Service does not start on Windows with OpenJDK (update to procrun 1.5.1)

[reta]

Description

Service does not start on Windows with OpenJDK (update to procrun 1.5.1).

It took me a while to figure out what is going on, the service and manager are coming from https://commons.apache.org/proper/commons-daemon/procrun.html project. The latest distribution is 1.5.1, the binaries are coming from https://archive.apache.org/dist/commons/daemon/binaries/windows/

Tested on local Windows box, the service is fully operational.

Related Issues

Closes #19141

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

A changelog entry was added to document a bug fix for OpenSearch 3.x where the service failed to start on Windows with Adoptium OpenJDK due to the -javaagent option in jvm.options.

Changes

Cohort / File(s)	Summary
Changelog Update CHANGELOG.md	Added Fixed entry documenting resolution of Windows OpenJDK service startup issue in Unreleased 3.x section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (10 files): 🗑️ distribution/src/bin/opensearch-service-mgr.exe (delete-modify) ⚔️ distribution/src/bin/opensearch-service-x64.exe (content) ⚔️ plugins/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/ServerConfig.java (content) ⚔️ plugins/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/transport/FlightStreamPlugin.java (content) ⚔️ plugins/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/transport/FlightTransport.java (content) ⚔️ plugins/arrow-flight-rpc/src/test/java/org/opensearch/arrow/flight/bootstrap/ServerConfigTests.java (content) ⚔️ server/src/main/java/org/opensearch/common/settings/FeatureFlagSettings.java (content) ⚔️ server/src/main/java/org/opensearch/common/util/FeatureFlags.java (content) ⚔️ server/src/main/java/org/opensearch/index/shard/IndexShard.java (content) ⚔️ server/src/main/java/org/opensearch/node/Node.java (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: addressing the Windows service startup issue with OpenJDK through a procrun version update.
Linked Issues check	✅ Passed	The PR title and description indicate an update to procrun 1.5.1 to fix the Windows startup issue, which addresses the core requirement in issue #19141.
Out of Scope Changes check	✅ Passed	The PR only adds a CHANGELOG.md entry documenting the fix; no code changes are made, keeping the scope aligned with the issue objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description follows the required template structure with all essential sections completed: Description explains the change (procrun 1.5.1 update), Related Issues references the closed issue, and Apache 2.0 license confirmation is included.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[peterzhuamazon]

Hi @reta not getting why this would fix the issue?
What are these two pre-build binaries that we add here?

Thanks.

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit a4ee1eb.

Path	Line	Severity	Description
distribution/src/bin/opensearch-service-x64.exe	0	critical	Binary executable modified without visible source changes. This Windows service binary runs with elevated privileges and cannot be code-reviewed. Common supply chain attack vector - binary could contain backdoors, malware, or data exfiltration code. Requires verification of binary integrity, source code for changes, and build provenance.
distribution/src/bin/opensearch-service-mgr.exe	0	critical	Binary executable modified without visible source changes. Service management executable with potential SYSTEM-level access modified opaquely. No corresponding source code changes visible in diff. Requires hash verification, detailed explanation of changes, and confirmation binaries are built from trusted, auditable sources.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 2 | High: 0 | Medium: 0 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[cwperks]

@reta how were the updates to the exe files created?

In many repos we have tests that run on Windows so I'm also curious why those tests may have not caught the issue.

[reta]

Thanks @cwperks @peterzhuamazon

@reta how were the updates to the exe files created?

It took me a while to figure out what is going on, the service and manager are coming from https://commons.apache.org/proper/commons-daemon/procrun.html project. The latest distribution is 1.5.1, the binaries are coming from https://archive.apache.org/dist/commons/daemon/binaries/windows/

In many repos we have tests that run on Windows so I'm also curious why those tests may have not caught the issue.

So this is a bit more difficult, we used to have full suite of packaging tests (see please #538) but we don't run them anymore. Essentially those will spin up a full VM (using vagrant and do full msi/rpm/deb) installation. What has to be done here:

• Windows box with admin access
• OpenSearch distribution
• Download OpenSearch distribution, install Windows service, run the service
• Check OpenSearch is up

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit a4ee1eb.

Path	Line	Severity	Description
distribution/src/bin/opensearch-service-mgr.exe	1	critical	Binary executable modified without corresponding source code changes. Cannot verify contents through code review. Windows service manager executables are high-value targets for backdoors and supply chain attacks. Requires verification: hash comparison with official builds, binary analysis, or rebuild from source.
distribution/src/bin/opensearch-service-x64.exe	1	critical	Binary executable modified without visible source changes. x64 service executable runs with elevated privileges on Windows systems. No way to verify legitimacy through diff review. Classic supply chain attack vector. Must verify against known-good binaries or rebuild from trusted source code.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 2 | High: 0 | Medium: 0 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[reta]

Hi @reta not getting why this would fix the issue?

@peterzhuamazon Those are new runners, the ones we use are 5+ years old

[github-actions]

❌ Gradle check result for 91e38dd: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 91e38dd: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for 91e38dd: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.19%. Comparing base (ed7e0c5) to head (91e38dd).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20615      +/-   ##
============================================
- Coverage     73.32%   73.19%   -0.13%     
+ Complexity    72200    71922     -278     
============================================
  Files          5798     5781      -17     
  Lines        329835   329200     -635     
  Branches      47545    47491      -54     
============================================
- Hits         241844   240967     -877     
- Misses        68639    68963     +324     
+ Partials      19352    19270      -82     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.