically download and run it.
I've thought about possibly setting up an SFTP server for publishing updates, and developing a custom tool which is installed on production environments which looks at the SFTP server every day and downloads application files if they are available. That would at least get the required files onto the servers, and I could use xcopy/robocopy and Migrator.NET to deploy the updates. Still not sure about config file changes, but that at least gets me somewhere.
Is there any good solution for this scenario? Are there any tools that do this for you?
I think the pull rather than push strategy somewhat flaunts conventional wisdom... but this seems like something CruiseControl.NET could easily do. Remember the web.config file is also an XML document, so is easily modifiable in a CruiseControl script. You could xcopy files or use an svn export.
http://varunkumargoel.blogspot.com/2010/03/how-to-make-automatic-deployment-for.html
Please view the above mentioned blog there i have posted details regarding automatic deployment of .NET application with SVN.
Is there a security risk associated with using the option that copies "All project files" when publishing a web application into a production environment? I normally use the option "Only files needed to run this application" which does not copy the source code to the server.
I am the only person with access to the production server. There is also no issue with cluttering the production server as there isn't much on it. In fact I don't mind having all the source files be kept on the server together with the binaries.
Is there any security issue with this?
If no one can get access to the production server then there is no security risk with this option. However this is a pretty big if! I can’t see any real benefit from using the All project files or All files in the source project folder options – these don’t even allow you to update the web application in place on the production server which might be useful in some situations. I would stick to the Only files needed to run this application option just to be save.