nats-streaming-server as windows service under limited permissions account

[Nikolai Nikolaev]

Hello.

Is there a way to run nats-streaming-server as Windows service under account with limited permissions (actualy without rights to access registry and write to syslog)?

I have tried version 0.17.0 with NT Service account and it fails to start because of ACCESS DENIED error while trying to access registry.

[Ivan Kozlovic]

Try to specify a logfile option otherwise, when the server detects that it is started as a Windows Service and has no logfile, it defaults to using syslog.

The option would be something like:

```

logfile: "server.log"

logfile_size_limit: 1GB

```

Notice that the "logfile_size_limit" is only available in the latest release v0.17.0

Let me know if that helps.

[Nikolai Nikolaev]

Have found start following option in nats-streaming-server usage description:

-l, --log <string>               File to redirect log output

is it the right param?

Then create win service as follows (paths are changed):

sc.exe create Nats-Streaming binPath="\"c:\...\nats-streaming-server.exe\"  -p=21010 --log=c:\..\logs\nats.log"

Under System account it started successfully with logs written in nats.log file

After changing service account it fails to start (no logs are written)

An older version (v0.12.0) was succesfully used with windows service wrapper (https://github.com/kohsuke/winsw).

When i try to use it with the last one (v0.17.0) it writes some logs:

```

goroutine 1 [running]:
github.com/nats-io/nats-streaming-server/server.Run(0xc000194000, 0xc00015af00, 0xc00008ff50, 0x405aa6, 0xc00001a178)
    /home/travis/gopath/src/github.com/nats-io/nats-streaming-server/server/service_windows.go:145 +0x63f
main.main()
    /home/travis/gopath/src/github.com/nats-io/nats-streaming-server/nats-streaming-server.go:162 +0x56

```

It seems that, when starting as windows service, nats-streaming dont checks if log file path is specified, but tries to initialize syslog and panics when it cant be done (https://github.com/nats-io/nats-streaming-server/blob/master/server/service_windows.go : 138)

суббота, 29 февраля 2020 г., 21:52:41 UTC+3 пользователь Ivan Kozlovic написал:

[Ivan Kozlovic]

Nikolai,

Yes, I see that we try to create the syslog regardless. Would you be able to compile the server from a branch if I post an attempt to a fix?

Or you can even try yourself by changing the "else" clause here with:

} else if nOpts.LogFile == "" {

PS: This code seem to be the same for v0.12.0, so not sure why it works for that release but not the latest.

[Nikolai Nikolaev]

Thanks, at the moment i can compile server from changed source.

Would this change be presented in further release or github issue need to be created?

With older server version - it was v0.10.2 not v0.12.0 - my fault.

воскресенье, 1 марта 2020 г., 3:44:30 UTC+3 пользователь Ivan Kozlovic написал:

[Ivan Kozlovic]

> Thanks, at the moment i can compile server from changed source.

Great, I will have a branch ready for you to test from.

> Would this change be presented in further release or github issue need to be created?

If it fixes the problem, then yes, it will be merged to master and avail in the next release. I can create the giithub issue for you if you want, but if you have a github handle, please do so since I like to credit people reporting issues or contributing in the release notes.

> With older server version - it was v0.10.2 not v0.12.0 - my fault.

Ok, makes sense. The Windows service code was added in v0.11.0, so previously you were probably using some kind of wrapper.

[Ivan Kozlovic]

I just realized that the reason we were creating a syslog is that we wanted to be able to log a possible startup failure.

That is, if the server fails to start before it starts its own logging, the user will not know what went wrong.. At this point I would say that the possible reason for failing before logging is on would be related to parsing of the configuration file. After that, even a failure to start (say problem with store file, etc..) should be logged in the logfile.

So what do you think? Should we completely ignore syslog if a logfile option is set or should we still try to have the syslog but not consider it a fatal error if we can create it and there is a logfile option set?

Ivan.

[Nikolai Nikolaev]

In my situation server is starting under restricted permissions account that hasn't permissions to read/write to registry.

In this case logs arent written anywhere.

Server has starting option: -s, --syslog <string> Enable syslog as log method

I think this option or a similar ont can activate or deactivate syslog at all even to log starting errors.

понедельник, 2 марта 2020 г., 19:41:38 UTC+3 пользователь Ivan Kozlovic написал:

[Ivan Kozlovic]

If you could try from this branch: https://github.com/nats-io/nats-streaming-server/tree/fix_nosyslog_if_logfile_specified

and let me know if that works for you.

Thanks!

[Nikolai Nikolaev]

Hello.

Server built from branch works as expected with file log under account with restricted rights.

Thanks and sorry for delay.

Would be nice to see this change in release.

вторник, 3 марта 2020 г., 3:27:06 UTC+3 пользователь Ivan Kozlovic написал:

[Ivan Kozlovic]

Thank you for the confirmation. We will include this in our next release, which should be soon.