
install in Windows-Sandbox

Open dpprdan opened this issue 3 years ago • 17 comments

Description of the new feature / enhancement

Add a new CLI option for installing packages into Windows Sandbox, e.g. via winget test <manifest>/winget sandbox <manifest> or winget install --sandbox <manifest>.

Note that this was already proposed in #253, but I cannot retrace why it was "only" implemented as a PowerShell script and not natively into winget. Pinging @felipecrs, who might be interested in implementing this?

This would allow users to install/try applications in the Windows Sandbox directly from winget, without having to download/git clone the winget-pkgs repo.

UPDATE: Note that my request goes beyond verification/validation of manifests, but to have full winget functionality in the Windows Sandbox, plus being able to spin it up from the host machine and install the desired application with winget.

I use the SandboxTest.ps1 quite frequently, for example when I want to install a different version than I have installed locally or when I want to have a clean environment. It would be even better if I could tell someone "run winget install --sandbox <manifest of your application> to reproduce".

I am not sure if this has any overlap with #386.

Proposed technical implementation details

This would incorporate the functionality of SandboxTest.ps1, but natively in winget. That would make it possible to easily install applications from remote sources (msstore, winget-pkgs, etc.) as well.

IMHO winget install --sandbox <manifest> would be preferable, since we probably want "Install this manifest, just do it in the Windows-Sandbox". I don't know, however, if all winget install arguments would be applicable to a sandbox install as well.

dpprdan avatar Apr 11 '22 13:04 dpprdan

I find it neat, indeed. But I'm not so sure if it is worth it.

The bar is lower for contributing a PowerShell script in a repository that will only get accessed by developers who clone it if compared to this repository.

If it were to be included in the winget-cli source code, I suspect we would need to spend many more cycles to make the code production-ready (we are talking about delivering it to any Windows 10/11 device out there). One example is internationalization.

Edit: I suspect this is also the reason why wingetcreate is developed as a separate project.

But anyway, I'm saying this as my opinion only. I would be happy to see it in winget-cli as well.

> Pinging @felipecrs, who might be interested in implementing this?

I am not interested... but that does not change much, as I know very little about C# anyway.

felipecrs avatar Apr 11 '22 13:04 felipecrs

I would also add that not every device supports the windows sandbox. Given that winget is supported on Win10 Home edition, it could be very confusing for someone to think that the option was available but then find they don’t meet the requirements to enable the sandbox. Given that developers are more likely to read into the documentation, having the script is good enough in my opinion.

There are also other challenges to running winget in the sandbox, such as ensuring that VCLibs and the XamlLibs are installed; this is relatively easy to do with a PowerShell script, but for the client to do this would involve more downloading and copying of files, unless it were to only download the application and provide it as a file available to the sandbox and not install winget inside the sandbox. This would mean that users should be informed that additional dependencies would be downloaded, which may cause some users security concerns.

For a majority of users, I don't believe there is a business case that makes sense to integrate directly with the sandbox for installation.

Trenly avatar Apr 11 '22 14:04 Trenly

> not every device supports the windows sandbox

I'd be surprised if that couldn't be queried easily on winget startup.

As for the business case:

> Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview

> The winget command line tool enables users to discover, install, upgrade, remove and configure applications on Windows 10 and Windows 11 computers. https://docs.microsoft.com/en-us/windows/package-manager/winget/

Those are literally the first sentences on those two pages. "run applications" and "install (etc.) applications" sounds like those two should definitely work together. Actually I'd find it pretty weird if the Windows Package Manager wouldn't be integrated in the Windows Sandbox.

dpprdan avatar Apr 11 '22 16:04 dpprdan

I think this is probably better in wingetcreate:

  • microsoft/winget-create/issues/98

I see the use case of verification/validation in Sandbox more applies there.

Running in a sandbox as opposed to the OS is an interesting scenario to consider. I'll leave this one open to see if it gets any traction (as in more 👍).

denelon avatar Apr 11 '22 19:04 denelon

@denelon Thanks! I see this as going beyond "just" verification/validation of manifests, namely to "discover, install, upgrade, remove and configure applications" in the sandbox for whatever reason. In my case this has mostly been debugging, but I am sure there are other use-cases as well.

Having winget available within the sandbox when it is installed on the host machine would already go a long way (is it on Win11? it definitely isn't on my Win10). Being able to spin up the sandbox from winget on the host machine (like SandboxTest.ps1 does) would be even better.

dpprdan avatar Apr 12 '22 08:04 dpprdan

I wanted to test an automated installation script in Windows Sandbox and introduce winget for some dependencies. I found that winget is not available in the sandbox. I don't know of other implications, e. g. Microsoft Store is also not available there as well.

As it was mentioned before: The purpose of the sandbox is to run apps in isolation, and the ability to automate installation of apps using winget is a perfect fit.

calle2010 avatar May 18 '22 12:05 calle2010

@calle2010 you can definitely leverage the SandboxTest.ps1, as it allows you to run any other script.

felipecrs avatar May 18 '22 13:05 felipecrs

Yes, I did that now. I had to adapt it, though, because e. g. I need other settings in the WSB file. I still believe it should be easier to use winget in Windows Sandbox.

calle2010 avatar May 18 '22 15:05 calle2010
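
An added example, not part of the thread and not code from SandboxTest.ps1 or winget-cli: a host-side launcher that covers the two points raised above, checking that Windows Sandbox is present before use and writing a custom WSB file. The folder, script name and the choice of settings are assumptions; the host folder is mapped read-only because the sandbox account is an administrator inside the sandbox.

```powershell
# Added example. $WorkDir and $Script are hypothetical names; adjust to your setup.
param(
    [string]$WorkDir = (Join-Path $env:TEMP 'wsb-work'),  # host folder shared with the sandbox
    [string]$Script  = 'setup.ps1'                        # script inside $WorkDir to run at logon
)

# Windows Sandbox is an optional feature and is not offered on Home editions,
# so look for the launcher instead of assuming it exists.
$launcher = Get-Command 'WindowsSandbox.exe' -ErrorAction SilentlyContinue
if (-not $launcher) {
    Write-Error 'Windows Sandbox is not enabled on this device.'
    exit 1
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$sandboxDir = 'C:\Users\WDAGUtilityAccount\Desktop\work'

# Escape the host path so characters such as '&' do not break the XML.
$hostXml = [System.Security.SecurityElement]::Escape($WorkDir)

# Networking is left at its default because an install script has to download
# packages. Clipboard sharing is off and the mapped folder is read-only, so
# nothing running in the sandbox can write back into the host folder.
$wsb = @"
<Configuration>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostXml</HostFolder>
      <SandboxFolder>$sandboxDir</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File "$sandboxDir\$Script"</Command>
  </LogonCommand>
</Configuration>
"@

# Keep the WSB file outside the shared folder, then start the sandbox with it.
$wsbPath = Join-Path $env:TEMP 'wsb-work.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
Start-Process -FilePath $launcher.Source -ArgumentList "`"$wsbPath`""
```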

If anyone wants to permanently install WinGet (don't want to install every time sandbox starts), they can use this gist made by one of the moderators of community repo: https://gist.github.com/Trenly/3e8ba9a9498c6cc12a9bb25e4179a98c

It will modify the sandbox's base image which the sandbox launches on start-up.

vedantmgoyal9 avatar May 18 '22 15:05 vedantmgoyal9

This should be a no-brainer. I expected it to be there already and got heavily disappointed.

Slluxx avatar Feb 18 '23 13:02 Slluxx

I used the new DSC Resource for configuring the Windows Sandbox in:

  • https://github.com/microsoft/winget-cli/issues/3887

I uploaded the files to that issue in a .zip.

We are working on samples and better documentation to be added to https://aka.ms/dsc.yaml.

denelon avatar Nov 14 '23 22:11 denelon

@denelon now that we can install winget using DSC, we can close this issue?

vedantmgoyal9 avatar Mar 12 '24 17:03 vedantmgoyal9

@vedantmgoyal9 "can install winget using DSC" doesn't mean that winget is available in the sandbox after a "normal" winget install, does it? AFAIU DSC is a feature for developers (i.e. not all users) and requires additional install or configuration steps from the user.

What I meant with this issue is that winget is available in the sandbox on a default windows install (assuming that winget and sandbox are installed, of course).

> This would allow users to install/try applications in the Windows Sandbox directly from winget, without having to ~~download/git clone the winget-pkgs repo~~

... fuss with additional setup steps.

So being able to install winget using DSC does not solve this issue completely, as far as I am concerned (unless I am missing something?). If that's the best we can/want to do ATM, then that's fine, of course, but it does not solve it the way I meant.

dpprdan avatar Mar 13 '24 08:03 dpprdan

I've reached out to the Windows Sandbox team with several requests. I don't have timelines for these, but I thought I'd share a few:

  • Include App Installer from Host OS
  • Ability to increase disk size for Sandbox
  • Ability to pass a configuration file to the sandbox

denelon avatar Mar 13 '24 16:03 denelon

There are some additional caveats with the Sandbox since the default WDAGUtilityAccount is an administrator when it comes to having something like an argument to specify installing the package directly in the Windows Sandbox from the host OS. I do like where this is going though. I've found the ephemeral and isolated nature of the Windows Sandbox to be very useful from a WinGet Configuration validation scenario as well as a quick way to test a package out without installing it on my daily driver.

denelon avatar Mar 13 '24 16:03 denelon

I hope we don't have to manually install WinGet. It should be available by default, without us needing to modify anything.

Slluxx avatar Mar 13 '24 16:03 Slluxx

I'm here because I use sandbox daily for testing things. Today I wanted to use winget to deploy something and was pleased to find it should be on all recent versions of Windows 10 and 11. I was not pleased to find that it doesn't work in sandbox without additional setup.

ScottBeeson avatar Apr 10 '24 17:04 ScottBeeson