Why IIS? Also, why Chocolatey for winconfig functions?

Mar 18, 2014 at 2:51 AM
I have been playing with BoxStarter this past couple of days. I love the idea; especially of being able to just have a universally-reachable shorturl for a script.

So I created a super-simple script: just run Install-WindowsUpdate -AcceptEula. And I put it here, and followed these instructions to make that into a URL. Then I ran it on a Win7 VM that's running on a Hyper-V server.

Watching it, and looking over the logs, I see that it has installed IIS. Why? Is this for some sort of Chocolatey server mode? Will that be removed later? What are the consequences to Boxstarter and Chocolatey if IIS is removed?

Also, I wonder why it gets and installs Chocolatey for a script that contains no Chocolatey commands.

The installation of these two things takes time, and disk space, and so on. So I was curious, and decided I would ask here about the thinking behind this. Thanks for any replies.
Mar 18, 2014 at 5:36 AM
Good questions.

First, the IIS install is something that should be rectified soon. Chocolatey (I'll get to that one in a bit) requires the .Net 4 runtime or higher. It uses the Web Platform Installer to install this. The Web Platform Installer provides an easy way to install the .net runtime over the internet in a silent manner. An unfortunate side effect is that it assumes that you are installing the runtime to be used for web development. After all, it's not the desktop platform installer. So it wants to set up things like ASP.Net, etc., which requires a running IIS server.

The contributors to Chocolatey, which I am one of, recognize this is far from ideal. The next version of Chocolatey uses a different method to install .net 4. It will just install the basic .net 4 MSI which will not include IIS or anything else outside of the core runtime. So that said, it is perfectly safe to disable the IIS feature after the install if you do not need this. Also note that this is only installed when the .net 4 runtime is not already installed. It is now installed by default on the newer Windows 8/2012 operating systems.

So regarding Chocolatey itself. Even if your Boxstarter script does not install any Chocolatey packages, your script itself is a Chocolatey package. Chocolatey (and NuGet) provides a lot of the plumbing around installing software, managing dependencies and tracking a local repository of install packages. While it is possible to define Boxstarter scripts like the one you mention that simply installs updates, these represent a minority of most Boxstarter packages. The central Boxstarter use case scenario that inspired me to start the project is the repave scenario and making that as friction free and unobtrusive as possible. Of course, I'd like to make the experience, regardless of what is being installed, the best experience possible. With any "side project", I have to make decisions regarding what I can support now and what I hope to support in the future.

I hope that answers your questions. I really enjoy getting feedback: negative and positive and hearing about reactions of how the experience went for you. Thanks so much for sharing your impressions of Boxstarter.
Mar 18, 2014 at 6:47 AM
Thanks; that's illuminating. I appreciate the time you took to collect, compose, and share your thoughts. And I understand that not all choices are black-and-white.

I do think that there should be more explicit notice of the IIS installation - not just by you/BoxStarter but also by the Chocolatey folks. It took me by surprise. And as a sysadmin I have to say it sent a little thrill of fear down my spine. I have memories of malware passing via unauthorized, undocumented IIS and SQL installs. I know things are better now, but still. Part of the reason for scripting deployments is that we want known, repeatable, well documented deployment practices. So it's scary when the deployment tool itself brings along undocumented hitch-hikers like IIS - which adds significantly to the attack surface of any given system, and in some environments that means a whole new set of auditing checklists must now be worked through.

I feel pretty strongly about this. As a sysadmin I need to know what's happening with the systems I wrangle. And even if I didn't feel strongly about this, I can imagine the complaints of certain other stakeholders. I can imagine how embarrassed I'd be, and how much respect I might lose, when someone else noticed the IIS role I had unwittingly installed!

So to sum up, BoxStarter/Chocolatey should, imho, clearly document all that they will add to any platform they'll run on. And should strive to minimize their footprint where possible.

Do you have any idea of when the next, IIS-free Chocolatey will be available? I see the issue here, but I can't see any hints about when it will be resolved.
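One way to catch a feature that a provisioning run enables as a side effect, as the posts above describe for IIS, is to diff the Windows feature list before and after the run. This is an added example, not part of the original thread and not Boxstarter or Chocolatey code; the function names are hypothetical and the two DISM tables are constructed sample data.

```powershell
# Parse the table printed by "dism.exe /online /get-features /format:table".
function ConvertFrom-DismFeatureTable {
    param([string[]]$Lines)
    $features = @{}
    foreach ($line in $Lines) {
        # Data rows look like "IIS-WebServerRole   | Disabled"; the header and
        # the dashed separator rows do not match this pattern.
        if ($line -match '^\s*([\w\-]+)\s*\|\s*([A-Za-z][A-Za-z ]*?)\s*$') {
            $features[$Matches[1]] = $Matches[2]
        }
    }
    return $features
}

# Emit one object per feature whose state differs between the two snapshots.
function Compare-FeatureSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($name in ($After.Keys | Sort-Object)) {
        $old = if ($Before.ContainsKey($name)) { $Before[$name] } else { '(absent)' }
        if ($old -ne $After[$name]) {
            New-Object PSObject -Property @{ Feature = $name; Before = $old; After = $After[$name] }
        }
    }
}

# Constructed sample snapshots. On a real machine, capture each one from an
# elevated prompt: $lines = dism.exe /online /get-features /format:table
$beforeText = @'
Feature Name                                | State
------------------------------------------- | --------
IIS-WebServerRole                           | Disabled
IIS-WebServer                               | Disabled
IIS-ASPNET                                  | Disabled
TelnetClient                                | Disabled
'@ -split "`r?`n"

$afterText = @'
Feature Name                                | State
------------------------------------------- | --------
IIS-WebServerRole                           | Enabled
IIS-WebServer                               | Enabled
IIS-ASPNET                                  | Enabled
TelnetClient                                | Disabled
'@ -split "`r?`n"

$before = ConvertFrom-DismFeatureTable $beforeText
$after  = ConvertFrom-DismFeatureTable $afterText
Compare-FeatureSnapshot $before $after | Format-Table Feature, Before, After -AutoSize
```

With the sample data the report lists the three IIS features going from Disabled to Enabled and leaves TelnetClient out, which is the record an audit checklist needs before deciding whether to disable the feature again.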
Mar 18, 2014 at 7:16 AM
I can totally appreciate this, Bryan. I can't speak for Chocolatey's next release date, but I have just committed a change to Boxstarter that checks for .net 4 prior to the Chocolatey install and will install the "vanilla" MSI .net 4.5 install if .net 4 is not already on the box. Boxstarter already had been doing this for remote installs so it's literally a 2 line change to do the same for local installs. I imagine this will go live this month.
Marked as answer by BryanLockwood on 3/18/2014 at 1:11 AM
Mar 18, 2014 at 7:35 AM
I should also add that Boxstarter and Chocolatey strive to be very clear on the prerequisites and other items they install. This IIS issue is a clear exception but entirely unintentional, not that that is much justification at all, in fact it might just be more damning that it went unnoticed. I'd also point out that I personally contributed the .net 4 install to Chocolatey so I take responsibility for this. The WebPI installer does not make it obvious that this is happening and I did not notice until late last year that it was enabling this feature along with the initial .net install. Living in the web space, I have IIS enabled on just about everything so having this enabled is always a normal characteristic of my environment. I completely understand that this is very much not desired on many if not most other systems.
Mar 18, 2014 at 8:06 AM
Thanks. All good to hear, and I prefer solutions to blame, so I am glad to see these issues being addressed.