Replace nssm.exe and install the Windows service differently

[wohali]

Issue #1302 (and others in the past) highlight that nssm, an application we use to run couchdb.cmd as the service launcher for CouchDB, is sometimes detected as risky software by 3rd party virus detectors. This is because Microsoft Windows doesn't allow registration of batch/command/shell script files as services - only .exes.

We can work around this by writing a standalone exe that replaces couchdb.cmd. This can be installed as the service instead.

Alternative solutions may also be possible.

[wohali]

I spent a bit of time today looking at this and considering http://erlang.org/doc/man/erlsrv.html as an alternative.

The problem is that erlsrv.exe doesn't provide the full flexibility we expect for the startup process here: https://github.com/apache/couchdb/blob/master/rel/files/couchdb.cmd.in

Specifically, users can modify that file (or write their own) to change environment variables for the JS/CoffeeScript query servers and the Fauxton docroot, plus of course change the config file search path/chain.

Also, erlsrv.exe always installs and runs a service as Administrator, which is higher privilege than we require - arguably, too high. The manual page says the user can be changed later via the Service control panel, but that's too late for us.

Here's a better option: https://github.com/oze4/New-PSService

[wohali]

Unfortunately that last link depends on https://github.com/DSorlov/Sorlov.PowerShell which is GPL v3. :(

[wohali]

An alternative: https://github.com/kohsuke/winsw This requires the .NET Framework as a dependency, though, which would balloon our installer. It also doesn't natively support overriding of parameters.

I think writing a custom C# wrapper like https://docs.microsoft.com/en-us/archive/msdn-magazine/2016/may/windows-powershell-writing-windows-services-in-powershell would be best. Full example code is here: https://github.com/JFLarvoire/SysToolsLib/blob/master/PowerShell/PSService.ps1

Apache License v2

[mtkennerly]

@wohali Hey, I found this ticket by chance on Google and just wanted to suggest a project of mine that could hopefully be useful to you: https://github.com/mtkennerly/shawl . It should have enough customization to cover what you mentioned above, but let me know if you see any gaps. Plus it's MIT and designed to be bundleable with other apps.

I have McAfee on my work laptop, so I double checked and it doesn't complain about the exe, and VirusTotal is happy with it too (32-bit scan, 64-bit scan).

[wohali]

Thanks, @mtkennerly . I'd really, REALLY rather not add yet another runtime environment to our build chain, and we build all of our dependencies from scratch (including Rust), but I'll keep this in mind. Thanks.

[wohali]

The right path forward here is probably using erlsrv.exe, which is purpose-made for us.

We need to move the goop living currently in couchdb.cmd and couchdb (bash shell script) inside of the (Erlang) startup process somehow, so all platforms invoke and deal with environment variables the same way.

[nicpenning]

Carbon Black flags the nssm.exe software as well. Is there an ETA to get this taken care of?

[wohali]

@nicpenning Pull requests welcome.

[jason-sachs]

How do you start nssm.exe manually? It got blocked by Carbon Black when I installed CouchDB. I have since got our IT department to whitelist nssm.exe, but now I don't know what to do. nssm install couchdb? nssm start couchdb?

[big-r81]

The installer does something like

nssm.exe install <servicename> <program>

to install the service. Like

nssm.exe install "Apache CouchDB" "C:\PATH-TO-COUCHDB\bin\couchdb.cmd"

You can also start CouchDB manually with the provided cmd-file.

[eight04]

Today I downloaded couchdb-3.4.1 installer on Windows 10. Then the file was immediately removed by McAfee.

After bringing it back, I verified sha256, installed, and now the service runs successfully. Though McAfee is still complaining about the installer.

Maybe this is a different issue?