-
-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Put restic binary in a user-writable location on Windows #549
Comments
Hey -- really interesting and thanks for the fairly detailed input on considering locations (and reasons). This is something I've struggled with a bit on Windows as my understanding of correct packaging for the platform is relatively weak. I like the idea re: keeping backrest in %localappdata%, assuming the installer should still be able to configure it to launch on startup from there -- and I imagine that should be the case. Doing that, backrest installs restic using a relative path on windows so it would install next to the backrest binary it in the same directory. Interestingly I also see a Would using appdata be a problem for multiuser installs of backrest? Unsure. |
Just a quick note - I found out Backrest is actually storing restic binary in the working directory, not necessarily the same directory as Backrest binary. It's just that currently the installer uses C:\Program Files\Backrest in the startup shortcut properties. When I changed that, it re-downloaded restic to the new location. For multiuser installs you don't want to use %localappdata%. There is %programdata% that's accessible to all users, but not sure if it's appropriate to install binaries there. Currently the installer creates the shortcuts in the current user's Startup and Desktop folders anyway, so as it stands, it is targeting the current user. |
I've been researching this subject and I propose we make Windows installer ask the user if they want to install only for the current user or for all users. I haven't worked with NSIS before but looked at some examples and documentation, and I think I can do it. When "for current user" mode is selected, Backrest will be installed to %localappdata%\Programs\Backrest. No admins rights are required. It will also take care of restic download since that location is user-writable. When "for everyone" mode is selected, Backrest will be installed to %programfiles%\Backrest. It will ask for privileges elevation like it does now. We need to figure out what to do with the restic location. Currently if the user leaves the installer checkbox "Run application" at the end enabled (default), the download works because Backrest is launched elevated (this one time only), inheriting the elevation from the installer. If the checkbox is unchecked, and Backrest is launched manually afterwards, it can't download restic. What's worse, the Web UI doesn't even come up because it's trying to download restic first. I see several potential options here:
I'm willing to take on the Windows installer work if you want. I already started to work on fixing some issues with the existing installer outside of the changes I'm proposing above; will submit a PR in the near future. |
Hey -- really appreciate the thought you're giving to this. Contributions re: how Windows is packaged and improving the polish there are hugely appreciated, Backrest has quite a large usage on the platform. Thinking through the footguns, a few more to mention are
Thinking through your recommendations, they make sense to me and especially re: the "warning" if installing in a central (program files) type location that updates may be problematic / that the "local user" install is recommended. Re: workarounds for a centralized install and restic management -- I recently switched to working directory relative installs just for windows to allow for portable installs. I think the working directory via shortcut sounds like a good way to manage that, but minimally I think the warning would cover it reasonably well. With a central install, one will have to redownload and run the installer for each update anyway so backrest should (on first run) have administrator privileges. To provide a bit of help with untangling the NSIS installer build scripts, the scripts for this are somewhat messy at the moment but are dockerized which makes them relatively easy to try out. See https://github.com/garethgeorge/backrest/blob/main/scripts/generate-installers.sh . These are runnable on a unix system: So testing the NSIS script is:
I believe nsis would be runnable directly on Windows and goreleaser is also available there or I can help with testing. Thanks for thinking on this :) overall I think your recommendations sound like an improvement and I have seen bugs related to install permissions as a pain point that this will help address. |
I would like to provide some clarity around what user-specific vs machine-wide installations mean. It's really all about these things:
One of the issues with the current installer that I'm fixing is that it installs binaries to "Program Files". Yet all shortcuts and registry uninstall entries are for current user only. Usually, a system-wide installation means just a single copy on disk for desktop applications. Each user has their own running instance and app settings except for global things like license etc. This approach doesn't play well with Backrest due to the port issue like you mentioned. Also, all Backrest configuration is user-specific anyway, there is nothing global. Except for the binaries, which are too small to worry about disk space. If userA configures repos and backup plans, userB won't have any of that configuration even when Backrest is installed in "Program Files" for all users. A system-wide installation doesn't imply "multi-user", which could mean different things. One scenario is a shared home PC with several users but never concurrent. If each users logs off before the next one, there is no problem, it will just work. But in Windows a user can log in without logging off another user, even if that other user can't use the PC. This is where things get a bit complicated. Backrest in its default configuration won't work when multiple instances are launched because of the port conflict. And it doesn't matter whether two users launch Backrest from their own profile binary or from the same "Program Files" readable by both users. It means in order to have multiple running instances, the user will have to configure environment variable with a custom port. I believe this is something I can do in the installer, asking user to override the default port. The installer would take care of the shortcuts too. But the system tray link at the moment appears to be hard-coded and doesn't pick up the variable. In my mind a true system-wide installation means a single running instance, single listening port, shared system-wide Backrest configuration. More like a server scenario although not necessarily accessible outside of this system. Another example is an office PC. No matter what user logs in, they get access to the same Backrest instance and configuration. This is usually deployed as a service. I can leverage Task Scheduler and NT AUTHORITY\SYSTEM user for autostarting the process (more or less equivalent to running as root on Linux). Or use some of the tools that allow to run any executable as a service. To sum up, I would propose the following approach for the installer:
Everything I suggested above can be accomplished without any Backrest code changes, except for the systray port issue that has nothing to do with my suggestion. Both scenarios would allow Backrest and restic self-updates because now user-specific instance will be running from a user-writable location, and system-wide instance will be running with admin rights. Please let me know what you think. |
Various fixes before decisions are made regarding multi-purpose installer (garethgeorge#549) 1. Changed installation location to user %localappdata%\programs since the installer already installed all icons and made registry entry only for the current user. 2. Fixed blurry installer text on high DPI screens. 3. Fixed icon for Start Menu, Desktop shortcuts, and Add/Remove programs entry. 4. Fixed uninstaller not terminating running application and not fully cleaning up installed files. Users upgrading from the previous installer should uninstall it first to avoid conflicts. User configuration will stay intact.
Hello, you can perhaps take a look in my backrest service implementation here: Regards |
@cmbcbe, thank you for your input. I did mention the possibility of using some tool as a service wrapper. It comes down to whether @garethgeorge is comfortable with including a third-party executable in Backrest installer. If there is a desire to see the service installation type, I can add this feature to the installer, utilizing NSSM or another preferred wrapper. Initially I was thinking about Task Scheduler, which doesn't require any third-party tools, but it's more of a hack with no status control like a service has. Ideally, Backrest could support running as a Windows service natively, Go is perfectly capable of that. But it would require changing the code substantially to support both non-service and service executions. NSSM is definitely an easier option. |
hello @homandr, @garethgeorge could add to the goland code the windows service functionnality easily, there is a library for that and it work really well, no need for third party tools like nssm, the exe could work as a service natively |
Hey, first @homandr I just got home from the holidays and tried out the latest versions of the windows installer on my Windows desktop for the first time -- really great work on the improvements you've made there. It's really quite neat to see a proper install flow with a choice of install folder (with the good defaults we discussed!) and starting / restarting the running instance. Re: the question of service support, it does look like there's a golang package for this https://cs.opensource.google/go/x/sys/+/refs/tags/v0.28.0:windows/svc/example/main.go;l=42 https://cs.opensource.google/go/x/sys/+/refs/tags/v0.28.0:windows/svc/example/service.go;l=21 shows the actual service flow. Some changes are definitely needed for service support but they might not be too unreasonable, it's not something I'll immediately rule out. That said it does look like there are some quite reputable binary to service wrappers e.g. I like the looks of https://github.com/winsw/winsw?tab=readme-ov-file and it weighs in at ~1MB which is trivial and looks to implement best practices. I can see bundling this binary or something like it if we pin specific versions (to reduce supply chain risk). |
I'm a bit concerned about WinSW, it appears the project is pretty much abandoned while not being fully stable at this point. See winsw/winsw#1102. If going down the wrapper path, there are many options to consider. I compared the size of all these, srvany-ng is the smallest at 89KB, next is NSSM at 324KB. Shawl is huge at 3.23MB. Another thing to keep in mind is how various antivirus software treats such wrappers. Virustotal has at least one flag for all of the tools above except for srvany-ng. Next comes NSSM that was flagged by a few engines as a hack tool. All the others were flagged at least once as straight malicious. Granted, the tools flagging them are somewhat obscure, so not sure if this is something to take into account at all. |
Hmm -- that's really not great re: the virus flags. I think Backrest as a project should be more sensitive to that sort of thing given that trust is important for backups. Thanks for pointing that out. It may make the most sense for backrest to just integrate with the windows service APIs to provide the best quality of support here. I increasingly like that this will let backrest properly handle service lifecycle events e.g. graceful shutdown signals etc, that's a nice touch for backup software to avoid abrupt cancellations. I can justify the maintenance burden in my head I think. The changes I'll make are: a new wrapper for the main() function that checks if the binary is running as a service and, if it is, handles service lifecycle events and replaces the loggers with ones that output to the win service APIs. I should have some time to prototype this over the weekend and we can make a go / no go decision on that impl vs wrappers based on how complicated that looks, especially if you're interested/think this is high value for the windows installer @homandr or can point me in the right direction re: supporting a service install in the installer once that's done. |
Running Backrest as a service is not something I personally have a use for. I actually have a prototype of installer that installs Backrest as a scheduled task under System account. Effectively, it works as a service, except that the controls to stop/restart are limited (but not really needed 99% of the time). I looked at that approach because it doesn't depend on any third-party components and is easy to implement. The only benefit of a service in this context that I can see is running Backrest (and thus restic) elevated. It would allow to use Volume Shadow Copy feature in restic and also to back up system files or other users' files on the host. However, running as the Local System account means some resources would be unavailable, for example, NAS shares - I use them. It is possible to run a service under an arbitrary account, but it requires to supply the password. And if now it runs under a user account, there is really no benefit - not sure if it can be elevated. I know scheduled tasks can run under a user account and elevated at the same time. For me personally this would be the way to use it if I needed Backrest with elevated privileges. I might be missing something, but I don't see many use cases where Backrest as a service would be beneficial. Running it elevated also raises other concerns and risks, especially if it's used wrong. For example, if a user doesn't add Web UI password protection, now we have a privilege escalation - all non-admin users on that box can tap into an elevated process. I know some backup tools install a service just for VSS, while the main executable runs non-privileged and requests VSS snapshot from the service. It quickly becomes complicated. If Backrest is configured to be accessible from outside of the host, now we have a questionable combination of plain text HTTP and elevated process. If I wanted to use it on a server for non-local access, I would rather have a reverse SSL proxy with proper protections and with Backrest listening on localhost only. In my head Backrest is user desktop software vs enterprise server one. Given how flexible Backrest and restic are, they can certainly be used in various capacities, but it's hard to be good at everything at once. With that being said, I have no objections to work on the installer as needed to include the functionality you decide to implement. |
I would like to suggest that maybe Backrest should store restic binary not in C:\Program Files\Backrest as it does currently, but in a user-writable location. For example, %localappdata%. This is what Chrome browser uses as an example, and Firefox when UAC is cancelled during the installation. C:\Program Files on Windows requires UAC elevation to write even if the current user is an administrator. This creates several issues:
I think even Backrest itself could be stored in %localappdata%. It would eliminate all issues listed above and also make Backrest self-updates (if ever implemented) on Windows easier.
The text was updated successfully, but these errors were encountered: