Per Machine install? #2685
@Jhacker9: Interesting question! I must admit, we've not considered that one before. But based on the wording of your question, it sounds like your Windows admin skills exceed ours. Therefore I'll first share what I know and perhaps add your knowledge onto that. 😉 Per the contributing doc, Brim is an Electron-based app, and it's packaged with electron-builder. Per these docs, it looks like we're using the default package type of NSIS, so I guess these NSIS docs become relevant. Knowing I'm not going to be an instant expert in NSIS, I instead just read through the options here and it confirmed that we've been relying on its default of a one-click, per-user install. And this all results in things landing in the paths described in https://github.com/brimdata/brim/wiki/Filesystem-Paths, which has the app binaries in one location and the user data in another. Today in a PR #2686 I played around and confirmed that it did indeed pop up its "assisted" installer so I could pick the per-machine install option and that did what I expected. Now, I see above that you said your ultimate need is for a silent per-machine install, so I guess this doesn't get you all the way there. While it would be feasible for us to use these same options to flip over to doing a one-click (i.e., silent), per-machine install, since we've been shipping Brim for years now with a per-user install and this is the first time the topic has come up, I'm a little hesitant to toggle the behavior-when-silent and maybe upset some users. But I think you could likely make your MSI idea work. I did a smoke test by doing a single-user install and then copying the app binaries folder out from under As for your mention of I'll also mention that per this blog post we're about to put out a major release where Brim's name will change to Zui and a bunch more functionality will be added. 
Depending on how desperately you need to roll out the app in your environment, I'd probably advise waiting until we've made that transition. |
@Jhacker9: Responding to the items in your last comment:
Zui v1.0.0 was actually released yesterday. It did include the changes from #2686 so it now offers the option to select per-machine installation. Based on what you said, I assume that means the
I did look into this and have opened a new issue #2713 to pursue that. I did some initial hacking based on the issue & PR linked from there, but it seems the functionality in electron-builder is a little under-documented so it wasn't the quick change I was hoping for. Feel free to keep an eye on that issue and hopefully we'll get it working before too long. I'll hold this issue open while we wait to hear if you've got success doing what you need with Zui v1.0.0. |
@Jhacker9: Circling back with one more update. A bug specific to per-machine install on Windows just surfaced yesterday (#2715), so if your user base is doing security work with pcaps you might want to hold off on rolling out Zui v1.0.0 until that's been addressed. Of course, there's no harm in testing in the meantime. |
Hi Phil, so I ran into an issue. I built an MSI to install Brim per-machine to C:\Program Files (x86)\Brim
Today I launched and got this message
***@***.***
I clicked Later.
I now have both Brim and Zui 1.0.0 installed (the Zui installed per-user)
***@***.***
For Brim, I went through the entire directory tree and tried deleting every .exe that has the name "update" in it. It still auto installs the new product. Am also looking to see if there are any config files that can be tweaked.
Regardless of whether running Brim or any version of Zui, we cannot allow automatic download and install regardless of whether we are running in an Admin or standard user context.
How can this be disabled?
If we switched to Zui (provided your per-machine build is 100%), would it still auto install new versions into the user context?
Also I noticed something else peculiar. The Zui at one point seemed to uninstall itself, then reinstall a few minutes later. Perhaps my imagination, it has been a long week.
In closing, I can't think of any environment, especially government, where an auto-install from the Internet like what we just witnessed would be allowed.
Advise if there is a solution to this, our Cyber team is really interested in the product's capabilities, but our OCIO just won't tolerate auto-updates nor installs of new products directly from the Internet.
John Hacker
Desktop Software and Services Division (DSSD)
End User Software Services
DSSD/EUSO/OCIO
U.S. Patent & Trademark Office
Department of Commerce
Phone: (571) 272-5760
Email: ***@***.***
From: Hacker, John (Halvik_PPL)
Sent: Wednesday, March 8, 2023 12:26 PM
To: brimdata/zui <***@***.***>; brimdata/zui <***@***.***>
Cc: Mention <***@***.***>
Subject: RE: [brimdata/zui] Per Machine install? (Issue #2685)
Thanks Phil. Zui is on hold for us for now. I imported all your Brim 0.31.0 runtimes (minus the update utility) into an MSI and configured it to install per machine to C:\Program Files (x86)\Brim. We are in certification process for that custom build now.
We will eventually upgrade to Zui at some point. Appreciate your team addressing the per machine installs, that is pretty much a US government standard, or at least what our OCIO department wants. Per user installs are really discouraged in controlled baselines as we do not allow auto-updates.
Let me know when Zui is really ready. It is our Cyber department that want it to use in conjunction with WireShark captures.
John Hacker
|
@Jhacker9: We certainly understand your concerns and can respond to the specific issues you've raised. However, I sense that it might work best if you could join a call with our team to do some Q&A and talk through the details and see what's the best way forward. Could you email us at support@brimdata.io with your contact info and let us know if there might be day/time ranges in the latter half of next week when you might be available for such a chat? FYI we're in the U.S. Pacific time zone. Thanks! |
Phil, Citing time zone difference this Thursday or Friday afternoon would work. My core hours are 0700 - 1500 (7am - 3pm) EDST with some wiggle room. I have gone through our OCIO policies and screen capped the items that need to be addressed.
OCIO-POL-36
***@***.***
***@***.***
OCIO-POL-66
***@***.***
***@***.***
…-----------------------------------------------------------------------------------------------------------------------------------------
* Neither Brim nor Zui are currently approved. We were on the cusp of authorizing Brim 0.31.0 until it auto-installed Zui which is a significant security concern and violation of at least (2) of our OCIO policies, unapproved and auto-installed.
* All approved software is to be installed by our service desk personnel using their enhanced credentials (admin privileges).
* We track software by versioning, and any new software, regardless of how minor the version change is, needs to be re-evaluated. New features could be introduced that might have a detrimental effect on our infrastructure and/or network performance.
* For the above reasons we need a product that only installs per-machine and installs nothing additional in the user context. You can mention new versions and features in emails but it is our prerogative as to whether or not we want those capabilities and that would only be after undergoing another round of evaluation and test.
John Hacker
|
@Jhacker9: Thanks for sharing the windows of availability. I suspect a firewall or email proxy on your end keeps scrubbing out the screen captures and email addresses from your updates, as lots of stuff is blanked out with |
Good morning Phil, I just cancelled our Brim 0.31.0 effort, citing its deprecation and the auto install of its replacement Zui.
I have left open the possibility for our end users to submit Zui 1.0.0 for my team's analysis; it can be silently installed per-machine. Maybe that one won't auto-update or install a completely new/different product??
You can close out the Brim issues.
Thanks for setting up Zui to install per-machine. I did find the following issues with your first attempt.
* If Zui/Zed are running the uninstall will remove the ARP from Control Panel - Programs and Features, but keep all files on the C: Drive (C:\Program Files\Zui )
* The solution to that is to Taskkill.exe /IM Zui.exe /IM Zed.exe /F /T before initiating the uninstall. I can automate that as a custom action in an InstallShield Suite
* Even if we do the above TaskKill, the empty folder C:\Program Files\Zui remains on the system. Again I can fix that with an InstallShield custom action as follows: RD /S /Q "C:\Program Files\Zui"
So my team will focus on an InstallShield wrapper around your basic installer if/when they opt to submit it to our team for review.
Thanks
John Hacker
From: Phil Rzewski ***@***.***>
Sent: Monday, March 13, 2023 12:25 PM
To: brimdata/zui ***@***.***>
Cc: Hacker, John (Halvik_PPL) ***@***.***>; Mention ***@***.***>
Subject: Re: [brimdata/zui] Per Machine install? (Issue #2685)
@Jhacker9: Thanks for sharing the windows of availability. I suspect a firewall or email proxy on your end keeps scrubbing out the screen captures and email addresses from your updates, as lots of stuff is blanked out with ****** by the time it makes it into GitHub. In any case, your policies make sense and I understand how they're out of sync with how Brim/Zui currently behave. Could you drop an email to ***@***.*** so we could send an invite for a possible meeting slot? Thanks.
|
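The uninstall sequence from the comment above (stop Zui.exe and Zed.exe, uninstall silently, remove the leftover folder), written out as an added PowerShell example with a verification step; it is not part of the original thread and is not Brim Data's or the commenter's script. It assumes the ARP DisplayName starts with "Zui" and uses the folder and process names reported in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: the ARP DisplayName starts with "Zui"; the
# install folder and process names are the ones reported in the thread.
$InstallDir = 'C:\Program Files\Zui'
$ArpRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    # HKCU is the hive of the account running this script only; per-user
    # installs made by other accounts need a per-profile check.
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-ZuiArpEntry {
    foreach ($root in $ArpRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like 'Zui*') {
                $u = $p.QuietUninstallString
                if (-not $u) { $u = $p.UninstallString }
                [pscustomobject]@{
                    Hive      = $root.Substring(0, 4)   # HKLM or HKCU
                    Key       = $key.PSPath
                    Version   = $p.DisplayVersion
                    Uninstall = $u
                }
            }
        }
    }
}

# 1. End the app and its Zed backend (and child processes) so nothing is
#    locked, as in the thread: Taskkill.exe /IM Zui.exe /IM Zed.exe /F /T
& taskkill.exe /IM Zui.exe /IM Zed.exe /F /T 2>$null | Out-Null

# 2. Run each registered uninstaller silently.
foreach ($e in @(Get-ZuiArpEntry)) {
    if (-not $e.Uninstall) { Write-Warning "No uninstall string: $($e.Key)"; continue }
    $cmd = $e.Uninstall
    if ($cmd -cnotmatch '(^|\s)/S(\s|$)') { $cmd += ' /S' }  # NSIS silent switch
    Start-Process $env:ComSpec -ArgumentList "/c `"$cmd`"" -Wait -WindowStyle Hidden
    # An NSIS uninstaller normally re-launches itself from a temp copy and
    # returns early, so wait for its ARP key to disappear instead.
    $deadline = (Get-Date).AddSeconds(120)
    while ((Test-Path $e.Key) -and ((Get-Date) -lt $deadline)) { Start-Sleep 2 }
}

# 3. Remove the folder the uninstaller leaves behind.
if (Test-Path -LiteralPath $InstallDir) {
    Remove-Item -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue
}

# 4. Verify, and return a non-zero exit code the deployment tool can act on.
$left = @(Get-ZuiArpEntry)
foreach ($l in $left) { Write-Warning "ARP entry remains: $($l.Hive) $($l.Version) $($l.Key)" }
$dirLeft = Test-Path -LiteralPath $InstallDir
if ($dirLeft) { Write-Warning "$InstallDir is still present" }
if ($left.Count -gt 0 -or $dirLeft) { exit 1 } else { exit 0 }
```

Any entry reported under HKCU after the run is a per-user copy, which is the condition the policies quoted in this thread do not allow.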
@Jhacker9: Glad to hear you've got a likely path forward for Zui when your user base requests it. I'll go ahead and close this particular issue since per-machine install is now at least possible. Your findings did spawn several other issues that we'll pursue over time to improve our Windows installation experience. I'll summarize below in the event you'd like to keep an eye on those other issues. Feel free to chime in with comments if you have additional input/problems.
Just to provide a little background here, we did provide several months of notice to our user base of the coming name change for the app, such as this blog post and this Tweet. We've also had an issue #1211 open for 2+ years now tracking interest in disabling auto-update but were surprised that nobody's expressed it as a requirement until now. But thanks to the issue you've raised, we've now boosted the priority on adding that. If left to our own, the way we would have initially implemented it would have been as a user preference, i.e., a user would have the ability to enable/disable the auto-update. But based on your policies you've described, I've made the assumption that your environment would need to be able to disable auto-update as a feature entirely at install time such that users would not even have the option to re-enable it.
I tried to reproduce this so we could pursue it as a bug but I was unable. The first video attached below shows the manual uninstall that most users use. If Zui is running, the user is prompted to close it, and if they click Ok, it does close the app, the uninstall proceeds, and all the files in
Manual.Uninstall.mp4
Silent.Uninstall.mp4
This I was able to reproduce, so I've opened #2725 to pursue getting that cleaned up along with some registry entries I also see are left behind. Beyond those, #2713 and #2715 are the others that we've opened along the way. |
Is there a way to install per-machine? In our environment per-user installs are discouraged. We need a silent per machine install in MECM/SCCM. I note that in your ARP in registry the uninstall is /currentuser /S. So wondering if there is something like /machine /S? Alternatively, if I create an MSI with all the installed files and install that to say C:\Program Files (x86)\Brim with matching shortcut, would the product work?