Update containerd to ec15fe95aa.

Signed-off-by: Lantao Liu <lantaol@google.com>

vendor/github.com/containerd/containerd/container.go

@@ -2,7 +2,6 @@ package containerd
 
 import (
 	"context"
-	"encoding/json"
 	"os"
 	"path/filepath"
 	"strings"
@@ -14,6 +13,7 @@ import (
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/typeurl"
 	prototypes "github.com/gogo/protobuf/types"
+	jsoniter "github.com/json-iterator/go"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 )
@@ -115,6 +115,7 @@ func (c *container) Spec(ctx context.Context) (*specs.Spec, error) {
 	if err != nil {
 		return nil, err
 	}
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	var s specs.Spec
 	if err := json.Unmarshal(r.Spec.Value, &s); err != nil {
 		return nil, err

vendor/github.com/containerd/containerd/container_opts_unix.go

@@ -4,7 +4,6 @@ package containerd
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -20,6 +19,7 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/gogo/protobuf/proto"
 	protobuf "github.com/gogo/protobuf/types"
+	jsoniter "github.com/json-iterator/go"
 	digest "github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	"github.com/opencontainers/image-spec/specs-go/v1"
@@ -121,6 +121,7 @@ func decodeIndex(ctx context.Context, store content.Store, id digest.Digest) (*v
 	if err != nil {
 		return nil, err
 	}
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	if err := json.Unmarshal(p, &index); err != nil {
 		return nil, err
 	}

vendor/github.com/containerd/containerd/contrib/seccomp/seccomp.go

@@ -4,12 +4,12 @@ package seccomp
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"io/ioutil"
 
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
+	jsoniter "github.com/json-iterator/go"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -23,6 +23,7 @@ func WithProfile(profile string) oci.SpecOpts {
 		if err != nil {
 			return fmt.Errorf("Cannot load seccomp profile %q: %v", profile, err)
 		}
+		json := jsoniter.ConfigCompatibleWithStandardLibrary
 		if err := json.Unmarshal(f, s.Linux.Seccomp); err != nil {
 			return fmt.Errorf("Decoding seccomp profile failed %q: %v", profile, err)
 		}

vendor/github.com/containerd/containerd/images/image.go

@@ -2,13 +2,14 @@ package images
 
 import (
 	"context"
-	"encoding/json"
+	"strings"
 	"time"
 
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/platforms"
+	jsoniter "github.com/json-iterator/go"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -122,6 +123,7 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
 			return ocispec.Manifest{}, err
 		}
 	}
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 
 	if err := Walk(ctx, HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 		switch desc.MediaType {
@@ -215,6 +217,7 @@ func Config(ctx context.Context, provider content.Provider, image ocispec.Descri
 // Platforms returns one or more platforms supported by the image.
 func Platforms(ctx context.Context, provider content.Provider, image ocispec.Descriptor) ([]ocispec.Platform, error) {
 	var platformSpecs []ocispec.Platform
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	return platformSpecs, Walk(ctx, Handlers(HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 		if desc.Platform != nil {
 			platformSpecs = append(platformSpecs, *desc.Platform)
@@ -285,6 +288,7 @@ func Check(ctx context.Context, provider content.Provider, image ocispec.Descrip
 
 // Children returns the immediate children of content described by the descriptor.
 func Children(ctx context.Context, provider content.Provider, desc ocispec.Descriptor, platform string) ([]ocispec.Descriptor, error) {
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	var descs []ocispec.Descriptor
 	switch desc.MediaType {
 	case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
@@ -353,9 +357,29 @@ func RootFS(ctx context.Context, provider content.Provider, configDesc ocispec.D
 		return nil, err
 	}
 
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	var config ocispec.Image
 	if err := json.Unmarshal(p, &config); err != nil {
 		return nil, err
 	}
 	return config.RootFS.DiffIDs, nil
 }
+
+// IsCompressedDiff returns true if mediaType is a known compressed diff media type.
+// It returns false if the media type is a diff, but not compressed. If the media type
+// is not a known diff type, it returns errdefs.ErrNotImplemented
+func IsCompressedDiff(ctx context.Context, mediaType string) (bool, error) {
+	switch mediaType {
+	case ocispec.MediaTypeImageLayer, MediaTypeDockerSchema2Layer:
+	case ocispec.MediaTypeImageLayerGzip, MediaTypeDockerSchema2LayerGzip:
+		return true, nil
+	default:
+		// Still apply all generic media types *.tar[.+]gzip and *.tar
+		if strings.HasSuffix(mediaType, ".tar.gzip") || strings.HasSuffix(mediaType, ".tar+gzip") {
+			return true, nil
+		} else if !strings.HasSuffix(mediaType, ".tar") {
+			return false, errdefs.ErrNotImplemented
+		}
+	}
+	return false, nil
+}

vendor/github.com/containerd/containerd/mount/mount_windows.go

@@ -1,6 +1,13 @@
 package mount
 
-import "github.com/pkg/errors"
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/Microsoft/hcsshim"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/pkg/errors"
+)
 
 var (
 	// ErrNotImplementOnWindows is returned when an action is not implemented for windows
@@ -9,15 +16,71 @@ var (
 
 // Mount to the provided target
 func (m *Mount) Mount(target string) error {
-	return ErrNotImplementOnWindows
+	home, layerID := filepath.Split(m.Source)
+
+	parentLayerPaths, err := m.GetParentPaths()
+	if err != nil {
+		return err
+	}
+
+	var di = hcsshim.DriverInfo{
+		HomeDir: home,
+	}
+
+	if err = hcsshim.ActivateLayer(di, layerID); err != nil {
+		return errors.Wrapf(err, "failed to activate layer %s", m.Source)
+	}
+	defer func() {
+		if err != nil {
+			hcsshim.DeactivateLayer(di, layerID)
+		}
+	}()
+
+	if err = hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {
+		return errors.Wrapf(err, "failed to prepare layer %s", m.Source)
+	}
+	return nil
+}
+
+// ParentLayerPathsFlag is the options flag used to represent the JSON encoded
+// list of parent layers required to use the layer
+const ParentLayerPathsFlag = "parentLayerPaths="
+
+// GetParentPaths of the mount
+func (m *Mount) GetParentPaths() ([]string, error) {
+	var parentLayerPaths []string
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
+	for _, option := range m.Options {
+		if strings.HasPrefix(option, ParentLayerPathsFlag) {
+			err := json.Unmarshal([]byte(option[len(ParentLayerPathsFlag):]), &parentLayerPaths)
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to unmarshal parent layer paths from mount")
+			}
+		}
+	}
+	return parentLayerPaths, nil
 }
 
 // Unmount the mount at the provided path
 func Unmount(mount string, flags int) error {
-	return ErrNotImplementOnWindows
+	var (
+		home, layerID = filepath.Split(mount)
+		di            = hcsshim.DriverInfo{
+			HomeDir: home,
+		}
+	)
+
+	if err := hcsshim.UnprepareLayer(di, layerID); err != nil {
+		return errors.Wrapf(err, "failed to unprepare layer %s", mount)
+	}
+	if err := hcsshim.DeactivateLayer(di, layerID); err != nil {
+		return errors.Wrapf(err, "failed to deactivate layer %s", mount)
+	}
+
+	return nil
 }
 
-// UnmountAll mounts at the provided path
+// UnmountAll unmounts from the provided path
 func UnmountAll(mount string, flags int) error {
-	return ErrNotImplementOnWindows
+	return Unmount(mount, flags)
 }

vendor/github.com/containerd/containerd/oci/spec_opts_unix.go

@@ -4,7 +4,6 @@ package oci
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -17,10 +16,12 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/namespaces"
+	jsoniter "github.com/json-iterator/go"
 	"github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/runc/libcontainer/user"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"github.com/syndtr/gocapability/capability"
 )
 
 // WithTTY sets the information on the spec as well as the environment variables for
@@ -65,6 +66,7 @@ func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts {
 // WithImageConfig configures the spec to from the configuration of an Image
 func WithImageConfig(image Image) SpecOpts {
 	return func(ctx context.Context, client Client, c *containers.Container, s *specs.Spec) error {
+		json := jsoniter.ConfigCompatibleWithStandardLibrary
 		ic, err := image.Config(ctx)
 		if err != nil {
 			return err
@@ -346,6 +348,34 @@ func WithUsername(username string) SpecOpts {
 	}
 }
 
+// WithAllCapabilities set all linux capabilities for the process
+func WithAllCapabilities(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+	caps := getAllCapabilities()
+
+	s.Process.Capabilities.Bounding = caps
+	s.Process.Capabilities.Effective = caps
+	s.Process.Capabilities.Permitted = caps
+	s.Process.Capabilities.Inheritable = caps
+
+	return nil
+}
+
+func getAllCapabilities() []string {
+	last := capability.CAP_LAST_CAP
+	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
+	}
+	var caps []string
+	for _, cap := range capability.List() {
+		if cap > last {
+			continue
+		}
+		caps = append(caps, "CAP_"+strings.ToUpper(cap.String()))
+	}
+	return caps
+}
+
 var errNoUsersFound = errors.New("no users found")
 
 func getUIDGIDFromPath(root string, filter func(user.User) bool) (uid, gid uint32, err error) {

vendor/github.com/containerd/containerd/oci/spec_opts_windows.go

@@ -4,12 +4,12 @@ package oci
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/images"
+	jsoniter "github.com/json-iterator/go"
 	"github.com/opencontainers/image-spec/specs-go/v1"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -24,6 +24,7 @@ func WithImageConfig(image Image) SpecOpts {
 		var (
 			ociimage v1.Image
 			config   v1.ImageConfig
+			json     = jsoniter.ConfigCompatibleWithStandardLibrary
 		)
 		switch ic.MediaType {
 		case v1.MediaTypeImageConfig, images.MediaTypeDockerSchema2Config:

vendor/github.com/containerd/containerd/remotes/docker/resolver.go

@@ -136,6 +136,9 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 		log.G(ctx).Debug("resolving")
 		resp, err := fetcher.doRequestWithRetries(ctx, req, nil)
 		if err != nil {
+			if errors.Cause(err) == ErrInvalidAuthorization {
+				err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization")
+			}
 			return "", ocispec.Descriptor{}, err
 		}
 		resp.Body.Close() // don't care about body contents.

vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go

@@ -5,7 +5,6 @@ import (
 	"compress/gzip"
 	"context"
 	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -21,6 +20,7 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/remotes"
+	jsoniter "github.com/json-iterator/go"
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -110,6 +110,7 @@ func (c *Converter) Convert(ctx context.Context) (ocispec.Descriptor, error) {
 		return ocispec.Descriptor{}, errors.Wrap(err, "schema 1 conversion failed")
 	}
 
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	var img ocispec.Image
 	if err := json.Unmarshal([]byte(c.pulledManifest.History[0].V1Compatibility), &img); err != nil {
 		return ocispec.Descriptor{}, errors.Wrap(err, "failed to unmarshal image from schema 1 history")
@@ -194,6 +195,7 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
 		return err
 	}
 
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	var m manifest
 	if err := json.Unmarshal(b, &m); err != nil {
 		return err
@@ -316,6 +318,7 @@ func (c *Converter) schema1ManifestHistory() ([]ocispec.History, []digest.Digest
 		return nil, nil, errors.New("no history")
 	}
 
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	history := make([]ocispec.History, len(m.History))
 	diffIDs := []digest.Digest{}
 	for i := range m.History {
@@ -373,6 +376,7 @@ type v1History struct {
 // empty layer. A return value of true indicates the layer is empty,
 // however false does not indicate non-empty.
 func isEmptyLayer(compatHistory []byte) (bool, error) {
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	var h v1History
 	if err := json.Unmarshal(compatHistory, &h); err != nil {
 		return false, err
@@ -422,6 +426,7 @@ func joseBase64UrlDecode(s string) ([]byte, error) {
 }
 
 func stripSignature(b []byte) ([]byte, error) {
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	var sig signature
 	if err := json.Unmarshal(b, &sig); err != nil {
 		return nil, err

vendor/github.com/containerd/containerd/sys/filesys_unix.go

@@ -0,0 +1,10 @@
+// +build !windows
+
+package sys
+
+import "os"
+
+// ForceRemoveAll on unix is just a wrapper for os.RemoveAll
+func ForceRemoveAll(path string) error {
+	return os.RemoveAll(path)
+}

vendor/github.com/containerd/containerd/sys/filesys_windows.go

@@ -11,6 +11,7 @@ import (
 	"unsafe"
 
 	winio "github.com/Microsoft/go-winio"
+	"github.com/Microsoft/hcsshim"
 )
 
 // MkdirAllWithACL is a wrapper for MkdirAll that creates a directory
@@ -234,3 +235,13 @@ func syscallOpenSequential(path string, mode int, _ uint32) (fd syscall.Handle,
 	h, e := syscall.CreateFile(pathp, access, sharemode, sa, createmode, fileFlagSequentialScan, 0)
 	return h, e
 }
+
+// ForceRemoveAll is the same as os.RemoveAll, but uses hcsshim.DestroyLayer in order
+// to delete container layers.
+func ForceRemoveAll(path string) error {
+	info := hcsshim.DriverInfo{
+		HomeDir: filepath.Dir(path),
+	}
+
+	return hcsshim.DestroyLayer(info, filepath.Base(path))
+}

vendor/github.com/containerd/containerd/vendor.conf

@@ -1,5 +1,5 @@
 github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6
-github.com/containerd/go-runc ed1cbe1fc31f5fb2359d3a54b6330d1a097858b7
+github.com/containerd/go-runc 4f6e87ae043f859a38255247b49c9abc262d002f
 github.com/containerd/console 84eeaae905fa414d03e07bcd6c8d3f19e7cf180e
 github.com/containerd/cgroups 29da22c6171a4316169f9205ab6c49f59b5b852f
 github.com/containerd/typeurl f6943554a7e7e88b3c14aad190bf05932da84788
@@ -41,3 +41,5 @@ google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
 github.com/dmcgowan/go-tar go1.10
 github.com/stevvooe/ttrpc d2710463e497617f16f26d1e715a3308609e7982
+github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
+github.com/json-iterator/go 1.0.4