[packaging] proxy binary to be for the root dir of windows archive

[pkoutsovasilis]

What does this PR do?

This PR introduces a Windows-specific proxy binary (elastic-agent-archive-root.exe) that is placed at the root of the Elastic Agent .zip archive. The proxy acts as a thin wrapper that forwards execution to the actual agent binary located under the data/elastic-agent-{commit-sha} directory.

The proxy is built during the packaging step using a new Mage target (WindowsArchiveRootBinary), and replaces the duplicated agent binary that previously resided in the archive root due to lack of symlink support in .zip archives. This approach mimics the behavior seen on other platforms like Linux/macOS, where the root-level agent is a symlink into the versioned binary path.

This change avoids the need to duplicate the agent binary in the archive, reducing both the archive size and post-extraction disk footprint.

Why is it important?

The Windows .zip archive currently includes a full copy of the elastic-agent.exe binary at the root of the archive due to the lack of symlink support in the zip format. This duplication, increases the download size and disk footprint unnecessarily

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Disruptive User Impact

There should be no disruptive user impact. The proxy binary is fully backward-compatible with existing workflows that invoke the elastic-agent.exe binary from the root of the archive on Windows. Users should not notice any difference in behavior.

How to test this PR locally

1. Package the windows archive

   PACKAGES=zip EXTERNAL=true PLATFORMS=windows/amd64 SNAPSHOT=true mage -v package
   

2. Unzip the resulting .zip file and verify that:

• The root elastic-agent.exe is a lightweight proxy (~2MB instead of 260MB+)
• The actual binary lives under data/elastic-agent-/elastic-agent.exe
• Running the root elastic-agent.exe launches the nested agent as expected

Related issues

• Closes [Windows] Shrink the disk footprint of the .zip package by including only one copy of elastic-agent.exe #7592

Manual Testing

1. DRA dry-run here and artifacts are produced successfully (link) (ty @pchila 🙏 )
2. With the windows artifact from the above I directly installed a fleet-managed and agent got installed fine and reported healthy
3. I installed a standalone agent at the version v8.17.4. Then again from the windows artifact of the above DRA I did an upgrade and this was successful

[mergify]

This pull request does not have a backport label. Could you fix it @pkoutsovasilis? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 159b7b6

History

• 💔 Build #19280 failed a6aa52b

cc @pkoutsovasilis

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[pchila]

A couple of nitpicks, nothing blocking
Good to merge.

[ebeahan]

I'm unsure about introducing a top level dir named hack 😅

[pkoutsovasilis]

I'm unsure about introducing a top level dir named hack 😅

😄 I am not afraid to admit that choosing where this would live was kinda of puzzle, but then I recalled this one and it seemed appropriate to me. That said, more than happy to accept more "appropriate" proposals

[swiatekm]

LGTM, comment not blocking.

[ebeahan]

more than happy to accept more "appropriate" proposals.

I don't have strong feelings about using hack, but I worry it could be seen and taken out of context.

wrapper(s)? If we think it's something we might address different in the future (famous words): interim?

[cmacknz]

ok so if my understanding is correct remove os.Stat entirely and allow the error from command.Start() to be raised instead?

Try this and see if the error is clearer. The way I tested this was to rename the data sub-directory to something else then run ./elastic-agent.exe install for reference to check what the command did.

[cmacknz]

Something we changed is making Defender want to scan us before executing. That didn't happen the first time. My bet is it was the event log change. That's not worth this so I'd vote we pull that out.

[cmacknz]

(there is a chance this is unrelated but I am no MS Defender whisperer)

[pkoutsovasilis]

(there is a chance this is unrelated but I am no MS Defender whisperer)

hmmm I did get one similar notification but I assumed that windows defender just decided to wake up 🙂 ok better safe than sorry removing the eventlog

[cmacknz]

I can confirm writing to the event log does work, and doesn't happen when not running as an admin as expected.

[cmacknz]

Yeah that's the first time I've ever seen defender pop up like that so I think we must have done something to cause it.

[pkoutsovasilis]

ok reverted back to the initial log implementation but removed the timestamp inconsistency 🙂

[cmacknz]

Tested latest changes again, still works. Curiously I got the Defender pop up again so it wasn't the event log. There seems to be no consequences to this as far as I can tell and I have no idea what is actually causing it. Perhaps the os.Stat implicitly doing CreateFile was part of it? Not sure how much we want to churn on this. I'm not sure we even did anything to cause this TBH.

[elastic-sonarqube]

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 40%)

See analysis details on SonarQube

[cmacknz]

https://support.microsoft.com/en-us/topic/what-is-a-cloud-security-scan-75112696-7660-4450-9194-d717f72a8ad8

There is a chance the defender pop up goes away once we test a version of the file that is properly signed as part of the unified release.

[cmacknz]

LGTM, we should probably include a changelog if the disk size is smaller than 8.17 noting how much this saved (if not, we don't need to highlight how much bigger it got)

[pkoutsovasilis]

LGTM, we should probably include a changelog if the disk size is smaller than 8.17 noting how much this saved (if not, we don't need to highlight how much bigger it got)

So I did a quick comparison we are producing a ~ 50 MB larger archive compared to 8.17 🙂 But no more explosion when you decompress

[blakerouse]

CI passed, looks good!

[pkoutsovasilis]

@ebeahan should we merge this? 🙂