Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change install dir to Program Files #209

Merged
merged 5 commits into from
Nov 17, 2023
Merged

Change install dir to Program Files #209

merged 5 commits into from
Nov 17, 2023

Conversation

amitkanfer
Copy link
Contributor

@amitkanfer amitkanfer commented Nov 11, 2023
edited
Loading

This PR mitigates a security issue described here.

  • Bumps the .NET version to the current LTS (6.0.319)
  • MSI installers to stop using C:\ProgramData

@amitkanfer amitkanfer requested a review from a team as a code owner November 11, 2023 11:46
amitkanfer
amitkanfer commented Nov 11, 2023
View reviewed changes
src/installer/BeatPackageCompiler/BeatPackageCompiler.cs
@@ -150,40 +147,19 @@ static void Main(string[] args)

var packageContents = new List<WixEntity>
{
new DirFiles(Path.Combine(opts.PackageInDir, MagicStrings.Files.All), path =>
new Files(Path.Combine(opts.PackageInDir, MagicStrings.Files.All), path =>
Copy link
Contributor Author

@amitkanfer amitkanfer Nov 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the change responsible for choosing all files including subfolders (recursive), instead of just the parent top folder

@amitkanfer
Copy link
Contributor Author

amitkanfer commented Nov 11, 2023
edited
Loading

Before this PR, command line example:

"C:\Program Files\Elastic\Beats\8.11.0\filebeat\filebeat.exe"  --path.home "C:\Program Files\Elastic\Beats\8.11.0\filebeat" --path.config "C:\ProgramData\Elastic\Beats\filebeat" --path.data "C:\ProgramData\Elastic\Beats\filebeat\data" --path.logs "C:\ProgramData\Elastic\Beats\filebeat\logs" -E logging.files.redirect_stderr=true

With this PR:

"C:\Program Files\Elastic\Beats\8.11.0\filebeat\filebeat.exe"  --path.home "C:\Program Files\Elastic\Beats\8.11.0\filebeat" --path.config "C:\Program Files\Elastic\Beats\8.11.0\filebeat" --path.data "C:\Program Files\Elastic\Beats\8.11.0\filebeat" --path.logs "C:\Program Files\Elastic\Beats\8.11.0\filebeat" -E logging.files.redirect_stderr=true

@cmacknz , few questions:

  • Note the difference with the command lines. logs and data are to the installed folder. Is that OK?
  • Original logic renamed the config file to .example.yml. Not sure why. This logic also prevented the service from starting (as there wasn't filebeat.yml), not sure if this was the intent. Should we keep this logic? Code is here
  • Pending on the answer for the previous question, we should change the logic that open file explorer at the end of the MSI flow

With this PR, on my local machine, all files are copied to the Program Files folder, the service is installed, and if i click Start / Stop everything works well.

@amitkanfer amitkanfer requested a review from cmacknz November 11, 2023 11:57
@amitkanfer amitkanfer requested review from leehinman and removed request for cmacknz November 16, 2023 07:27
leehinman
leehinman approved these changes Nov 16, 2023
View reviewed changes
Copy link

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Also tested on a Win2019 server. Install worked fine, and no data in %PROGRAMDATA%

@amitkanfer amitkanfer merged commit f8c4ece into main Nov 17, 2023
@amitkanfer amitkanfer deleted the change_install_dir branch November 17, 2023 12:23
@Sxderp
Copy link

Sxderp commented Feb 6, 2024

So. We just stumbled upon this as 8.12 has been released. This is a big breaking change, especially for organizations that use some sort of provisioning process (SaltStack). Yet there is NO mention of it in the changelogs.

https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-8.12.0.html

The security issue also seems to be hidden so we don't even know what the problem is. I've never heard of ProgramData being a security issue, so this just seems.. confusing?

@amitkanfer
Copy link
Contributor Author

@Sxderp hello 👋
Can you please share a bit way this a breaking change for you? what processes you have in place exactly and how this change has an impact on them? (i have my assumptions, but just want to make sure we address your use-case)

+1 on the release notes, we'll get those updated ASAP

@Sxderp
Copy link

Sxderp commented Feb 7, 2024
edited
Loading

We use Salt to deploy our filebeat / metricbeat configurations.

  1. Salt installs the programs via chocolatey.
  2. Salt deploys the configuration file to C:\ProgramData\Elastic\Beats*
  3. Salt starts the installed services.

Now that C:\ProgramData is no longer used the services are not picking up the configuration and are just crashing. I should also note that this also broke our existing installs. The config files from C:\ProgramData were not migrated and our hosts are crashing with config files not found.

The new paths also make it /very/ difficult to deploy the configuration en-mass. The beats use the version numbers within their paths. In order to deploy the configuration we now need to know the exact version that is being installed and dynamically update the filepath. That adds another layer of headache trying to do that during orchestration.

I'm also not thrilled with the idea that configurations may break on every new upgrade. As I said, the configurations were not migrated to C:\Program Files. If a new version of filebeat is installed, with a new version path, are we going to lose the configuration from the previous version?

Can we get a reason on why C:\ProgramData is considered "insecure"? It's used by many programs and even Microsoft.

This was referenced Feb 7, 2024
Merged
Merged
@amitkanfer
Copy link
Contributor Author

@Sxderp thanks for the continued feedback.
We placed a PR to allow users to override the INSTALLDIR, so for example, this should work:
msiexec /i winlogbeat-8.12.1-windows-x86_64.msi INSTALLDIR="c:\Program Files\Elastic\Beats\winlogbeat

And then you won't have the version in the path. Can you confirm this will work for you?

@amitkanfer amitkanfer mentioned this pull request Feb 9, 2024
Merged
@Sxderp
Copy link

Sxderp commented Feb 9, 2024

That should work for us, assuming it's for all the beats and not just winlogbeat. Having an unversioned install location as the default would be better.

@obi-juan-syn
Copy link

obi-juan-syn commented Feb 23, 2024
edited
Loading

would it be possible to add where we can point the installer to our own custom config path folder of our choosing during install? this way, any config management of said configs should be a breeze, even if the version exists in the PROGRAMFILES install path

i.e. CONFIGDIR=c:\somewhere\secret

@amitkanfer
Copy link
Contributor Author

would it be possible to add where we can point the installer to our own custom config path folder of our choosing during install? this way, any config management of said configs should be a breeze, even if the version exists in the PROGRAMFILES install path

i.e. CONFIGDIR=c:\somewhere\secret

yes, it's here:
https://github.com/elastic/elastic-stack-installers?tab=readme-ov-file#installing-to-a-custom-location

This was referenced Apr 9, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@amitkanfer @Sxderp @obi-juan-syn @leehinman