| Index | Recent Threads | Unanswered Threads | Who's Active | Guidelines | Search |
 |
World Community Grid Forums
Category: Support
Forum: BOINC Agent Support
Thread: install as service-v 5.10.3x |
| No member browsing this thread |
|
Thread Status: Active Total posts in this thread: 14
|
|
| Author |
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
my question is about the service-based install AND what the installer does when configuring the client to run.
First question: what are considered valid "usernames" ? Of course a domain\username with local administrator rights should work. But can you specify any other built-in accounts? Second question: what does the installer do to configure BOINC.exe to run as a service? (e.g. it appears that the useraccount must have "logon as a service" logon rights, since the installer configures boinc.exe to run as a service; it must therefore use an account which already has the "logon as a service" right.) Any help on clarifying this would be helpful. |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
You don't need local administrator rights just to run the client. I recommend you create a dedicated account with minimal permissions if you can.
The installer will give the "logon as a service" right to the account if it doesn't already have it. |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
along those lines, wouldn't running the boinc.exe as a service, where the security principal is "localsystem" be the best approach.
I'm just not sure how to do that. |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
No.
That is just as insecure as running BOINC as local administrator. While people do sometimes run BOINC in that configuration, I can't recommend it for a mass deployment. World Community Grid has excellent security practices, but I note that you plan to connect to other projects as well. My recommendation is to run with the minimum possible permission set. (And I'd say run World Community Grid exclusively, too....) |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
So you suggest using an account with appropriate permissions whose credentials never change RATHER than using the LOCALSYSTEM account?
I also don't quite understand how the installer application can grant "logon as a service" to the account specified to run the service. |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
If you can, use the NetworkService account. If you can't, then set up an account using whatever password policy you normally use.
MSDN has this to say: The SCM does not maintain the passwords of service user accounts. If a password is expired, the logon fails and the service fails to start. The system administrator who assigns accounts to services can create accounts with passwords that never expire. The administrator can also manage accounts with passwords that expire by using a service configuration program to periodically change the passwords. The second part of your question is easy: the installer has to run with elevated permissions, so it can normally change user rights. You may need to set the permissions manually if you use a domain account that the installer can't access. |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
my problem then is that I don't know how to configure the installer to use this built-in security principal.
how do you propose doing this? |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
You may have to configure it post-install. Last time I checked, the 5.x series don't support using built-in accounts directly. This should be corrected in BOINC 6.
|
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
I've only seen version 5.10.x being listed as stable, the later versions of 5.10.x are according to boinc still in beta version.
I have seen reference to version 6 clients, but since later 5.10.x are still in beta I'd assumed that 6 is further off. As far as which account to run the service under, it appears we have to specify a domain account with permissions to run as a service. (not to mention permission to start a system service). Please note that lazy slug indicates in his documentation that if you don't specify a username/password with his .mst creator that it attempts to use LOCALSYSTEM as the account to run boinc as. I'd have to look at his code. Random question, but do you know anything about WCG support if we are a partner? Someone noted that I might get official support from them if I was qualified. Thanks for your help today -Matt |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
That's correct, you should stick with the recommended version if possible. I mentioned BOINC 6 just to show that it is a known issue.
You make a good point about the lazy slug's approach - now I think harder about it, the problem with the installer is only with the GUI and possibly the custom actions. Windows Installer can cope with the built-in accounts fine, so you may be able to fix it in the transform. If you are a World Community Grid partner, you will have a personal contact on the WCG staff, for phone or email support. However, WCG will give anyone attempting a mass deployment all the support they can. |
||
|
|
|