Update hcsshim tag to v0.10.0-rc.9

Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>

vendor/github.com/Microsoft/hcsshim/.gitignore

@@ -37,6 +37,10 @@ rootfs-conv/*
 deps/*
 out/*
 
+# protobuf files
+# only files at root of the repo, otherwise this will cause issues with vendoring
+/protobuf/*
+
 # test results
 test/results
 

vendor/github.com/Microsoft/hcsshim/.golangci.yml

@@ -135,3 +135,9 @@ issues:
       linters:
         - stylecheck
       Text: "ST1003:"
+    
+    # v0 APIs are deprecated, but still retained for backwards compatability
+    - path: cmd\\ncproxy\\
+      linters:
+        - staticcheck
+      text: "^SA1019: (ncproxygrpcv0|nodenetsvcV0)"

vendor/github.com/Microsoft/hcsshim/Makefile

@@ -94,23 +94,9 @@ out/delta.tar.gz: bin/init bin/vsockexec bin/cmd/gcs bin/cmd/gcstools bin/cmd/ho
 	tar -zcf $@ -C rootfs .
 	rm -rf rootfs
 
--include deps/cmd/gcs.gomake
--include deps/cmd/gcstools.gomake
--include deps/cmd/hooks/wait-paths.gomake
--include deps/cmd/tar2ext4.gomake
--include deps/internal/tools/snp-report.gomake
-
-# Implicit rule for includes that define Go targets.
-%.gomake: $(SRCROOT)/Makefile
+bin/cmd/gcs bin/cmd/gcstools bin/cmd/hooks/wait-paths bin/cmd/tar2ext4 bin/internal/tools/snp-report:
 	@mkdir -p $(dir $@)
-	@/bin/echo $(@:deps/%.gomake=bin/%): $(SRCROOT)/hack/gomakedeps.sh > $@.new
-	@/bin/echo -e '\t@mkdir -p $$(dir $$@) $(dir $@)' >> $@.new
-	@/bin/echo -e '\t$$(GO_BUILD) -o $$@.new $$(SRCROOT)/$$(@:bin/%=%)' >> $@.new
-	@/bin/echo -e '\tGO="$(GO)" $$(SRCROOT)/hack/gomakedeps.sh $$@ $$(SRCROOT)/$$(@:bin/%=%) $$(GO_FLAGS) $$(GO_FLAGS_EXTRA) > $(@:%.gomake=%.godeps).new' >> $@.new
-	@/bin/echo -e '\tmv $(@:%.gomake=%.godeps).new $(@:%.gomake=%.godeps)' >> $@.new
-	@/bin/echo -e '\tmv $$@.new $$@' >> $@.new
-	@/bin/echo -e '-include $(@:%.gomake=%.godeps)' >> $@.new
-	mv $@.new $@
+	GOOS=linux $(GO_BUILD) -o $@ $(SRCROOT)/$(@:bin/%=%)
 
 bin/vsockexec: vsockexec/vsockexec.o vsockexec/vsock.o
 	@mkdir -p bin

vendor/github.com/Microsoft/hcsshim/Protobuild.toml

@@ -9,6 +9,10 @@ plugins = ["grpc", "fieldpath"]
   # treat the root of the project as an include, but this may not be necessary.
   before = ["./protobuf"]
 
+  # defaults are "/usr/local/include" and "/usr/include", which don't exist on Windows.
+  # override defaults to supress errors about non-existant directories.
+  after = []
+
   # Paths that should be treated as include roots in relation to the vendor
   # directory. These will be calculated with the vendor directory nearest the
   # target package.

vendor/github.com/Microsoft/hcsshim/ext4/dmverity/dmverity.go

@@ -178,29 +178,35 @@ func ReadDMVerityInfo(vhdPath string, offsetInBytes int64) (*VerityInfo, error)
 		return nil, errors.Errorf("failed to seek dm-verity super block: expected bytes=%d, actual=%d", offsetInBytes, s)
 	}
 
+	return ReadDMVerityInfoReader(vhd)
+}
+
+func ReadDMVerityInfoReader(r io.Reader) (*VerityInfo, error) {
 	block := make([]byte, blockSize)
-	if s, err := vhd.Read(block); err != nil || s != blockSize {
+	if s, err := r.Read(block); err != nil || s != blockSize {
 		if err != nil {
-			return nil, errors.Wrapf(err, "%s", ErrSuperBlockReadFailure)
+			return nil, fmt.Errorf("%s: %w", ErrSuperBlockReadFailure, err)
 		}
-		return nil, errors.Wrapf(ErrSuperBlockReadFailure, "unexpected bytes read: expected=%d, actual=%d", blockSize, s)
+		return nil, fmt.Errorf("unexpected bytes read expected=%d actual=%d: %w", blockSize, s, ErrSuperBlockReadFailure)
 	}
 
 	dmvSB := &dmveritySuperblock{}
 	b := bytes.NewBuffer(block)
 	if err := binary.Read(b, binary.LittleEndian, dmvSB); err != nil {
-		return nil, errors.Wrapf(err, "%s", ErrSuperBlockParseFailure)
+		return nil, fmt.Errorf("%s: %w", ErrSuperBlockParseFailure, err)
 	}
+
 	if string(bytes.Trim(dmvSB.Signature[:], "\x00")[:]) != VeritySignature {
 		return nil, ErrNotVeritySuperBlock
 	}
-	// read the merkle tree root
-	if s, err := vhd.Read(block); err != nil || s != blockSize {
+
+	if s, err := r.Read(block); err != nil || s != blockSize {
 		if err != nil {
-			return nil, errors.Wrapf(err, "%s", ErrRootHashReadFailure)
+			return nil, fmt.Errorf("%s: %w", ErrRootHashReadFailure, err)
 		}
-		return nil, errors.Wrapf(ErrRootHashReadFailure, "unexpected bytes read: expected=%d, actual=%d", blockSize, s)
+		return nil, fmt.Errorf("unexpected bytes read expected=%d, actual=%d: %w", blockSize, s, ErrRootHashReadFailure)
 	}
+
 	rootHash := hash2(dmvSB.Salt[:dmvSB.SaltSize], block)
 	return &VerityInfo{
 		RootDigest:         fmt.Sprintf("%x", rootHash),
@@ -215,12 +221,21 @@ func ReadDMVerityInfo(vhdPath string, offsetInBytes int64) (*VerityInfo, error)
 	}, nil
 }
 
-// ComputeAndWriteHashDevice builds merkle tree from a given io.ReadSeeker and writes the result
-// hash device (dm-verity super-block combined with merkle tree) to io.WriteSeeker.
-func ComputeAndWriteHashDevice(r io.ReadSeeker, w io.WriteSeeker) error {
+// ComputeAndWriteHashDevice builds merkle tree from a given io.ReadSeeker and
+// writes the result hash device (dm-verity super-block combined with merkle
+// tree) to io.Writer.
+func ComputeAndWriteHashDevice(r io.ReadSeeker, w io.Writer) error {
+	// save current reader position
+	currBytePos, err := r.Seek(0, io.SeekCurrent)
+	if err != nil {
+		return err
+	}
+
+	// reset to the beginning to find the device size
 	if _, err := r.Seek(0, io.SeekStart); err != nil {
 		return err
 	}
+
 	tree, err := MerkleTree(r)
 	if err != nil {
 		return errors.Wrap(err, "failed to build merkle tree")
@@ -230,10 +245,13 @@ func ComputeAndWriteHashDevice(r io.ReadSeeker, w io.WriteSeeker) error {
 	if err != nil {
 		return err
 	}
-	dmVeritySB := NewDMVeritySuperblock(uint64(devSize))
-	if _, err := w.Seek(0, io.SeekEnd); err != nil {
+
+	// reset reader to initial position
+	if _, err := r.Seek(currBytePos, io.SeekStart); err != nil {
 		return err
 	}
+
+	dmVeritySB := NewDMVeritySuperblock(uint64(devSize))
 	if err := binary.Write(w, binary.LittleEndian, dmVeritySB); err != nil {
 		return errors.Wrap(err, "failed to write dm-verity super-block")
 	}

vendor/github.com/Microsoft/hcsshim/ext4/tar2ext4/tar2ext4.go

@@ -13,6 +13,7 @@ import (
 	"github.com/Microsoft/hcsshim/ext4/dmverity"
 	"github.com/Microsoft/hcsshim/ext4/internal/compactext4"
 	"github.com/Microsoft/hcsshim/ext4/internal/format"
+	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/pkg/errors"
 )
 
@@ -200,7 +201,19 @@ func Convert(r io.Reader, w io.ReadWriteSeeker, options ...Option) error {
 	return nil
 }
 
-// ReadExt4SuperBlock reads and returns ext4 super block from VHD
+// ReadExt4SuperBlock reads and returns ext4 super block from given device.
+func ReadExt4SuperBlock(devicePath string) (*format.SuperBlock, error) {
+	dev, err := os.OpenFile(devicePath, os.O_RDONLY, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer dev.Close()
+
+	return ReadExt4SuperBlockReadSeeker(dev)
+}
+
+// ReadExt4SuperBlockReadSeeker reads and returns ext4 super block given
+// an io.ReadSeeker.
 //
 // The layout on disk is as follows:
 // | Group 0 padding     | - 1024 bytes
@@ -215,28 +228,56 @@ func Convert(r io.Reader, w io.ReadWriteSeeker, options ...Option) error {
 // More details can be found here https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
 //
 // Our goal is to skip the Group 0 padding, read and return the ext4 SuperBlock
-func ReadExt4SuperBlock(vhdPath string) (*format.SuperBlock, error) {
-	vhd, err := os.OpenFile(vhdPath, os.O_RDONLY, 0)
+func ReadExt4SuperBlockReadSeeker(rsc io.ReadSeeker) (*format.SuperBlock, error) {
+	// save current reader position
+	currBytePos, err := rsc.Seek(0, io.SeekCurrent)
 	if err != nil {
 		return nil, err
 	}
-	defer vhd.Close()
 
-	// Skip padding at the start
-	if _, err := vhd.Seek(1024, io.SeekStart); err != nil {
+	if _, err := rsc.Seek(1024, io.SeekCurrent); err != nil {
 		return nil, err
 	}
 	var sb format.SuperBlock
-	if err := binary.Read(vhd, binary.LittleEndian, &sb); err != nil {
+	if err := binary.Read(rsc, binary.LittleEndian, &sb); err != nil {
 		return nil, err
 	}
-	// Make sure the magic bytes are correct.
+
+	// reset the reader to initial position
+	if _, err := rsc.Seek(currBytePos, io.SeekStart); err != nil {
+		return nil, err
+	}
+
 	if sb.Magic != format.SuperBlockMagic {
 		return nil, errors.New("not an ext4 file system")
 	}
 	return &sb, nil
 }
 
+// IsDeviceExt4 is will read the device's superblock and determine if it is
+// and ext4 superblock.
+func IsDeviceExt4(devicePath string) bool {
+	// ReadExt4SuperBlock will check the superblock magic number for us,
+	// so we know if no error is returned, this is an ext4 device.
+	_, err := ReadExt4SuperBlock(devicePath)
+	if err != nil {
+		log.L.Warnf("failed to read Ext4 superblock: %s", err)
+	}
+	return err == nil
+}
+
+// Ext4FileSystemSize reads ext4 superblock and returns the size of the underlying
+// ext4 file system and its block size.
+func Ext4FileSystemSize(r io.ReadSeeker) (int64, int, error) {
+	sb, err := ReadExt4SuperBlockReadSeeker(r)
+	if err != nil {
+		return 0, 0, fmt.Errorf("failed to read ext4 superblock: %w", err)
+	}
+	blockSize := 1024 * (1 << sb.LogBlockSize)
+	fsSize := int64(blockSize) * int64(sb.BlocksCountLow)
+	return fsSize, blockSize, nil
+}
+
 // ConvertAndComputeRootDigest writes a compact ext4 file system image that contains the files in the
 // input tar stream, computes the resulting file image's cryptographic hashes (merkle tree) and returns
 // merkle tree root digest. Convert is called with minimal options: ConvertWhiteout and MaximumDiskSize

vendor/github.com/Microsoft/hcsshim/internal/log/format.go

@@ -0,0 +1,85 @@
+package log
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"reflect"
+	"time"
+
+	"github.com/containerd/containerd/log"
+)
+
+const TimeFormat = log.RFC3339NanoFixed
+
+func FormatTime(t time.Time) string {
+	return t.Format(TimeFormat)
+}
+
+// DurationFormat formats a [time.Duration] log entry.
+//
+// A nil value signals an error with the formatting.
+type DurationFormat func(time.Duration) interface{}
+
+func DurationFormatString(d time.Duration) interface{}       { return d.String() }
+func DurationFormatSeconds(d time.Duration) interface{}      { return d.Seconds() }
+func DurationFormatMilliseconds(d time.Duration) interface{} { return d.Milliseconds() }
+
+// FormatIO formats net.Conn and other types that have an `Addr()` or `Name()`.
+//
+// See FormatEnabled for more information.
+func FormatIO(ctx context.Context, v interface{}) string {
+	m := make(map[string]string)
+	m["type"] = reflect.TypeOf(v).String()
+
+	switch t := v.(type) {
+	case net.Conn:
+		m["localAddress"] = formatAddr(t.LocalAddr())
+		m["remoteAddress"] = formatAddr(t.RemoteAddr())
+	case interface{ Addr() net.Addr }:
+		m["address"] = formatAddr(t.Addr())
+	default:
+		return Format(ctx, t)
+	}
+
+	return Format(ctx, m)
+}
+
+func formatAddr(a net.Addr) string {
+	return a.Network() + "://" + a.String()
+}
+
+// Format formats an object into a JSON string, without any indendtation or
+// HTML escapes.
+// Context is used to output a log waring if the conversion fails.
+//
+// This is intended primarily for `trace.StringAttribute()`
+func Format(ctx context.Context, v interface{}) string {
+	b, err := encode(v)
+	if err != nil {
+		G(ctx).WithError(err).Warning("could not format value")
+		return ""
+	}
+
+	return string(b)
+}
+
+func encode(v interface{}) ([]byte, error) {
+	return encodeBuffer(&bytes.Buffer{}, v)
+}
+
+func encodeBuffer(buf *bytes.Buffer, v interface{}) ([]byte, error) {
+	enc := json.NewEncoder(buf)
+	enc.SetEscapeHTML(false)
+	enc.SetIndent("", "")
+
+	if err := enc.Encode(v); err != nil {
+		err = fmt.Errorf("could not marshall %T to JSON for logging: %w", v, err)
+		return nil, err
+	}
+
+	// encoder.Encode appends a newline to the end
+	return bytes.TrimSpace(buf.Bytes()), nil
+}

vendor/github.com/Microsoft/hcsshim/internal/log/hook.go

@@ -1,23 +1,58 @@
 package log
 
 import (
+	"bytes"
+	"reflect"
+	"time"
+
 	"github.com/Microsoft/hcsshim/internal/logfields"
+	"github.com/containerd/containerd/log"
 	"github.com/sirupsen/logrus"
 	"go.opencensus.io/trace"
 )
 
-// Hook serves to intercept and format `logrus.Entry`s before they are passed
-// to the ETW hook.
+const nullString = "null"
+
+// Hook intercepts and formats a [logrus.Entry] before it logged.
 //
-// The containerd shim discards the (formatted) logrus output, and outputs only via ETW.
-// The Linux GCS outputs logrus entries over stdout, which is consumed by the shim and
-// then re-output via the ETW hook.
-type Hook struct{}
+// The shim either outputs the logs through an ETW hook, discarding the (formatted) output
+// or logs output to a pipe for logging binaries to consume.
+// The Linux GCS outputs logrus entries over stdout, which is then consumed and re-output
+// by the shim.
+type Hook struct {
+	// EncodeAsJSON formats structs, maps, arrays, slices, and [bytes.Buffer] as JSON.
+	// Variables of [bytes.Buffer] will be converted to []byte.
+	//
+	// Default is false.
+	EncodeAsJSON bool
+
+	// FormatTime specifies the format for [time.Time] variables.
+	// An empty string disables formatting.
+	// When disabled, the fall back will the JSON encoding, if enabled.
+	//
+	// Default is [github.com/containerd/containerd/log.RFC3339NanoFixed].
+	TimeFormat string
+
+	// Duration format converts a [time.Duration] fields to an appropriate encoding.
+	// nil disables formatting.
+	// When disabled, the fall back will the JSON encoding, if enabled.
+	//
+	// Default is [DurationFormatString], which appends a duration unit after the value.
+	DurationFormat DurationFormat
+
+	// AddSpanContext adds [logfields.TraceID] and [logfields.SpanID] fields to
+	// the entry from the span context stored in [logrus.Entry.Context], if it exists.
+	AddSpanContext bool
+}
 
 var _ logrus.Hook = &Hook{}
 
 func NewHook() *Hook {
-	return &Hook{}
+	return &Hook{
+		TimeFormat:     log.RFC3339NanoFixed,
+		DurationFormat: DurationFormatString,
+		AddSpanContext: true,
+	}
 }
 
 func (h *Hook) Levels() []logrus.Level {
@@ -25,14 +60,108 @@ func (h *Hook) Levels() []logrus.Level {
 }
 
 func (h *Hook) Fire(e *logrus.Entry) (err error) {
+	// JSON encode, if necessary, then add span information
+	h.encode(e)
 	h.addSpanContext(e)
 
 	return nil
 }
 
+// encode loops through all the fields in the [logrus.Entry] and encodes them according to
+// the settings in [Hook].
+// If [Hook.TimeFormat] is non-empty, it will be passed to [time.Time.Format] for
+// fields of type [time.Time].
+//
+// If [Hook.EncodeAsJSON] is true, then fields that are not numeric, boolean, strings, or
+// errors will be encoded via a [json.Marshal] (with HTML escaping disabled).
+// Chanel- and function-typed fields, as well as unsafe pointers are left alone and not encoded.
+//
+// If [Hook.TimeFormat] and [Hook.DurationFormat] are empty and [Hook.EncodeAsJSON] is false,
+// then this is a no-op.
+func (h *Hook) encode(e *logrus.Entry) {
+	d := e.Data
+
+	formatTime := h.TimeFormat != ""
+	formatDuration := h.DurationFormat != nil
+	if !(h.EncodeAsJSON || formatTime || formatDuration) {
+		return
+	}
+
+	for k, v := range d {
+		// encode types with dedicated formatting options first
+
+		if vv, ok := v.(time.Time); formatTime && ok {
+			d[k] = vv.Format(h.TimeFormat)
+			continue
+		}
+
+		if vv, ok := v.(time.Duration); formatDuration && ok {
+			d[k] = h.DurationFormat(vv)
+			continue
+		}
+
+		// general case JSON encoding
+
+		if !h.EncodeAsJSON {
+			continue
+		}
+
+		switch vv := v.(type) {
+		// built in types
+		// "json" marshals errors as "{}", so leave alone here
+		case bool, string, error, uintptr,
+			int8, int16, int32, int64, int,
+			uint8, uint32, uint64, uint,
+			float32, float64:
+			continue
+
+		// Rather than setting d[k] = vv.String(), JSON encode []byte value, since it
+		// may be a binary payload and not representable as a string.
+		// `case bytes.Buffer,*bytes.Buffer:` resolves `vv` to `interface{}`,
+		// so cannot use `vv.Bytes`.
+		// Could move to below the `reflect.Indirect()` call below, but
+		// that would require additional typematching and dereferencing.
+		// Easier to keep these duplicate branches here.
+		case bytes.Buffer:
+			v = vv.Bytes()
+		case *bytes.Buffer:
+			v = vv.Bytes()
+		}
+
+		// dereference pointer or interface variables
+		rv := reflect.Indirect(reflect.ValueOf(v))
+		// check if `v` is a null pointer
+		if !rv.IsValid() {
+			d[k] = nullString
+			continue
+		}
+
+		switch rv.Kind() {
+		case reflect.Map, reflect.Struct, reflect.Array, reflect.Slice:
+		default:
+			// Bool, [U]?Int*, Float*, Complex*, Uintptr, String: encoded as normal
+			// Chan, Func: not supported by json
+			// Interface, Pointer: dereferenced above
+			// UnsafePointer: not supported by json, not safe to de-reference; leave alone
+			continue
+		}
+
+		b, err := encode(v)
+		if err != nil {
+			// Errors are written to stderr (ie, to `panic.log`) and stops the remaining
+			// hooks (ie, exporting to ETW) from firing. So add encoding errors to
+			// the entry data to be written out, but keep on processing.
+			d[k+"-"+logrus.ErrorKey] = err.Error()
+			// keep the original `v` as the value,
+			continue
+		}
+		d[k] = string(b)
+	}
+}
+
 func (h *Hook) addSpanContext(e *logrus.Entry) {
 	ctx := e.Context
-	if ctx == nil {
+	if !h.AddSpanContext || ctx == nil {
 		return
 	}
 	span := trace.FromContext(ctx)

vendor/github.com/Microsoft/hcsshim/internal/log/scrub.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"errors"
-	"strings"
 	"sync/atomic"
 
 	hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
@@ -56,11 +55,11 @@ func ScrubProcessParameters(s string) (string, error) {
 	}
 	pp.Environment = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
 
-	buf := bytes.NewBuffer(b[:0])
-	if err := encode(buf, pp); err != nil {
+	b, err := encodeBuffer(bytes.NewBuffer(b[:0]), pp)
+	if err != nil {
 		return "", err
 	}
-	return strings.TrimSpace(buf.String()), nil
+	return string(b), nil
 }
 
 // ScrubBridgeCreate scrubs requests sent over the bridge of type
@@ -150,21 +149,12 @@ func scrubBytes(b []byte, scrub scrubberFunc) ([]byte, error) {
 		return nil, err
 	}
 
-	buf := &bytes.Buffer{}
-	if err := encode(buf, m); err != nil {
+	b, err := encode(m)
+	if err != nil {
 		return nil, err
 	}
 
-	return bytes.TrimSpace(buf.Bytes()), nil
-}
-
-func encode(buf *bytes.Buffer, v interface{}) error {
-	enc := json.NewEncoder(buf)
-	enc.SetEscapeHTML(false)
-	if err := enc.Encode(v); err != nil {
-		return err
-	}
-	return nil
+	return b, nil
 }
 
 func isRequestBase(m genMap) bool {

vendor/github.com/Microsoft/hcsshim/internal/oc/errors.go

@@ -0,0 +1,69 @@
+package oc
+
+import (
+	"errors"
+	"io"
+	"net"
+	"os"
+
+	"github.com/containerd/containerd/errdefs"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// todo: break import cycle with "internal/hcs/errors.go" and reference errors defined there
+// todo: add errors defined in "internal/guest/gcserror" (Hresult does not implement error)
+
+func toStatusCode(err error) codes.Code {
+	// checks if err implements GRPCStatus() *"google.golang.org/grpc/status".Status,
+	// wraps an error defined in "github.com/containerd/containerd/errdefs", or is a
+	// context timeout or cancelled error
+	if s, ok := status.FromError(errdefs.ToGRPC(err)); ok {
+		return s.Code()
+	}
+
+	switch {
+	// case isAny(err):
+	// 	return codes.Cancelled
+	case isAny(err, os.ErrInvalid):
+		return codes.InvalidArgument
+	case isAny(err, os.ErrDeadlineExceeded):
+		return codes.DeadlineExceeded
+	case isAny(err, os.ErrNotExist):
+		return codes.NotFound
+	case isAny(err, os.ErrExist):
+		return codes.AlreadyExists
+	case isAny(err, os.ErrPermission):
+		return codes.PermissionDenied
+	// case isAny(err):
+	// 	return codes.ResourceExhausted
+	case isAny(err, os.ErrClosed, net.ErrClosed, io.ErrClosedPipe, io.ErrShortBuffer):
+		return codes.FailedPrecondition
+	// case isAny(err):
+	// 	return codes.Aborted
+	// case isAny(err):
+	// 	return codes.OutOfRange
+	// case isAny(err):
+	// 	return codes.Unimplemented
+	case isAny(err, io.ErrNoProgress):
+		return codes.Internal
+	// case isAny(err):
+	// 	return codes.Unavailable
+	case isAny(err, io.ErrShortWrite, io.ErrUnexpectedEOF):
+		return codes.DataLoss
+	// case isAny(err):
+	// 	return codes.Unauthenticated
+	default:
+		return codes.Unknown
+	}
+}
+
+// isAny returns true if errors.Is is true for any of the provided errors, errs.
+func isAny(err error, errs ...error) bool {
+	for _, e := range errs {
+		if errors.Is(err, e) {
+			return true
+		}
+	}
+	return false
+}

vendor/github.com/Microsoft/hcsshim/internal/oc/exporter.go

@@ -3,19 +3,26 @@ package oc
 import (
 	"github.com/sirupsen/logrus"
 	"go.opencensus.io/trace"
+	"google.golang.org/grpc/codes"
+
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/logfields"
 )
 
-var _ = (trace.Exporter)(&LogrusExporter{})
+const spanMessage = "Span"
+
+var _errorCodeKey = logrus.ErrorKey + "Code"
 
 // LogrusExporter is an OpenCensus `trace.Exporter` that exports
 // `trace.SpanData` to logrus output.
-type LogrusExporter struct {
-}
+type LogrusExporter struct{}
+
+var _ trace.Exporter = &LogrusExporter{}
 
 // ExportSpan exports `s` based on the the following rules:
 //
-// 1. All output will contain `s.Attributes`, `s.TraceID`, `s.SpanID`,
-// `s.ParentSpanID` for correlation
+// 1. All output will contain `s.Attributes`, `s.SpanKind`, `s.TraceID`,
+// `s.SpanID`, and `s.ParentSpanID` for correlation
 //
 // 2. Any calls to .Annotate will not be supported.
 //
@@ -23,21 +30,57 @@ type LogrusExporter struct {
 // `s.Status.Code != 0` in which case it will be written at `logrus.ErrorLevel`
 // providing `s.Status.Message` as the error value.
 func (le *LogrusExporter) ExportSpan(s *trace.SpanData) {
-	// Combine all span annotations with traceID, spanID, parentSpanID
-	baseEntry := logrus.WithFields(logrus.Fields(s.Attributes))
-	baseEntry.Data["traceID"] = s.TraceID.String()
-	baseEntry.Data["spanID"] = s.SpanID.String()
-	baseEntry.Data["parentSpanID"] = s.ParentSpanID.String()
-	baseEntry.Data["startTime"] = s.StartTime
-	baseEntry.Data["endTime"] = s.EndTime
-	baseEntry.Data["duration"] = s.EndTime.Sub(s.StartTime).String()
-	baseEntry.Data["name"] = s.Name
-	baseEntry.Time = s.StartTime
+	if s.DroppedAnnotationCount > 0 {
+		logrus.WithFields(logrus.Fields{
+			"name":            s.Name,
+			logfields.TraceID: s.TraceID.String(),
+			logfields.SpanID:  s.SpanID.String(),
+			"dropped":         s.DroppedAttributeCount,
+			"maxAttributes":   len(s.Attributes),
+		}).Warning("span had dropped attributes")
+	}
+
+	entry := log.L.Dup()
+	// Combine all span annotations with span data (eg, trace ID, span ID, parent span ID,
+	// error, status code)
+	// (OC) Span attributes are guaranteed to be  strings, bools, or int64s, so we can
+	// can skip overhead in entry.WithFields() and add them directly to entry.Data.
+	// Preallocate ahead of time, since we should add, at most, 10 additional entries
+	data := make(logrus.Fields, len(entry.Data)+len(s.Attributes)+10)
+
+	// Default log entry may have prexisting/application-wide data
+	for k, v := range entry.Data {
+		data[k] = v
+	}
+	for k, v := range s.Attributes {
+		data[k] = v
+	}
+
+	data[logfields.Name] = s.Name
+	data[logfields.TraceID] = s.TraceID.String()
+	data[logfields.SpanID] = s.SpanID.String()
+	data[logfields.ParentSpanID] = s.ParentSpanID.String()
+	data[logfields.StartTime] = s.StartTime
+	data[logfields.EndTime] = s.EndTime
+	data[logfields.Duration] = s.EndTime.Sub(s.StartTime)
+	if sk := spanKindToString(s.SpanKind); sk != "" {
+		data["spanKind"] = sk
+	}
 
 	level := logrus.InfoLevel
 	if s.Status.Code != 0 {
 		level = logrus.ErrorLevel
-		baseEntry.Data[logrus.ErrorKey] = s.Status.Message
+
+		// don't overwrite an existing "error" or "errorCode" attributes
+		if _, ok := data[logrus.ErrorKey]; !ok {
+			data[logrus.ErrorKey] = s.Status.Message
+		}
+		if _, ok := data[_errorCodeKey]; !ok {
+			data[_errorCodeKey] = codes.Code(s.Status.Code).String()
+		}
 	}
-	baseEntry.Log(level, "Span")
+
+	entry.Data = data
+	entry.Time = s.StartTime
+	entry.Log(level, spanMessage)
 }

vendor/github.com/Microsoft/hcsshim/internal/oc/span.go

@@ -14,8 +14,7 @@ var DefaultSampler = trace.AlwaysSample()
 func SetSpanStatus(span *trace.Span, err error) {
 	status := trace.Status{}
 	if err != nil {
-		// TODO: JTERRY75 - Handle errors in a non-generic way
-		status.Code = trace.StatusCodeUnknown
+		status.Code = int32(toStatusCode(err))
 		status.Message = err.Error()
 	}
 	span.SetStatus(status)
@@ -46,3 +45,14 @@ func update(ctx context.Context, s *trace.Span) (context.Context, *trace.Span) {
 
 var WithServerSpanKind = trace.WithSpanKind(trace.SpanKindServer)
 var WithClientSpanKind = trace.WithSpanKind(trace.SpanKindClient)
+
+func spanKindToString(sk int) string {
+	switch sk {
+	case trace.SpanKindClient:
+		return "client"
+	case trace.SpanKindServer:
+		return "server"
+	default:
+		return ""
+	}
+}

vendor/github.com/Microsoft/hcsshim/internal/security/grantvmgroupaccess.go

@@ -23,20 +23,14 @@ type (
 )
 
 type explicitAccess struct {
-	//nolint:structcheck
 	accessPermissions accessMask
-	//nolint:structcheck
-	accessMode accessMode
-	//nolint:structcheck
-	inheritance inheritMode
-	//nolint:structcheck
-	trustee trustee
+	accessMode        accessMode
+	inheritance       inheritMode
+	trustee           trustee
 }
 
 type trustee struct {
-	//nolint:unused,structcheck
-	multipleTrustee *trustee
-	//nolint:unused,structcheck
+	multipleTrustee          *trustee
 	multipleTrusteeOperation int32
 	trusteeForm              trusteeForm
 	trusteeType              trusteeType

vendor/github.com/Microsoft/hcsshim/osversion/platform_compat_windows.go

@@ -0,0 +1,35 @@
+package osversion
+
+// List of stable ABI compliant ltsc releases
+// Note: List must be sorted in ascending order
+var compatLTSCReleases = []uint16{
+	V21H2Server,
+}
+
+// CheckHostAndContainerCompat checks if given host and container
+// OS versions are compatible.
+// It includes support for stable ABI compliant versions as well.
+// Every release after WS 2022 will support the previous ltsc
+// container image. Stable ABI is in preview mode for windows 11 client.
+// Refer: https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-2022%2Cwindows-10#windows-server-host-os-compatibility
+func CheckHostAndContainerCompat(host, ctr OSVersion) bool {
+	// check major minor versions of host and guest
+	if host.MajorVersion != ctr.MajorVersion ||
+		host.MinorVersion != ctr.MinorVersion {
+		return false
+	}
+
+	// If host is < WS 2022, exact version match is required
+	if host.Build < V21H2Server {
+		return host.Build == ctr.Build
+	}
+
+	var supportedLtscRelease uint16
+	for i := len(compatLTSCReleases) - 1; i >= 0; i-- {
+		if host.Build >= compatLTSCReleases[i] {
+			supportedLtscRelease = compatLTSCReleases[i]
+			break
+		}
+	}
+	return ctr.Build >= supportedLtscRelease && ctr.Build <= host.Build
+}

vendor/github.com/Microsoft/hcsshim/pkg/go-runhcs/runhcs.go

@@ -5,6 +5,7 @@ package runhcs
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -36,6 +37,11 @@ func getCommandPath() string {
 	pathi := runhcsPath.Load()
 	if pathi == nil {
 		path, err := exec.LookPath(command)
+		if err != nil {
+			if errors.Is(err, exec.ErrDot) {
+				err = nil
+			}
+		}
 		if err != nil {
 			// LookPath only finds current directory matches based on the
 			// callers current directory but the caller is not likely in the

vendor/github.com/Microsoft/hcsshim/tools.go

@@ -2,4 +2,12 @@
 
 package hcsshim
 
-import _ "github.com/Microsoft/go-winio/tools/mkwinsyscall"
+import (
+	// for go generate directives
+
+	// generate Win32 API code
+	_ "github.com/Microsoft/go-winio/tools/mkwinsyscall"
+
+	// mock gRPC client and servers
+	_ "github.com/golang/mock/mockgen"
+)