apache / couchdb

Seamless multi-master syncing database with an intuitive HTTP/JSON API, designed for reliability
https://couchdb.apache.org/
Apache License 2.0

Replace nssm.exe and install the Windows service differently #1303

Open wohali opened 6 years ago

wohali commented 6 years ago

Issue #1302 (and others in the past) highlights that nssm, an application we use to run couchdb.cmd as the service launcher for CouchDB, is sometimes detected as risky software by 3rd party virus detectors. This is because Microsoft Windows doesn't allow registration of batch/command/shell script files as services - only .exes.

We can work around this by writing a standalone exe that replaces couchdb.cmd. This can be installed as the service instead.

Alternative solutions may also be possible.

wohali commented 4 years ago

I spent a bit of time today looking at this and considering http://erlang.org/doc/man/erlsrv.html as an alternative.

The problem is that erlsrv.exe doesn't provide the full flexibility we expect for the startup process here: https://github.com/apache/couchdb/blob/master/rel/files/couchdb.cmd.in

Specifically, users can modify that file (or write their own) to change environment variables for the JS/CoffeeScript query servers and the Fauxton docroot, plus of course change the config file search path/chain.

Also, erlsrv.exe always installs and runs a service as Administrator, which is higher privilege than we require - arguably, too high. The manual page says the user can be changed later via the Service control panel, but that's too late for us.

Here's a better option: https://github.com/oze4/New-PSService

wohali commented 4 years ago

Unfortunately that last link depends on https://github.com/DSorlov/Sorlov.PowerShell which is GPL v3. :(

wohali commented 4 years ago

An alternative: https://github.com/kohsuke/winsw This requires the .NET Framework as a dependency, though, which would balloon our installer. It also doesn't natively support overriding of parameters.

I think writing a custom C# wrapper like https://docs.microsoft.com/en-us/archive/msdn-magazine/2016/may/windows-powershell-writing-windows-services-in-powershell would be best. Full example code is here: https://github.com/JFLarvoire/SysToolsLib/blob/master/PowerShell/PSService.ps1

Apache License v2

mtkennerly commented 4 years ago

@wohali Hey, I found this ticket by chance on Google and just wanted to suggest a project of mine that could hopefully be useful to you: https://github.com/mtkennerly/shawl . It should have enough customization to cover what you mentioned above, but let me know if you see any gaps. Plus it's MIT and designed to be bundleable with other apps.

I have McAfee on my work laptop, so I double checked and it doesn't complain about the exe, and VirusTotal is happy with it too (32-bit scan, 64-bit scan).

wohali commented 4 years ago

Thanks, @mtkennerly . I'd really, REALLY rather not add yet another runtime environment to our build chain, and we build all of our dependencies from scratch (including Rust), but I'll keep this in mind. Thanks.

wohali commented 4 years ago

The right path forward here is probably using erlsrv.exe, which is purpose-made for us.

We need to move the goop living currently in couchdb.cmd and couchdb (bash shell script) inside of the (Erlang) startup process somehow, so all platforms invoke and deal with environment variables the same way.

nicpenning commented 3 years ago

Carbon Black flags the nssm.exe software as well. Is there an ETA to get this taken care of?

wohali commented 3 years ago

@nicpenning Pull requests welcome.

jason-sachs commented 1 year ago

How do you start nssm.exe manually? It got blocked by Carbon Black when I installed CouchDB. I have since got our IT department to whitelist nssm.exe, but now I don't know what to do. nssm install couchdb? nssm start couchdb?

big-r81 commented 1 year ago

The installer does something like

nssm.exe install <servicename> <program>

to install the service. Like

nssm.exe install "Apache CouchDB" "C:\PATH-TO-COUCHDB\bin\couchdb.cmd"

You can also start CouchDB manually with the provided cmd-file.
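
An added example, not part of the comment above or of the CouchDB project: a PowerShell audit of the registration that install command creates, reporting the account the service runs as and the wrapper's SHA-256 and Authenticode status so an allowlist entry can be tied to the file rather than to the name nssm.exe. It assumes the service name "Apache CouchDB" from the command above and that nssm records the launched program in the service's Parameters registry subkey; the function name is hypothetical.

```powershell
# Added example (not from the thread): audit a wrapper-launched Windows service.
param([string]$ServiceName = 'Apache CouchDB')  # name from the install command above

function Get-WrapperServiceAudit {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object Name -eq $Name
    if (-not $svc) { throw "Service '$Name' is not registered." }

    # PathName can be quoted and carry arguments; keep only the executable.
    # An unquoted path containing spaces is cut at the first space.
    $exe = $null
    if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($svc.PathName -match '^\s*(\S+)') { $exe = $Matches[1] }

    # Assumption: nssm records the program it launches under ...\Parameters.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    $launched = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Application

    # Hash and signature of the wrapper that the service manager actually starts.
    $hash = $null; $sig = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
    }

    [pscustomobject]@{
        Service          = $svc.Name
        RunsAs           = $svc.StartName
        HighPrivilege    = $svc.StartName -match '^(LocalSystem|.*\\Administrator)$'
        WrapperExe       = $exe
        WrapperSha256    = $hash
        WrapperSignature = $sig
        LaunchedProgram  = $launched
    }
}

Get-WrapperServiceAudit -Name $ServiceName | Format-List
```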

eight04 commented 4 weeks ago

Today I downloaded couchdb-3.4.1 installer on Windows 10. Then the file was immediately removed by McAfee.

After bringing it back, I verified sha256, installed, and now the service runs successfully. Though McAfee is still complaining about the installer.

Maybe this is a different issue?