Merge pull request #1264 from Random-Liu/windows-support-2

Add Implementation for WCOW process isolation support.

.travis.yml

@@ -37,7 +37,6 @@ before_script:
 script:
   - make .install.gitvalidation
   - make .gitvalidation
-  - make binaries
   - make install.deps
   - make containerd
   - sudo PATH=$PATH GOPATH=$GOPATH make install-containerd

Makefile

@@ -129,14 +129,14 @@ containerd: $(BUILD_DIR)/containerd ## build a customized containerd with CRI pl
 
 install-containerd: containerd ## installs customized containerd to system location
 	@echo "$(WHALE) $@"
-	@install -D -m 755 $(BUILD_DIR)/containerd $(BINDIR)/containerd
+	@install -D -m 755 $(BUILD_DIR)/containerd "$(BINDIR)/containerd"
 
 install: install-containerd ## installs customized containerd to system location
 	@echo "$(WHALE) $@"
 
 uninstall: ## remove containerd from system location
 	@echo "$(WHALE) $@"
-	@rm -f $(BINDIR)/containerd
+	@rm -f "$(BINDIR)/containerd"
 
 $(BUILD_DIR)/$(TARBALL): static-binaries vendor.conf
 	@BUILD_DIR=$(BUILD_DIR) TARBALL=$(TARBALL) VERSION=$(VERSION) ./hack/release.sh
@@ -152,12 +152,22 @@ proto: ## update protobuf of the cri plugin api
 	@API_PATH=pkg/api/v1 hack/update-proto.sh
 	@API_PATH=pkg/api/runtimeoptions/v1 hack/update-proto.sh
 
-.PHONY: install.deps
+.PHONY: install.deps .install.deps.linux .install.deps.windows
 
-install.deps: ## install dependencies of cri (default 'seccomp apparmor' BUILDTAGS for runc build)
+ifeq ($(GOOS),windows)
+install.deps: .install.deps.windows ## install windows deps on windows
+else
+install.deps: .install.deps.linux ## install windows deps on linux
+endif
+
+.install.deps.linux: ## install dependencies of cri (default 'seccomp apparmor' BUILDTAGS for runc build)
 	@echo "$(WHALE) $@"
 	@./hack/install/install-deps.sh
 
+.install.deps.windows: ## install dependencies of cri on windows
+	@echo "$(WHALE) $@"
+	@./hack/install/windows/install-deps.sh
+
 .PHONY: .gitvalidation
 # When this is running in travis, it will only check the travis commit range.
 # When running outside travis, it will check from $(EPOCH_TEST_COMMIT)..HEAD.

cri.go

@@ -40,6 +40,7 @@ import (
 
 	criconfig "github.com/containerd/cri/pkg/config"
 	"github.com/containerd/cri/pkg/constants"
+	criplatforms "github.com/containerd/cri/pkg/containerd/platforms"
 	"github.com/containerd/cri/pkg/server"
 )
 
@@ -89,6 +90,7 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
 	client, err := containerd.New(
 		"",
 		containerd.WithDefaultNamespace(constants.K8sContainerdNamespace),
+		containerd.WithDefaultPlatform(criplatforms.Default()),
 		containerd.WithServices(servicesOpts...),
 	)
 	if err != nil {

hack/install/install-cni.sh

@@ -23,8 +23,7 @@ CNI_DIR=${DESTDIR}/opt/cni
 CNI_PKG=github.com/containernetworking/plugins
 
 # Create a temporary GOPATH for cni installation.
-TMPGOPATH=$(mktemp -d /tmp/cri-install-cni.XXXX)
+GOPATH=$(mktemp -d /tmp/cri-install-cni.XXXX)
-GOPATH=${TMPGOPATH}
 
 # Install cni
 from-vendor CNI github.com/containernetworking/plugins
@@ -35,4 +34,4 @@ ${SUDO} mkdir -p ${CNI_DIR}
 ${SUDO} cp -r ./bin ${CNI_DIR}
 
 # Clean the tmp GOPATH dir.
-rm -rf ${TMPGOPATH}
+rm -rf ${GOPATH}

hack/install/install-containerd.sh

@@ -19,7 +19,7 @@ set -o nounset
 set -o pipefail
 
 source $(dirname "${BASH_SOURCE[0]}")/utils.sh
-CONTAINERD_DIR=${DESTDIR}/usr/local
+CONTAINERD_DIR=${CONTAINERD_DIR:-"${DESTDIR}/usr/local"}
 CONTAINERD_PKG=github.com/containerd/containerd
 
 # CHECKOUT_CONTAINERD indicates whether to checkout containerd repo.
@@ -29,8 +29,7 @@ CHECKOUT_CONTAINERD=${CHECKOUT_CONTAINERD:-true}
 
 if ${CHECKOUT_CONTAINERD}; then
   # Create a temporary GOPATH for containerd installation.
-  TMPGOPATH=$(mktemp -d /tmp/cri-install-containerd.XXXX)
+  GOPATH=$(mktemp -d /tmp/cri-install-containerd.XXXX)
-  GOPATH=${TMPGOPATH}
   from-vendor CONTAINERD github.com/containerd/containerd
   checkout_repo ${CONTAINERD_PKG} ${CONTAINERD_VERSION} ${CONTAINERD_REPO}
 fi
@@ -40,9 +39,11 @@ cd ${GOPATH}/src/${CONTAINERD_PKG}
 make BUILDTAGS="${BUILDTAGS}"
 # containerd make install requires `go` to work. Explicitly
 # set PATH to make sure it can find `go` even with `sudo`.
-${SUDO} sh -c "PATH=${PATH} make install -e DESTDIR=${CONTAINERD_DIR}"
+# The single quote is required because containerd Makefile
+# can't handle spaces in the path.
+${SUDO} make install -e DESTDIR="'${CONTAINERD_DIR}'"
 
 # Clean the tmp GOPATH dir.
 if ${CHECKOUT_CONTAINERD}; then
-  rm -rf ${TMPGOPATH}
+  rm -rf ${GOPATH}
 fi

hack/install/install-critools.sh

@@ -19,22 +19,22 @@ set -o nounset
 set -o pipefail
 
 source $(dirname "${BASH_SOURCE[0]}")/utils.sh
-CRITOOL_DIR=${DESTDIR}/usr/local/bin
+CRITOOL_DIR="${CRITOOL_DIR:-${DESTDIR}/usr/local/bin}"
-CRICTL_CONFIG_DIR=${DESTDIR}/etc
+CRICTL_CONFIG_DIR="${CRICTL_CONFIG_DIR:-"${DESTDIR}/etc"}"
+CRICTL_RUNTIME_ENDPOINT=${CRICTL_RUNTIME_ENDPOINT:-unix:///run/containerd/containerd.sock}
 
 # Create a temporary GOPATH for crictl installation.
-TMPGOPATH=$(mktemp -d /tmp/cri-install-crictl.XXXX)
+GOPATH=$(mktemp -d /tmp/cri-install-crictl.XXXX)
-GOPATH=${TMPGOPATH}
 
 #Install crictl
 checkout_repo ${CRITOOL_PKG} ${CRITOOL_VERSION} ${CRITOOL_REPO}
 cd ${GOPATH}/src/${CRITOOL_PKG}
 make VERSION=${CRITOOL_VERSION}
-${SUDO} make install -e BINDIR=${CRITOOL_DIR} GOPATH=${GOPATH}
+${SUDO} make install -e BINDIR="\"${CRITOOL_DIR}\"" GOPATH=${GOPATH}
 ${SUDO} mkdir -p ${CRICTL_CONFIG_DIR}
-${SUDO} bash -c 'cat >'${CRICTL_CONFIG_DIR}'/crictl.yaml <<EOF
+${SUDO} bash -c 'cat >"'"${CRICTL_CONFIG_DIR}"'"/crictl.yaml <<EOF
-runtime-endpoint: unix:///run/containerd/containerd.sock
+runtime-endpoint: '${CRICTL_RUNTIME_ENDPOINT}'
 EOF'
 
 # Clean the tmp GOPATH dir.
-rm -rf ${TMPGOPATH}
+rm -rf ${GOPATH}

hack/install/install-runc.sh

@@ -23,8 +23,7 @@ RUNC_DIR=${DESTDIR}
 RUNC_PKG=github.com/opencontainers/runc
 
 # Create a temporary GOPATH for runc installation.
-TMPGOPATH=$(mktemp -d /tmp/cri-install-runc.XXXX)
+GOPATH=$(mktemp -d /tmp/cri-install-runc.XXXX)
-GOPATH=${TMPGOPATH}
 
 # Install runc
 from-vendor RUNC github.com/opencontainers/runc
@@ -35,4 +34,4 @@ ${SUDO} make install -e DESTDIR=${RUNC_DIR}
 
 # Clean the tmp GOPATH dir. Use sudo because runc build generates
 # some privileged files.
-${SUDO} rm -rf ${TMPGOPATH}
+${SUDO} rm -rf ${GOPATH}

hack/install/windows/install-cni-config.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+CNI_CONFIG_DIR="${CNI_CONFIG_DIR:-"C:\\Program Files\\containerd\\cni\\conf"}"
+mkdir -p "${CNI_CONFIG_DIR}"
+
+# split_ip splits ip into a 4-element array.
+split_ip() {
+  local -r varname="$1"
+  local -r ip="$2"
+  for i in {0..3}; do
+    eval "$varname"[$i]=$( echo "$ip" | cut -d '.' -f $((i + 1)) )
+  done
+}
+
+# subnet gets subnet for a gateway, e.g. 192.168.100.0/24.
+calculate_subnet() {
+  local -r gateway="$1"
+  local -r prefix_len="$2"
+  split_ip gateway_array "$gateway"
+  local len=$prefix_len
+  for i in {0..3}; do
+    if (( len >= 8 )); then
+      mask=255
+    elif (( len > 0 )); then
+      mask=$(( 256 - 2 ** ( 8 - len ) ))
+    else
+      mask=0
+    fi
+    (( len -= 8 ))
+    result_array[i]=$(( gateway_array[i] & mask ))
+  done
+  result="$(printf ".%s" "${result_array[@]}")"
+  result="${result:1}"
+  echo "$result/$((32 - prefix_len))"
+}
+
+# nat already exists on the Windows VM, the subnet and gateway
+# we specify should match that.
+gateway="$(powershell -c "(Get-NetIPAddress -InterfaceAlias 'vEthernet (nat)' -AddressFamily IPv4).IPAddress")"
+prefix_len="$(powershell -c "(Get-NetIPAddress -InterfaceAlias 'vEthernet (nat)' -AddressFamily IPv4).PrefixLength")"
+
+subnet="$(calculate_subnet "$gateway" "$prefix_len")"
+
+# The "name" field in the config is used as the underlying
+# network type right now (see
+# https://github.com/microsoft/windows-container-networking/pull/45),
+# so it must match a network type in:
+# https://docs.microsoft.com/en-us/windows-server/networking/technologies/hcn/hcn-json-document-schemas
+bash -c 'cat >"'"${CNI_CONFIG_DIR}"'"/0-containerd-nat.conf <<EOF
+{
+    "cniVersion": "0.2.0",
+    "name": "nat",
+    "type": "nat",
+    "master": "Ethernet",
+    "ipam": {
+        "subnet": "'$subnet'",
+        "routes": [
+            {
+                "gateway": "'$gateway'"
+            }
+        ]
+    },
+    "capabilities": {
+        "portMappings": true,
+        "dns": true
+    }
+}
+EOF'

hack/install/windows/install-cni.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+source $(dirname "${BASH_SOURCE[0]}")/../utils.sh
+# WINCNI_BIN_DIR is the cni plugin directory
+WINCNI_BIN_DIR="${WINCNI_BIN_DIR:-"C:\\Program Files\\containerd\\cni\\bin"}"
+WINCNI_PKG=github.com/Microsoft/windows-container-networking
+WINCNI_VERSION=33bc4764ea3ad7c6ec58c5716370d329f5eb1266
+
+# Create a temporary GOPATH for cni installation.
+GOPATH="$(mktemp -d /tmp/cri-install-cni.XXXX)"
+
+# Install cni
+checkout_repo "${WINCNI_PKG}" "${WINCNI_VERSION}" "${WINCNI_PKG}"
+cd "${GOPATH}/src/${WINCNI_PKG}"
+go build "${WINCNI_PKG}/plugins/nat"
+install -D -m 755 "nat.exe" "${WINCNI_BIN_DIR}/nat.exe"
+
+# Clean the tmp GOPATH dir.
+rm -rf "${GOPATH}"

hack/install/windows/install-deps.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+cd $(dirname "${BASH_SOURCE[0]}")
+
+# Install hcsshim
+./install-hcsshim.sh
+
+# Install cni
+./install-cni.sh
+
+# Install cni config
+./install-cni-config.sh
+
+# Install containerd
+NOSUDO=true \
+  BUILDTAGS="" \
+  CONTAINERD_DIR='C:\Program Files\Containerd' \
+  ../install-containerd.sh
+# Containerd makefile always installs into a "bin" directory.
+# Use slash instead of bach slash so that `*` can work.
+mv C:/'Program Files'/Containerd/bin/* 'C:\Program Files\Containerd\'
+rm -rf 'C:\Program Files\Containerd\bin'
+
+#Install critools
+NOSUDO=true \
+  CRITOOL_DIR='C:\Program Files\Containerd' \
+  CRICTL_RUNTIME_ENDPOINT="npipe:////./pipe/containerd-containerd" \
+  CRICTL_CONFIG_DIR="C:\\Users\\$(id -u -n)\\.crictl" \
+  ../install-critools.sh

hack/install/windows/install-hcsshim.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2018 The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+source $(dirname "${BASH_SOURCE[0]}")/../utils.sh
+HCSSHIM_DIR="${HCSSHIM_DIR:-"C:\\Program Files\\Containerd"}"
+HCSSHIM_PKG=github.com/Microsoft/hcsshim
+
+# Create a temporary GOPATH for hcsshim installation.
+GOPATH="$(mktemp -d /tmp/cri-install-hcsshim.XXXX)"
+
+# Install hcsshim
+from-vendor HCSSHIM "${HCSSHIM_PKG}"
+checkout_repo "${HCSSHIM_PKG}" "${HCSSHIM_VERSION}" "${HCSSHIM_REPO}"
+cd "${GOPATH}/src/${HCSSHIM_PKG}"
+go build "${HCSSHIM_PKG}/cmd/containerd-shim-runhcs-v1"
+install -D -m 755 containerd-shim-runhcs-v1 "${HCSSHIM_DIR}"/containerd-shim-runhcs-v1
+
+# Clean the tmp GOPATH dir. Use sudo because runc build generates
+# some privileged files.
+rm -rf ${GOPATH}

hack/test-cri.sh

@@ -52,7 +52,8 @@ if [ ! -x "$(command -v ${CRITEST})" ]; then
   cd ${GOPATH}/src/${CRITOOL_PKG}
   git fetch --all
   git checkout ${CRITOOL_VERSION}
-  make
+  make critest
+  make install-critest -e BINDIR="${GOPATH}/bin"
 fi
 which ${CRITEST}
 

hack/utils.sh

@@ -17,7 +17,7 @@
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
 
 # Not from vendor.conf.
-CRITOOL_VERSION=427262054f59f3b849391310856a19474acb7e83
+CRITOOL_VERSION=84b8540c69e82671bfc244a0b0fe28a6a98381ce
 CRITOOL_PKG=github.com/kubernetes-sigs/cri-tools
 CRITOOL_REPO=github.com/kubernetes-sigs/cri-tools
 

pkg/config/config_windows.go

@@ -18,7 +18,53 @@ limitations under the License.
 
 package config
 
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/containerd"
+	"k8s.io/kubernetes/pkg/kubelet/server/streaming"
+)
+
 // DefaultConfig returns default configurations of cri plugin.
 func DefaultConfig() PluginConfig {
-	return PluginConfig{}
+	return PluginConfig{
+		CniConfig: CniConfig{
+			NetworkPluginBinDir:       filepath.Join(os.Getenv("ProgramFiles"), "containerd", "cni", "bin"),
+			NetworkPluginConfDir:      filepath.Join(os.Getenv("ProgramFiles"), "containerd", "cni", "conf"),
+			NetworkPluginMaxConfNum:   1,
+			NetworkPluginConfTemplate: "",
+		},
+		ContainerdConfig: ContainerdConfig{
+			Snapshotter:        containerd.DefaultSnapshotter,
+			DefaultRuntimeName: "runhcs-wcow-process",
+			NoPivot:            false,
+			Runtimes: map[string]Runtime{
+				"runhcs-wcow-process": {
+					Type: "io.containerd.runhcs.v1",
+				},
+			},
+		},
+		DisableTCPService:   true,
+		StreamServerAddress: "127.0.0.1",
+		StreamServerPort:    "0",
+		StreamIdleTimeout:   streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+		EnableTLSStreaming:  false,
+		X509KeyPairStreaming: X509KeyPairStreaming{
+			TLSKeyFile:  "",
+			TLSCertFile: "",
+		},
+		SandboxImage:            "mcr.microsoft.com/k8s/core/pause:1.0.0",
+		StatsCollectPeriod:      10,
+		MaxContainerLogLineSize: 16 * 1024,
+		Registry: Registry{
+			Mirrors: map[string]Mirror{
+				"docker.io": {
+					Endpoints: []string{"https://registry-1.docker.io"},
+				},
+			},
+		},
+		MaxConcurrentDownloads: 3,
+		// TODO(windows): Add platform specific config, so that most common defaults can be shared.
+	}
 }

pkg/containerd/opts/spec.go

@@ -42,6 +42,12 @@ func WithRelativeRoot(root string) oci.SpecOpts {
 	}
 }
 
+// WithoutRoot sets the root to nil for the container.
+func WithoutRoot(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) error {
+	s.Root = nil
+	return nil
+}
+
 // WithProcessArgs sets the process args on the spec based on the image and runtime config
 func WithProcessArgs(config *runtime.ContainerConfig, image *imagespec.ImageConfig) oci.SpecOpts {
 	return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) (err error) {

pkg/containerd/opts/spec_unix.go

@@ -137,7 +137,6 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 				mounts = append(mounts, e)
 			}
 		}
-		// ---
 
 		// Sort mounts in number of parts. This ensures that high level mounts don't
 		// shadow other mounts.

pkg/containerd/opts/spec_windows.go

@@ -0,0 +1,174 @@
+// +build windows
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package opts
+
+import (
+	"context"
+	"path/filepath"
+	"sort"
+
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/oci"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+
+	osinterface "github.com/containerd/cri/pkg/os"
+)
+
+// WithWindowsNetworkNamespace sets windows network namespace for container.
+// TODO(windows): Move this into container/containerd.
+func WithWindowsNetworkNamespace(path string) oci.SpecOpts {
+	return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) error {
+		if s.Windows == nil {
+			s.Windows = &runtimespec.Windows{}
+		}
+		if s.Windows.Network == nil {
+			s.Windows.Network = &runtimespec.WindowsNetwork{}
+		}
+		s.Windows.Network.NetworkNamespace = path
+		return nil
+	}
+}
+
+// WithWindowsMounts sorts and adds runtime and CRI mounts to the spec for
+// windows container.
+func WithWindowsMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*runtime.Mount) oci.SpecOpts {
+	return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) error {
+		// mergeMounts merge CRI mounts with extra mounts. If a mount destination
+		// is mounted by both a CRI mount and an extra mount, the CRI mount will
+		// be kept.
+		var (
+			criMounts = config.GetMounts()
+			mounts    = append([]*runtime.Mount{}, criMounts...)
+		)
+		// Copy all mounts from extra mounts, except for mounts overriden by CRI.
+		for _, e := range extra {
+			found := false
+			for _, c := range criMounts {
+				if filepath.Clean(e.ContainerPath) == filepath.Clean(c.ContainerPath) {
+					found = true
+					break
+				}
+			}
+			if !found {
+				mounts = append(mounts, e)
+			}
+		}
+
+		// Sort mounts in number of parts. This ensures that high level mounts don't
+		// shadow other mounts.
+		sort.Sort(orderedMounts(mounts))
+
+		// Copy all mounts from default mounts, except for
+		// - mounts overriden by supplied mount;
+		// - all mounts under /dev if a supplied /dev is present.
+		mountSet := make(map[string]struct{})
+		for _, m := range mounts {
+			mountSet[filepath.Clean(m.ContainerPath)] = struct{}{}
+		}
+
+		defaultMounts := s.Mounts
+		s.Mounts = nil
+
+		for _, m := range defaultMounts {
+			dst := filepath.Clean(m.Destination)
+			if _, ok := mountSet[dst]; ok {
+				// filter out mount overridden by a supplied mount
+				continue
+			}
+			s.Mounts = append(s.Mounts, m)
+		}
+
+		for _, mount := range mounts {
+			var (
+				dst = mount.GetContainerPath()
+				src = mount.GetHostPath()
+			)
+			// TODO(windows): Support special mount sources, e.g. named pipe.
+			// Create the host path if it doesn't exist.
+			if _, err := osi.Stat(src); err != nil {
+				// If the source doesn't exist, return an error instead
+				// of creating the source. This aligns with Docker's
+				// behavior on windows.
+				return errors.Wrapf(err, "failed to stat %q", src)
+			}
+			src, err := osi.ResolveSymbolicLink(src)
+			if err != nil {
+				return errors.Wrapf(err, "failed to resolve symlink %q", src)
+			}
+
+			var options []string
+			// NOTE(random-liu): we don't change all mounts to `ro` when root filesystem
+			// is readonly. This is different from docker's behavior, but make more sense.
+			if mount.GetReadonly() {
+				options = append(options, "ro")
+			} else {
+				options = append(options, "rw")
+			}
+			s.Mounts = append(s.Mounts, runtimespec.Mount{
+				Source:      src,
+				Destination: dst,
+				Options:     options,
+			})
+		}
+		return nil
+	}
+}
+
+// WithWindowsResources sets the provided resource restrictions for windows.
+func WithWindowsResources(resources *runtime.WindowsContainerResources) oci.SpecOpts {
+	return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) error {
+		if resources == nil {
+			return nil
+		}
+		if s.Windows == nil {
+			s.Windows = &runtimespec.Windows{}
+		}
+		if s.Windows.Resources == nil {
+			s.Windows.Resources = &runtimespec.WindowsResources{}
+		}
+		if s.Windows.Resources.CPU == nil {
+			s.Windows.Resources.CPU = &runtimespec.WindowsCPUResources{}
+		}
+		if s.Windows.Resources.Memory == nil {
+			s.Windows.Resources.Memory = &runtimespec.WindowsMemoryResources{}
+		}
+
+		var (
+			count  = uint64(resources.GetCpuCount())
+			shares = uint16(resources.GetCpuShares())
+			max    = uint16(resources.GetCpuMaximum())
+			limit  = uint64(resources.GetMemoryLimitInBytes())
+		)
+		if count != 0 {
+			s.Windows.Resources.CPU.Count = &count
+		}
+		if shares != 0 {
+			s.Windows.Resources.CPU.Shares = &shares
+		}
+		if max != 0 {
+			s.Windows.Resources.CPU.Maximum = &max
+		}
+		if limit != 0 {
+			s.Windows.Resources.Memory.Limit = &limit
+		}
+		return nil
+	}
+}

pkg/containerd/platforms/default_unix.go

@@ -0,0 +1,28 @@
+// +build !windows
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package platforms
+
+import (
+	"github.com/containerd/containerd/platforms"
+)
+
+// Default returns the current platform's default platform specification.
+func Default() platforms.MatchComparer {
+	return platforms.Default()
+}

pkg/containerd/platforms/default_windows.go

@@ -0,0 +1,77 @@
+// +build windows
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package platforms
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/containerd/containerd/platforms"
+	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sys/windows"
+)
+
+type matchComparer struct {
+	defaults        platforms.Matcher
+	osVersionPrefix string
+}
+
+// Match matches platform with the same windows major, minor
+// and build version.
+func (m matchComparer) Match(p imagespec.Platform) bool {
+	if m.defaults.Match(p) {
+		// TODO(windows): Figure out whether OSVersion is deprecated.
+		return strings.HasPrefix(p.OSVersion, m.osVersionPrefix)
+	}
+	return false
+}
+
+// Less sorts matched platforms in front of other platforms.
+// For matched platforms, it puts platforms with larger revision
+// number in front.
+func (m matchComparer) Less(p1, p2 imagespec.Platform) bool {
+	m1, m2 := m.Match(p1), m.Match(p2)
+	if m1 && m2 {
+		r1, r2 := revision(p1.OSVersion), revision(p2.OSVersion)
+		return r1 > r2
+	}
+	return m1 && !m2
+}
+
+func revision(v string) int {
+	parts := strings.Split(v, ".")
+	if len(parts) < 4 {
+		return 0
+	}
+	r, err := strconv.Atoi(parts[3])
+	if err != nil {
+		return 0
+	}
+	return r
+}
+
+// Default returns the current platform's default platform specification.
+func Default() platforms.MatchComparer {
+	major, minor, build := windows.RtlGetNtVersionNumbers()
+	return matchComparer{
+		defaults:        platforms.Only(platforms.DefaultSpec()),
+		osVersionPrefix: fmt.Sprintf("%d.%d.%d", major, minor, build),
+	}
+}

pkg/containerd/platforms/default_windows_test.go

@@ -0,0 +1,150 @@
+// +build windows
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package platforms
+
+import (
+	"sort"
+	"testing"
+
+	"github.com/containerd/containerd/platforms"
+	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMatchComparerMatch(t *testing.T) {
+	m := matchComparer{
+		defaults: platforms.Only(imagespec.Platform{
+			Architecture: "amd64",
+			OS:           "windows",
+		}),
+		osVersionPrefix: "10.0.17763",
+	}
+	for _, test := range []struct {
+		platform imagespec.Platform
+		match    bool
+	}{
+		{
+			platform: imagespec.Platform{
+				Architecture: "amd64",
+				OS:           "windows",
+				OSVersion:    "10.0.17763.1",
+			},
+			match: true,
+		},
+		{
+			platform: imagespec.Platform{
+				Architecture: "amd64",
+				OS:           "windows",
+				OSVersion:    "10.0.17763.2",
+			},
+			match: true,
+		},
+		{
+			platform: imagespec.Platform{
+				Architecture: "amd64",
+				OS:           "windows",
+				OSVersion:    "10.0.17762.1",
+			},
+			match: false,
+		},
+		{
+			platform: imagespec.Platform{
+				Architecture: "amd64",
+				OS:           "windows",
+				OSVersion:    "10.0.17764.1",
+			},
+			match: false,
+		},
+		{
+			platform: imagespec.Platform{
+				Architecture: "amd64",
+				OS:           "windows",
+			},
+			match: false,
+		},
+	} {
+		assert.Equal(t, test.match, m.Match(test.platform))
+	}
+}
+
+func TestMatchComparerLess(t *testing.T) {
+	m := matchComparer{
+		defaults: platforms.Only(imagespec.Platform{
+			Architecture: "amd64",
+			OS:           "windows",
+		}),
+		osVersionPrefix: "10.0.17763",
+	}
+	platforms := []imagespec.Platform{
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17764.1",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17763.1",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17763.2",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17762.1",
+		},
+	}
+	expected := []imagespec.Platform{
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17763.2",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17763.1",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17764.1",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+		},
+		{
+			Architecture: "amd64",
+			OS:           "windows",
+			OSVersion:    "10.0.17762.1",
+		},
+	}
+	sort.SliceStable(platforms, func(i, j int) bool {
+		return m.Less(platforms[i], platforms[j])
+	})
+	assert.Equal(t, expected, platforms)
+}

pkg/netns/netns_windows.go

@@ -18,33 +18,61 @@ limitations under the License.
 
 package netns
 
-// TODO(windows): Implement netns for windows.
+import "github.com/Microsoft/hcsshim/hcn"
-// NetNS holds network namespace.
+
+// NetNS holds network namespace for sandbox
 type NetNS struct {
+	path string
 }
 
-// NewNetNS creates a network namespace.
+// NewNetNS creates a network namespace for the sandbox
 func NewNetNS() (*NetNS, error) {
-	return nil, nil
+	temp := hcn.HostComputeNamespace{}
+	hcnNamespace, err := temp.Create()
+	if err != nil {
+		return nil, err
+	}
+
+	return &NetNS{path: string(hcnNamespace.Id)}, nil
 }
 
 // LoadNetNS loads existing network namespace.
 func LoadNetNS(path string) *NetNS {
-	return nil
+	return &NetNS{path: path}
 }
 
-// Remove removes network namepace. Remove is idempotent, meaning it might
+// Remove removes network namepace if it exists and not closed. Remove is idempotent,
-// be invoked multiple times and provides consistent result.
+// meaning it might be invoked multiple times and provides consistent result.
 func (n *NetNS) Remove() error {
+	hcnNamespace, err := hcn.GetNamespaceByID(n.path)
+	if err != nil {
+		if hcn.IsNotFoundError(err) {
 			return nil
 		}
+		return err
+	}
+	err = hcnNamespace.Delete()
+	if err == nil || hcn.IsNotFoundError(err) {
+		return nil
+	}
+	return err
+}
 
 // Closed checks whether the network namespace has been closed.
 func (n *NetNS) Closed() (bool, error) {
+	_, err := hcn.GetNamespaceByID(n.path)
+	if err == nil {
 		return false, nil
 	}
+	if hcn.IsNotFoundError(err) {
+		return true, nil
+	}
+	return false, err
+}
 
 // GetPath returns network namespace path for sandbox container
 func (n *NetNS) GetPath() string {
-	return ""
+	return n.path
 }
+
+// NOTE: Do function is not supported.

pkg/server/container_create.go

@@ -284,8 +284,7 @@ func (c *criService) volumeMounts(containerRootDir string, criMounts []*runtime.
 }
 
 // runtimeSpec returns a default runtime spec used in cri-containerd.
-// TODO(windows): Remove nolint after windows starts using this helper.
+func runtimeSpec(id string, opts ...oci.SpecOpts) (*runtimespec.Spec, error) {
-func runtimeSpec(id string, opts ...oci.SpecOpts) (*runtimespec.Spec, error) { // nolint: deadcode, unused
 	// GenerateSpec needs namespace.
 	ctx := ctrdutil.NamespacedContext()
 	spec, err := oci.GenerateSpec(ctx, nil, &containers.Container{ID: id}, opts...)

pkg/server/container_create_test.go

@@ -17,14 +17,183 @@ limitations under the License.
 package server
 
 import (
+	"context"
 	"path/filepath"
 	"testing"
 
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+
+	"github.com/containerd/cri/pkg/config"
+	"github.com/containerd/cri/pkg/containerd/opts"
 )
 
+func checkMount(t *testing.T, mounts []runtimespec.Mount, src, dest, typ string,
+	contains, notcontains []string) {
+	found := false
+	for _, m := range mounts {
+		if m.Source == src && m.Destination == dest {
+			assert.Equal(t, m.Type, typ)
+			for _, c := range contains {
+				assert.Contains(t, m.Options, c)
+			}
+			for _, n := range notcontains {
+				assert.NotContains(t, m.Options, n)
+			}
+			found = true
+			break
+		}
+	}
+	assert.True(t, found, "mount from %q to %q not found", src, dest)
+}
+
+func TestGeneralContainerSpec(t *testing.T) {
+	testID := "test-id"
+	testPid := uint32(1234)
+	containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+	ociRuntime := config.Runtime{}
+	c := newTestCRIService()
+	testSandboxID := "sandbox-id"
+	spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
+	require.NoError(t, err)
+	specCheck(t, testID, testSandboxID, testPid, spec)
+}
+
+func TestPodAnnotationPassthroughContainerSpec(t *testing.T) {
+	testID := "test-id"
+	testSandboxID := "sandbox-id"
+	testPid := uint32(1234)
+
+	for desc, test := range map[string]struct {
+		podAnnotations []string
+		configChange   func(*runtime.PodSandboxConfig)
+		specCheck      func(*testing.T, *runtimespec.Spec)
+	}{
+		"a passthrough annotation should be passed as an OCI annotation": {
+			podAnnotations: []string{"c"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, spec.Annotations["c"], "d")
+			},
+		},
+		"a non-passthrough annotation should not be passed as an OCI annotation": {
+			configChange: func(c *runtime.PodSandboxConfig) {
+				c.Annotations["d"] = "e"
+			},
+			podAnnotations: []string{"c"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, spec.Annotations["c"], "d")
+				_, ok := spec.Annotations["d"]
+				assert.False(t, ok)
+			},
+		},
+		"passthrough annotations should support wildcard match": {
+			configChange: func(c *runtime.PodSandboxConfig) {
+				c.Annotations["t.f"] = "j"
+				c.Annotations["z.g"] = "o"
+				c.Annotations["z"] = "o"
+				c.Annotations["y.ca"] = "b"
+				c.Annotations["y"] = "b"
+			},
+			podAnnotations: []string{"t*", "z.*", "y.c*"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				t.Logf("%+v", spec.Annotations)
+				assert.Equal(t, spec.Annotations["t.f"], "j")
+				assert.Equal(t, spec.Annotations["z.g"], "o")
+				assert.Equal(t, spec.Annotations["y.ca"], "b")
+				_, ok := spec.Annotations["y"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["z"]
+				assert.False(t, ok)
+			},
+		},
+	} {
+		t.Run(desc, func(t *testing.T) {
+			c := newTestCRIService()
+			containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+			if test.configChange != nil {
+				test.configChange(sandboxConfig)
+			}
+
+			ociRuntime := config.Runtime{
+				PodAnnotations: test.podAnnotations,
+			}
+			spec, err := c.containerSpec(testID, testSandboxID, testPid, "",
+				containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
+			assert.NoError(t, err)
+			assert.NotNil(t, spec)
+			specCheck(t, testID, testSandboxID, testPid, spec)
+			if test.specCheck != nil {
+				test.specCheck(t, spec)
+			}
+		})
+	}
+}
+
+func TestContainerSpecCommand(t *testing.T) {
+	for desc, test := range map[string]struct {
+		criEntrypoint   []string
+		criArgs         []string
+		imageEntrypoint []string
+		imageArgs       []string
+		expected        []string
+		expectErr       bool
+	}{
+		"should use cri entrypoint if it's specified": {
+			criEntrypoint:   []string{"a", "b"},
+			imageEntrypoint: []string{"c", "d"},
+			imageArgs:       []string{"e", "f"},
+			expected:        []string{"a", "b"},
+		},
+		"should use cri entrypoint if it's specified even if it's empty": {
+			criEntrypoint:   []string{},
+			criArgs:         []string{"a", "b"},
+			imageEntrypoint: []string{"c", "d"},
+			imageArgs:       []string{"e", "f"},
+			expected:        []string{"a", "b"},
+		},
+		"should use cri entrypoint and args if they are specified": {
+			criEntrypoint:   []string{"a", "b"},
+			criArgs:         []string{"c", "d"},
+			imageEntrypoint: []string{"e", "f"},
+			imageArgs:       []string{"g", "h"},
+			expected:        []string{"a", "b", "c", "d"},
+		},
+		"should use image entrypoint if cri entrypoint is not specified": {
+			criArgs:         []string{"a", "b"},
+			imageEntrypoint: []string{"c", "d"},
+			imageArgs:       []string{"e", "f"},
+			expected:        []string{"c", "d", "a", "b"},
+		},
+		"should use image args if both cri entrypoint and args are not specified": {
+			imageEntrypoint: []string{"c", "d"},
+			imageArgs:       []string{"e", "f"},
+			expected:        []string{"c", "d", "e", "f"},
+		},
+		"should return error if both entrypoint and args are empty": {
+			expectErr: true,
+		},
+	} {
+
+		config, _, imageConfig, _ := getCreateContainerTestData()
+		config.Command = test.criEntrypoint
+		config.Args = test.criArgs
+		imageConfig.Entrypoint = test.imageEntrypoint
+		imageConfig.Cmd = test.imageArgs
+
+		var spec runtimespec.Spec
+		err := opts.WithProcessArgs(config, imageConfig)(context.Background(), nil, nil, &spec)
+		if test.expectErr {
+			assert.Error(t, err)
+			continue
+		}
+		assert.NoError(t, err)
+		assert.Equal(t, test.expected, spec.Process.Args, desc)
+	}
+}
+
 func TestVolumeMounts(t *testing.T) {
 	testContainerRootDir := "test-container-root"
 	for desc, test := range map[string]struct {
@@ -95,3 +264,117 @@ func TestVolumeMounts(t *testing.T) {
 		}
 	}
 }
+
+func TestContainerAnnotationPassthroughContainerSpec(t *testing.T) {
+	testID := "test-id"
+	testSandboxID := "sandbox-id"
+	testPid := uint32(1234)
+
+	for desc, test := range map[string]struct {
+		podAnnotations       []string
+		containerAnnotations []string
+		podConfigChange      func(*runtime.PodSandboxConfig)
+		configChange         func(*runtime.ContainerConfig)
+		specCheck            func(*testing.T, *runtimespec.Spec)
+	}{
+		"passthrough annotations from pod and container should be passed as an OCI annotation": {
+			podConfigChange: func(p *runtime.PodSandboxConfig) {
+				p.Annotations["pod.annotation.1"] = "1"
+				p.Annotations["pod.annotation.2"] = "2"
+				p.Annotations["pod.annotation.3"] = "3"
+			},
+			configChange: func(c *runtime.ContainerConfig) {
+				c.Annotations["container.annotation.1"] = "1"
+				c.Annotations["container.annotation.2"] = "2"
+				c.Annotations["container.annotation.3"] = "3"
+			},
+			podAnnotations:       []string{"pod.annotation.1"},
+			containerAnnotations: []string{"container.annotation.1"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, "1", spec.Annotations["container.annotation.1"])
+				_, ok := spec.Annotations["container.annotation.2"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["container.annotation.3"]
+				assert.False(t, ok)
+				assert.Equal(t, "1", spec.Annotations["pod.annotation.1"])
+				_, ok = spec.Annotations["pod.annotation.2"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["pod.annotation.3"]
+				assert.False(t, ok)
+			},
+		},
+		"passthrough annotations from pod and container should support wildcard": {
+			podConfigChange: func(p *runtime.PodSandboxConfig) {
+				p.Annotations["pod.annotation.1"] = "1"
+				p.Annotations["pod.annotation.2"] = "2"
+				p.Annotations["pod.annotation.3"] = "3"
+			},
+			configChange: func(c *runtime.ContainerConfig) {
+				c.Annotations["container.annotation.1"] = "1"
+				c.Annotations["container.annotation.2"] = "2"
+				c.Annotations["container.annotation.3"] = "3"
+			},
+			podAnnotations:       []string{"pod.annotation.*"},
+			containerAnnotations: []string{"container.annotation.*"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, "1", spec.Annotations["container.annotation.1"])
+				assert.Equal(t, "2", spec.Annotations["container.annotation.2"])
+				assert.Equal(t, "3", spec.Annotations["container.annotation.3"])
+				assert.Equal(t, "1", spec.Annotations["pod.annotation.1"])
+				assert.Equal(t, "2", spec.Annotations["pod.annotation.2"])
+				assert.Equal(t, "3", spec.Annotations["pod.annotation.3"])
+			},
+		},
+		"annotations should not pass through if no passthrough annotations are configured": {
+			podConfigChange: func(p *runtime.PodSandboxConfig) {
+				p.Annotations["pod.annotation.1"] = "1"
+				p.Annotations["pod.annotation.2"] = "2"
+				p.Annotations["pod.annotation.3"] = "3"
+			},
+			configChange: func(c *runtime.ContainerConfig) {
+				c.Annotations["container.annotation.1"] = "1"
+				c.Annotations["container.annotation.2"] = "2"
+				c.Annotations["container.annotation.3"] = "3"
+			},
+			podAnnotations:       []string{},
+			containerAnnotations: []string{},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				_, ok := spec.Annotations["container.annotation.1"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["container.annotation.2"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["container.annotation.3"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["pod.annotation.1"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["pod.annotation.2"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["pod.annotation.3"]
+				assert.False(t, ok)
+			},
+		},
+	} {
+		t.Run(desc, func(t *testing.T) {
+			c := newTestCRIService()
+			containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+			if test.configChange != nil {
+				test.configChange(containerConfig)
+			}
+			if test.podConfigChange != nil {
+				test.podConfigChange(sandboxConfig)
+			}
+			ociRuntime := config.Runtime{
+				PodAnnotations:       test.podAnnotations,
+				ContainerAnnotations: test.containerAnnotations,
+			}
+			spec, err := c.containerSpec(testID, testSandboxID, testPid, "",
+				containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
+			assert.NoError(t, err)
+			assert.NotNil(t, spec)
+			specCheck(t, testID, testSandboxID, testPid, spec)
+			if test.specCheck != nil {
+				test.specCheck(t, spec)
+			}
+		})
+	}
+}

pkg/server/container_create_unix_test.go

@@ -31,12 +31,6 @@ import (
 	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/oci"
-	"github.com/containerd/cri/pkg/annotations"
-	"github.com/containerd/cri/pkg/config"
-	"github.com/containerd/cri/pkg/containerd/opts"
-	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
-	ostesting "github.com/containerd/cri/pkg/os/testing"
-	"github.com/containerd/cri/pkg/util"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
@@ -44,26 +38,14 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
-)
 
-func checkMount(t *testing.T, mounts []runtimespec.Mount, src, dest, typ string,
+	"github.com/containerd/cri/pkg/annotations"
-	contains, notcontains []string) {
+	"github.com/containerd/cri/pkg/config"
-	found := false
+	"github.com/containerd/cri/pkg/containerd/opts"
-	for _, m := range mounts {
+	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
-		if m.Source == src && m.Destination == dest {
+	ostesting "github.com/containerd/cri/pkg/os/testing"
-			assert.Equal(t, m.Type, typ)
+	"github.com/containerd/cri/pkg/util"
-			for _, c := range contains {
+)
-				assert.Contains(t, m.Options, c)
-			}
-			for _, n := range notcontains {
-				assert.NotContains(t, m.Options, n)
-			}
-			found = true
-			break
-		}
-	}
-	assert.True(t, found, "mount from %q to %q not found", src, dest)
-}
 
 func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandboxConfig,
 	*imagespec.ImageConfig, func(*testing.T, string, string, uint32, *runtimespec.Spec)) {
@@ -195,18 +177,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 	return config, sandboxConfig, imageConfig, specCheck
 }
 
-func TestGeneralContainerSpec(t *testing.T) {
-	testID := "test-id"
-	testPid := uint32(1234)
-	containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
-	ociRuntime := config.Runtime{}
-	c := newTestCRIService()
-	testSandboxID := "sandbox-id"
-	spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
-	require.NoError(t, err)
-	specCheck(t, testID, testSandboxID, testPid, spec)
-}
-
 func TestContainerCapabilities(t *testing.T) {
 	testID := "test-id"
 	testSandboxID := "sandbox-id"
@@ -299,134 +269,6 @@ func TestContainerSpecTty(t *testing.T) {
 	}
 }
 
-func TestPodAnnotationPassthroughContainerSpec(t *testing.T) {
-	testID := "test-id"
-	testSandboxID := "sandbox-id"
-	testPid := uint32(1234)
-
-	for desc, test := range map[string]struct {
-		podAnnotations []string
-		configChange   func(*runtime.PodSandboxConfig)
-		specCheck      func(*testing.T, *runtimespec.Spec)
-	}{
-		"a passthrough annotation should be passed as an OCI annotation": {
-			podAnnotations: []string{"c"},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, spec.Annotations["c"], "d")
-			},
-		},
-		"a non-passthrough annotation should not be passed as an OCI annotation": {
-			configChange: func(c *runtime.PodSandboxConfig) {
-				c.Annotations["d"] = "e"
-			},
-			podAnnotations: []string{"c"},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, spec.Annotations["c"], "d")
-				_, ok := spec.Annotations["d"]
-				assert.False(t, ok)
-			},
-		},
-		"passthrough annotations should support wildcard match": {
-			configChange: func(c *runtime.PodSandboxConfig) {
-				c.Annotations["t.f"] = "j"
-				c.Annotations["z.g"] = "o"
-				c.Annotations["z"] = "o"
-				c.Annotations["y.ca"] = "b"
-				c.Annotations["y"] = "b"
-			},
-			podAnnotations: []string{"t*", "z.*", "y.c*"},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				t.Logf("%+v", spec.Annotations)
-				assert.Equal(t, spec.Annotations["t.f"], "j")
-				assert.Equal(t, spec.Annotations["z.g"], "o")
-				assert.Equal(t, spec.Annotations["y.ca"], "b")
-				_, ok := spec.Annotations["y"]
-				assert.False(t, ok)
-				_, ok = spec.Annotations["z"]
-				assert.False(t, ok)
-			},
-		},
-	} {
-		t.Run(desc, func(t *testing.T) {
-			c := newTestCRIService()
-			containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
-			if test.configChange != nil {
-				test.configChange(sandboxConfig)
-			}
-
-			ociRuntime := config.Runtime{
-				PodAnnotations: test.podAnnotations,
-			}
-			spec, err := c.containerSpec(testID, testSandboxID, testPid, "",
-				containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
-			assert.NoError(t, err)
-			assert.NotNil(t, spec)
-			specCheck(t, testID, testSandboxID, testPid, spec)
-			if test.specCheck != nil {
-				test.specCheck(t, spec)
-			}
-		})
-	}
-}
-
-func TestContainerAnnotationPassthroughContainerSpec(t *testing.T) {
-	testID := "test-id"
-	testSandboxID := "sandbox-id"
-	testPid := uint32(1234)
-
-	for desc, test := range map[string]struct {
-		podAnnotations       []string
-		containerAnnotations []string
-		configChange         func(*runtime.PodSandboxConfig)
-		specCheck            func(*testing.T, *runtimespec.Spec)
-	}{
-		"passthrough annotations from pod and container should be passed as an OCI annotation": {
-			podAnnotations:       []string{"c"},
-			containerAnnotations: []string{"c*"}, // wildcard should pick up ca-c->ca-d pair in container
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, "d", spec.Annotations["c"])
-				assert.Equal(t, "ca-d", spec.Annotations["ca-c"])
-			},
-		},
-		"annotations should not pass through if no passthrough annotations are configured": {
-			podAnnotations:       []string{},
-			containerAnnotations: []string{},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, "", spec.Annotations["c"])
-				assert.Equal(t, "", spec.Annotations["ca-c"])
-			},
-		},
-		"unmatched annotations should not pass through even if passthrough annotations are configured": {
-			podAnnotations:       []string{"x"},
-			containerAnnotations: []string{"x*"},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, "", spec.Annotations["c"])
-				assert.Equal(t, "", spec.Annotations["ca-c"])
-			},
-		},
-	} {
-		t.Run(desc, func(t *testing.T) {
-			c := newTestCRIService()
-			containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
-			if test.configChange != nil {
-				test.configChange(sandboxConfig)
-			}
-			ociRuntime := config.Runtime{
-				PodAnnotations:       test.podAnnotations,
-				ContainerAnnotations: test.containerAnnotations,
-			}
-			spec, err := c.containerSpec(testID, testSandboxID, testPid, "",
-				containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
-			assert.NoError(t, err)
-			assert.NotNil(t, spec)
-			specCheck(t, testID, testSandboxID, testPid, spec)
-			if test.specCheck != nil {
-				test.specCheck(t, spec)
-			}
-		})
-	}
-}
-
 func TestContainerSpecReadonlyRootfs(t *testing.T) {
 	testID := "test-id"
 	testSandboxID := "sandbox-id"
@@ -550,68 +392,6 @@ func TestContainerAndSandboxPrivileged(t *testing.T) {
 	}
 }
 
-func TestContainerSpecCommand(t *testing.T) {
-	for desc, test := range map[string]struct {
-		criEntrypoint   []string
-		criArgs         []string
-		imageEntrypoint []string
-		imageArgs       []string
-		expected        []string
-		expectErr       bool
-	}{
-		"should use cri entrypoint if it's specified": {
-			criEntrypoint:   []string{"a", "b"},
-			imageEntrypoint: []string{"c", "d"},
-			imageArgs:       []string{"e", "f"},
-			expected:        []string{"a", "b"},
-		},
-		"should use cri entrypoint if it's specified even if it's empty": {
-			criEntrypoint:   []string{},
-			criArgs:         []string{"a", "b"},
-			imageEntrypoint: []string{"c", "d"},
-			imageArgs:       []string{"e", "f"},
-			expected:        []string{"a", "b"},
-		},
-		"should use cri entrypoint and args if they are specified": {
-			criEntrypoint:   []string{"a", "b"},
-			criArgs:         []string{"c", "d"},
-			imageEntrypoint: []string{"e", "f"},
-			imageArgs:       []string{"g", "h"},
-			expected:        []string{"a", "b", "c", "d"},
-		},
-		"should use image entrypoint if cri entrypoint is not specified": {
-			criArgs:         []string{"a", "b"},
-			imageEntrypoint: []string{"c", "d"},
-			imageArgs:       []string{"e", "f"},
-			expected:        []string{"c", "d", "a", "b"},
-		},
-		"should use image args if both cri entrypoint and args are not specified": {
-			imageEntrypoint: []string{"c", "d"},
-			imageArgs:       []string{"e", "f"},
-			expected:        []string{"c", "d", "e", "f"},
-		},
-		"should return error if both entrypoint and args are empty": {
-			expectErr: true,
-		},
-	} {
-
-		config, _, imageConfig, _ := getCreateContainerTestData()
-		config.Command = test.criEntrypoint
-		config.Args = test.criArgs
-		imageConfig.Entrypoint = test.imageEntrypoint
-		imageConfig.Cmd = test.imageArgs
-
-		var spec runtimespec.Spec
-		err := opts.WithProcessArgs(config, imageConfig)(context.Background(), nil, nil, &spec)
-		if test.expectErr {
-			assert.Error(t, err)
-			continue
-		}
-		assert.NoError(t, err)
-		assert.Equal(t, test.expected, spec.Process.Args, desc)
-	}
-}
-
 func TestContainerMounts(t *testing.T) {
 	const testSandboxID = "test-id"
 	for desc, test := range map[string]struct {

pkg/server/container_create_windows.go

@@ -19,13 +19,14 @@ limitations under the License.
 package server
 
 import (
-	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/oci"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
+	"github.com/containerd/cri/pkg/annotations"
 	"github.com/containerd/cri/pkg/config"
+	customopts "github.com/containerd/cri/pkg/containerd/opts"
 )
 
 // No container mounts for windows.
@@ -33,11 +34,63 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 	return nil
 }
 
-// TODO(windows): Add windows container spec.
 func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint32, netNSPath string,
 	config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig,
 	extraMounts []*runtime.Mount, ociRuntime config.Runtime) (*runtimespec.Spec, error) {
-	return nil, errdefs.ErrNotImplemented
+	specOpts := []oci.SpecOpts{
+		customopts.WithProcessArgs(config, imageConfig),
+	}
+	if config.GetWorkingDir() != "" {
+		specOpts = append(specOpts, oci.WithProcessCwd(config.GetWorkingDir()))
+	} else if imageConfig.WorkingDir != "" {
+		specOpts = append(specOpts, oci.WithProcessCwd(imageConfig.WorkingDir))
+	}
+
+	if config.GetTty() {
+		specOpts = append(specOpts, oci.WithTTY)
+	}
+
+	// Apply envs from image config first, so that envs from container config
+	// can override them.
+	env := imageConfig.Env
+	for _, e := range config.GetEnvs() {
+		env = append(env, e.GetKey()+"="+e.GetValue())
+	}
+	specOpts = append(specOpts, oci.WithEnv(env))
+
+	specOpts = append(specOpts,
+		// Clear the root location since hcsshim expects it.
+		// NOTE: readonly rootfs doesn't work on windows.
+		customopts.WithoutRoot,
+		customopts.WithWindowsNetworkNamespace(netNSPath),
+	)
+
+	specOpts = append(specOpts, customopts.WithWindowsMounts(c.os, config, extraMounts))
+
+	specOpts = append(specOpts, customopts.WithWindowsResources(config.GetWindows().GetResources()))
+
+	username := config.GetWindows().GetSecurityContext().GetRunAsUsername()
+	if username != "" {
+		specOpts = append(specOpts, oci.WithUser(username))
+	}
+	// TODO(windows): Add CredentialSpec support.
+
+	for pKey, pValue := range getPassthroughAnnotations(sandboxConfig.Annotations,
+		ociRuntime.PodAnnotations) {
+		specOpts = append(specOpts, customopts.WithAnnotation(pKey, pValue))
+	}
+
+	for pKey, pValue := range getPassthroughAnnotations(config.Annotations,
+		ociRuntime.ContainerAnnotations) {
+		specOpts = append(specOpts, customopts.WithAnnotation(pKey, pValue))
+	}
+
+	specOpts = append(specOpts,
+		customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer),
+		customopts.WithAnnotation(annotations.SandboxID, sandboxID),
+	)
+
+	return runtimeSpec(id, specOpts...)
 }
 
 // No extra spec options needed for windows.

pkg/server/container_create_windows_test.go

@@ -0,0 +1,140 @@
+// +build windows
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package server
+
+import (
+	"testing"
+
+	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/stretchr/testify/assert"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+
+	"github.com/containerd/cri/pkg/annotations"
+	"github.com/containerd/cri/pkg/config"
+)
+
+func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandboxConfig,
+	*imagespec.ImageConfig, func(*testing.T, string, string, uint32, *runtimespec.Spec)) {
+	config := &runtime.ContainerConfig{
+		Metadata: &runtime.ContainerMetadata{
+			Name:    "test-name",
+			Attempt: 1,
+		},
+		Image: &runtime.ImageSpec{
+			Image: "sha256:c75bebcdd211f41b3a460c7bf82970ed6c75acaab9cd4c9a4e125b03ca113799",
+		},
+		Command:    []string{"test", "command"},
+		Args:       []string{"test", "args"},
+		WorkingDir: "test-cwd",
+		Envs: []*runtime.KeyValue{
+			{Key: "k1", Value: "v1"},
+			{Key: "k2", Value: "v2"},
+			{Key: "k3", Value: "v3=v3bis"},
+			{Key: "k4", Value: "v4=v4bis=foop"},
+		},
+		Mounts: []*runtime.Mount{
+			// everything default
+			{
+				ContainerPath: "container-path-1",
+				HostPath:      "host-path-1",
+			},
+			// readOnly
+			{
+				ContainerPath: "container-path-2",
+				HostPath:      "host-path-2",
+				Readonly:      true,
+			},
+		},
+		Labels:      map[string]string{"a": "b"},
+		Annotations: map[string]string{"c": "d"},
+		Windows: &runtime.WindowsContainerConfig{
+			Resources: &runtime.WindowsContainerResources{
+				CpuShares:          100,
+				CpuCount:           200,
+				CpuMaximum:         300,
+				MemoryLimitInBytes: 400,
+			},
+			SecurityContext: &runtime.WindowsContainerSecurityContext{
+				RunAsUsername: "test-user",
+			},
+		},
+	}
+	sandboxConfig := &runtime.PodSandboxConfig{
+		Metadata: &runtime.PodSandboxMetadata{
+			Name:      "test-sandbox-name",
+			Uid:       "test-sandbox-uid",
+			Namespace: "test-sandbox-ns",
+			Attempt:   2,
+		},
+		Annotations: map[string]string{"c": "d"},
+	}
+	imageConfig := &imagespec.ImageConfig{
+		Env:        []string{"ik1=iv1", "ik2=iv2", "ik3=iv3=iv3bis", "ik4=iv4=iv4bis=boop"},
+		Entrypoint: []string{"/entrypoint"},
+		Cmd:        []string{"cmd"},
+		WorkingDir: "/workspace",
+	}
+	specCheck := func(t *testing.T, id string, sandboxID string, sandboxPid uint32, spec *runtimespec.Spec) {
+		assert.Nil(t, spec.Root)
+		assert.Equal(t, []string{"test", "command", "test", "args"}, spec.Process.Args)
+		assert.Equal(t, "test-cwd", spec.Process.Cwd)
+		assert.Contains(t, spec.Process.Env, "k1=v1", "k2=v2", "k3=v3=v3bis", "ik4=iv4=iv4bis=boop")
+		assert.Contains(t, spec.Process.Env, "ik1=iv1", "ik2=iv2", "ik3=iv3=iv3bis", "k4=v4=v4bis=foop")
+
+		t.Logf("Check bind mount")
+		checkMount(t, spec.Mounts, "host-path-1", "container-path-1", "", []string{"rw"}, nil)
+		checkMount(t, spec.Mounts, "host-path-2", "container-path-2", "", []string{"ro"}, nil)
+
+		t.Logf("Check resource limits")
+		assert.EqualValues(t, *spec.Windows.Resources.CPU.Shares, 100)
+		assert.EqualValues(t, *spec.Windows.Resources.CPU.Count, 200)
+		assert.EqualValues(t, *spec.Windows.Resources.CPU.Maximum, 300)
+		assert.EqualValues(t, *spec.Windows.Resources.CPU.Maximum, 300)
+		assert.EqualValues(t, *spec.Windows.Resources.Memory.Limit, 400)
+
+		t.Logf("Check username")
+		assert.Contains(t, spec.Process.User.Username, "test-user")
+
+		t.Logf("Check PodSandbox annotations")
+		assert.Contains(t, spec.Annotations, annotations.SandboxID)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxID], sandboxID)
+
+		assert.Contains(t, spec.Annotations, annotations.ContainerType)
+		assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeContainer)
+	}
+	return config, sandboxConfig, imageConfig, specCheck
+}
+
+func TestContainerWindowsNetworkNamespace(t *testing.T) {
+	testID := "test-id"
+	testSandboxID := "sandbox-id"
+	testPid := uint32(1234)
+	nsPath := "test-cni"
+	c := newTestCRIService()
+
+	containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+	spec, err := c.containerSpec(testID, testSandboxID, testPid, nsPath, containerConfig, sandboxConfig, imageConfig, nil, config.Runtime{})
+	assert.NoError(t, err)
+	assert.NotNil(t, spec)
+	specCheck(t, testID, testSandboxID, testPid, spec)
+	assert.NotNil(t, spec.Windows)
+	assert.NotNil(t, spec.Windows.Network)
+	assert.Equal(t, nsPath, spec.Windows.Network.NetworkNamespace)
+}

pkg/server/container_start.go

@@ -18,7 +18,6 @@ package server
 
 import (
 	"io"
-	"os"
 	"time"
 
 	"github.com/containerd/containerd"
@@ -175,7 +174,7 @@ func resetContainerStarting(container containerstore.Container) error {
 func (c *criService) createContainerLoggers(logPath string, tty bool) (stdout io.WriteCloser, stderr io.WriteCloser, err error) {
 	if logPath != "" {
 		// Only generate container log when log path is specified.
-		f, err := os.OpenFile(logPath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0640)
+		f, err := openLogFile(logPath)
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "failed to create and open log file")
 		}

pkg/server/container_stats.go

@@ -25,8 +25,6 @@ import (
 
 // ContainerStats returns stats of the container. If the container does not
 // exist, the call returns an error.
-// TODO(windows): hcsshim Stats is not implemented, add windows support after
-// that is implemented.
 func (c *criService) ContainerStats(ctx context.Context, in *runtime.ContainerStatsRequest) (*runtime.ContainerStatsResponse, error) {
 	cntr, err := c.containerStore.Get(in.GetContainerId())
 	if err != nil {

pkg/server/container_stats_list_windows.go

@@ -25,11 +25,36 @@ import (
 	containerstore "github.com/containerd/cri/pkg/store/container"
 )
 
-// TODO(windows): Implement a dummy version of this, and actually support this
-// when stats is supported by the hcs containerd shim.
 func (c *criService) containerMetrics(
 	meta containerstore.Metadata,
 	stats *types.Metric,
 ) (*runtime.ContainerStats, error) {
-	return nil, nil
+	var cs runtime.ContainerStats
+	var usedBytes, inodesUsed uint64
+	sn, err := c.snapshotStore.Get(meta.ID)
+	// If snapshotstore doesn't have cached snapshot information
+	// set WritableLayer usage to zero
+	if err == nil {
+		usedBytes = sn.Size
+		inodesUsed = sn.Inodes
+	}
+	cs.WritableLayer = &runtime.FilesystemUsage{
+		Timestamp: sn.Timestamp,
+		FsId: &runtime.FilesystemIdentifier{
+			Mountpoint: c.imageFSPath,
+		},
+		UsedBytes:  &runtime.UInt64Value{Value: usedBytes},
+		InodesUsed: &runtime.UInt64Value{Value: inodesUsed},
+	}
+	cs.Attributes = &runtime.ContainerAttributes{
+		Id:          meta.ID,
+		Metadata:    meta.Config.GetMetadata(),
+		Labels:      meta.Config.GetLabels(),
+		Annotations: meta.Config.GetAnnotations(),
+	}
+
+	// TODO(windows): hcsshim Stats is not implemented, add windows support after
+	// that is implemented.
+
+	return &cs, nil
 }

pkg/server/helpers.go

@@ -24,6 +24,7 @@ import (
 	"strings"
 
 	"github.com/BurntSushi/toml"
+	runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/plugin"
@@ -86,6 +87,9 @@ const (
 
 	// defaultIfName is the default network interface for the pods
 	defaultIfName = "eth0"
+
+	// runtimeRunhcsV1 is the runtime type for runhcs.
+	runtimeRunhcsV1 = "io.containerd.runhcs.v1"
 )
 
 // makeSandboxName generates sandbox name from sandbox metadata. The name
@@ -321,6 +325,8 @@ func getRuntimeOptionsType(t string) interface{} {
 		return &runcoptions.Options{}
 	case plugin.RuntimeLinuxV1:
 		return &runctypes.RuncOptions{}
+	case runtimeRunhcsV1:
+		return &runhcsoptions.Options{}
 	default:
 		return &runtimeoptions.Options{}
 	}

pkg/server/helpers_unix.go

@@ -20,6 +20,7 @@ package server
 
 import (
 	"fmt"
+	"os"
 	"path"
 	"path/filepath"
 	"regexp"
@@ -135,3 +136,8 @@ func (c *criService) apparmorEnabled() bool {
 func (c *criService) seccompEnabled() bool {
 	return runcseccomp.IsEnabled()
 }
+
+// openLogFile opens/creates a container log file.
+func openLogFile(path string) (*os.File, error) {
+	return os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0640)
+}

pkg/server/helpers_windows.go

@@ -0,0 +1,158 @@
+// +build windows
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package server
+
+import (
+	"os"
+	"path/filepath"
+	"syscall"
+)
+
+// openLogFile opens/creates a container log file.
+// It specifies `FILE_SHARE_DELETE` option to make sure
+// log files can be rotated by kubelet.
+// TODO(windows): Use golang support after 1.14. (https://github.com/golang/go/issues/32088)
+func openLogFile(path string) (*os.File, error) {
+	path = fixLongPath(path)
+	if len(path) == 0 {
+		return nil, syscall.ERROR_FILE_NOT_FOUND
+	}
+	pathp, err := syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return nil, err
+	}
+	createmode := uint32(syscall.OPEN_ALWAYS)
+	access := uint32(syscall.FILE_APPEND_DATA)
+	sharemode := uint32(syscall.FILE_SHARE_READ | syscall.FILE_SHARE_WRITE | syscall.FILE_SHARE_DELETE)
+	h, err := syscall.CreateFile(pathp, access, sharemode, nil, createmode, syscall.FILE_ATTRIBUTE_NORMAL, 0)
+	if err != nil {
+		return nil, err
+	}
+	return os.NewFile(uintptr(h), path), nil
+}
+
+// Copyright (c) 2009 The Go Authors. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//    * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//    * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//    * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// fixLongPath returns the extended-length (\\?\-prefixed) form of
+// path when needed, in order to avoid the default 260 character file
+// path limit imposed by Windows. If path is not easily converted to
+// the extended-length form (for example, if path is a relative path
+// or contains .. elements), or is short enough, fixLongPath returns
+// path unmodified.
+//
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx#maxpath
+//
+// This is copied from https://golang.org/src/path/filepath/path_windows.go.
+func fixLongPath(path string) string {
+	// Do nothing (and don't allocate) if the path is "short".
+	// Empirically (at least on the Windows Server 2013 builder),
+	// the kernel is arbitrarily okay with < 248 bytes. That
+	// matches what the docs above say:
+	// "When using an API to create a directory, the specified
+	// path cannot be so long that you cannot append an 8.3 file
+	// name (that is, the directory name cannot exceed MAX_PATH
+	// minus 12)." Since MAX_PATH is 260, 260 - 12 = 248.
+	//
+	// The MSDN docs appear to say that a normal path that is 248 bytes long
+	// will work; empirically the path must be less then 248 bytes long.
+	if len(path) < 248 {
+		// Don't fix. (This is how Go 1.7 and earlier worked,
+		// not automatically generating the \\?\ form)
+		return path
+	}
+
+	// The extended form begins with \\?\, as in
+	// \\?\c:\windows\foo.txt or \\?\UNC\server\share\foo.txt.
+	// The extended form disables evaluation of . and .. path
+	// elements and disables the interpretation of / as equivalent
+	// to \. The conversion here rewrites / to \ and elides
+	// . elements as well as trailing or duplicate separators. For
+	// simplicity it avoids the conversion entirely for relative
+	// paths or paths containing .. elements. For now,
+	// \\server\share paths are not converted to
+	// \\?\UNC\server\share paths because the rules for doing so
+	// are less well-specified.
+	if len(path) >= 2 && path[:2] == `\\` {
+		// Don't canonicalize UNC paths.
+		return path
+	}
+	if !filepath.IsAbs(path) {
+		// Relative path
+		return path
+	}
+
+	const prefix = `\\?`
+
+	pathbuf := make([]byte, len(prefix)+len(path)+len(`\`))
+	copy(pathbuf, prefix)
+	n := len(path)
+	r, w := 0, len(prefix)
+	for r < n {
+		switch {
+		case os.IsPathSeparator(path[r]):
+			// empty block
+			r++
+		case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+			// /./
+			r++
+		case r+1 < n && path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+			// /../ is currently unhandled
+			return path
+		default:
+			pathbuf[w] = '\\'
+			w++
+			for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+				pathbuf[w] = path[r]
+				w++
+			}
+		}
+	}
+	// A drive's root directory needs a trailing \
+	if w == len(`\\?\c:`) {
+		pathbuf[w] = '\\'
+		w++
+	}
+	return string(pathbuf[:w])
+}

pkg/server/io/helpers.go

@@ -112,7 +112,7 @@ func newStdioPipes(fifos *cio.FIFOSet) (_ *stdioPipes, _ *wgCloser, err error) {
 	}()
 
 	if fifos.Stdin != "" {
-		if f, err = openFifo(ctx, fifos.Stdin, syscall.O_WRONLY|syscall.O_CREAT|syscall.O_NONBLOCK, 0700); err != nil {
+		if f, err = openPipe(ctx, fifos.Stdin, syscall.O_WRONLY|syscall.O_CREAT|syscall.O_NONBLOCK, 0700); err != nil {
 			return nil, nil, err
 		}
 		p.stdin = f
@@ -120,7 +120,7 @@ func newStdioPipes(fifos *cio.FIFOSet) (_ *stdioPipes, _ *wgCloser, err error) {
 	}
 
 	if fifos.Stdout != "" {
-		if f, err = openFifo(ctx, fifos.Stdout, syscall.O_RDONLY|syscall.O_CREAT|syscall.O_NONBLOCK, 0700); err != nil {
+		if f, err = openPipe(ctx, fifos.Stdout, syscall.O_RDONLY|syscall.O_CREAT|syscall.O_NONBLOCK, 0700); err != nil {
 			return nil, nil, err
 		}
 		p.stdout = f
@@ -128,7 +128,7 @@ func newStdioPipes(fifos *cio.FIFOSet) (_ *stdioPipes, _ *wgCloser, err error) {
 	}
 
 	if fifos.Stderr != "" {
-		if f, err = openFifo(ctx, fifos.Stderr, syscall.O_RDONLY|syscall.O_CREAT|syscall.O_NONBLOCK, 0700); err != nil {
+		if f, err = openPipe(ctx, fifos.Stderr, syscall.O_RDONLY|syscall.O_CREAT|syscall.O_NONBLOCK, 0700); err != nil {
 			return nil, nil, err
 		}
 		p.stderr = f

pkg/server/io/helpers_unix.go

@@ -26,6 +26,6 @@ import (
 	"golang.org/x/net/context"
 )
 
-func openFifo(ctx context.Context, fn string, flag int, perm os.FileMode) (io.ReadWriteCloser, error) {
+func openPipe(ctx context.Context, fn string, flag int, perm os.FileMode) (io.ReadWriteCloser, error) {
 	return fifo.OpenFifo(ctx, fn, flag, perm)
 }

pkg/server/io/helpers_windows.go

@@ -20,12 +20,62 @@ package io
 
 import (
 	"io"
+	"net"
 	"os"
+	"sync"
 
+	winio "github.com/Microsoft/go-winio"
+	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 )
 
-// TODO(windows): Add windows FIFO support.
+type pipe struct {
-func openFifo(ctx context.Context, fn string, flag int, perm os.FileMode) (io.ReadWriteCloser, error) {
+	l      net.Listener
-	return nil, nil
+	con    net.Conn
+	conErr error
+	conWg  sync.WaitGroup
+}
+
+func openPipe(ctx context.Context, fn string, flag int, perm os.FileMode) (io.ReadWriteCloser, error) {
+	l, err := winio.ListenPipe(fn, nil)
+	if err != nil {
+		return nil, err
+	}
+	p := &pipe{l: l}
+	p.conWg.Add(1)
+	go func() {
+		defer p.conWg.Done()
+		c, err := l.Accept()
+		if err != nil {
+			p.conErr = err
+			return
+		}
+		p.con = c
+	}()
+	return p, nil
+}
+
+func (p *pipe) Write(b []byte) (int, error) {
+	p.conWg.Wait()
+	if p.conErr != nil {
+		return 0, errors.Wrap(p.conErr, "connection error")
+	}
+	return p.con.Write(b)
+}
+
+func (p *pipe) Read(b []byte) (int, error) {
+	p.conWg.Wait()
+	if p.conErr != nil {
+		return 0, errors.Wrap(p.conErr, "connection error")
+	}
+	return p.con.Read(b)
+}
+
+func (p *pipe) Close() error {
+	p.l.Close()
+	p.conWg.Wait()
+	if p.con != nil {
+		return p.con.Close()
+	}
+	return p.conErr
 }

pkg/server/sandbox_run_test.go

@@ -21,13 +21,140 @@ import (
 	"testing"
 
 	cni "github.com/containerd/go-cni"
+	"github.com/containerd/typeurl"
+	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
 	"github.com/containerd/cri/pkg/annotations"
 	criconfig "github.com/containerd/cri/pkg/config"
+	sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
 )
 
+func TestSandboxContainerSpec(t *testing.T) {
+	testID := "test-id"
+	nsPath := "test-cni"
+	for desc, test := range map[string]struct {
+		configChange      func(*runtime.PodSandboxConfig)
+		podAnnotations    []string
+		imageConfigChange func(*imagespec.ImageConfig)
+		specCheck         func(*testing.T, *runtimespec.Spec)
+		expectErr         bool
+	}{
+		"should return error when entrypoint and cmd are empty": {
+			imageConfigChange: func(c *imagespec.ImageConfig) {
+				c.Entrypoint = nil
+				c.Cmd = nil
+			},
+			expectErr: true,
+		},
+		"a passthrough annotation should be passed as an OCI annotation": {
+			podAnnotations: []string{"c"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, spec.Annotations["c"], "d")
+			},
+		},
+		"a non-passthrough annotation should not be passed as an OCI annotation": {
+			configChange: func(c *runtime.PodSandboxConfig) {
+				c.Annotations["d"] = "e"
+			},
+			podAnnotations: []string{"c"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, spec.Annotations["c"], "d")
+				_, ok := spec.Annotations["d"]
+				assert.False(t, ok)
+			},
+		},
+		"passthrough annotations should support wildcard match": {
+			configChange: func(c *runtime.PodSandboxConfig) {
+				c.Annotations["t.f"] = "j"
+				c.Annotations["z.g"] = "o"
+				c.Annotations["z"] = "o"
+				c.Annotations["y.ca"] = "b"
+				c.Annotations["y"] = "b"
+			},
+			podAnnotations: []string{"t*", "z.*", "y.c*"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, spec.Annotations["t.f"], "j")
+				assert.Equal(t, spec.Annotations["z.g"], "o")
+				assert.Equal(t, spec.Annotations["y.ca"], "b")
+				_, ok := spec.Annotations["y"]
+				assert.False(t, ok)
+				_, ok = spec.Annotations["z"]
+				assert.False(t, ok)
+			},
+		},
+	} {
+		t.Logf("TestCase %q", desc)
+		c := newTestCRIService()
+		config, imageConfig, specCheck := getRunPodSandboxTestData()
+		if test.configChange != nil {
+			test.configChange(config)
+		}
+
+		if test.imageConfigChange != nil {
+			test.imageConfigChange(imageConfig)
+		}
+		spec, err := c.sandboxContainerSpec(testID, config, imageConfig, nsPath,
+			test.podAnnotations)
+		if test.expectErr {
+			assert.Error(t, err)
+			assert.Nil(t, spec)
+			continue
+		}
+		assert.NoError(t, err)
+		assert.NotNil(t, spec)
+		specCheck(t, testID, spec)
+		if test.specCheck != nil {
+			test.specCheck(t, spec)
+		}
+	}
+}
+
+func TestTypeurlMarshalUnmarshalSandboxMeta(t *testing.T) {
+	for desc, test := range map[string]struct {
+		configChange func(*runtime.PodSandboxConfig)
+	}{
+		"should marshal original config": {},
+		"should marshal Linux": {
+			configChange: func(c *runtime.PodSandboxConfig) {
+				if c.Linux == nil {
+					c.Linux = &runtime.LinuxPodSandboxConfig{}
+				}
+				c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
+					NamespaceOptions: &runtime.NamespaceOption{
+						Network: runtime.NamespaceMode_NODE,
+						Pid:     runtime.NamespaceMode_NODE,
+						Ipc:     runtime.NamespaceMode_NODE,
+					},
+					SupplementalGroups: []int64{1111, 2222},
+				}
+			},
+		},
+	} {
+		t.Logf("TestCase %q", desc)
+		meta := &sandboxstore.Metadata{
+			ID:        "1",
+			Name:      "sandbox_1",
+			NetNSPath: "/home/cloud",
+		}
+		meta.Config, _, _ = getRunPodSandboxTestData()
+		if test.configChange != nil {
+			test.configChange(meta.Config)
+		}
+
+		any, err := typeurl.MarshalAny(meta)
+		assert.NoError(t, err)
+		data, err := typeurl.UnmarshalAny(any)
+		assert.NoError(t, err)
+		assert.IsType(t, &sandboxstore.Metadata{}, data)
+		curMeta, ok := data.(*sandboxstore.Metadata)
+		assert.True(t, ok)
+		assert.Equal(t, meta, curMeta)
+	}
+}
+
 func TestToCNIPortMappings(t *testing.T) {
 	for desc, test := range map[string]struct {
 		criPortMappings []*runtime.PortMapping

pkg/server/sandbox_run_unix_test.go

@@ -23,7 +23,6 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/containerd/typeurl"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
@@ -33,7 +32,6 @@ import (
 	"github.com/containerd/cri/pkg/annotations"
 	"github.com/containerd/cri/pkg/containerd/opts"
 	ostesting "github.com/containerd/cri/pkg/os/testing"
-	sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
 )
 
 func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConfig, func(*testing.T, string, *runtimespec.Spec)) {
@@ -82,13 +80,11 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 	return config, imageConfig, specCheck
 }
 
-func TestSandboxContainerSpec(t *testing.T) {
+func TestLinuxSandboxContainerSpec(t *testing.T) {
 	testID := "test-id"
 	nsPath := "test-cni"
 	for desc, test := range map[string]struct {
 		configChange func(*runtime.PodSandboxConfig)
-		podAnnotations    []string
-		imageConfigChange func(*imagespec.ImageConfig)
 		specCheck    func(*testing.T, *runtimespec.Spec)
 		expectErr    bool
 	}{
@@ -138,13 +134,6 @@ func TestSandboxContainerSpec(t *testing.T) {
 				})
 			},
 		},
-		"should return error when entrypoint and cmd are empty": {
-			imageConfigChange: func(c *imagespec.ImageConfig) {
-				c.Entrypoint = nil
-				c.Cmd = nil
-			},
-			expectErr: true,
-		},
 		"should set supplemental groups correctly": {
 			configChange: func(c *runtime.PodSandboxConfig) {
 				c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
@@ -157,42 +146,6 @@ func TestSandboxContainerSpec(t *testing.T) {
 				assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
 			},
 		},
-		"a passthrough annotation should be passed as an OCI annotation": {
-			podAnnotations: []string{"c"},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, spec.Annotations["c"], "d")
-			},
-		},
-		"a non-passthrough annotation should not be passed as an OCI annotation": {
-			configChange: func(c *runtime.PodSandboxConfig) {
-				c.Annotations["d"] = "e"
-			},
-			podAnnotations: []string{"c"},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, spec.Annotations["c"], "d")
-				_, ok := spec.Annotations["d"]
-				assert.False(t, ok)
-			},
-		},
-		"passthrough annotations should support wildcard match": {
-			configChange: func(c *runtime.PodSandboxConfig) {
-				c.Annotations["t.f"] = "j"
-				c.Annotations["z.g"] = "o"
-				c.Annotations["z"] = "o"
-				c.Annotations["y.ca"] = "b"
-				c.Annotations["y"] = "b"
-			},
-			podAnnotations: []string{"t*", "z.*", "y.c*"},
-			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
-				assert.Equal(t, spec.Annotations["t.f"], "j")
-				assert.Equal(t, spec.Annotations["z.g"], "o")
-				assert.Equal(t, spec.Annotations["y.ca"], "b")
-				_, ok := spec.Annotations["y"]
-				assert.False(t, ok)
-				_, ok = spec.Annotations["z"]
-				assert.False(t, ok)
-			},
-		},
 	} {
 		t.Logf("TestCase %q", desc)
 		c := newTestCRIService()
@@ -200,12 +153,7 @@ func TestSandboxContainerSpec(t *testing.T) {
 		if test.configChange != nil {
 			test.configChange(config)
 		}
-
+		spec, err := c.sandboxContainerSpec(testID, config, imageConfig, nsPath, nil)
-		if test.imageConfigChange != nil {
-			test.imageConfigChange(imageConfig)
-		}
-		spec, err := c.sandboxContainerSpec(testID, config, imageConfig, nsPath,
-			test.podAnnotations)
 		if test.expectErr {
 			assert.Error(t, err)
 			assert.Nil(t, spec)
@@ -460,47 +408,6 @@ options timeout:1
 	}
 }
 
-// TODO(windows): Move this to sandbox_run_test.go
-func TestTypeurlMarshalUnmarshalSandboxMeta(t *testing.T) {
-	for desc, test := range map[string]struct {
-		configChange func(*runtime.PodSandboxConfig)
-	}{
-		"should marshal original config": {},
-		"should marshal Linux": {
-			configChange: func(c *runtime.PodSandboxConfig) {
-				c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
-					NamespaceOptions: &runtime.NamespaceOption{
-						Network: runtime.NamespaceMode_NODE,
-						Pid:     runtime.NamespaceMode_NODE,
-						Ipc:     runtime.NamespaceMode_NODE,
-					},
-					SupplementalGroups: []int64{1111, 2222},
-				}
-			},
-		},
-	} {
-		t.Logf("TestCase %q", desc)
-		meta := &sandboxstore.Metadata{
-			ID:        "1",
-			Name:      "sandbox_1",
-			NetNSPath: "/home/cloud",
-		}
-		meta.Config, _, _ = getRunPodSandboxTestData()
-		if test.configChange != nil {
-			test.configChange(meta.Config)
-		}
-
-		any, err := typeurl.MarshalAny(meta)
-		assert.NoError(t, err)
-		data, err := typeurl.UnmarshalAny(any)
-		assert.NoError(t, err)
-		assert.IsType(t, &sandboxstore.Metadata{}, data)
-		curMeta, ok := data.(*sandboxstore.Metadata)
-		assert.True(t, ok)
-		assert.Equal(t, meta, curMeta)
-	}
-}
-
 func TestSandboxDisableCgroup(t *testing.T) {
 	config, imageConfig, _ := getRunPodSandboxTestData()
 	c := newTestCRIService()

pkg/server/sandbox_run_windows.go

@@ -20,18 +20,53 @@ package server
 
 import (
 	"github.com/containerd/containerd"
-	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/oci"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+
+	"github.com/containerd/cri/pkg/annotations"
+	customopts "github.com/containerd/cri/pkg/containerd/opts"
 )
 
-// TODO(windows): Add windows support.
 // TODO(windows): Configure windows sandbox shares
 func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxConfig,
 	imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (*runtimespec.Spec, error) {
-	return nil, errdefs.ErrNotImplemented
+	// Creates a spec Generator with the default spec.
+	specOpts := []oci.SpecOpts{
+		oci.WithEnv(imageConfig.Env),
+		oci.WithHostname(config.GetHostname()),
+	}
+	if imageConfig.WorkingDir != "" {
+		specOpts = append(specOpts, oci.WithProcessCwd(imageConfig.WorkingDir))
+	}
+
+	if len(imageConfig.Entrypoint) == 0 && len(imageConfig.Cmd) == 0 {
+		// Pause image must have entrypoint or cmd.
+		return nil, errors.Errorf("invalid empty entrypoint and cmd in image config %+v", imageConfig)
+	}
+	specOpts = append(specOpts, oci.WithProcessArgs(append(imageConfig.Entrypoint, imageConfig.Cmd...)...))
+
+	specOpts = append(specOpts,
+		// Clear the root location since hcsshim expects it.
+		// NOTE: readonly rootfs doesn't work on windows.
+		customopts.WithoutRoot,
+		customopts.WithWindowsNetworkNamespace(nsPath),
+	)
+
+	for pKey, pValue := range getPassthroughAnnotations(config.Annotations,
+		runtimePodAnnotations) {
+		specOpts = append(specOpts, customopts.WithAnnotation(pKey, pValue))
+	}
+
+	specOpts = append(specOpts,
+		customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox),
+		customopts.WithAnnotation(annotations.SandboxID, id),
+		customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()),
+	)
+
+	return runtimeSpec(id, specOpts...)
 }
 
 // No sandbox container spec options for windows yet.

pkg/server/sandbox_run_windows_test.go

@@ -0,0 +1,84 @@
+// +build windows
+
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package server
+
+import (
+	"testing"
+
+	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/stretchr/testify/assert"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+
+	"github.com/containerd/cri/pkg/annotations"
+)
+
+func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConfig, func(*testing.T, string, *runtimespec.Spec)) {
+	config := &runtime.PodSandboxConfig{
+		Metadata: &runtime.PodSandboxMetadata{
+			Name:      "test-name",
+			Uid:       "test-uid",
+			Namespace: "test-ns",
+			Attempt:   1,
+		},
+		Hostname:     "test-hostname",
+		LogDirectory: "test-log-directory",
+		Labels:       map[string]string{"a": "b"},
+		Annotations:  map[string]string{"c": "d"},
+	}
+	imageConfig := &imagespec.ImageConfig{
+		Env:        []string{"a=b", "c=d"},
+		Entrypoint: []string{"/pause"},
+		Cmd:        []string{"forever"},
+		WorkingDir: "/workspace",
+	}
+	specCheck := func(t *testing.T, id string, spec *runtimespec.Spec) {
+		assert.Equal(t, "test-hostname", spec.Hostname)
+		assert.Nil(t, spec.Root)
+		assert.Contains(t, spec.Process.Env, "a=b", "c=d")
+		assert.Equal(t, []string{"/pause", "forever"}, spec.Process.Args)
+		assert.Equal(t, "/workspace", spec.Process.Cwd)
+
+		t.Logf("Check PodSandbox annotations")
+		assert.Contains(t, spec.Annotations, annotations.SandboxID)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxID], id)
+
+		assert.Contains(t, spec.Annotations, annotations.ContainerType)
+		assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeSandbox)
+
+		assert.Contains(t, spec.Annotations, annotations.SandboxLogDir)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxLogDir], "test-log-directory")
+	}
+	return config, imageConfig, specCheck
+}
+
+func TestSandboxWindowsNetworkNamespace(t *testing.T) {
+	testID := "test-id"
+	nsPath := "test-cni"
+	c := newTestCRIService()
+
+	config, imageConfig, specCheck := getRunPodSandboxTestData()
+	spec, err := c.sandboxContainerSpec(testID, config, imageConfig, nsPath, nil)
+	assert.NoError(t, err)
+	assert.NotNil(t, spec)
+	specCheck(t, testID, spec)
+	assert.NotNil(t, spec.Windows)
+	assert.NotNil(t, spec.Windows.Network)
+	assert.Equal(t, nsPath, spec.Windows.Network.NetworkNamespace)
+}

pkg/server/service_windows.go

@@ -20,16 +20,39 @@ package server
 
 import (
 	cni "github.com/containerd/go-cni"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
+// windowsNetworkAttachCount is the minimum number of networks the PodSandbox
+// attaches to
+const windowsNetworkAttachCount = 1
+
 // initPlatform handles linux specific initialization for the CRI service.
-// TODO(windows): Initialize CRI plugin for windows
 func (c *criService) initPlatform() error {
+	var err error
+	// For windows, the loopback network is added as default.
+	// There is no need to explicitly add one hence networkAttachCount is 1.
+	// If there are more network configs the pod will be attached to all the
+	// networks but we will only use the ip of the default network interface
+	// as the pod IP.
+	c.netPlugin, err = cni.New(cni.WithMinNetworkCount(windowsNetworkAttachCount),
+		cni.WithPluginConfDir(c.config.NetworkPluginConfDir),
+		cni.WithPluginMaxConfNum(c.config.NetworkPluginMaxConfNum),
+		cni.WithPluginDir([]string{c.config.NetworkPluginBinDir}))
+	if err != nil {
+		return errors.Wrap(err, "failed to initialize cni")
+	}
+
+	// Try to load the config if it exists. Just log the error if load fails
+	// This is not disruptive for containerd to panic
+	if err := c.netPlugin.Load(c.cniLoadOptions()...); err != nil {
+		logrus.WithError(err).Error("Failed to load cni during init, please check CRI plugin status before setting up network for pods")
+	}
 	return nil
 }
 
 // cniLoadOptions returns cni load options for the windows.
-// TODO(windows): Implement CNI options for windows.
 func (c *criService) cniLoadOptions() []cni.CNIOpt {
-	return nil
+	return []cni.CNIOpt{cni.WithDefaultConf}
 }

test/windows/runner.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o xtrace
+
+GCE_PROJECT="${GCE_PROJECT:-"cri-containerd-node-e2e"}"
+GCE_IMAGE="${GCE_IMAGE:-"windows-server-1809-dc-core-for-containers-v20190827"}"
+GCE_IMAGE_PROJECT="${GCE_IMAGE_PROJECT:-"windows-cloud"}"
+ZONE="${ZONE:-"us-west1-b"}"
+ARTIFACTS="${ARTIFACTS:-"/tmp/test-cri-windows/_artifacts"}"
+CLEANUP="${CLEANUP:-"true"}"
+
+root="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/../..
+script_path="${root}/test/windows"
+node_name="windows-cri-$(cat /proc/sys/kernel/random/uuid)"
+
+# log logs the test logs.
+function log() {
+  echo "$(date) $1"
+}
+
+function cleanup() {
+  if [[ "$CLEANUP" == "true" ]]; then
+    log "Delete the test instance"
+    gcloud compute instances delete -q "${node_name}"
+  fi
+}
+
+function retry() {
+  local -r MAX_ATTEMPTS=$1
+  local attempts=1
+  shift
+  until "$@" || (( attempts == MAX_ATTEMPTS ))
+  do
+    log "$* failed, retry in 1 second..."
+    (( attempts++ ))
+    sleep 1
+  done
+}
+
+gcloud config set compute/zone "${ZONE}"
+gcloud config set project "${GCE_PROJECT}"
+
+log "Create the test instance"
+gcloud compute instances create "${node_name}" --machine-type=n1-standard-2 \
+  --image="${GCE_IMAGE}" --image-project="${GCE_IMAGE_PROJECT}" \
+  --metadata-from-file=windows-startup-script-ps1="${script_path}/setup-ssh.ps1"
+trap cleanup EXIT
+
+log "Wait for ssh to be ready"
+retry 180 gcloud compute ssh "${node_name}" --command="echo ssh ready"
+
+log "Setup test environment in the test instance"
+retry 5 gcloud compute scp "${script_path}/setup-vm.ps1" "${node_name}":"C:/setup-vm.ps1"
+gcloud compute ssh "${node_name}" --command="powershell /c C:/setup-vm.ps1"
+
+log "Reboot the test instance to refresh environment variables"
+gcloud compute ssh "${node_name}" --command="powershell /c Restart-Computer"
+
+log "Wait for ssh to be ready"
+retry 180 gcloud compute ssh "${node_name}" --command="echo ssh ready"
+
+log "Run test on the test instance"
+cri_tar="/tmp/cri.tar.gz"
+tar -zcf "${cri_tar}" -C "${root}" . --owner=0 --group=0
+retry 5 gcloud compute scp "${script_path}/test.sh" "${node_name}":"C:/test.sh"
+retry 5 gcloud compute scp "${cri_tar}" "${node_name}":"C:/cri.tar.gz"
+rm "${cri_tar}"
+# git-bash doesn't return test exit code, the command should
+# succeed. We'll collect test exit code from _artifacts/.
+gcloud compute ssh "${node_name}" --command='powershell /c "Start-Process -FilePath \"C:\Program Files\Git\git-bash.exe\" -ArgumentList \"-elc\",\"`\"/c/test.sh &> /c/test.log`\"\" -Wait"'
+
+log "Collect test logs"
+mkdir -p "${ARTIFACTS}"
+retry 5 gcloud compute scp "${node_name}":"C:/test.log" "${ARTIFACTS}"
+retry 5 gcloud compute scp --recurse "${node_name}":"C:/_artifacts/*" "${ARTIFACTS}"
+
+log "Test output:"
+cat "${ARTIFACTS}/test.log"
+
+exit_code="$(cat "${ARTIFACTS}/exitcode")"
+exit "${exit_code}"

test/windows/setup-ssh.ps1

@@ -0,0 +1,32 @@
+#   Copyright The containerd Authors.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$ProgressPreference = 'SilentlyContinue'
+$k8sversion = ("v1.16.0-beta.2")
+
+$url = ("https://raw.githubusercontent.com/kubernetes/kubernetes/$k8sversion/cluster/gce/windows/testonly/user-profile.psm1")
+Invoke-WebRequest $url -OutFile C:\user-profile.psm1
+
+$url = ("https://raw.githubusercontent.com/kubernetes/kubernetes/$k8sversion/cluster/gce/windows/common.psm1")
+Invoke-WebRequest $url -OutFile C:\common.psm1
+
+$url = ("https://raw.githubusercontent.com/kubernetes/kubernetes/$k8sversion/cluster/gce/windows/testonly/install-ssh.psm1")
+Invoke-WebRequest $url -OutFile C:\install-ssh.psm1
+
+Import-Module -Force C:\install-ssh.psm1
+
+InstallAndStart-OpenSsh
+
+StartProcess-WriteSshKeys

test/windows/setup-vm.ps1

@@ -0,0 +1,23 @@
+#   Copyright The containerd Authors.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
+
+choco install -y --no-progress git
+
+choco install -y --no-progress golang
+
+choco install -y --no-progress make
+
+choco install -y --no-progress mingw

test/windows/test.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+export PATH="/c/Program Files/Containerd:$PATH"
+REPO_TAR="${REPO_TAR:-"/c/cri.tar.gz"}"
+FOCUS="${FOCUS:-"Conformance"}"
+SKIP="${SKIP:-"portforward"}"
+REPORT_DIR="${REPORT_DIR:-"/c/_artifacts"}"
+
+repo="$GOPATH/src/github.com/containerd/cri"
+mkdir -p "${repo}"
+cd "${repo}"
+tar -xzf "${REPO_TAR}"
+
+make install.deps
+make install -e BINDIR="/c/Program Files/Containerd"
+
+mkdir -p "${REPORT_DIR}"
+containerd -log-level debug &> "${REPORT_DIR}/containerd.log" &
+pid=$!
+ctr version
+
+set +o errexit
+critest --runtime-endpoint=npipe:////./pipe/containerd-containerd --ginkgo.focus="${FOCUS}" --ginkgo.skip="${SKIP}" --report-dir="${REPORT_DIR}" --report-prefix="windows"
+TEST_RC=$?
+set -o errexit
+kill -9 $pid
+echo -n "${TEST_RC}" > "${REPORT_DIR}/exitcode"

vendor.conf

@@ -5,11 +5,12 @@ github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580
 
 # containerd dependencies
-go.etcd.io/bbolt 2eb7227adea1d5cf85f0bc2a82b7059b13c2fa68
+go.opencensus.io v0.22.0
-google.golang.org/grpc 25c4f928eaa6d96443009bd842389fb4fa48664e # v1.20.1
+go.etcd.io/bbolt v1.3.3
+google.golang.org/grpc 6eaf6f47437a6b4e2153a190160ef39a92c7eceb # v1.23.0
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
-golang.org/x/sys 4c4f7f33c9ed00de01c4c741d2177abfcfe19307 https://github.com/golang/sys
+golang.org/x/sys fb81701db80f1745f51259b1f286de3fe2ec80c8 https://github.com/golang/sys # TODO(windows): update this in containerd/containerd
 golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e
 golang.org/x/net f3200d17e092c607f615320ecaad13d87ad9a2b3
 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
@@ -26,6 +27,8 @@ github.com/opencontainers/image-spec v1.0.1
 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
 github.com/matttproud/golang_protobuf_extensions v1.0.1
 github.com/konsorten/go-windows-terminal-sequences v1.0.1
+github.com/imdario/mergo v0.3.7
+github.com/hashicorp/golang-lru v0.5.3
 github.com/grpc-ecosystem/go-grpc-prometheus v1.1
 github.com/google/uuid v1.1.1
 github.com/golang/protobuf v1.2.0
@@ -37,15 +40,15 @@ github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/coreos/go-systemd v14
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/containerd/ttrpc 1fb3814edf44a76e0ccf503decf726d994919a9a
+github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
 github.com/containerd/go-runc 9007c2405372fe28918845901a3276c0915689a1
-github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
+github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
-github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
+github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
-github.com/containerd/containerd a3a30635ef713b544ea7feff0d12a768fd1ed636
+github.com/containerd/containerd 59a625defb21c958c25424fa5cc806167e22382e
 github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
 github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
 github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
-github.com/Microsoft/hcsshim 8abdbb8205e4192c68b5f84c31197156f31be517
+github.com/Microsoft/hcsshim 1354cb2e878d37d2f5c11595634290ea9e2600a1 # TODO(windows): update this in containerd/containerd
 github.com/Microsoft/go-winio v0.4.14
 github.com/BurntSushi/toml v0.3.1
 

vendor/github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options/doc.go

@@ -0,0 +1 @@
+package options

vendor/github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options/runhcs.proto

@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package containerd.runhcs.v1;
+
+import weak "gogoproto/gogo.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options;options";
+
+// Options are the set of customizations that can be passed at Create time.
+message Options {
+	// enable debug tracing
+	bool debug = 1;
+
+	enum DebugType {
+		NPIPE = 0;
+		FILE = 1;
+		ETW = 2;
+	}
+
+	// debug tracing output type
+	DebugType debug_type = 2;
+
+	// registry key root for storage of the runhcs container state
+	string registry_root = 3;
+
+	// sandbox_image is the image to use for the sandbox that matches the
+	// sandbox_platform.
+	string sandbox_image = 4;
+
+	// sandbox_platform is a CRI setting that specifies the platform
+	// architecture for all sandbox's in this runtime. Values are
+	// 'windows/amd64' and 'linux/amd64'.
+	string sandbox_platform = 5;
+
+	enum SandboxIsolation {
+		PROCESS = 0;
+		HYPERVISOR = 1;
+	}
+
+	// sandbox_isolation is a CRI setting that specifies the isolation level of
+	// the sandbox. For Windows runtime PROCESS and HYPERVISOR are valid. For
+	// LCOW only HYPERVISOR is valid and default if omitted.
+	SandboxIsolation sandbox_isolation = 6;
+
+	// boot_files_root_path is the path to the directory containing the LCOW
+	// kernel and root FS files.
+	string boot_files_root_path = 7;
+}
+
+// ProcessDetails contains additional information about a process. This is the additional
+// info returned in the Pids query.
+message ProcessDetails {
+	string image_name = 1;
+	google.protobuf.Timestamp created_at = 2 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+	uint64 kernel_time_100_ns = 3;
+	uint64 memory_commit_bytes = 4;
+	uint64 memory_working_set_private_bytes = 5;
+	uint64 memory_working_set_shared_bytes = 6;
+	uint32 process_id = 7;
+	uint64 user_time_100_ns = 8;
+	string exec_id = 9;
+}

vendor/github.com/Microsoft/hcsshim/container.go

@@ -1,8 +1,10 @@
 package hcsshim
 
 import (
+	"context"
 	"fmt"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/Microsoft/hcsshim/internal/hcs"
@@ -53,6 +55,9 @@ type ResourceModificationRequestResponse = schema1.ResourceModificationRequestRe
 
 type container struct {
 	system   *hcs.System
+	waitOnce sync.Once
+	waitErr  error
+	waitCh   chan struct{}
 }
 
 // createComputeSystemAdditionalJSON is read from the environment at initialisation
@@ -71,61 +76,87 @@ func CreateContainer(id string, c *ContainerConfig) (Container, error) {
 		return nil, fmt.Errorf("failed to merge additional JSON '%s': %s", createContainerAdditionalJSON, err)
 	}
 
-	system, err := hcs.CreateComputeSystem(id, fullConfig)
+	system, err := hcs.CreateComputeSystem(context.Background(), id, fullConfig)
 	if err != nil {
 		return nil, err
 	}
-	return &container{system}, err
+	return &container{system: system}, err
 }
 
 // OpenContainer opens an existing container by ID.
 func OpenContainer(id string) (Container, error) {
-	system, err := hcs.OpenComputeSystem(id)
+	system, err := hcs.OpenComputeSystem(context.Background(), id)
 	if err != nil {
 		return nil, err
 	}
-	return &container{system}, err
+	return &container{system: system}, err
 }
 
 // GetContainers gets a list of the containers on the system that match the query
 func GetContainers(q ComputeSystemQuery) ([]ContainerProperties, error) {
-	return hcs.GetComputeSystems(q)
+	return hcs.GetComputeSystems(context.Background(), q)
 }
 
 // Start synchronously starts the container.
 func (container *container) Start() error {
-	return convertSystemError(container.system.Start(), container)
+	return convertSystemError(container.system.Start(context.Background()), container)
 }
 
 // Shutdown requests a container shutdown, but it may not actually be shutdown until Wait() succeeds.
 func (container *container) Shutdown() error {
-	return convertSystemError(container.system.Shutdown(), container)
+	err := container.system.Shutdown(context.Background())
+	if err != nil {
+		return convertSystemError(err, container)
+	}
+	return &ContainerError{Container: container, Err: ErrVmcomputeOperationPending, Operation: "hcsshim::ComputeSystem::Shutdown"}
 }
 
 // Terminate requests a container terminate, but it may not actually be terminated until Wait() succeeds.
 func (container *container) Terminate() error {
-	return convertSystemError(container.system.Terminate(), container)
+	err := container.system.Terminate(context.Background())
+	if err != nil {
+		return convertSystemError(err, container)
+	}
+	return &ContainerError{Container: container, Err: ErrVmcomputeOperationPending, Operation: "hcsshim::ComputeSystem::Terminate"}
 }
 
 // Waits synchronously waits for the container to shutdown or terminate.
 func (container *container) Wait() error {
-	return convertSystemError(container.system.Wait(), container)
+	err := container.system.Wait()
+	if err == nil {
+		err = container.system.ExitError()
+	}
+	return convertSystemError(err, container)
 }
 
 // WaitTimeout synchronously waits for the container to terminate or the duration to elapse. It
 // returns false if timeout occurs.
-func (container *container) WaitTimeout(t time.Duration) error {
+func (container *container) WaitTimeout(timeout time.Duration) error {
-	return convertSystemError(container.system.WaitTimeout(t), container)
+	container.waitOnce.Do(func() {
+		container.waitCh = make(chan struct{})
+		go func() {
+			container.waitErr = container.Wait()
+			close(container.waitCh)
+		}()
+	})
+	t := time.NewTimer(timeout)
+	defer t.Stop()
+	select {
+	case <-t.C:
+		return &ContainerError{Container: container, Err: ErrTimeout, Operation: "hcsshim::ComputeSystem::Wait"}
+	case <-container.waitCh:
+		return container.waitErr
+	}
 }
 
 // Pause pauses the execution of a container.
 func (container *container) Pause() error {
-	return convertSystemError(container.system.Pause(), container)
+	return convertSystemError(container.system.Pause(context.Background()), container)
 }
 
 // Resume resumes the execution of a container.
 func (container *container) Resume() error {
-	return convertSystemError(container.system.Resume(), container)
+	return convertSystemError(container.system.Resume(context.Background()), container)
 }
 
 // HasPendingUpdates returns true if the container has updates pending to install
@@ -135,7 +166,7 @@ func (container *container) HasPendingUpdates() (bool, error) {
 
 // Statistics returns statistics for the container. This is a legacy v1 call
 func (container *container) Statistics() (Statistics, error) {
-	properties, err := container.system.Properties(schema1.PropertyTypeStatistics)
+	properties, err := container.system.Properties(context.Background(), schema1.PropertyTypeStatistics)
 	if err != nil {
 		return Statistics{}, convertSystemError(err, container)
 	}
@@ -145,7 +176,7 @@ func (container *container) Statistics() (Statistics, error) {
 
 // ProcessList returns an array of ProcessListItems for the container. This is a legacy v1 call
 func (container *container) ProcessList() ([]ProcessListItem, error) {
-	properties, err := container.system.Properties(schema1.PropertyTypeProcessList)
+	properties, err := container.system.Properties(context.Background(), schema1.PropertyTypeProcessList)
 	if err != nil {
 		return nil, convertSystemError(err, container)
 	}
@@ -155,7 +186,7 @@ func (container *container) ProcessList() ([]ProcessListItem, error) {
 
 // This is a legacy v1 call
 func (container *container) MappedVirtualDisks() (map[int]MappedVirtualDiskController, error) {
-	properties, err := container.system.Properties(schema1.PropertyTypeMappedVirtualDisk)
+	properties, err := container.system.Properties(context.Background(), schema1.PropertyTypeMappedVirtualDisk)
 	if err != nil {
 		return nil, convertSystemError(err, container)
 	}
@@ -165,20 +196,20 @@ func (container *container) MappedVirtualDisks() (map[int]MappedVirtualDiskContr
 
 // CreateProcess launches a new process within the container.
 func (container *container) CreateProcess(c *ProcessConfig) (Process, error) {
-	p, err := container.system.CreateProcess(c)
+	p, err := container.system.CreateProcessNoStdio(c)
 	if err != nil {
 		return nil, convertSystemError(err, container)
 	}
-	return &process{p}, nil
+	return &process{p: p.(*hcs.Process)}, nil
 }
 
 // OpenProcess gets an interface to an existing process within the container.
 func (container *container) OpenProcess(pid int) (Process, error) {
-	p, err := container.system.OpenProcess(pid)
+	p, err := container.system.OpenProcess(context.Background(), pid)
 	if err != nil {
 		return nil, convertSystemError(err, container)
 	}
-	return &process{p}, nil
+	return &process{p: p}, nil
 }
 
 // Close cleans up any state associated with the container but does not terminate or wait for it.
@@ -188,5 +219,5 @@ func (container *container) Close() error {
 
 // Modify the System
 func (container *container) Modify(config *ResourceModificationRequestResponse) error {
-	return convertSystemError(container.system.Modify(config), container)
+	return convertSystemError(container.system.Modify(context.Background(), config), container)
 }

vendor/github.com/Microsoft/hcsshim/go.mod

@@ -0,0 +1,39 @@
+module github.com/Microsoft/hcsshim
+
+go 1.12
+
+require (
+	github.com/Microsoft/go-winio v0.4.14
+	github.com/blang/semver v3.1.0+incompatible // indirect
+	github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1
+	github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69
+	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect
+	github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 // indirect
+	github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3
+	github.com/containerd/ttrpc v0.0.0-20190826154248-f969a7f076a2
+	github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
+	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
+	github.com/gogo/googleapis v1.2.0 // indirect
+	github.com/gogo/protobuf v1.2.1
+	github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce // indirect
+	github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 // indirect
+	github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 // indirect
+	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f // indirect
+	github.com/opencontainers/runtime-spec v0.0.0-20190207185410-29686dbc5559
+	github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39
+	github.com/pkg/errors v0.8.1
+	github.com/sirupsen/logrus v1.4.1
+	github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8 // indirect
+	github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f // indirect
+	go.opencensus.io v0.22.0
+	golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6
+	golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b
+	google.golang.org/grpc v1.20.1
+	gotest.tools v2.2.0+incompatible // indirect
+	k8s.io/kubernetes v1.13.0
+)

vendor/github.com/Microsoft/hcsshim/hcn/hcn.go

@@ -0,0 +1,177 @@
+// Package hcn is a shim for the Host Compute Networking (HCN) service, which manages networking for Windows Server
+// containers and Hyper-V containers. Previous to RS5, HCN was referred to as Host Networking Service (HNS).
+package hcn
+
+import (
+	"encoding/json"
+	"fmt"
+	"syscall"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+)
+
+//go:generate go run ../mksyscall_windows.go -output zsyscall_windows.go hcn.go
+
+/// HNS V1 API
+
+//sys SetCurrentThreadCompartmentId(compartmentId uint32) (hr error) = iphlpapi.SetCurrentThreadCompartmentId
+//sys _hnsCall(method string, path string, object string, response **uint16) (hr error) = vmcompute.HNSCall?
+
+/// HCN V2 API
+
+// Network
+//sys hcnEnumerateNetworks(query string, networks **uint16, result **uint16) (hr error) = computenetwork.HcnEnumerateNetworks?
+//sys hcnCreateNetwork(id *_guid, settings string, network *hcnNetwork, result **uint16) (hr error) = computenetwork.HcnCreateNetwork?
+//sys hcnOpenNetwork(id *_guid, network *hcnNetwork, result **uint16) (hr error) = computenetwork.HcnOpenNetwork?
+//sys hcnModifyNetwork(network hcnNetwork, settings string, result **uint16) (hr error) = computenetwork.HcnModifyNetwork?
+//sys hcnQueryNetworkProperties(network hcnNetwork, query string, properties **uint16, result **uint16) (hr error) = computenetwork.HcnQueryNetworkProperties?
+//sys hcnDeleteNetwork(id *_guid, result **uint16) (hr error) = computenetwork.HcnDeleteNetwork?
+//sys hcnCloseNetwork(network hcnNetwork) (hr error) = computenetwork.HcnCloseNetwork?
+
+// Endpoint
+//sys hcnEnumerateEndpoints(query string, endpoints **uint16, result **uint16) (hr error) = computenetwork.HcnEnumerateEndpoints?
+//sys hcnCreateEndpoint(network hcnNetwork, id *_guid, settings string, endpoint *hcnEndpoint, result **uint16) (hr error) = computenetwork.HcnCreateEndpoint?
+//sys hcnOpenEndpoint(id *_guid, endpoint *hcnEndpoint, result **uint16) (hr error) = computenetwork.HcnOpenEndpoint?
+//sys hcnModifyEndpoint(endpoint hcnEndpoint, settings string, result **uint16) (hr error) = computenetwork.HcnModifyEndpoint?
+//sys hcnQueryEndpointProperties(endpoint hcnEndpoint, query string, properties **uint16, result **uint16) (hr error) = computenetwork.HcnQueryEndpointProperties?
+//sys hcnDeleteEndpoint(id *_guid, result **uint16) (hr error) = computenetwork.HcnDeleteEndpoint?
+//sys hcnCloseEndpoint(endpoint hcnEndpoint) (hr error) = computenetwork.HcnCloseEndpoint?
+
+// Namespace
+//sys hcnEnumerateNamespaces(query string, namespaces **uint16, result **uint16) (hr error) = computenetwork.HcnEnumerateNamespaces?
+//sys hcnCreateNamespace(id *_guid, settings string, namespace *hcnNamespace, result **uint16) (hr error) = computenetwork.HcnCreateNamespace?
+//sys hcnOpenNamespace(id *_guid, namespace *hcnNamespace, result **uint16) (hr error) = computenetwork.HcnOpenNamespace?
+//sys hcnModifyNamespace(namespace hcnNamespace, settings string, result **uint16) (hr error) = computenetwork.HcnModifyNamespace?
+//sys hcnQueryNamespaceProperties(namespace hcnNamespace, query string, properties **uint16, result **uint16) (hr error) = computenetwork.HcnQueryNamespaceProperties?
+//sys hcnDeleteNamespace(id *_guid, result **uint16) (hr error) = computenetwork.HcnDeleteNamespace?
+//sys hcnCloseNamespace(namespace hcnNamespace) (hr error) = computenetwork.HcnCloseNamespace?
+
+// LoadBalancer
+//sys hcnEnumerateLoadBalancers(query string, loadBalancers **uint16, result **uint16) (hr error) = computenetwork.HcnEnumerateLoadBalancers?
+//sys hcnCreateLoadBalancer(id *_guid, settings string, loadBalancer *hcnLoadBalancer, result **uint16) (hr error) = computenetwork.HcnCreateLoadBalancer?
+//sys hcnOpenLoadBalancer(id *_guid, loadBalancer *hcnLoadBalancer, result **uint16) (hr error) = computenetwork.HcnOpenLoadBalancer?
+//sys hcnModifyLoadBalancer(loadBalancer hcnLoadBalancer, settings string, result **uint16) (hr error) = computenetwork.HcnModifyLoadBalancer?
+//sys hcnQueryLoadBalancerProperties(loadBalancer hcnLoadBalancer, query string, properties **uint16, result **uint16) (hr error) = computenetwork.HcnQueryLoadBalancerProperties?
+//sys hcnDeleteLoadBalancer(id *_guid, result **uint16) (hr error) = computenetwork.HcnDeleteLoadBalancer?
+//sys hcnCloseLoadBalancer(loadBalancer hcnLoadBalancer) (hr error) = computenetwork.HcnCloseLoadBalancer?
+
+// Service
+//sys hcnOpenService(service *hcnService, result **uint16) (hr error) = computenetwork.HcnOpenService?
+//sys hcnRegisterServiceCallback(service hcnService, callback int32, context int32, callbackHandle *hcnCallbackHandle) (hr error) = computenetwork.HcnRegisterServiceCallback?
+//sys hcnUnregisterServiceCallback(callbackHandle hcnCallbackHandle) (hr error) = computenetwork.HcnUnregisterServiceCallback?
+//sys hcnCloseService(service hcnService) (hr error) = computenetwork.HcnCloseService?
+
+type _guid = guid.GUID
+
+type hcnNetwork syscall.Handle
+type hcnEndpoint syscall.Handle
+type hcnNamespace syscall.Handle
+type hcnLoadBalancer syscall.Handle
+type hcnService syscall.Handle
+type hcnCallbackHandle syscall.Handle
+
+// SchemaVersion for HCN Objects/Queries.
+type SchemaVersion = Version // hcnglobals.go
+
+// HostComputeQueryFlags are passed in to a HostComputeQuery to determine which
+// properties of an object are returned.
+type HostComputeQueryFlags uint32
+
+var (
+	// HostComputeQueryFlagsNone returns an object with the standard properties.
+	HostComputeQueryFlagsNone HostComputeQueryFlags
+	// HostComputeQueryFlagsDetailed returns an object with all properties.
+	HostComputeQueryFlagsDetailed HostComputeQueryFlags = 1
+)
+
+// HostComputeQuery is the format for HCN queries.
+type HostComputeQuery struct {
+	SchemaVersion SchemaVersion         `json:""`
+	Flags         HostComputeQueryFlags `json:",omitempty"`
+	Filter        string                `json:",omitempty"`
+}
+
+// defaultQuery generates HCN Query.
+// Passed into get/enumerate calls to filter results.
+func defaultQuery() HostComputeQuery {
+	query := HostComputeQuery{
+		SchemaVersion: SchemaVersion{
+			Major: 2,
+			Minor: 0,
+		},
+		Flags: HostComputeQueryFlagsNone,
+	}
+	return query
+}
+
+func defaultQueryJson() string {
+	query := defaultQuery()
+	queryJson, err := json.Marshal(query)
+	if err != nil {
+		return ""
+	}
+	return string(queryJson)
+}
+
+// PlatformDoesNotSupportError happens when users are attempting to use a newer shim on an older OS
+func platformDoesNotSupportError(featureName string) error {
+	return fmt.Errorf("Platform does not support feature %s", featureName)
+}
+
+// V2ApiSupported returns an error if the HCN version does not support the V2 Apis.
+func V2ApiSupported() error {
+	supported := GetSupportedFeatures()
+	if supported.Api.V2 {
+		return nil
+	}
+	return platformDoesNotSupportError("V2 Api/Schema")
+}
+
+func V2SchemaVersion() SchemaVersion {
+	return SchemaVersion{
+		Major: 2,
+		Minor: 0,
+	}
+}
+
+// RemoteSubnetSupported returns an error if the HCN version does not support Remote Subnet policies.
+func RemoteSubnetSupported() error {
+	supported := GetSupportedFeatures()
+	if supported.RemoteSubnet {
+		return nil
+	}
+	return platformDoesNotSupportError("Remote Subnet")
+}
+
+// HostRouteSupported returns an error if the HCN version does not support Host Route policies.
+func HostRouteSupported() error {
+	supported := GetSupportedFeatures()
+	if supported.HostRoute {
+		return nil
+	}
+	return platformDoesNotSupportError("Host Route")
+}
+
+// DSRSupported returns an error if the HCN version does not support Direct Server Return.
+func DSRSupported() error {
+	supported := GetSupportedFeatures()
+	if supported.DSR {
+		return nil
+	}
+	return platformDoesNotSupportError("Direct Server Return (DSR)")
+}
+
+// RequestType are the different operations performed to settings.
+// Used to update the settings of Endpoint/Namespace objects.
+type RequestType string
+
+var (
+	// RequestTypeAdd adds the provided settings object.
+	RequestTypeAdd RequestType = "Add"
+	// RequestTypeRemove removes the provided settings object.
+	RequestTypeRemove RequestType = "Remove"
+	// RequestTypeUpdate replaces settings with the ones provided.
+	RequestTypeUpdate RequestType = "Update"
+	// RequestTypeRefresh refreshes the settings provided.
+	RequestTypeRefresh RequestType = "Refresh"
+)

vendor/github.com/Microsoft/hcsshim/hcn/hcnendpoint.go

@@ -0,0 +1,380 @@
+package hcn
+
+import (
+	"encoding/json"
+	"errors"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/sirupsen/logrus"
+)
+
+// IpConfig is assoicated with an endpoint
+type IpConfig struct {
+	IpAddress    string `json:",omitempty"`
+	PrefixLength uint8  `json:",omitempty"`
+}
+
+// EndpointFlags are special settings on an endpoint.
+type EndpointFlags uint32
+
+var (
+	// EndpointFlagsNone is the default.
+	EndpointFlagsNone EndpointFlags
+	// EndpointFlagsRemoteEndpoint means that an endpoint is on another host.
+	EndpointFlagsRemoteEndpoint EndpointFlags = 1
+)
+
+// HostComputeEndpoint represents a network endpoint
+type HostComputeEndpoint struct {
+	Id                   string           `json:"ID,omitempty"`
+	Name                 string           `json:",omitempty"`
+	HostComputeNetwork   string           `json:",omitempty"` // GUID
+	HostComputeNamespace string           `json:",omitempty"` // GUID
+	Policies             []EndpointPolicy `json:",omitempty"`
+	IpConfigurations     []IpConfig       `json:",omitempty"`
+	Dns                  Dns              `json:",omitempty"`
+	Routes               []Route          `json:",omitempty"`
+	MacAddress           string           `json:",omitempty"`
+	Flags                EndpointFlags    `json:",omitempty"`
+	SchemaVersion        SchemaVersion    `json:",omitempty"`
+}
+
+// EndpointResourceType are the two different Endpoint settings resources.
+type EndpointResourceType string
+
+var (
+	// EndpointResourceTypePolicy is for Endpoint Policies. Ex: ACL, NAT
+	EndpointResourceTypePolicy EndpointResourceType = "Policy"
+	// EndpointResourceTypePort is for Endpoint Port settings.
+	EndpointResourceTypePort EndpointResourceType = "Port"
+)
+
+// ModifyEndpointSettingRequest is the structure used to send request to modify an endpoint.
+// Used to update policy/port on an endpoint.
+type ModifyEndpointSettingRequest struct {
+	ResourceType EndpointResourceType `json:",omitempty"` // Policy, Port
+	RequestType  RequestType          `json:",omitempty"` // Add, Remove, Update, Refresh
+	Settings     json.RawMessage      `json:",omitempty"`
+}
+
+type PolicyEndpointRequest struct {
+	Policies []EndpointPolicy `json:",omitempty"`
+}
+
+func getEndpoint(endpointGuid guid.GUID, query string) (*HostComputeEndpoint, error) {
+	// Open endpoint.
+	var (
+		endpointHandle   hcnEndpoint
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	hr := hcnOpenEndpoint(&endpointGuid, &endpointHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenEndpoint", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query endpoint.
+	hr = hcnQueryEndpointProperties(endpointHandle, query, &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryEndpointProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close endpoint.
+	hr = hcnCloseEndpoint(endpointHandle)
+	if err := checkForErrors("hcnCloseEndpoint", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeEndpoint
+	var outputEndpoint HostComputeEndpoint
+	if err := json.Unmarshal([]byte(properties), &outputEndpoint); err != nil {
+		return nil, err
+	}
+	return &outputEndpoint, nil
+}
+
+func enumerateEndpoints(query string) ([]HostComputeEndpoint, error) {
+	// Enumerate all Endpoint Guids
+	var (
+		resultBuffer   *uint16
+		endpointBuffer *uint16
+	)
+	hr := hcnEnumerateEndpoints(query, &endpointBuffer, &resultBuffer)
+	if err := checkForErrors("hcnEnumerateEndpoints", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+
+	endpoints := interop.ConvertAndFreeCoTaskMemString(endpointBuffer)
+	var endpointIds []guid.GUID
+	err := json.Unmarshal([]byte(endpoints), &endpointIds)
+	if err != nil {
+		return nil, err
+	}
+
+	var outputEndpoints []HostComputeEndpoint
+	for _, endpointGuid := range endpointIds {
+		endpoint, err := getEndpoint(endpointGuid, query)
+		if err != nil {
+			return nil, err
+		}
+		outputEndpoints = append(outputEndpoints, *endpoint)
+	}
+	return outputEndpoints, nil
+}
+
+func createEndpoint(networkId string, endpointSettings string) (*HostComputeEndpoint, error) {
+	networkGuid, err := guid.FromString(networkId)
+	if err != nil {
+		return nil, errInvalidNetworkID
+	}
+	// Open network.
+	var networkHandle hcnNetwork
+	var resultBuffer *uint16
+	hr := hcnOpenNetwork(&networkGuid, &networkHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenNetwork", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Create endpoint.
+	endpointId := guid.GUID{}
+	var endpointHandle hcnEndpoint
+	hr = hcnCreateEndpoint(networkHandle, &endpointId, endpointSettings, &endpointHandle, &resultBuffer)
+	if err := checkForErrors("hcnCreateEndpoint", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query endpoint.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	var propertiesBuffer *uint16
+	hr = hcnQueryEndpointProperties(endpointHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryEndpointProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close endpoint.
+	hr = hcnCloseEndpoint(endpointHandle)
+	if err := checkForErrors("hcnCloseEndpoint", hr, nil); err != nil {
+		return nil, err
+	}
+	// Close network.
+	hr = hcnCloseNetwork(networkHandle)
+	if err := checkForErrors("hcnCloseNetwork", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeEndpoint
+	var outputEndpoint HostComputeEndpoint
+	if err := json.Unmarshal([]byte(properties), &outputEndpoint); err != nil {
+		return nil, err
+	}
+	return &outputEndpoint, nil
+}
+
+func modifyEndpoint(endpointId string, settings string) (*HostComputeEndpoint, error) {
+	endpointGuid, err := guid.FromString(endpointId)
+	if err != nil {
+		return nil, errInvalidEndpointID
+	}
+	// Open endpoint
+	var (
+		endpointHandle   hcnEndpoint
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	hr := hcnOpenEndpoint(&endpointGuid, &endpointHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenEndpoint", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Modify endpoint
+	hr = hcnModifyEndpoint(endpointHandle, settings, &resultBuffer)
+	if err := checkForErrors("hcnModifyEndpoint", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query endpoint.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	hr = hcnQueryEndpointProperties(endpointHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryEndpointProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close endpoint.
+	hr = hcnCloseEndpoint(endpointHandle)
+	if err := checkForErrors("hcnCloseEndpoint", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeEndpoint
+	var outputEndpoint HostComputeEndpoint
+	if err := json.Unmarshal([]byte(properties), &outputEndpoint); err != nil {
+		return nil, err
+	}
+	return &outputEndpoint, nil
+}
+
+func deleteEndpoint(endpointId string) error {
+	endpointGuid, err := guid.FromString(endpointId)
+	if err != nil {
+		return errInvalidEndpointID
+	}
+	var resultBuffer *uint16
+	hr := hcnDeleteEndpoint(&endpointGuid, &resultBuffer)
+	if err := checkForErrors("hcnDeleteEndpoint", hr, resultBuffer); err != nil {
+		return err
+	}
+	return nil
+}
+
+// ListEndpoints makes a call to list all available endpoints.
+func ListEndpoints() ([]HostComputeEndpoint, error) {
+	hcnQuery := defaultQuery()
+	endpoints, err := ListEndpointsQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	return endpoints, nil
+}
+
+// ListEndpointsQuery makes a call to query the list of available endpoints.
+func ListEndpointsQuery(query HostComputeQuery) ([]HostComputeEndpoint, error) {
+	queryJson, err := json.Marshal(query)
+	if err != nil {
+		return nil, err
+	}
+
+	endpoints, err := enumerateEndpoints(string(queryJson))
+	if err != nil {
+		return nil, err
+	}
+	return endpoints, nil
+}
+
+// ListEndpointsOfNetwork queries the list of endpoints on a network.
+func ListEndpointsOfNetwork(networkId string) ([]HostComputeEndpoint, error) {
+	hcnQuery := defaultQuery()
+	// TODO: Once query can convert schema, change to {HostComputeNetwork:networkId}
+	mapA := map[string]string{"VirtualNetwork": networkId}
+	filter, err := json.Marshal(mapA)
+	if err != nil {
+		return nil, err
+	}
+	hcnQuery.Filter = string(filter)
+
+	return ListEndpointsQuery(hcnQuery)
+}
+
+// GetEndpointByID returns an endpoint specified by Id
+func GetEndpointByID(endpointId string) (*HostComputeEndpoint, error) {
+	hcnQuery := defaultQuery()
+	mapA := map[string]string{"ID": endpointId}
+	filter, err := json.Marshal(mapA)
+	if err != nil {
+		return nil, err
+	}
+	hcnQuery.Filter = string(filter)
+
+	endpoints, err := ListEndpointsQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	if len(endpoints) == 0 {
+		return nil, EndpointNotFoundError{EndpointID: endpointId}
+	}
+	return &endpoints[0], err
+}
+
+// GetEndpointByName returns an endpoint specified by Name
+func GetEndpointByName(endpointName string) (*HostComputeEndpoint, error) {
+	hcnQuery := defaultQuery()
+	mapA := map[string]string{"Name": endpointName}
+	filter, err := json.Marshal(mapA)
+	if err != nil {
+		return nil, err
+	}
+	hcnQuery.Filter = string(filter)
+
+	endpoints, err := ListEndpointsQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	if len(endpoints) == 0 {
+		return nil, EndpointNotFoundError{EndpointName: endpointName}
+	}
+	return &endpoints[0], err
+}
+
+// Create Endpoint.
+func (endpoint *HostComputeEndpoint) Create() (*HostComputeEndpoint, error) {
+	logrus.Debugf("hcn::HostComputeEndpoint::Create id=%s", endpoint.Id)
+
+	if endpoint.HostComputeNamespace != "" {
+		return nil, errors.New("endpoint create error, endpoint json HostComputeNamespace is read only and should not be set")
+	}
+
+	jsonString, err := json.Marshal(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("hcn::HostComputeEndpoint::Create JSON: %s", jsonString)
+	endpoint, hcnErr := createEndpoint(endpoint.HostComputeNetwork, string(jsonString))
+	if hcnErr != nil {
+		return nil, hcnErr
+	}
+	return endpoint, nil
+}
+
+// Delete Endpoint.
+func (endpoint *HostComputeEndpoint) Delete() error {
+	logrus.Debugf("hcn::HostComputeEndpoint::Delete id=%s", endpoint.Id)
+
+	if err := deleteEndpoint(endpoint.Id); err != nil {
+		return err
+	}
+	return nil
+}
+
+// ModifyEndpointSettings updates the Port/Policy of an Endpoint.
+func ModifyEndpointSettings(endpointId string, request *ModifyEndpointSettingRequest) error {
+	logrus.Debugf("hcn::HostComputeEndpoint::ModifyEndpointSettings id=%s", endpointId)
+
+	endpointSettingsRequest, err := json.Marshal(request)
+	if err != nil {
+		return err
+	}
+
+	_, err = modifyEndpoint(endpointId, string(endpointSettingsRequest))
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// ApplyPolicy applies a Policy (ex: ACL) on the Endpoint.
+func (endpoint *HostComputeEndpoint) ApplyPolicy(requestType RequestType, endpointPolicy PolicyEndpointRequest) error {
+	logrus.Debugf("hcn::HostComputeEndpoint::ApplyPolicy id=%s", endpoint.Id)
+
+	settingsJson, err := json.Marshal(endpointPolicy)
+	if err != nil {
+		return err
+	}
+	requestMessage := &ModifyEndpointSettingRequest{
+		ResourceType: EndpointResourceTypePolicy,
+		RequestType:  requestType,
+		Settings:     settingsJson,
+	}
+
+	return ModifyEndpointSettings(endpoint.Id, requestMessage)
+}
+
+// NamespaceAttach modifies a Namespace to add an endpoint.
+func (endpoint *HostComputeEndpoint) NamespaceAttach(namespaceId string) error {
+	return AddNamespaceEndpoint(namespaceId, endpoint.Id)
+}
+
+// NamespaceDetach modifies a Namespace to remove an endpoint.
+func (endpoint *HostComputeEndpoint) NamespaceDetach(namespaceId string) error {
+	return RemoveNamespaceEndpoint(namespaceId, endpoint.Id)
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnerrors.go

@@ -0,0 +1,106 @@
+// Package hcn is a shim for the Host Compute Networking (HCN) service, which manages networking for Windows Server
+// containers and Hyper-V containers. Previous to RS5, HCN was referred to as Host Networking Service (HNS).
+package hcn
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/Microsoft/hcsshim/internal/hcs"
+	"github.com/Microsoft/hcsshim/internal/hcserror"
+	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	errInvalidNetworkID      = errors.New("invalid network ID")
+	errInvalidEndpointID     = errors.New("invalid endpoint ID")
+	errInvalidNamespaceID    = errors.New("invalid namespace ID")
+	errInvalidLoadBalancerID = errors.New("invalid load balancer ID")
+)
+
+func checkForErrors(methodName string, hr error, resultBuffer *uint16) error {
+	errorFound := false
+
+	if hr != nil {
+		errorFound = true
+	}
+
+	result := ""
+	if resultBuffer != nil {
+		result = interop.ConvertAndFreeCoTaskMemString(resultBuffer)
+		if result != "" {
+			errorFound = true
+		}
+	}
+
+	if errorFound {
+		returnError := hcserror.New(hr, methodName, result)
+		logrus.Debugf(returnError.Error()) // HCN errors logged for debugging.
+		return returnError
+	}
+
+	return nil
+}
+
+// NetworkNotFoundError results from a failed seach for a network by Id or Name
+type NetworkNotFoundError struct {
+	NetworkName string
+	NetworkID   string
+}
+
+func (e NetworkNotFoundError) Error() string {
+	if e.NetworkName == "" {
+		return fmt.Sprintf("Network Name %s not found", e.NetworkName)
+	}
+	return fmt.Sprintf("Network Id %s not found", e.NetworkID)
+}
+
+// EndpointNotFoundError results from a failed seach for an endpoint by Id or Name
+type EndpointNotFoundError struct {
+	EndpointName string
+	EndpointID   string
+}
+
+func (e EndpointNotFoundError) Error() string {
+	if e.EndpointName == "" {
+		return fmt.Sprintf("Endpoint Name %s not found", e.EndpointName)
+	}
+	return fmt.Sprintf("Endpoint Id %s not found", e.EndpointID)
+}
+
+// NamespaceNotFoundError results from a failed seach for a namsepace by Id
+type NamespaceNotFoundError struct {
+	NamespaceID string
+}
+
+func (e NamespaceNotFoundError) Error() string {
+	return fmt.Sprintf("Namespace %s not found", e.NamespaceID)
+}
+
+// LoadBalancerNotFoundError results from a failed seach for a loadbalancer by Id
+type LoadBalancerNotFoundError struct {
+	LoadBalancerId string
+}
+
+func (e LoadBalancerNotFoundError) Error() string {
+	return fmt.Sprintf("LoadBalancer %s not found", e.LoadBalancerId)
+}
+
+// IsNotFoundError returns a boolean indicating whether the error was caused by
+// a resource not being found.
+func IsNotFoundError(err error) bool {
+	switch pe := err.(type) {
+	case NetworkNotFoundError:
+		return true
+	case EndpointNotFoundError:
+		return true
+	case NamespaceNotFoundError:
+		return true
+	case LoadBalancerNotFoundError:
+		return true
+	case *hcserror.HcsError:
+		return pe.Err == hcs.ErrElementNotFound
+	}
+	return false
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnglobals.go

@@ -0,0 +1,87 @@
+package hcn
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/Microsoft/hcsshim/internal/hcserror"
+	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/sirupsen/logrus"
+)
+
+// Globals are all global properties of the HCN Service.
+type Globals struct {
+	Version Version `json:"Version"`
+}
+
+// Version is the HCN Service version.
+type Version struct {
+	Major int `json:"Major"`
+	Minor int `json:"Minor"`
+}
+
+var (
+	// HNSVersion1803 added ACL functionality.
+	HNSVersion1803 = Version{Major: 7, Minor: 2}
+	// V2ApiSupport allows the use of V2 Api calls and V2 Schema.
+	V2ApiSupport = Version{Major: 9, Minor: 2}
+	// Remote Subnet allows for Remote Subnet policies on Overlay networks
+	RemoteSubnetVersion = Version{Major: 9, Minor: 2}
+	// A Host Route policy allows for local container to local host communication Overlay networks
+	HostRouteVersion = Version{Major: 9, Minor: 2}
+	// HNS 10.2 allows for Direct Server Return for loadbalancing
+	DSRVersion = Version{Major: 10, Minor: 2}
+)
+
+// GetGlobals returns the global properties of the HCN Service.
+func GetGlobals() (*Globals, error) {
+	var version Version
+	err := hnsCall("GET", "/globals/version", "", &version)
+	if err != nil {
+		return nil, err
+	}
+
+	globals := &Globals{
+		Version: version,
+	}
+
+	return globals, nil
+}
+
+type hnsResponse struct {
+	Success bool
+	Error   string
+	Output  json.RawMessage
+}
+
+func hnsCall(method, path, request string, returnResponse interface{}) error {
+	var responseBuffer *uint16
+	logrus.Debugf("[%s]=>[%s] Request : %s", method, path, request)
+
+	err := _hnsCall(method, path, request, &responseBuffer)
+	if err != nil {
+		return hcserror.New(err, "hnsCall ", "")
+	}
+	response := interop.ConvertAndFreeCoTaskMemString(responseBuffer)
+
+	hnsresponse := &hnsResponse{}
+	if err = json.Unmarshal([]byte(response), &hnsresponse); err != nil {
+		return err
+	}
+
+	if !hnsresponse.Success {
+		return fmt.Errorf("HNS failed with error : %s", hnsresponse.Error)
+	}
+
+	if len(hnsresponse.Output) == 0 {
+		return nil
+	}
+
+	logrus.Debugf("Network Response : %s", hnsresponse.Output)
+	err = json.Unmarshal(hnsresponse.Output, returnResponse)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnloadbalancer.go

@@ -0,0 +1,341 @@
+package hcn
+
+import (
+	"encoding/json"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/sirupsen/logrus"
+)
+
+// LoadBalancerPortMapping is associated with HostComputeLoadBalancer
+type LoadBalancerPortMapping struct {
+	Protocol     uint32                       `json:",omitempty"` // EX: TCP = 6, UDP = 17
+	InternalPort uint16                       `json:",omitempty"`
+	ExternalPort uint16                       `json:",omitempty"`
+	Flags        LoadBalancerPortMappingFlags `json:",omitempty"`
+}
+
+// HostComputeLoadBalancer represents software load balancer.
+type HostComputeLoadBalancer struct {
+	Id                   string                    `json:"ID,omitempty"`
+	HostComputeEndpoints []string                  `json:",omitempty"`
+	SourceVIP            string                    `json:",omitempty"`
+	FrontendVIPs         []string                  `json:",omitempty"`
+	PortMappings         []LoadBalancerPortMapping `json:",omitempty"`
+	SchemaVersion        SchemaVersion             `json:",omitempty"`
+	Flags                LoadBalancerFlags         `json:",omitempty"` // 0: None, 1: EnableDirectServerReturn
+}
+
+//LoadBalancerFlags modify settings for a loadbalancer.
+type LoadBalancerFlags uint32
+
+var (
+	// LoadBalancerFlagsNone is the default.
+	LoadBalancerFlagsNone LoadBalancerFlags = 0
+	// LoadBalancerFlagsDSR enables Direct Server Return (DSR)
+	LoadBalancerFlagsDSR LoadBalancerFlags = 1
+)
+
+// LoadBalancerPortMappingFlags are special settings on a loadbalancer.
+type LoadBalancerPortMappingFlags uint32
+
+var (
+	// LoadBalancerPortMappingFlagsNone is the default.
+	LoadBalancerPortMappingFlagsNone LoadBalancerPortMappingFlags
+	// LoadBalancerPortMappingFlagsILB enables internal loadbalancing.
+	LoadBalancerPortMappingFlagsILB LoadBalancerPortMappingFlags = 1
+	// LoadBalancerPortMappingFlagsLocalRoutedVIP enables VIP access from the host.
+	LoadBalancerPortMappingFlagsLocalRoutedVIP LoadBalancerPortMappingFlags = 2
+	// LoadBalancerPortMappingFlagsUseMux enables DSR for NodePort access of VIP.
+	LoadBalancerPortMappingFlagsUseMux LoadBalancerPortMappingFlags = 4
+	// LoadBalancerPortMappingFlagsPreserveDIP delivers packets with destination IP as the VIP.
+	LoadBalancerPortMappingFlagsPreserveDIP LoadBalancerPortMappingFlags = 8
+)
+
+func getLoadBalancer(loadBalancerGuid guid.GUID, query string) (*HostComputeLoadBalancer, error) {
+	// Open loadBalancer.
+	var (
+		loadBalancerHandle hcnLoadBalancer
+		resultBuffer       *uint16
+		propertiesBuffer   *uint16
+	)
+	hr := hcnOpenLoadBalancer(&loadBalancerGuid, &loadBalancerHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenLoadBalancer", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query loadBalancer.
+	hr = hcnQueryLoadBalancerProperties(loadBalancerHandle, query, &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryLoadBalancerProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close loadBalancer.
+	hr = hcnCloseLoadBalancer(loadBalancerHandle)
+	if err := checkForErrors("hcnCloseLoadBalancer", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeLoadBalancer
+	var outputLoadBalancer HostComputeLoadBalancer
+	if err := json.Unmarshal([]byte(properties), &outputLoadBalancer); err != nil {
+		return nil, err
+	}
+	return &outputLoadBalancer, nil
+}
+
+func enumerateLoadBalancers(query string) ([]HostComputeLoadBalancer, error) {
+	// Enumerate all LoadBalancer Guids
+	var (
+		resultBuffer       *uint16
+		loadBalancerBuffer *uint16
+	)
+	hr := hcnEnumerateLoadBalancers(query, &loadBalancerBuffer, &resultBuffer)
+	if err := checkForErrors("hcnEnumerateLoadBalancers", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+
+	loadBalancers := interop.ConvertAndFreeCoTaskMemString(loadBalancerBuffer)
+	var loadBalancerIds []guid.GUID
+	if err := json.Unmarshal([]byte(loadBalancers), &loadBalancerIds); err != nil {
+		return nil, err
+	}
+
+	var outputLoadBalancers []HostComputeLoadBalancer
+	for _, loadBalancerGuid := range loadBalancerIds {
+		loadBalancer, err := getLoadBalancer(loadBalancerGuid, query)
+		if err != nil {
+			return nil, err
+		}
+		outputLoadBalancers = append(outputLoadBalancers, *loadBalancer)
+	}
+	return outputLoadBalancers, nil
+}
+
+func createLoadBalancer(settings string) (*HostComputeLoadBalancer, error) {
+	// Create new loadBalancer.
+	var (
+		loadBalancerHandle hcnLoadBalancer
+		resultBuffer       *uint16
+		propertiesBuffer   *uint16
+	)
+	loadBalancerGuid := guid.GUID{}
+	hr := hcnCreateLoadBalancer(&loadBalancerGuid, settings, &loadBalancerHandle, &resultBuffer)
+	if err := checkForErrors("hcnCreateLoadBalancer", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query loadBalancer.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	hr = hcnQueryLoadBalancerProperties(loadBalancerHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryLoadBalancerProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close loadBalancer.
+	hr = hcnCloseLoadBalancer(loadBalancerHandle)
+	if err := checkForErrors("hcnCloseLoadBalancer", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeLoadBalancer
+	var outputLoadBalancer HostComputeLoadBalancer
+	if err := json.Unmarshal([]byte(properties), &outputLoadBalancer); err != nil {
+		return nil, err
+	}
+	return &outputLoadBalancer, nil
+}
+
+func modifyLoadBalancer(loadBalancerId string, settings string) (*HostComputeLoadBalancer, error) {
+	loadBalancerGuid, err := guid.FromString(loadBalancerId)
+	if err != nil {
+		return nil, errInvalidLoadBalancerID
+	}
+	// Open loadBalancer.
+	var (
+		loadBalancerHandle hcnLoadBalancer
+		resultBuffer       *uint16
+		propertiesBuffer   *uint16
+	)
+	hr := hcnOpenLoadBalancer(&loadBalancerGuid, &loadBalancerHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenLoadBalancer", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Modify loadBalancer.
+	hr = hcnModifyLoadBalancer(loadBalancerHandle, settings, &resultBuffer)
+	if err := checkForErrors("hcnModifyLoadBalancer", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query loadBalancer.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	hr = hcnQueryLoadBalancerProperties(loadBalancerHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryLoadBalancerProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close loadBalancer.
+	hr = hcnCloseLoadBalancer(loadBalancerHandle)
+	if err := checkForErrors("hcnCloseLoadBalancer", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to LoadBalancer
+	var outputLoadBalancer HostComputeLoadBalancer
+	if err := json.Unmarshal([]byte(properties), &outputLoadBalancer); err != nil {
+		return nil, err
+	}
+	return &outputLoadBalancer, nil
+}
+
+func deleteLoadBalancer(loadBalancerId string) error {
+	loadBalancerGuid, err := guid.FromString(loadBalancerId)
+	if err != nil {
+		return errInvalidLoadBalancerID
+	}
+	var resultBuffer *uint16
+	hr := hcnDeleteLoadBalancer(&loadBalancerGuid, &resultBuffer)
+	if err := checkForErrors("hcnDeleteLoadBalancer", hr, resultBuffer); err != nil {
+		return err
+	}
+	return nil
+}
+
+// ListLoadBalancers makes a call to list all available loadBalancers.
+func ListLoadBalancers() ([]HostComputeLoadBalancer, error) {
+	hcnQuery := defaultQuery()
+	loadBalancers, err := ListLoadBalancersQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	return loadBalancers, nil
+}
+
+// ListLoadBalancersQuery makes a call to query the list of available loadBalancers.
+func ListLoadBalancersQuery(query HostComputeQuery) ([]HostComputeLoadBalancer, error) {
+	queryJson, err := json.Marshal(query)
+	if err != nil {
+		return nil, err
+	}
+
+	loadBalancers, err := enumerateLoadBalancers(string(queryJson))
+	if err != nil {
+		return nil, err
+	}
+	return loadBalancers, nil
+}
+
+// GetLoadBalancerByID returns the LoadBalancer specified by Id.
+func GetLoadBalancerByID(loadBalancerId string) (*HostComputeLoadBalancer, error) {
+	hcnQuery := defaultQuery()
+	mapA := map[string]string{"ID": loadBalancerId}
+	filter, err := json.Marshal(mapA)
+	if err != nil {
+		return nil, err
+	}
+	hcnQuery.Filter = string(filter)
+
+	loadBalancers, err := ListLoadBalancersQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	if len(loadBalancers) == 0 {
+		return nil, LoadBalancerNotFoundError{LoadBalancerId: loadBalancerId}
+	}
+	return &loadBalancers[0], err
+}
+
+// Create LoadBalancer.
+func (loadBalancer *HostComputeLoadBalancer) Create() (*HostComputeLoadBalancer, error) {
+	logrus.Debugf("hcn::HostComputeLoadBalancer::Create id=%s", loadBalancer.Id)
+
+	jsonString, err := json.Marshal(loadBalancer)
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("hcn::HostComputeLoadBalancer::Create JSON: %s", jsonString)
+	loadBalancer, hcnErr := createLoadBalancer(string(jsonString))
+	if hcnErr != nil {
+		return nil, hcnErr
+	}
+	return loadBalancer, nil
+}
+
+// Delete LoadBalancer.
+func (loadBalancer *HostComputeLoadBalancer) Delete() error {
+	logrus.Debugf("hcn::HostComputeLoadBalancer::Delete id=%s", loadBalancer.Id)
+
+	if err := deleteLoadBalancer(loadBalancer.Id); err != nil {
+		return err
+	}
+	return nil
+}
+
+// AddEndpoint add an endpoint to a LoadBalancer
+func (loadBalancer *HostComputeLoadBalancer) AddEndpoint(endpoint *HostComputeEndpoint) (*HostComputeLoadBalancer, error) {
+	logrus.Debugf("hcn::HostComputeLoadBalancer::AddEndpoint loadBalancer=%s endpoint=%s", loadBalancer.Id, endpoint.Id)
+
+	err := loadBalancer.Delete()
+	if err != nil {
+		return nil, err
+	}
+
+	// Add Endpoint to the Existing List
+	loadBalancer.HostComputeEndpoints = append(loadBalancer.HostComputeEndpoints, endpoint.Id)
+
+	return loadBalancer.Create()
+}
+
+// RemoveEndpoint removes an endpoint from a LoadBalancer
+func (loadBalancer *HostComputeLoadBalancer) RemoveEndpoint(endpoint *HostComputeEndpoint) (*HostComputeLoadBalancer, error) {
+	logrus.Debugf("hcn::HostComputeLoadBalancer::RemoveEndpoint loadBalancer=%s endpoint=%s", loadBalancer.Id, endpoint.Id)
+
+	err := loadBalancer.Delete()
+	if err != nil {
+		return nil, err
+	}
+
+	// Create a list of all the endpoints besides the one being removed
+	var endpoints []string
+	for _, endpointReference := range loadBalancer.HostComputeEndpoints {
+		if endpointReference == endpoint.Id {
+			continue
+		}
+		endpoints = append(endpoints, endpointReference)
+	}
+	loadBalancer.HostComputeEndpoints = endpoints
+	return loadBalancer.Create()
+}
+
+// AddLoadBalancer for the specified endpoints
+func AddLoadBalancer(endpoints []HostComputeEndpoint, flags LoadBalancerFlags, portMappingFlags LoadBalancerPortMappingFlags, sourceVIP string, frontendVIPs []string, protocol uint16, internalPort uint16, externalPort uint16) (*HostComputeLoadBalancer, error) {
+	logrus.Debugf("hcn::HostComputeLoadBalancer::AddLoadBalancer endpointId=%v, LoadBalancerFlags=%v, LoadBalancerPortMappingFlags=%v, sourceVIP=%s, frontendVIPs=%v, protocol=%v, internalPort=%v, externalPort=%v", endpoints, flags, portMappingFlags, sourceVIP, frontendVIPs, protocol, internalPort, externalPort)
+
+	loadBalancer := &HostComputeLoadBalancer{
+		SourceVIP: sourceVIP,
+		PortMappings: []LoadBalancerPortMapping{
+			{
+				Protocol:     uint32(protocol),
+				InternalPort: internalPort,
+				ExternalPort: externalPort,
+				Flags:        portMappingFlags,
+			},
+		},
+		FrontendVIPs: frontendVIPs,
+		SchemaVersion: SchemaVersion{
+			Major: 2,
+			Minor: 0,
+		},
+		Flags: flags,
+	}
+
+	for _, endpoint := range endpoints {
+		loadBalancer.HostComputeEndpoints = append(loadBalancer.HostComputeEndpoints, endpoint.Id)
+	}
+
+	return loadBalancer.Create()
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnnamespace.go

@@ -0,0 +1,434 @@
+package hcn
+
+import (
+	"encoding/json"
+	"os"
+	"syscall"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	icni "github.com/Microsoft/hcsshim/internal/cni"
+	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/Microsoft/hcsshim/internal/regstate"
+	"github.com/Microsoft/hcsshim/internal/runhcs"
+	"github.com/sirupsen/logrus"
+)
+
+// NamespaceResourceEndpoint represents an Endpoint attached to a Namespace.
+type NamespaceResourceEndpoint struct {
+	Id string `json:"ID,"`
+}
+
+// NamespaceResourceContainer represents a Container attached to a Namespace.
+type NamespaceResourceContainer struct {
+	Id string `json:"ID,"`
+}
+
+// NamespaceResourceType determines whether the Namespace resource is a Container or Endpoint.
+type NamespaceResourceType string
+
+var (
+	// NamespaceResourceTypeContainer are contianers associated with a Namespace.
+	NamespaceResourceTypeContainer NamespaceResourceType = "Container"
+	// NamespaceResourceTypeEndpoint are endpoints associated with a Namespace.
+	NamespaceResourceTypeEndpoint NamespaceResourceType = "Endpoint"
+)
+
+// NamespaceResource is associated with a namespace
+type NamespaceResource struct {
+	Type NamespaceResourceType `json:","` // Container, Endpoint
+	Data json.RawMessage       `json:","`
+}
+
+// NamespaceType determines whether the Namespace is for a Host or Guest
+type NamespaceType string
+
+var (
+	// NamespaceTypeHost are host namespaces.
+	NamespaceTypeHost NamespaceType = "Host"
+	// NamespaceTypeHostDefault are host namespaces in the default compartment.
+	NamespaceTypeHostDefault NamespaceType = "HostDefault"
+	// NamespaceTypeGuest are guest namespaces.
+	NamespaceTypeGuest NamespaceType = "Guest"
+	// NamespaceTypeGuestDefault are guest namespaces in the default compartment.
+	NamespaceTypeGuestDefault NamespaceType = "GuestDefault"
+)
+
+// HostComputeNamespace represents a namespace (AKA compartment) in
+type HostComputeNamespace struct {
+	Id            string              `json:"ID,omitempty"`
+	NamespaceId   uint32              `json:",omitempty"`
+	Type          NamespaceType       `json:",omitempty"` // Host, HostDefault, Guest, GuestDefault
+	Resources     []NamespaceResource `json:",omitempty"`
+	SchemaVersion SchemaVersion       `json:",omitempty"`
+}
+
+// ModifyNamespaceSettingRequest is the structure used to send request to modify a namespace.
+// Used to Add/Remove an endpoints and containers to/from a namespace.
+type ModifyNamespaceSettingRequest struct {
+	ResourceType NamespaceResourceType `json:",omitempty"` // Container, Endpoint
+	RequestType  RequestType           `json:",omitempty"` // Add, Remove, Update, Refresh
+	Settings     json.RawMessage       `json:",omitempty"`
+}
+
+func getNamespace(namespaceGuid guid.GUID, query string) (*HostComputeNamespace, error) {
+	// Open namespace.
+	var (
+		namespaceHandle  hcnNamespace
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	hr := hcnOpenNamespace(&namespaceGuid, &namespaceHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenNamespace", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query namespace.
+	hr = hcnQueryNamespaceProperties(namespaceHandle, query, &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryNamespaceProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close namespace.
+	hr = hcnCloseNamespace(namespaceHandle)
+	if err := checkForErrors("hcnCloseNamespace", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeNamespace
+	var outputNamespace HostComputeNamespace
+	if err := json.Unmarshal([]byte(properties), &outputNamespace); err != nil {
+		return nil, err
+	}
+	return &outputNamespace, nil
+}
+
+func enumerateNamespaces(query string) ([]HostComputeNamespace, error) {
+	// Enumerate all Namespace Guids
+	var (
+		resultBuffer    *uint16
+		namespaceBuffer *uint16
+	)
+	hr := hcnEnumerateNamespaces(query, &namespaceBuffer, &resultBuffer)
+	if err := checkForErrors("hcnEnumerateNamespaces", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+
+	namespaces := interop.ConvertAndFreeCoTaskMemString(namespaceBuffer)
+	var namespaceIds []guid.GUID
+	if err := json.Unmarshal([]byte(namespaces), &namespaceIds); err != nil {
+		return nil, err
+	}
+
+	var outputNamespaces []HostComputeNamespace
+	for _, namespaceGuid := range namespaceIds {
+		namespace, err := getNamespace(namespaceGuid, query)
+		if err != nil {
+			return nil, err
+		}
+		outputNamespaces = append(outputNamespaces, *namespace)
+	}
+	return outputNamespaces, nil
+}
+
+func createNamespace(settings string) (*HostComputeNamespace, error) {
+	// Create new namespace.
+	var (
+		namespaceHandle  hcnNamespace
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	namespaceGuid := guid.GUID{}
+	hr := hcnCreateNamespace(&namespaceGuid, settings, &namespaceHandle, &resultBuffer)
+	if err := checkForErrors("hcnCreateNamespace", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query namespace.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	hr = hcnQueryNamespaceProperties(namespaceHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryNamespaceProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close namespace.
+	hr = hcnCloseNamespace(namespaceHandle)
+	if err := checkForErrors("hcnCloseNamespace", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeNamespace
+	var outputNamespace HostComputeNamespace
+	if err := json.Unmarshal([]byte(properties), &outputNamespace); err != nil {
+		return nil, err
+	}
+	return &outputNamespace, nil
+}
+
+func modifyNamespace(namespaceId string, settings string) (*HostComputeNamespace, error) {
+	namespaceGuid, err := guid.FromString(namespaceId)
+	if err != nil {
+		return nil, errInvalidNamespaceID
+	}
+	// Open namespace.
+	var (
+		namespaceHandle  hcnNamespace
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	hr := hcnOpenNamespace(&namespaceGuid, &namespaceHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenNamespace", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Modify namespace.
+	hr = hcnModifyNamespace(namespaceHandle, settings, &resultBuffer)
+	if err := checkForErrors("hcnModifyNamespace", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query namespace.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	hr = hcnQueryNamespaceProperties(namespaceHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryNamespaceProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close namespace.
+	hr = hcnCloseNamespace(namespaceHandle)
+	if err := checkForErrors("hcnCloseNamespace", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to Namespace
+	var outputNamespace HostComputeNamespace
+	if err := json.Unmarshal([]byte(properties), &outputNamespace); err != nil {
+		return nil, err
+	}
+	return &outputNamespace, nil
+}
+
+func deleteNamespace(namespaceId string) error {
+	namespaceGuid, err := guid.FromString(namespaceId)
+	if err != nil {
+		return errInvalidNamespaceID
+	}
+	var resultBuffer *uint16
+	hr := hcnDeleteNamespace(&namespaceGuid, &resultBuffer)
+	if err := checkForErrors("hcnDeleteNamespace", hr, resultBuffer); err != nil {
+		return err
+	}
+	return nil
+}
+
+// ListNamespaces makes a call to list all available namespaces.
+func ListNamespaces() ([]HostComputeNamespace, error) {
+	hcnQuery := defaultQuery()
+	namespaces, err := ListNamespacesQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	return namespaces, nil
+}
+
+// ListNamespacesQuery makes a call to query the list of available namespaces.
+func ListNamespacesQuery(query HostComputeQuery) ([]HostComputeNamespace, error) {
+	queryJson, err := json.Marshal(query)
+	if err != nil {
+		return nil, err
+	}
+
+	namespaces, err := enumerateNamespaces(string(queryJson))
+	if err != nil {
+		return nil, err
+	}
+	return namespaces, nil
+}
+
+// GetNamespaceByID returns the Namespace specified by Id.
+func GetNamespaceByID(namespaceId string) (*HostComputeNamespace, error) {
+	g, err := guid.FromString(namespaceId)
+	if err != nil {
+		return nil, errInvalidNamespaceID
+	}
+	return getNamespace(g, defaultQueryJson())
+}
+
+// GetNamespaceEndpointIds returns the endpoints of the Namespace specified by Id.
+func GetNamespaceEndpointIds(namespaceId string) ([]string, error) {
+	namespace, err := GetNamespaceByID(namespaceId)
+	if err != nil {
+		return nil, err
+	}
+	var endpointsIds []string
+	for _, resource := range namespace.Resources {
+		if resource.Type == "Endpoint" {
+			var endpointResource NamespaceResourceEndpoint
+			if err := json.Unmarshal([]byte(resource.Data), &endpointResource); err != nil {
+				return nil, err
+			}
+			endpointsIds = append(endpointsIds, endpointResource.Id)
+		}
+	}
+	return endpointsIds, nil
+}
+
+// GetNamespaceContainerIds returns the containers of the Namespace specified by Id.
+func GetNamespaceContainerIds(namespaceId string) ([]string, error) {
+	namespace, err := GetNamespaceByID(namespaceId)
+	if err != nil {
+		return nil, err
+	}
+	var containerIds []string
+	for _, resource := range namespace.Resources {
+		if resource.Type == "Container" {
+			var contaienrResource NamespaceResourceContainer
+			if err := json.Unmarshal([]byte(resource.Data), &contaienrResource); err != nil {
+				return nil, err
+			}
+			containerIds = append(containerIds, contaienrResource.Id)
+		}
+	}
+	return containerIds, nil
+}
+
+// NewNamespace creates a new Namespace object
+func NewNamespace(nsType NamespaceType) *HostComputeNamespace {
+	return &HostComputeNamespace{
+		Type:          nsType,
+		SchemaVersion: V2SchemaVersion(),
+	}
+}
+
+// Create Namespace.
+func (namespace *HostComputeNamespace) Create() (*HostComputeNamespace, error) {
+	logrus.Debugf("hcn::HostComputeNamespace::Create id=%s", namespace.Id)
+
+	jsonString, err := json.Marshal(namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("hcn::HostComputeNamespace::Create JSON: %s", jsonString)
+	namespace, hcnErr := createNamespace(string(jsonString))
+	if hcnErr != nil {
+		return nil, hcnErr
+	}
+	return namespace, nil
+}
+
+// Delete Namespace.
+func (namespace *HostComputeNamespace) Delete() error {
+	logrus.Debugf("hcn::HostComputeNamespace::Delete id=%s", namespace.Id)
+
+	if err := deleteNamespace(namespace.Id); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Sync Namespace endpoints with the appropriate sandbox container holding the
+// network namespace open. If no sandbox container is found for this namespace
+// this method is determined to be a success and will not return an error in
+// this case. If the sandbox container is found and a sync is initiated any
+// failures will be returned via this method.
+//
+// This call initiates a sync between endpoints and the matching UtilityVM
+// hosting those endpoints. It is safe to call for any `NamespaceType` but
+// `NamespaceTypeGuest` is the only case when a sync will actually occur. For
+// `NamespaceTypeHost` the process container will be automatically synchronized
+// when the the endpoint is added via `AddNamespaceEndpoint`.
+//
+// Note: This method sync's both additions and removals of endpoints from a
+// `NamespaceTypeGuest` namespace.
+func (namespace *HostComputeNamespace) Sync() error {
+	logrus.WithField("id", namespace.Id).Debugf("hcs::HostComputeNamespace::Sync")
+
+	// We only attempt a sync for namespace guest.
+	if namespace.Type != NamespaceTypeGuest {
+		return nil
+	}
+
+	// Look in the registry for the key to map from namespace id to pod-id
+	cfg, err := icni.LoadPersistedNamespaceConfig(namespace.Id)
+	if err != nil {
+		if regstate.IsNotFoundError(err) {
+			return nil
+		}
+		return err
+	}
+	req := runhcs.VMRequest{
+		ID: cfg.ContainerID,
+		Op: runhcs.OpSyncNamespace,
+	}
+	shimPath := runhcs.VMPipePath(cfg.HostUniqueID)
+	if err := runhcs.IssueVMRequest(shimPath, &req); err != nil {
+		// The shim is likey gone. Simply ignore the sync as if it didn't exist.
+		if perr, ok := err.(*os.PathError); ok && perr.Err == syscall.ERROR_FILE_NOT_FOUND {
+			// Remove the reg key there is no point to try again
+			cfg.Remove()
+			return nil
+		}
+		f := map[string]interface{}{
+			"id":           namespace.Id,
+			"container-id": cfg.ContainerID,
+		}
+		logrus.WithFields(f).
+			WithError(err).
+			Debugf("hcs::HostComputeNamespace::Sync failed to connect to shim pipe: '%s'", shimPath)
+		return err
+	}
+	return nil
+}
+
+// ModifyNamespaceSettings updates the Endpoints/Containers of a Namespace.
+func ModifyNamespaceSettings(namespaceId string, request *ModifyNamespaceSettingRequest) error {
+	logrus.Debugf("hcn::HostComputeNamespace::ModifyNamespaceSettings id=%s", namespaceId)
+
+	namespaceSettings, err := json.Marshal(request)
+	if err != nil {
+		return err
+	}
+
+	_, err = modifyNamespace(namespaceId, string(namespaceSettings))
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// AddNamespaceEndpoint adds an endpoint to a Namespace.
+func AddNamespaceEndpoint(namespaceId string, endpointId string) error {
+	logrus.Debugf("hcn::HostComputeEndpoint::AddNamespaceEndpoint id=%s", endpointId)
+
+	mapA := map[string]string{"EndpointId": endpointId}
+	settingsJson, err := json.Marshal(mapA)
+	if err != nil {
+		return err
+	}
+	requestMessage := &ModifyNamespaceSettingRequest{
+		ResourceType: NamespaceResourceTypeEndpoint,
+		RequestType:  RequestTypeAdd,
+		Settings:     settingsJson,
+	}
+
+	return ModifyNamespaceSettings(namespaceId, requestMessage)
+}
+
+// RemoveNamespaceEndpoint removes an endpoint from a Namespace.
+func RemoveNamespaceEndpoint(namespaceId string, endpointId string) error {
+	logrus.Debugf("hcn::HostComputeNamespace::RemoveNamespaceEndpoint id=%s", endpointId)
+
+	mapA := map[string]string{"EndpointId": endpointId}
+	settingsJson, err := json.Marshal(mapA)
+	if err != nil {
+		return err
+	}
+	requestMessage := &ModifyNamespaceSettingRequest{
+		ResourceType: NamespaceResourceTypeEndpoint,
+		RequestType:  RequestTypeRemove,
+		Settings:     settingsJson,
+	}
+
+	return ModifyNamespaceSettings(namespaceId, requestMessage)
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnnetwork.go

@@ -0,0 +1,461 @@
+package hcn
+
+import (
+	"encoding/json"
+	"errors"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/sirupsen/logrus"
+)
+
+// Route is assoicated with a subnet.
+type Route struct {
+	NextHop           string `json:",omitempty"`
+	DestinationPrefix string `json:",omitempty"`
+	Metric            uint16 `json:",omitempty"`
+}
+
+// Subnet is assoicated with a Ipam.
+type Subnet struct {
+	IpAddressPrefix string            `json:",omitempty"`
+	Policies        []json.RawMessage `json:",omitempty"`
+	Routes          []Route           `json:",omitempty"`
+}
+
+// Ipam (Internet Protocol Addres Management) is assoicated with a network
+// and represents the address space(s) of a network.
+type Ipam struct {
+	Type    string   `json:",omitempty"` // Ex: Static, DHCP
+	Subnets []Subnet `json:",omitempty"`
+}
+
+// MacRange is associated with MacPool and respresents the start and end addresses.
+type MacRange struct {
+	StartMacAddress string `json:",omitempty"`
+	EndMacAddress   string `json:",omitempty"`
+}
+
+// MacPool is assoicated with a network and represents pool of MacRanges.
+type MacPool struct {
+	Ranges []MacRange `json:",omitempty"`
+}
+
+// Dns (Domain Name System is associated with a network.
+type Dns struct {
+	Domain     string   `json:",omitempty"`
+	Search     []string `json:",omitempty"`
+	ServerList []string `json:",omitempty"`
+	Options    []string `json:",omitempty"`
+}
+
+// NetworkType are various networks.
+type NetworkType string
+
+// NetworkType const
+const (
+	NAT         NetworkType = "NAT"
+	Transparent NetworkType = "Transparent"
+	L2Bridge    NetworkType = "L2Bridge"
+	L2Tunnel    NetworkType = "L2Tunnel"
+	ICS         NetworkType = "ICS"
+	Private     NetworkType = "Private"
+	Overlay     NetworkType = "Overlay"
+)
+
+// NetworkFlags are various network flags.
+type NetworkFlags uint32
+
+// NetworkFlags const
+const (
+	None                NetworkFlags = 0
+	EnableNonPersistent NetworkFlags = 8
+)
+
+// HostComputeNetwork represents a network
+type HostComputeNetwork struct {
+	Id            string          `json:"ID,omitempty"`
+	Name          string          `json:",omitempty"`
+	Type          NetworkType     `json:",omitempty"`
+	Policies      []NetworkPolicy `json:",omitempty"`
+	MacPool       MacPool         `json:",omitempty"`
+	Dns           Dns             `json:",omitempty"`
+	Ipams         []Ipam          `json:",omitempty"`
+	Flags         NetworkFlags    `json:",omitempty"` // 0: None
+	SchemaVersion SchemaVersion   `json:",omitempty"`
+}
+
+// NetworkResourceType are the 3 different Network settings resources.
+type NetworkResourceType string
+
+var (
+	// NetworkResourceTypePolicy is for Network's policies. Ex: RemoteSubnet
+	NetworkResourceTypePolicy NetworkResourceType = "Policy"
+	// NetworkResourceTypeDNS is for Network's DNS settings.
+	NetworkResourceTypeDNS NetworkResourceType = "DNS"
+	// NetworkResourceTypeExtension is for Network's extension settings.
+	NetworkResourceTypeExtension NetworkResourceType = "Extension"
+)
+
+// ModifyNetworkSettingRequest is the structure used to send request to modify an network.
+// Used to update DNS/extension/policy on an network.
+type ModifyNetworkSettingRequest struct {
+	ResourceType NetworkResourceType `json:",omitempty"` // Policy, DNS, Extension
+	RequestType  RequestType         `json:",omitempty"` // Add, Remove, Update, Refresh
+	Settings     json.RawMessage     `json:",omitempty"`
+}
+
+type PolicyNetworkRequest struct {
+	Policies []NetworkPolicy `json:",omitempty"`
+}
+
+func getNetwork(networkGuid guid.GUID, query string) (*HostComputeNetwork, error) {
+	// Open network.
+	var (
+		networkHandle    hcnNetwork
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	hr := hcnOpenNetwork(&networkGuid, &networkHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenNetwork", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query network.
+	hr = hcnQueryNetworkProperties(networkHandle, query, &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryNetworkProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close network.
+	hr = hcnCloseNetwork(networkHandle)
+	if err := checkForErrors("hcnCloseNetwork", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeNetwork
+	var outputNetwork HostComputeNetwork
+
+	// If HNS sets the network type to NAT (i.e. '0' in HNS.Schema.Network.NetworkMode),
+	// the value will be omitted from the JSON blob. We therefore need to initialize NAT here before
+	// unmarshaling the JSON blob.
+	outputNetwork.Type = NAT
+
+	if err := json.Unmarshal([]byte(properties), &outputNetwork); err != nil {
+		return nil, err
+	}
+	return &outputNetwork, nil
+}
+
+func enumerateNetworks(query string) ([]HostComputeNetwork, error) {
+	// Enumerate all Network Guids
+	var (
+		resultBuffer  *uint16
+		networkBuffer *uint16
+	)
+	hr := hcnEnumerateNetworks(query, &networkBuffer, &resultBuffer)
+	if err := checkForErrors("hcnEnumerateNetworks", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+
+	networks := interop.ConvertAndFreeCoTaskMemString(networkBuffer)
+	var networkIds []guid.GUID
+	if err := json.Unmarshal([]byte(networks), &networkIds); err != nil {
+		return nil, err
+	}
+
+	var outputNetworks []HostComputeNetwork
+	for _, networkGuid := range networkIds {
+		network, err := getNetwork(networkGuid, query)
+		if err != nil {
+			return nil, err
+		}
+		outputNetworks = append(outputNetworks, *network)
+	}
+	return outputNetworks, nil
+}
+
+func createNetwork(settings string) (*HostComputeNetwork, error) {
+	// Create new network.
+	var (
+		networkHandle    hcnNetwork
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	networkGuid := guid.GUID{}
+	hr := hcnCreateNetwork(&networkGuid, settings, &networkHandle, &resultBuffer)
+	if err := checkForErrors("hcnCreateNetwork", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query network.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	hr = hcnQueryNetworkProperties(networkHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryNetworkProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close network.
+	hr = hcnCloseNetwork(networkHandle)
+	if err := checkForErrors("hcnCloseNetwork", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeNetwork
+	var outputNetwork HostComputeNetwork
+
+	// If HNS sets the network type to NAT (i.e. '0' in HNS.Schema.Network.NetworkMode),
+	// the value will be omitted from the JSON blob. We therefore need to initialize NAT here before
+	// unmarshaling the JSON blob.
+	outputNetwork.Type = NAT
+
+	if err := json.Unmarshal([]byte(properties), &outputNetwork); err != nil {
+		return nil, err
+	}
+	return &outputNetwork, nil
+}
+
+func modifyNetwork(networkId string, settings string) (*HostComputeNetwork, error) {
+	networkGuid, err := guid.FromString(networkId)
+	if err != nil {
+		return nil, errInvalidNetworkID
+	}
+	// Open Network
+	var (
+		networkHandle    hcnNetwork
+		resultBuffer     *uint16
+		propertiesBuffer *uint16
+	)
+	hr := hcnOpenNetwork(&networkGuid, &networkHandle, &resultBuffer)
+	if err := checkForErrors("hcnOpenNetwork", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Modify Network
+	hr = hcnModifyNetwork(networkHandle, settings, &resultBuffer)
+	if err := checkForErrors("hcnModifyNetwork", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	// Query network.
+	hcnQuery := defaultQuery()
+	query, err := json.Marshal(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	hr = hcnQueryNetworkProperties(networkHandle, string(query), &propertiesBuffer, &resultBuffer)
+	if err := checkForErrors("hcnQueryNetworkProperties", hr, resultBuffer); err != nil {
+		return nil, err
+	}
+	properties := interop.ConvertAndFreeCoTaskMemString(propertiesBuffer)
+	// Close network.
+	hr = hcnCloseNetwork(networkHandle)
+	if err := checkForErrors("hcnCloseNetwork", hr, nil); err != nil {
+		return nil, err
+	}
+	// Convert output to HostComputeNetwork
+	var outputNetwork HostComputeNetwork
+
+	// If HNS sets the network type to NAT (i.e. '0' in HNS.Schema.Network.NetworkMode),
+	// the value will be omitted from the JSON blob. We therefore need to initialize NAT here before
+	// unmarshaling the JSON blob.
+	outputNetwork.Type = NAT
+
+	if err := json.Unmarshal([]byte(properties), &outputNetwork); err != nil {
+		return nil, err
+	}
+	return &outputNetwork, nil
+}
+
+func deleteNetwork(networkId string) error {
+	networkGuid, err := guid.FromString(networkId)
+	if err != nil {
+		return errInvalidNetworkID
+	}
+	var resultBuffer *uint16
+	hr := hcnDeleteNetwork(&networkGuid, &resultBuffer)
+	if err := checkForErrors("hcnDeleteNetwork", hr, resultBuffer); err != nil {
+		return err
+	}
+	return nil
+}
+
+// ListNetworks makes a call to list all available networks.
+func ListNetworks() ([]HostComputeNetwork, error) {
+	hcnQuery := defaultQuery()
+	networks, err := ListNetworksQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	return networks, nil
+}
+
+// ListNetworksQuery makes a call to query the list of available networks.
+func ListNetworksQuery(query HostComputeQuery) ([]HostComputeNetwork, error) {
+	queryJson, err := json.Marshal(query)
+	if err != nil {
+		return nil, err
+	}
+
+	networks, err := enumerateNetworks(string(queryJson))
+	if err != nil {
+		return nil, err
+	}
+	return networks, nil
+}
+
+// GetNetworkByID returns the network specified by Id.
+func GetNetworkByID(networkID string) (*HostComputeNetwork, error) {
+	hcnQuery := defaultQuery()
+	mapA := map[string]string{"ID": networkID}
+	filter, err := json.Marshal(mapA)
+	if err != nil {
+		return nil, err
+	}
+	hcnQuery.Filter = string(filter)
+
+	networks, err := ListNetworksQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	if len(networks) == 0 {
+		return nil, NetworkNotFoundError{NetworkID: networkID}
+	}
+	return &networks[0], err
+}
+
+// GetNetworkByName returns the network specified by Name.
+func GetNetworkByName(networkName string) (*HostComputeNetwork, error) {
+	hcnQuery := defaultQuery()
+	mapA := map[string]string{"Name": networkName}
+	filter, err := json.Marshal(mapA)
+	if err != nil {
+		return nil, err
+	}
+	hcnQuery.Filter = string(filter)
+
+	networks, err := ListNetworksQuery(hcnQuery)
+	if err != nil {
+		return nil, err
+	}
+	if len(networks) == 0 {
+		return nil, NetworkNotFoundError{NetworkName: networkName}
+	}
+	return &networks[0], err
+}
+
+// Create Network.
+func (network *HostComputeNetwork) Create() (*HostComputeNetwork, error) {
+	logrus.Debugf("hcn::HostComputeNetwork::Create id=%s", network.Id)
+	for _, ipam := range network.Ipams {
+		for _, subnet := range ipam.Subnets {
+			if subnet.IpAddressPrefix != "" {
+				hasDefault := false
+				for _, route := range subnet.Routes {
+					if route.NextHop == "" {
+						return nil, errors.New("network create error, subnet has address prefix but no gateway specified")
+					}
+					if route.DestinationPrefix == "0.0.0.0/0" || route.DestinationPrefix == "::/0" {
+						hasDefault = true
+					}
+				}
+				if !hasDefault {
+					return nil, errors.New("network create error, no default gateway")
+				}
+			}
+		}
+	}
+
+	jsonString, err := json.Marshal(network)
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("hcn::HostComputeNetwork::Create JSON: %s", jsonString)
+	network, hcnErr := createNetwork(string(jsonString))
+	if hcnErr != nil {
+		return nil, hcnErr
+	}
+	return network, nil
+}
+
+// Delete Network.
+func (network *HostComputeNetwork) Delete() error {
+	logrus.Debugf("hcn::HostComputeNetwork::Delete id=%s", network.Id)
+
+	if err := deleteNetwork(network.Id); err != nil {
+		return err
+	}
+	return nil
+}
+
+// ModifyNetworkSettings updates the Policy for a network.
+func (network *HostComputeNetwork) ModifyNetworkSettings(request *ModifyNetworkSettingRequest) error {
+	logrus.Debugf("hcn::HostComputeNetwork::ModifyNetworkSettings id=%s", network.Id)
+
+	networkSettingsRequest, err := json.Marshal(request)
+	if err != nil {
+		return err
+	}
+
+	_, err = modifyNetwork(network.Id, string(networkSettingsRequest))
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// AddPolicy applies a Policy (ex: RemoteSubnet) on the Network.
+func (network *HostComputeNetwork) AddPolicy(networkPolicy PolicyNetworkRequest) error {
+	logrus.Debugf("hcn::HostComputeNetwork::AddPolicy id=%s", network.Id)
+
+	settingsJson, err := json.Marshal(networkPolicy)
+	if err != nil {
+		return err
+	}
+	requestMessage := &ModifyNetworkSettingRequest{
+		ResourceType: NetworkResourceTypePolicy,
+		RequestType:  RequestTypeAdd,
+		Settings:     settingsJson,
+	}
+
+	return network.ModifyNetworkSettings(requestMessage)
+}
+
+// RemovePolicy removes a Policy (ex: RemoteSubnet) from the Network.
+func (network *HostComputeNetwork) RemovePolicy(networkPolicy PolicyNetworkRequest) error {
+	logrus.Debugf("hcn::HostComputeNetwork::RemovePolicy id=%s", network.Id)
+
+	settingsJson, err := json.Marshal(networkPolicy)
+	if err != nil {
+		return err
+	}
+	requestMessage := &ModifyNetworkSettingRequest{
+		ResourceType: NetworkResourceTypePolicy,
+		RequestType:  RequestTypeRemove,
+		Settings:     settingsJson,
+	}
+
+	return network.ModifyNetworkSettings(requestMessage)
+}
+
+// CreateEndpoint creates an endpoint on the Network.
+func (network *HostComputeNetwork) CreateEndpoint(endpoint *HostComputeEndpoint) (*HostComputeEndpoint, error) {
+	isRemote := endpoint.Flags&EndpointFlagsRemoteEndpoint != 0
+	logrus.Debugf("hcn::HostComputeNetwork::CreatEndpoint, networkId=%s remote=%t", network.Id, isRemote)
+
+	endpoint.HostComputeNetwork = network.Id
+	endpointSettings, err := json.Marshal(endpoint)
+	if err != nil {
+		return nil, err
+	}
+	newEndpoint, err := createEndpoint(network.Id, string(endpointSettings))
+	if err != nil {
+		return nil, err
+	}
+	return newEndpoint, nil
+}
+
+// CreateRemoteEndpoint creates a remote endpoint on the Network.
+func (network *HostComputeNetwork) CreateRemoteEndpoint(endpoint *HostComputeEndpoint) (*HostComputeEndpoint, error) {
+	endpoint.Flags = EndpointFlagsRemoteEndpoint | endpoint.Flags
+	return network.CreateEndpoint(endpoint)
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnpolicy.go

@@ -0,0 +1,249 @@
+package hcn
+
+import (
+	"encoding/json"
+)
+
+// EndpointPolicyType are the potential Policies that apply to Endpoints.
+type EndpointPolicyType string
+
+// EndpointPolicyType const
+const (
+	PortMapping   EndpointPolicyType = "PortMapping"
+	ACL           EndpointPolicyType = "ACL"
+	QOS           EndpointPolicyType = "QOS"
+	L2Driver      EndpointPolicyType = "L2Driver"
+	OutBoundNAT   EndpointPolicyType = "OutBoundNAT"
+	SDNRoute      EndpointPolicyType = "SDNRoute"
+	L4Proxy       EndpointPolicyType = "L4Proxy"
+	PortName      EndpointPolicyType = "PortName"
+	EncapOverhead EndpointPolicyType = "EncapOverhead"
+	// Endpoint and Network have InterfaceConstraint and ProviderAddress
+	NetworkProviderAddress     EndpointPolicyType = "ProviderAddress"
+	NetworkInterfaceConstraint EndpointPolicyType = "InterfaceConstraint"
+)
+
+// EndpointPolicy is a collection of Policy settings for an Endpoint.
+type EndpointPolicy struct {
+	Type     EndpointPolicyType `json:""`
+	Settings json.RawMessage    `json:",omitempty"`
+}
+
+// NetworkPolicyType are the potential Policies that apply to Networks.
+type NetworkPolicyType string
+
+// NetworkPolicyType const
+const (
+	SourceMacAddress    NetworkPolicyType = "SourceMacAddress"
+	NetAdapterName      NetworkPolicyType = "NetAdapterName"
+	VSwitchExtension    NetworkPolicyType = "VSwitchExtension"
+	DrMacAddress        NetworkPolicyType = "DrMacAddress"
+	AutomaticDNS        NetworkPolicyType = "AutomaticDNS"
+	InterfaceConstraint NetworkPolicyType = "InterfaceConstraint"
+	ProviderAddress     NetworkPolicyType = "ProviderAddress"
+	RemoteSubnetRoute   NetworkPolicyType = "RemoteSubnetRoute"
+	HostRoute           NetworkPolicyType = "HostRoute"
+)
+
+// NetworkPolicy is a collection of Policy settings for a Network.
+type NetworkPolicy struct {
+	Type     NetworkPolicyType `json:""`
+	Settings json.RawMessage   `json:",omitempty"`
+}
+
+// SubnetPolicyType are the potential Policies that apply to Subnets.
+type SubnetPolicyType string
+
+// SubnetPolicyType const
+const (
+	VLAN SubnetPolicyType = "VLAN"
+	VSID SubnetPolicyType = "VSID"
+)
+
+// SubnetPolicy is a collection of Policy settings for a Subnet.
+type SubnetPolicy struct {
+	Type     SubnetPolicyType `json:""`
+	Settings json.RawMessage  `json:",omitempty"`
+}
+
+// NatFlags are flags for portmappings.
+type NatFlags uint32
+
+/// Endpoint Policy objects
+
+// PortMappingPolicySetting defines Port Mapping (NAT)
+type PortMappingPolicySetting struct {
+	Protocol     uint32   `json:",omitempty"` // EX: TCP = 6, UDP = 17
+	InternalPort uint16   `json:",omitempty"`
+	ExternalPort uint16   `json:",omitempty"`
+	VIP          string   `json:",omitempty"`
+	Flags        NatFlags `json:",omitempty"`
+}
+
+// ActionType associated with ACLs. Value is either Allow or Block.
+type ActionType string
+
+// DirectionType associated with ACLs. Value is either In or Out.
+type DirectionType string
+
+// RuleType associated with ACLs. Value is either Host (WFP) or Switch (VFP).
+type RuleType string
+
+const (
+	// Allow traffic
+	ActionTypeAllow ActionType = "Allow"
+	// Block traffic
+	ActionTypeBlock ActionType = "Block"
+
+	// In is traffic coming to the Endpoint
+	DirectionTypeIn DirectionType = "In"
+	// Out is traffic leaving the Endpoint
+	DirectionTypeOut DirectionType = "Out"
+
+	// Host creates WFP (Windows Firewall) rules
+	RuleTypeHost RuleType = "Host"
+	// Switch creates VFP (Virtual Filter Platform) rules
+	RuleTypeSwitch RuleType = "Switch"
+)
+
+// AclPolicySetting creates firewall rules on an endpoint
+type AclPolicySetting struct {
+	Protocols       string        `json:",omitempty"` // EX: 6 (TCP), 17 (UDP), 1 (ICMPv4), 58 (ICMPv6), 2 (IGMP)
+	Action          ActionType    `json:","`
+	Direction       DirectionType `json:","`
+	LocalAddresses  string        `json:",omitempty"`
+	RemoteAddresses string        `json:",omitempty"`
+	LocalPorts      string        `json:",omitempty"`
+	RemotePorts     string        `json:",omitempty"`
+	RuleType        RuleType      `json:",omitempty"`
+	Priority        uint16        `json:",omitempty"`
+}
+
+// QosPolicySetting sets Quality of Service bandwidth caps on an Endpoint.
+type QosPolicySetting struct {
+	MaximumOutgoingBandwidthInBytes uint64
+}
+
+// OutboundNatPolicySetting sets outbound Network Address Translation on an Endpoint.
+type OutboundNatPolicySetting struct {
+	VirtualIP  string   `json:",omitempty"`
+	Exceptions []string `json:",omitempty"`
+}
+
+// SDNRoutePolicySetting sets SDN Route on an Endpoint.
+type SDNRoutePolicySetting struct {
+	DestinationPrefix string `json:",omitempty"`
+	NextHop           string `json:",omitempty"`
+	NeedEncap         bool   `json:",omitempty"`
+}
+
+// A ProxyType is a type of proxy used by the L4 proxy policy.
+type ProxyType int
+
+const (
+	// ProxyTypeVFP specifies a Virtual Filtering Protocol proxy.
+	ProxyTypeVFP ProxyType = iota
+	// ProxyTypeWFP specifies a Windows Filtering Platform proxy.
+	ProxyTypeWFP
+)
+
+// FiveTuple is nested in L4ProxyPolicySetting for WFP support.
+type FiveTuple struct {
+	Protocols       string `json:",omitempty"`
+	LocalAddresses  string `json:",omitempty"`
+	RemoteAddresses string `json:",omitempty"`
+	LocalPorts      string `json:",omitempty"`
+	RemotePorts     string `json:",omitempty"`
+	Priority        uint16 `json:",omitempty"`
+}
+
+// L4ProxyPolicySetting sets Layer-4 Proxy on an endpoint.
+type L4ProxyPolicySetting struct {
+	IP            string   `json:",omitempty"`
+	Port          string   `json:",omitempty"`
+	Protocol      uint32   `json:",omitempty"` // EX: TCP = 6, UDP = 17
+	ExceptionList []string `json:",omitempty"`
+	Destination   string   `json:","`
+	OutboundNat   bool     `json:",omitempty"`
+
+	// For the WFP proxy
+	FilterTuple   FiveTuple `json:",omitempty"`
+	ProxyType     ProxyType `json:",omitempty"`
+	UserSID       string    `json:",omitempty"`
+	CompartmentID uint32    `json:",omitempty"`
+}
+
+// PortnameEndpointPolicySetting sets the port name for an endpoint.
+type PortnameEndpointPolicySetting struct {
+	Name string `json:",omitempty"`
+}
+
+// EncapOverheadEndpointPolicySetting sets the encap overhead for an endpoint.
+type EncapOverheadEndpointPolicySetting struct {
+	Overhead uint16 `json:",omitempty"`
+}
+
+/// Endpoint and Network Policy objects
+
+// ProviderAddressEndpointPolicySetting sets the PA for an endpoint.
+type ProviderAddressEndpointPolicySetting struct {
+	ProviderAddress string `json:",omitempty"`
+}
+
+// InterfaceConstraintPolicySetting limits an Endpoint or Network to a specific Nic.
+type InterfaceConstraintPolicySetting struct {
+	InterfaceGuid        string `json:",omitempty"`
+	InterfaceLuid        uint64 `json:",omitempty"`
+	InterfaceIndex       uint32 `json:",omitempty"`
+	InterfaceMediaType   uint32 `json:",omitempty"`
+	InterfaceAlias       string `json:",omitempty"`
+	InterfaceDescription string `json:",omitempty"`
+}
+
+/// Network Policy objects
+
+// SourceMacAddressNetworkPolicySetting sets source MAC for a network.
+type SourceMacAddressNetworkPolicySetting struct {
+	SourceMacAddress string `json:",omitempty"`
+}
+
+// NetAdapterNameNetworkPolicySetting sets network adapter of a network.
+type NetAdapterNameNetworkPolicySetting struct {
+	NetworkAdapterName string `json:",omitempty"`
+}
+
+// VSwitchExtensionNetworkPolicySetting enables/disabled VSwitch extensions for a network.
+type VSwitchExtensionNetworkPolicySetting struct {
+	ExtensionID string `json:",omitempty"`
+	Enable      bool   `json:",omitempty"`
+}
+
+// DrMacAddressNetworkPolicySetting sets the DR MAC for a network.
+type DrMacAddressNetworkPolicySetting struct {
+	Address string `json:",omitempty"`
+}
+
+// AutomaticDNSNetworkPolicySetting enables/disables automatic DNS on a network.
+type AutomaticDNSNetworkPolicySetting struct {
+	Enable bool `json:",omitempty"`
+}
+
+/// Subnet Policy objects
+
+// VlanPolicySetting isolates a subnet with VLAN tagging.
+type VlanPolicySetting struct {
+	IsolationId uint32 `json:","`
+}
+
+// VsidPolicySetting isolates a subnet with VSID tagging.
+type VsidPolicySetting struct {
+	IsolationId uint32 `json:","`
+}
+
+// RemoteSubnetRoutePolicySetting creates remote subnet route rules on a network
+type RemoteSubnetRoutePolicySetting struct {
+	DestinationPrefix           string
+	IsolationId                 uint16
+	ProviderAddress             string
+	DistributedRouterMacAddress string
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnsupport.go

@@ -0,0 +1,71 @@
+package hcn
+
+import (
+	"github.com/sirupsen/logrus"
+)
+
+// SupportedFeatures are the features provided by the Service.
+type SupportedFeatures struct {
+	Acl          AclFeatures `json:"ACL"`
+	Api          ApiSupport  `json:"API"`
+	RemoteSubnet bool        `json:"RemoteSubnet"`
+	HostRoute    bool        `json:"HostRoute"`
+	DSR          bool        `json:"DSR"`
+}
+
+// AclFeatures are the supported ACL possibilities.
+type AclFeatures struct {
+	AclAddressLists       bool `json:"AclAddressLists"`
+	AclNoHostRulePriority bool `json:"AclHostRulePriority"`
+	AclPortRanges         bool `json:"AclPortRanges"`
+	AclRuleId             bool `json:"AclRuleId"`
+}
+
+// ApiSupport lists the supported API versions.
+type ApiSupport struct {
+	V1 bool `json:"V1"`
+	V2 bool `json:"V2"`
+}
+
+// GetSupportedFeatures returns the features supported by the Service.
+func GetSupportedFeatures() SupportedFeatures {
+	var features SupportedFeatures
+
+	globals, err := GetGlobals()
+	if err != nil {
+		// Expected on pre-1803 builds, all features will be false/unsupported
+		logrus.Debugf("Unable to obtain globals: %s", err)
+		return features
+	}
+
+	features.Acl = AclFeatures{
+		AclAddressLists:       isFeatureSupported(globals.Version, HNSVersion1803),
+		AclNoHostRulePriority: isFeatureSupported(globals.Version, HNSVersion1803),
+		AclPortRanges:         isFeatureSupported(globals.Version, HNSVersion1803),
+		AclRuleId:             isFeatureSupported(globals.Version, HNSVersion1803),
+	}
+
+	features.Api = ApiSupport{
+		V2: isFeatureSupported(globals.Version, V2ApiSupport),
+		V1: true, // HNSCall is still available.
+	}
+
+	features.RemoteSubnet = isFeatureSupported(globals.Version, RemoteSubnetVersion)
+	features.HostRoute = isFeatureSupported(globals.Version, HostRouteVersion)
+	features.DSR = isFeatureSupported(globals.Version, DSRVersion)
+
+	return features
+}
+
+func isFeatureSupported(currentVersion Version, minVersionSupported Version) bool {
+	if currentVersion.Major < minVersionSupported.Major {
+		return false
+	}
+	if currentVersion.Major > minVersionSupported.Major {
+		return true
+	}
+	if currentVersion.Minor < minVersionSupported.Minor {
+		return false
+	}
+	return true
+}

vendor/github.com/Microsoft/hcsshim/hcn/zsyscall_windows.go

@@ -0,0 +1,714 @@
+// Code generated mksyscall_windows.exe DO NOT EDIT
+
+package hcn
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return nil
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modiphlpapi       = windows.NewLazySystemDLL("iphlpapi.dll")
+	modvmcompute      = windows.NewLazySystemDLL("vmcompute.dll")
+	modcomputenetwork = windows.NewLazySystemDLL("computenetwork.dll")
+
+	procSetCurrentThreadCompartmentId  = modiphlpapi.NewProc("SetCurrentThreadCompartmentId")
+	procHNSCall                        = modvmcompute.NewProc("HNSCall")
+	procHcnEnumerateNetworks           = modcomputenetwork.NewProc("HcnEnumerateNetworks")
+	procHcnCreateNetwork               = modcomputenetwork.NewProc("HcnCreateNetwork")
+	procHcnOpenNetwork                 = modcomputenetwork.NewProc("HcnOpenNetwork")
+	procHcnModifyNetwork               = modcomputenetwork.NewProc("HcnModifyNetwork")
+	procHcnQueryNetworkProperties      = modcomputenetwork.NewProc("HcnQueryNetworkProperties")
+	procHcnDeleteNetwork               = modcomputenetwork.NewProc("HcnDeleteNetwork")
+	procHcnCloseNetwork                = modcomputenetwork.NewProc("HcnCloseNetwork")
+	procHcnEnumerateEndpoints          = modcomputenetwork.NewProc("HcnEnumerateEndpoints")
+	procHcnCreateEndpoint              = modcomputenetwork.NewProc("HcnCreateEndpoint")
+	procHcnOpenEndpoint                = modcomputenetwork.NewProc("HcnOpenEndpoint")
+	procHcnModifyEndpoint              = modcomputenetwork.NewProc("HcnModifyEndpoint")
+	procHcnQueryEndpointProperties     = modcomputenetwork.NewProc("HcnQueryEndpointProperties")
+	procHcnDeleteEndpoint              = modcomputenetwork.NewProc("HcnDeleteEndpoint")
+	procHcnCloseEndpoint               = modcomputenetwork.NewProc("HcnCloseEndpoint")
+	procHcnEnumerateNamespaces         = modcomputenetwork.NewProc("HcnEnumerateNamespaces")
+	procHcnCreateNamespace             = modcomputenetwork.NewProc("HcnCreateNamespace")
+	procHcnOpenNamespace               = modcomputenetwork.NewProc("HcnOpenNamespace")
+	procHcnModifyNamespace             = modcomputenetwork.NewProc("HcnModifyNamespace")
+	procHcnQueryNamespaceProperties    = modcomputenetwork.NewProc("HcnQueryNamespaceProperties")
+	procHcnDeleteNamespace             = modcomputenetwork.NewProc("HcnDeleteNamespace")
+	procHcnCloseNamespace              = modcomputenetwork.NewProc("HcnCloseNamespace")
+	procHcnEnumerateLoadBalancers      = modcomputenetwork.NewProc("HcnEnumerateLoadBalancers")
+	procHcnCreateLoadBalancer          = modcomputenetwork.NewProc("HcnCreateLoadBalancer")
+	procHcnOpenLoadBalancer            = modcomputenetwork.NewProc("HcnOpenLoadBalancer")
+	procHcnModifyLoadBalancer          = modcomputenetwork.NewProc("HcnModifyLoadBalancer")
+	procHcnQueryLoadBalancerProperties = modcomputenetwork.NewProc("HcnQueryLoadBalancerProperties")
+	procHcnDeleteLoadBalancer          = modcomputenetwork.NewProc("HcnDeleteLoadBalancer")
+	procHcnCloseLoadBalancer           = modcomputenetwork.NewProc("HcnCloseLoadBalancer")
+	procHcnOpenService                 = modcomputenetwork.NewProc("HcnOpenService")
+	procHcnRegisterServiceCallback     = modcomputenetwork.NewProc("HcnRegisterServiceCallback")
+	procHcnUnregisterServiceCallback   = modcomputenetwork.NewProc("HcnUnregisterServiceCallback")
+	procHcnCloseService                = modcomputenetwork.NewProc("HcnCloseService")
+)
+
+func SetCurrentThreadCompartmentId(compartmentId uint32) (hr error) {
+	r0, _, _ := syscall.Syscall(procSetCurrentThreadCompartmentId.Addr(), 1, uintptr(compartmentId), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func _hnsCall(method string, path string, object string, response **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(method)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(path)
+	if hr != nil {
+		return
+	}
+	var _p2 *uint16
+	_p2, hr = syscall.UTF16PtrFromString(object)
+	if hr != nil {
+		return
+	}
+	return __hnsCall(_p0, _p1, _p2, response)
+}
+
+func __hnsCall(method *uint16, path *uint16, object *uint16, response **uint16) (hr error) {
+	if hr = procHNSCall.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHNSCall.Addr(), 4, uintptr(unsafe.Pointer(method)), uintptr(unsafe.Pointer(path)), uintptr(unsafe.Pointer(object)), uintptr(unsafe.Pointer(response)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnEnumerateNetworks(query string, networks **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnEnumerateNetworks(_p0, networks, result)
+}
+
+func _hcnEnumerateNetworks(query *uint16, networks **uint16, result **uint16) (hr error) {
+	if hr = procHcnEnumerateNetworks.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnEnumerateNetworks.Addr(), 3, uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(networks)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCreateNetwork(id *_guid, settings string, network *hcnNetwork, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnCreateNetwork(id, _p0, network, result)
+}
+
+func _hcnCreateNetwork(id *_guid, settings *uint16, network *hcnNetwork, result **uint16) (hr error) {
+	if hr = procHcnCreateNetwork.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnCreateNetwork.Addr(), 4, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(network)), uintptr(unsafe.Pointer(result)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnOpenNetwork(id *_guid, network *hcnNetwork, result **uint16) (hr error) {
+	if hr = procHcnOpenNetwork.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnOpenNetwork.Addr(), 3, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(network)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnModifyNetwork(network hcnNetwork, settings string, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnModifyNetwork(network, _p0, result)
+}
+
+func _hcnModifyNetwork(network hcnNetwork, settings *uint16, result **uint16) (hr error) {
+	if hr = procHcnModifyNetwork.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnModifyNetwork.Addr(), 3, uintptr(network), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnQueryNetworkProperties(network hcnNetwork, query string, properties **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnQueryNetworkProperties(network, _p0, properties, result)
+}
+
+func _hcnQueryNetworkProperties(network hcnNetwork, query *uint16, properties **uint16, result **uint16) (hr error) {
+	if hr = procHcnQueryNetworkProperties.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnQueryNetworkProperties.Addr(), 4, uintptr(network), uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(properties)), uintptr(unsafe.Pointer(result)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnDeleteNetwork(id *_guid, result **uint16) (hr error) {
+	if hr = procHcnDeleteNetwork.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnDeleteNetwork.Addr(), 2, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCloseNetwork(network hcnNetwork) (hr error) {
+	if hr = procHcnCloseNetwork.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnCloseNetwork.Addr(), 1, uintptr(network), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnEnumerateEndpoints(query string, endpoints **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnEnumerateEndpoints(_p0, endpoints, result)
+}
+
+func _hcnEnumerateEndpoints(query *uint16, endpoints **uint16, result **uint16) (hr error) {
+	if hr = procHcnEnumerateEndpoints.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnEnumerateEndpoints.Addr(), 3, uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(endpoints)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCreateEndpoint(network hcnNetwork, id *_guid, settings string, endpoint *hcnEndpoint, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnCreateEndpoint(network, id, _p0, endpoint, result)
+}
+
+func _hcnCreateEndpoint(network hcnNetwork, id *_guid, settings *uint16, endpoint *hcnEndpoint, result **uint16) (hr error) {
+	if hr = procHcnCreateEndpoint.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnCreateEndpoint.Addr(), 5, uintptr(network), uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(endpoint)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnOpenEndpoint(id *_guid, endpoint *hcnEndpoint, result **uint16) (hr error) {
+	if hr = procHcnOpenEndpoint.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnOpenEndpoint.Addr(), 3, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(endpoint)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnModifyEndpoint(endpoint hcnEndpoint, settings string, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnModifyEndpoint(endpoint, _p0, result)
+}
+
+func _hcnModifyEndpoint(endpoint hcnEndpoint, settings *uint16, result **uint16) (hr error) {
+	if hr = procHcnModifyEndpoint.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnModifyEndpoint.Addr(), 3, uintptr(endpoint), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnQueryEndpointProperties(endpoint hcnEndpoint, query string, properties **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnQueryEndpointProperties(endpoint, _p0, properties, result)
+}
+
+func _hcnQueryEndpointProperties(endpoint hcnEndpoint, query *uint16, properties **uint16, result **uint16) (hr error) {
+	if hr = procHcnQueryEndpointProperties.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnQueryEndpointProperties.Addr(), 4, uintptr(endpoint), uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(properties)), uintptr(unsafe.Pointer(result)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnDeleteEndpoint(id *_guid, result **uint16) (hr error) {
+	if hr = procHcnDeleteEndpoint.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnDeleteEndpoint.Addr(), 2, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCloseEndpoint(endpoint hcnEndpoint) (hr error) {
+	if hr = procHcnCloseEndpoint.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnCloseEndpoint.Addr(), 1, uintptr(endpoint), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnEnumerateNamespaces(query string, namespaces **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnEnumerateNamespaces(_p0, namespaces, result)
+}
+
+func _hcnEnumerateNamespaces(query *uint16, namespaces **uint16, result **uint16) (hr error) {
+	if hr = procHcnEnumerateNamespaces.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnEnumerateNamespaces.Addr(), 3, uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(namespaces)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCreateNamespace(id *_guid, settings string, namespace *hcnNamespace, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnCreateNamespace(id, _p0, namespace, result)
+}
+
+func _hcnCreateNamespace(id *_guid, settings *uint16, namespace *hcnNamespace, result **uint16) (hr error) {
+	if hr = procHcnCreateNamespace.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnCreateNamespace.Addr(), 4, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(namespace)), uintptr(unsafe.Pointer(result)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnOpenNamespace(id *_guid, namespace *hcnNamespace, result **uint16) (hr error) {
+	if hr = procHcnOpenNamespace.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnOpenNamespace.Addr(), 3, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(namespace)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnModifyNamespace(namespace hcnNamespace, settings string, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnModifyNamespace(namespace, _p0, result)
+}
+
+func _hcnModifyNamespace(namespace hcnNamespace, settings *uint16, result **uint16) (hr error) {
+	if hr = procHcnModifyNamespace.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnModifyNamespace.Addr(), 3, uintptr(namespace), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnQueryNamespaceProperties(namespace hcnNamespace, query string, properties **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnQueryNamespaceProperties(namespace, _p0, properties, result)
+}
+
+func _hcnQueryNamespaceProperties(namespace hcnNamespace, query *uint16, properties **uint16, result **uint16) (hr error) {
+	if hr = procHcnQueryNamespaceProperties.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnQueryNamespaceProperties.Addr(), 4, uintptr(namespace), uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(properties)), uintptr(unsafe.Pointer(result)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnDeleteNamespace(id *_guid, result **uint16) (hr error) {
+	if hr = procHcnDeleteNamespace.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnDeleteNamespace.Addr(), 2, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCloseNamespace(namespace hcnNamespace) (hr error) {
+	if hr = procHcnCloseNamespace.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnCloseNamespace.Addr(), 1, uintptr(namespace), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnEnumerateLoadBalancers(query string, loadBalancers **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnEnumerateLoadBalancers(_p0, loadBalancers, result)
+}
+
+func _hcnEnumerateLoadBalancers(query *uint16, loadBalancers **uint16, result **uint16) (hr error) {
+	if hr = procHcnEnumerateLoadBalancers.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnEnumerateLoadBalancers.Addr(), 3, uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(loadBalancers)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCreateLoadBalancer(id *_guid, settings string, loadBalancer *hcnLoadBalancer, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnCreateLoadBalancer(id, _p0, loadBalancer, result)
+}
+
+func _hcnCreateLoadBalancer(id *_guid, settings *uint16, loadBalancer *hcnLoadBalancer, result **uint16) (hr error) {
+	if hr = procHcnCreateLoadBalancer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnCreateLoadBalancer.Addr(), 4, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(loadBalancer)), uintptr(unsafe.Pointer(result)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnOpenLoadBalancer(id *_guid, loadBalancer *hcnLoadBalancer, result **uint16) (hr error) {
+	if hr = procHcnOpenLoadBalancer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnOpenLoadBalancer.Addr(), 3, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(loadBalancer)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnModifyLoadBalancer(loadBalancer hcnLoadBalancer, settings string, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcnModifyLoadBalancer(loadBalancer, _p0, result)
+}
+
+func _hcnModifyLoadBalancer(loadBalancer hcnLoadBalancer, settings *uint16, result **uint16) (hr error) {
+	if hr = procHcnModifyLoadBalancer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnModifyLoadBalancer.Addr(), 3, uintptr(loadBalancer), uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnQueryLoadBalancerProperties(loadBalancer hcnLoadBalancer, query string, properties **uint16, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(query)
+	if hr != nil {
+		return
+	}
+	return _hcnQueryLoadBalancerProperties(loadBalancer, _p0, properties, result)
+}
+
+func _hcnQueryLoadBalancerProperties(loadBalancer hcnLoadBalancer, query *uint16, properties **uint16, result **uint16) (hr error) {
+	if hr = procHcnQueryLoadBalancerProperties.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnQueryLoadBalancerProperties.Addr(), 4, uintptr(loadBalancer), uintptr(unsafe.Pointer(query)), uintptr(unsafe.Pointer(properties)), uintptr(unsafe.Pointer(result)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnDeleteLoadBalancer(id *_guid, result **uint16) (hr error) {
+	if hr = procHcnDeleteLoadBalancer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnDeleteLoadBalancer.Addr(), 2, uintptr(unsafe.Pointer(id)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCloseLoadBalancer(loadBalancer hcnLoadBalancer) (hr error) {
+	if hr = procHcnCloseLoadBalancer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnCloseLoadBalancer.Addr(), 1, uintptr(loadBalancer), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnOpenService(service *hcnService, result **uint16) (hr error) {
+	if hr = procHcnOpenService.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnOpenService.Addr(), 2, uintptr(unsafe.Pointer(service)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnRegisterServiceCallback(service hcnService, callback int32, context int32, callbackHandle *hcnCallbackHandle) (hr error) {
+	if hr = procHcnRegisterServiceCallback.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcnRegisterServiceCallback.Addr(), 4, uintptr(service), uintptr(callback), uintptr(context), uintptr(unsafe.Pointer(callbackHandle)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnUnregisterServiceCallback(callbackHandle hcnCallbackHandle) (hr error) {
+	if hr = procHcnUnregisterServiceCallback.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnUnregisterServiceCallback.Addr(), 1, uintptr(callbackHandle), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcnCloseService(service hcnService) (hr error) {
+	if hr = procHcnCloseService.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcnCloseService.Addr(), 1, uintptr(service), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}

vendor/github.com/Microsoft/hcsshim/hnsendpoint.go

@@ -39,11 +39,21 @@ func HNSListEndpointRequest() ([]HNSEndpoint, error) {
 
 // HotAttachEndpoint makes a HCS Call to attach the endpoint to the container
 func HotAttachEndpoint(containerID string, endpointID string) error {
+	endpoint, err := GetHNSEndpointByID(endpointID)
+	isAttached, err := endpoint.IsAttached(containerID)
+	if isAttached {
+		return err
+	}
 	return modifyNetworkEndpoint(containerID, endpointID, Add)
 }
 
 // HotDetachEndpoint makes a HCS Call to detach the endpoint from the container
 func HotDetachEndpoint(containerID string, endpointID string) error {
+	endpoint, err := GetHNSEndpointByID(endpointID)
+	isAttached, err := endpoint.IsAttached(containerID)
+	if !isAttached {
+		return err
+	}
 	return modifyNetworkEndpoint(containerID, endpointID, Remove)
 }
 

vendor/github.com/Microsoft/hcsshim/internal/cni/registry.go

@@ -0,0 +1,110 @@
+package cni
+
+import (
+	"errors"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/hcsshim/internal/regstate"
+)
+
+const (
+	cniRoot = "cni"
+	cniKey  = "cfg"
+)
+
+// PersistedNamespaceConfig is the registry version of the `NamespaceID` to UVM
+// map.
+type PersistedNamespaceConfig struct {
+	namespaceID string
+	stored      bool
+
+	ContainerID  string
+	HostUniqueID guid.GUID
+}
+
+// NewPersistedNamespaceConfig creates an in-memory namespace config that can be
+// persisted to the registry.
+func NewPersistedNamespaceConfig(namespaceID, containerID string, containerHostUniqueID guid.GUID) *PersistedNamespaceConfig {
+	return &PersistedNamespaceConfig{
+		namespaceID:  namespaceID,
+		ContainerID:  containerID,
+		HostUniqueID: containerHostUniqueID,
+	}
+}
+
+// LoadPersistedNamespaceConfig loads a persisted config from the registry that matches
+// `namespaceID`. If not found returns `regstate.NotFoundError`
+func LoadPersistedNamespaceConfig(namespaceID string) (*PersistedNamespaceConfig, error) {
+	sk, err := regstate.Open(cniRoot, false)
+	if err != nil {
+		return nil, err
+	}
+	defer sk.Close()
+
+	pnc := PersistedNamespaceConfig{
+		namespaceID: namespaceID,
+		stored:      true,
+	}
+	if err := sk.Get(namespaceID, cniKey, &pnc); err != nil {
+		return nil, err
+	}
+	return &pnc, nil
+}
+
+// Store stores or updates the in-memory config to its registry state. If the
+// store failes returns the store error.
+func (pnc *PersistedNamespaceConfig) Store() error {
+	if pnc.namespaceID == "" {
+		return errors.New("invalid namespaceID ''")
+	}
+	if pnc.ContainerID == "" {
+		return errors.New("invalid containerID ''")
+	}
+	empty := guid.GUID{}
+	if pnc.HostUniqueID == empty {
+		return errors.New("invalid containerHostUniqueID 'empy'")
+	}
+	sk, err := regstate.Open(cniRoot, false)
+	if err != nil {
+		return err
+	}
+	defer sk.Close()
+
+	if pnc.stored {
+		if err := sk.Set(pnc.namespaceID, cniKey, pnc); err != nil {
+			return err
+		}
+	} else {
+		if err := sk.Create(pnc.namespaceID, cniKey, pnc); err != nil {
+			return err
+		}
+	}
+	pnc.stored = true
+	return nil
+}
+
+// Remove removes any persisted state associated with this config. If the config
+// is not found in the registery `Remove` returns no error.
+func (pnc *PersistedNamespaceConfig) Remove() error {
+	if pnc.stored {
+		sk, err := regstate.Open(cniRoot, false)
+		if err != nil {
+			if regstate.IsNotFoundError(err) {
+				pnc.stored = false
+				return nil
+			}
+			return err
+		}
+		defer sk.Close()
+
+		if err := sk.Remove(pnc.namespaceID); err != nil {
+			if regstate.IsNotFoundError(err) {
+				pnc.stored = false
+				return nil
+			}
+			return err
+		}
+	}
+	pnc.stored = false
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/internal/cow/cow.go

@@ -0,0 +1,80 @@
+package cow
+
+import (
+	"context"
+	"io"
+
+	"github.com/Microsoft/hcsshim/internal/schema1"
+)
+
+// Process is the interface for an OS process running in a container or utility VM.
+type Process interface {
+	// Close releases resources associated with the process and closes the
+	// writer and readers returned by Stdio. Depending on the implementation,
+	// this may also terminate the process.
+	Close() error
+	// CloseStdin causes the process's stdin handle to receive EOF/EPIPE/whatever
+	// is appropriate to indicate that no more data is available.
+	CloseStdin(ctx context.Context) error
+	// Pid returns the process ID.
+	Pid() int
+	// Stdio returns the stdio streams for a process. These may be nil if a stream
+	// was not requested during CreateProcess.
+	Stdio() (_ io.Writer, _ io.Reader, _ io.Reader)
+	// ResizeConsole resizes the virtual terminal associated with the process.
+	ResizeConsole(ctx context.Context, width, height uint16) error
+	// Kill sends a SIGKILL or equivalent signal to the process and returns whether
+	// the signal was delivered. It does not wait for the process to terminate.
+	Kill(ctx context.Context) (bool, error)
+	// Signal sends a signal to the process and returns whether the signal was
+	// delivered. The input is OS specific (either
+	// guestrequest.SignalProcessOptionsWCOW or
+	// guestrequest.SignalProcessOptionsLCOW). It does not wait for the process
+	// to terminate.
+	Signal(ctx context.Context, options interface{}) (bool, error)
+	// Wait waits for the process to complete, or for a connection to the process to be
+	// terminated by some error condition (including calling Close).
+	Wait() error
+	// ExitCode returns the exit code of the process. Returns an error if the process is
+	// not running.
+	ExitCode() (int, error)
+}
+
+// ProcessHost is the interface for creating processes.
+type ProcessHost interface {
+	// CreateProcess creates a process. The configuration is host specific
+	// (either hcsschema.ProcessParameters or lcow.ProcessParameters).
+	CreateProcess(ctx context.Context, config interface{}) (Process, error)
+	// OS returns the host's operating system, "linux" or "windows".
+	OS() string
+	// IsOCI specifies whether this is an OCI-compliant process host. If true,
+	// then the configuration passed to CreateProcess should have an OCI process
+	// spec (or nil if this is the initial process in an OCI container).
+	// Otherwise, it should have the HCS-specific process parameters.
+	IsOCI() bool
+}
+
+// Container is the interface for container objects, either running on the host or
+// in a utility VM.
+type Container interface {
+	ProcessHost
+	// Close releases the resources associated with the container. Depending on
+	// the implementation, this may also terminate the container.
+	Close() error
+	// ID returns the container ID.
+	ID() string
+	// Properties returns the requested container properties.
+	Properties(ctx context.Context, types ...schema1.PropertyType) (*schema1.ContainerProperties, error)
+	// Start starts a container.
+	Start(ctx context.Context) error
+	// Shutdown sends a shutdown request to the container (but does not wait for
+	// the shutdown to complete).
+	Shutdown(ctx context.Context) error
+	// Terminate sends a terminate request to the container (but does not wait
+	// for the terminate to complete).
+	Terminate(ctx context.Context) error
+	// Wait waits for the container to terminate, or for the connection to the
+	// container to be terminated by some error condition (including calling
+	// Close).
+	Wait() error
+}

vendor/github.com/Microsoft/hcsshim/internal/guestrequest/types.go

@@ -1,100 +0,0 @@
-package guestrequest
-
-import (
-	"github.com/Microsoft/hcsshim/internal/schema2"
-)
-
-// Arguably, many of these (at least CombinedLayers) should have been generated
-// by swagger.
-//
-// This will also change package name due to an inbound breaking change.
-
-// This class is used by a modify request to add or remove a combined layers
-// structure in the guest. For windows, the GCS applies a filter in ContainerRootPath
-// using the specified layers as the parent content. Ignores property ScratchPath
-// since the container path is already the scratch path. For linux, the GCS unions
-// the specified layers and ScratchPath together, placing the resulting union
-// filesystem at ContainerRootPath.
-type CombinedLayers struct {
-	ContainerRootPath string            `json:"ContainerRootPath,omitempty"`
-	Layers            []hcsschema.Layer `json:"Layers,omitempty"`
-	ScratchPath       string            `json:"ScratchPath,omitempty"`
-}
-
-// Defines the schema for hosted settings passed to GCS and/or OpenGCS
-
-// SCSI. Scratch space for remote file-system commands, or R/W layer for containers
-type LCOWMappedVirtualDisk struct {
-	MountPath  string `json:"MountPath,omitempty"` // /tmp/scratch for an LCOW utility VM being used as a service VM
-	Lun        uint8  `json:"Lun,omitempty"`
-	Controller uint8  `json:"Controller,omitempty"`
-	ReadOnly   bool   `json:"ReadOnly,omitempty"`
-}
-
-type WCOWMappedVirtualDisk struct {
-	ContainerPath string `json:"ContainerPath,omitempty"`
-	Lun           int32  `json:"Lun,omitempty"`
-}
-
-type LCOWMappedDirectory struct {
-	MountPath string `json:"MountPath,omitempty"`
-	Port      int32  `json:"Port,omitempty"`
-	ShareName string `json:"ShareName,omitempty"` // If empty not using ANames (not currently supported)
-	ReadOnly  bool   `json:"ReadOnly,omitempty"`
-}
-
-// Read-only layers over VPMem
-type LCOWMappedVPMemDevice struct {
-	DeviceNumber uint32 `json:"DeviceNumber,omitempty"`
-	MountPath    string `json:"MountPath,omitempty"` // /tmp/pN
-}
-
-type LCOWNetworkAdapter struct {
-	NamespaceID     string `json:",omitempty"`
-	ID              string `json:",omitempty"`
-	MacAddress      string `json:",omitempty"`
-	IPAddress       string `json:",omitempty"`
-	PrefixLength    uint8  `json:",omitempty"`
-	GatewayAddress  string `json:",omitempty"`
-	DNSSuffix       string `json:",omitempty"`
-	DNSServerList   string `json:",omitempty"`
-	EnableLowMetric bool   `json:",omitempty"`
-	EncapOverhead   uint16 `json:",omitempty"`
-}
-
-type ResourceType string
-
-const (
-	// These are constants for v2 schema modify guest requests.
-	ResourceTypeMappedDirectory   ResourceType = "MappedDirectory"
-	ResourceTypeMappedVirtualDisk ResourceType = "MappedVirtualDisk"
-	ResourceTypeNetwork           ResourceType = "Network"
-	ResourceTypeNetworkNamespace  ResourceType = "NetworkNamespace"
-	ResourceTypeCombinedLayers    ResourceType = "CombinedLayers"
-	ResourceTypeVPMemDevice       ResourceType = "VPMemDevice"
-)
-
-// GuestRequest is for modify commands passed to the guest.
-type GuestRequest struct {
-	RequestType  string       `json:"RequestType,omitempty"`
-	ResourceType ResourceType `json:"ResourceType,omitempty"`
-	Settings     interface{}  `json:"Settings,omitempty"`
-}
-
-type NetworkModifyRequest struct {
-	AdapterId   string      `json:"AdapterId,omitempty"`
-	RequestType string      `json:"RequestType,omitempty"`
-	Settings    interface{} `json:"Settings,omitempty"`
-}
-
-type RS4NetworkModifyRequest struct {
-	AdapterInstanceId string      `json:"AdapterInstanceId,omitempty"`
-	RequestType       string      `json:"RequestType,omitempty"`
-	Settings          interface{} `json:"Settings,omitempty"`
-}
-
-// SignalProcessOptions is the options passed to either WCOW or LCOW
-// to signal a given process.
-type SignalProcessOptions struct {
-	Signal int `json:,omitempty`
-}

vendor/github.com/Microsoft/hcsshim/internal/guid/guid.go

@@ -1,69 +0,0 @@
-package guid
-
-import (
-	"crypto/rand"
-	"encoding/json"
-	"fmt"
-	"io"
-	"strconv"
-	"strings"
-)
-
-var _ = (json.Marshaler)(&GUID{})
-var _ = (json.Unmarshaler)(&GUID{})
-
-type GUID [16]byte
-
-func New() GUID {
-	g := GUID{}
-	_, err := io.ReadFull(rand.Reader, g[:])
-	if err != nil {
-		panic(err)
-	}
-	return g
-}
-
-func (g GUID) String() string {
-	return fmt.Sprintf("%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x-%02x", g[3], g[2], g[1], g[0], g[5], g[4], g[7], g[6], g[8:10], g[10:])
-}
-
-func FromString(s string) GUID {
-	if len(s) != 36 {
-		panic(fmt.Sprintf("invalid GUID length: %d", len(s)))
-	}
-	if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
-		panic("invalid GUID format")
-	}
-	indexOrder := [16]int{
-		0, 2, 4, 6,
-		9, 11,
-		14, 16,
-		19, 21,
-		24, 26, 28, 30, 32, 34,
-	}
-	byteOrder := [16]int{
-		3, 2, 1, 0,
-		5, 4,
-		7, 6,
-		8, 9,
-		10, 11, 12, 13, 14, 15,
-	}
-	var g GUID
-	for i, x := range indexOrder {
-		b, err := strconv.ParseInt(s[x:x+2], 16, 16)
-		if err != nil {
-			panic(err)
-		}
-		g[byteOrder[i]] = byte(b)
-	}
-	return g
-}
-
-func (g GUID) MarshalJSON() ([]byte, error) {
-	return json.Marshal(g.String())
-}
-
-func (g *GUID) UnmarshalJSON(data []byte) error {
-	*g = FromString(strings.Trim(string(data), "\""))
-	return nil
-}

vendor/github.com/Microsoft/hcsshim/internal/hcs/callback.go

@@ -1,10 +1,13 @@
 package hcs
 
 import (
+	"fmt"
 	"sync"
 	"syscall"
 
 	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/Microsoft/hcsshim/internal/logfields"
+	"github.com/Microsoft/hcsshim/internal/vmcompute"
 	"github.com/sirupsen/logrus"
 )
 
@@ -40,35 +43,83 @@ var (
 )
 
 type hcsNotification uint32
+
+func (hn hcsNotification) String() string {
+	switch hn {
+	case hcsNotificationSystemExited:
+		return "SystemExited"
+	case hcsNotificationSystemCreateCompleted:
+		return "SystemCreateCompleted"
+	case hcsNotificationSystemStartCompleted:
+		return "SystemStartCompleted"
+	case hcsNotificationSystemPauseCompleted:
+		return "SystemPauseCompleted"
+	case hcsNotificationSystemResumeCompleted:
+		return "SystemResumeCompleted"
+	case hcsNotificationSystemCrashReport:
+		return "SystemCrashReport"
+	case hcsNotificationSystemSiloJobCreated:
+		return "SystemSiloJobCreated"
+	case hcsNotificationSystemSaveCompleted:
+		return "SystemSaveCompleted"
+	case hcsNotificationSystemRdpEnhancedModeStateChanged:
+		return "SystemRdpEnhancedModeStateChanged"
+	case hcsNotificationSystemShutdownFailed:
+		return "SystemShutdownFailed"
+	case hcsNotificationSystemGetPropertiesCompleted:
+		return "SystemGetPropertiesCompleted"
+	case hcsNotificationSystemModifyCompleted:
+		return "SystemModifyCompleted"
+	case hcsNotificationSystemCrashInitiated:
+		return "SystemCrashInitiated"
+	case hcsNotificationSystemGuestConnectionClosed:
+		return "SystemGuestConnectionClosed"
+	case hcsNotificationProcessExited:
+		return "ProcessExited"
+	case hcsNotificationInvalid:
+		return "Invalid"
+	case hcsNotificationServiceDisconnect:
+		return "ServiceDisconnect"
+	default:
+		return fmt.Sprintf("Unknown: %d", hn)
+	}
+}
+
 type notificationChannel chan error
 
 type notifcationWatcherContext struct {
 	channels notificationChannels
-	handle   hcsCallback
+	handle   vmcompute.HcsCallback
+
+	systemID  string
+	processID int
 }
 
 type notificationChannels map[hcsNotification]notificationChannel
 
-func newChannels() notificationChannels {
+func newSystemChannels() notificationChannels {
 	channels := make(notificationChannels)
+	for _, notif := range []hcsNotification{
+		hcsNotificationServiceDisconnect,
+		hcsNotificationSystemExited,
+		hcsNotificationSystemCreateCompleted,
+		hcsNotificationSystemStartCompleted,
+		hcsNotificationSystemPauseCompleted,
+		hcsNotificationSystemResumeCompleted,
+	} {
+		channels[notif] = make(notificationChannel, 1)
+	}
+	return channels
+}
 
-	channels[hcsNotificationSystemExited] = make(notificationChannel, 1)
+func newProcessChannels() notificationChannels {
-	channels[hcsNotificationSystemCreateCompleted] = make(notificationChannel, 1)
+	channels := make(notificationChannels)
-	channels[hcsNotificationSystemStartCompleted] = make(notificationChannel, 1)
+	for _, notif := range []hcsNotification{
-	channels[hcsNotificationSystemPauseCompleted] = make(notificationChannel, 1)
+		hcsNotificationServiceDisconnect,
-	channels[hcsNotificationSystemResumeCompleted] = make(notificationChannel, 1)
+		hcsNotificationProcessExited,
-	channels[hcsNotificationProcessExited] = make(notificationChannel, 1)
+	} {
-	channels[hcsNotificationServiceDisconnect] = make(notificationChannel, 1)
+		channels[notif] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemCrashReport] = make(notificationChannel, 1)
+	}
-	channels[hcsNotificationSystemSiloJobCreated] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemSaveCompleted] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemRdpEnhancedModeStateChanged] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemShutdownFailed] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemGetPropertiesCompleted] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemModifyCompleted] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemCrashInitiated] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemGuestConnectionClosed] = make(notificationChannel, 1)
-
 	return channels
 }
 
@@ -92,12 +143,17 @@ func notificationWatcher(notificationType hcsNotification, callbackNumber uintpt
 		return 0
 	}
 
+	log := logrus.WithFields(logrus.Fields{
+		"notification-type": notificationType.String(),
+		"system-id":         context.systemID,
+	})
+	if context.processID != 0 {
+		log.Data[logfields.ProcessID] = context.processID
+	}
+	log.Debug("HCS notification")
+
 	if channel, ok := context.channels[notificationType]; ok {
 		channel <- result
-	} else {
-		logrus.WithFields(logrus.Fields{
-			"notification-type": notificationType,
-		}).Warn("Received a callback of an unsupported type")
 	}
 
 	return 0

vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go

@@ -1,14 +1,14 @@
 package hcs
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"syscall"
 
-	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/Microsoft/hcsshim/internal/log"
-	"github.com/Microsoft/hcsshim/internal/logfields"
-	"github.com/sirupsen/logrus"
 )
 
 var (
@@ -117,17 +117,11 @@ func (ev *ErrorEvent) String() string {
 	return evs
 }
 
-func processHcsResult(resultp *uint16) []ErrorEvent {
+func processHcsResult(ctx context.Context, resultJSON string) []ErrorEvent {
-	if resultp != nil {
+	if resultJSON != "" {
-		resultj := interop.ConvertAndFreeCoTaskMemString(resultp)
-		logrus.WithField(logfields.JSON, resultj).
-			Debug("HCS Result")
 		result := &hcsResult{}
-		if err := json.Unmarshal([]byte(resultj), result); err != nil {
+		if err := json.Unmarshal([]byte(resultJSON), result); err != nil {
-			logrus.WithFields(logrus.Fields{
+			log.G(ctx).WithError(err).Warning("Could not unmarshal HCS result")
-				logfields.JSON:  resultj,
-				logrus.ErrorKey: err,
-			}).Warning("Could not unmarshal HCS result")
 			return nil
 		}
 		return result.ErrorEvents
@@ -141,6 +135,8 @@ type HcsError struct {
 	Events []ErrorEvent
 }
 
+var _ net.Error = &HcsError{}
+
 func (e *HcsError) Error() string {
 	s := e.Op + ": " + e.Err.Error()
 	for _, ev := range e.Events {
@@ -149,6 +145,16 @@ func (e *HcsError) Error() string {
 	return s
 }
 
+func (e *HcsError) Temporary() bool {
+	err, ok := e.Err.(net.Error)
+	return ok && err.Temporary()
+}
+
+func (e *HcsError) Timeout() bool {
+	err, ok := e.Err.(net.Error)
+	return ok && err.Timeout()
+}
+
 // ProcessError is an error encountered in HCS during an operation on a Process object
 type ProcessError struct {
 	SystemID string
@@ -158,6 +164,8 @@ type ProcessError struct {
 	Events   []ErrorEvent
 }
 
+var _ net.Error = &ProcessError{}
+
 // SystemError is an error encountered in HCS during an operation on a Container object
 type SystemError struct {
 	ID     string
@@ -167,6 +175,8 @@ type SystemError struct {
 	Events []ErrorEvent
 }
 
+var _ net.Error = &SystemError{}
+
 func (e *SystemError) Error() string {
 	s := e.Op + " " + e.ID + ": " + e.Err.Error()
 	for _, ev := range e.Events {
@@ -178,6 +188,16 @@ func (e *SystemError) Error() string {
 	return s
 }
 
+func (e *SystemError) Temporary() bool {
+	err, ok := e.Err.(net.Error)
+	return ok && err.Temporary()
+}
+
+func (e *SystemError) Timeout() bool {
+	err, ok := e.Err.(net.Error)
+	return ok && err.Timeout()
+}
+
 func makeSystemError(system *System, op string, extra string, err error, events []ErrorEvent) error {
 	// Don't double wrap errors
 	if _, ok := err.(*SystemError); ok {
@@ -200,6 +220,16 @@ func (e *ProcessError) Error() string {
 	return s
 }
 
+func (e *ProcessError) Temporary() bool {
+	err, ok := e.Err.(net.Error)
+	return ok && err.Temporary()
+}
+
+func (e *ProcessError) Timeout() bool {
+	err, ok := e.Err.(net.Error)
+	return ok && err.Timeout()
+}
+
 func makeProcessError(process *Process, op string, err error, events []ErrorEvent) error {
 	// Don't double wrap errors
 	if _, ok := err.(*ProcessError); ok {
@@ -242,6 +272,9 @@ func IsPending(err error) bool {
 // IsTimeout returns a boolean indicating whether the error is caused by
 // a timeout waiting for the operation to complete.
 func IsTimeout(err error) bool {
+	if err, ok := err.(net.Error); ok && err.Timeout() {
+		return true
+	}
 	err = getInnerError(err)
 	return err == ErrTimeout
 }
@@ -272,6 +305,13 @@ func IsNotSupported(err error) bool {
 		err == ErrVmcomputeUnknownMessage
 }
 
+// IsOperationInvalidState returns true when err is caused by
+// `ErrVmcomputeOperationInvalidState`.
+func IsOperationInvalidState(err error) bool {
+	err = getInnerError(err)
+	return err == ErrVmcomputeOperationInvalidState
+}
+
 func getInnerError(err error) error {
 	switch pe := err.(type) {
 	case nil:
@@ -285,3 +325,12 @@ func getInnerError(err error) error {
 	}
 	return err
 }
+
+func getOperationLogResult(err error) (string, error) {
+	switch err {
+	case nil:
+		return "Success", nil
+	default:
+		return "Error", err
+	}
+}

vendor/github.com/Microsoft/hcsshim/internal/hcs/hcs.go

@@ -1,48 +0,0 @@
-// Shim for the Host Compute Service (HCS) to manage Windows Server
-// containers and Hyper-V containers.
-
-package hcs
-
-import (
-	"syscall"
-)
-
-//go:generate go run ../../mksyscall_windows.go -output zsyscall_windows.go hcs.go
-
-//sys hcsEnumerateComputeSystems(query string, computeSystems **uint16, result **uint16) (hr error) = vmcompute.HcsEnumerateComputeSystems?
-//sys hcsCreateComputeSystem(id string, configuration string, identity syscall.Handle, computeSystem *hcsSystem, result **uint16) (hr error) = vmcompute.HcsCreateComputeSystem?
-//sys hcsOpenComputeSystem(id string, computeSystem *hcsSystem, result **uint16) (hr error) = vmcompute.HcsOpenComputeSystem?
-//sys hcsCloseComputeSystem(computeSystem hcsSystem) (hr error) = vmcompute.HcsCloseComputeSystem?
-//sys hcsStartComputeSystem(computeSystem hcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsStartComputeSystem?
-//sys hcsShutdownComputeSystem(computeSystem hcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsShutdownComputeSystem?
-//sys hcsTerminateComputeSystem(computeSystem hcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsTerminateComputeSystem?
-//sys hcsPauseComputeSystem(computeSystem hcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsPauseComputeSystem?
-//sys hcsResumeComputeSystem(computeSystem hcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsResumeComputeSystem?
-//sys hcsGetComputeSystemProperties(computeSystem hcsSystem, propertyQuery string, properties **uint16, result **uint16) (hr error) = vmcompute.HcsGetComputeSystemProperties?
-//sys hcsModifyComputeSystem(computeSystem hcsSystem, configuration string, result **uint16) (hr error) = vmcompute.HcsModifyComputeSystem?
-//sys hcsRegisterComputeSystemCallback(computeSystem hcsSystem, callback uintptr, context uintptr, callbackHandle *hcsCallback) (hr error) = vmcompute.HcsRegisterComputeSystemCallback?
-//sys hcsUnregisterComputeSystemCallback(callbackHandle hcsCallback) (hr error) = vmcompute.HcsUnregisterComputeSystemCallback?
-
-//sys hcsCreateProcess(computeSystem hcsSystem, processParameters string, processInformation *hcsProcessInformation, process *hcsProcess, result **uint16) (hr error) = vmcompute.HcsCreateProcess?
-//sys hcsOpenProcess(computeSystem hcsSystem, pid uint32, process *hcsProcess, result **uint16) (hr error) = vmcompute.HcsOpenProcess?
-//sys hcsCloseProcess(process hcsProcess) (hr error) = vmcompute.HcsCloseProcess?
-//sys hcsTerminateProcess(process hcsProcess, result **uint16) (hr error) = vmcompute.HcsTerminateProcess?
-//sys hcsSignalProcess(process hcsProcess, options string, result **uint16) (hr error) = vmcompute.HcsTerminateProcess?
-//sys hcsGetProcessInfo(process hcsProcess, processInformation *hcsProcessInformation, result **uint16) (hr error) = vmcompute.HcsGetProcessInfo?
-//sys hcsGetProcessProperties(process hcsProcess, processProperties **uint16, result **uint16) (hr error) = vmcompute.HcsGetProcessProperties?
-//sys hcsModifyProcess(process hcsProcess, settings string, result **uint16) (hr error) = vmcompute.HcsModifyProcess?
-//sys hcsGetServiceProperties(propertyQuery string, properties **uint16, result **uint16) (hr error) = vmcompute.HcsGetServiceProperties?
-//sys hcsRegisterProcessCallback(process hcsProcess, callback uintptr, context uintptr, callbackHandle *hcsCallback) (hr error) = vmcompute.HcsRegisterProcessCallback?
-//sys hcsUnregisterProcessCallback(callbackHandle hcsCallback) (hr error) = vmcompute.HcsUnregisterProcessCallback?
-
-type hcsSystem syscall.Handle
-type hcsProcess syscall.Handle
-type hcsCallback syscall.Handle
-
-type hcsProcessInformation struct {
-	ProcessId uint32
-	Reserved  uint32
-	StdInput  syscall.Handle
-	StdOutput syscall.Handle
-	StdError  syscall.Handle
-}

vendor/github.com/Microsoft/hcsshim/internal/hcs/log.go

@@ -1,20 +0,0 @@
-package hcs
-
-import "github.com/sirupsen/logrus"
-
-func logOperationBegin(ctx logrus.Fields, msg string) {
-	logrus.WithFields(ctx).Debug(msg)
-}
-
-func logOperationEnd(ctx logrus.Fields, msg string, err error) {
-	// Copy the log and fields first.
-	log := logrus.WithFields(ctx)
-	if err == nil {
-		log.Debug(msg)
-	} else {
-		// Edit only the copied field data to avoid race conditions on the
-		// write.
-		log.Data[logrus.ErrorKey] = err
-		log.Error(msg)
-	}
-}

vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go

@@ -1,52 +1,45 @@
 package hcs
 
 import (
+	"context"
 	"encoding/json"
 	"io"
 	"sync"
 	"syscall"
 	"time"
 
-	"github.com/Microsoft/hcsshim/internal/guestrequest"
+	"github.com/Microsoft/hcsshim/internal/log"
-	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/Microsoft/hcsshim/internal/oc"
-	"github.com/Microsoft/hcsshim/internal/logfields"
+	"github.com/Microsoft/hcsshim/internal/vmcompute"
-	"github.com/sirupsen/logrus"
+	"go.opencensus.io/trace"
 )
 
 // ContainerError is an error encountered in HCS
 type Process struct {
 	handleLock     sync.RWMutex
-	handle         hcsProcess
+	handle         vmcompute.HcsProcess
 	processID      int
 	system         *System
-	cachedPipes    *cachedPipes
+	stdin          io.WriteCloser
+	stdout         io.ReadCloser
+	stderr         io.ReadCloser
 	callbackNumber uintptr
 
-	logctx logrus.Fields
+	closedWaitOnce sync.Once
-
 	waitBlock      chan struct{}
+	exitCode       int
 	waitError      error
 }
 
-func newProcess(process hcsProcess, processID int, computeSystem *System) *Process {
+func newProcess(process vmcompute.HcsProcess, processID int, computeSystem *System) *Process {
 	return &Process{
 		handle:    process,
 		processID: processID,
 		system:    computeSystem,
-		logctx: logrus.Fields{
-			logfields.ContainerID: computeSystem.ID(),
-			logfields.ProcessID:   processID,
-		},
 		waitBlock: make(chan struct{}),
 	}
 }
 
-type cachedPipes struct {
-	stdIn  syscall.Handle
-	stdOut syscall.Handle
-	stdErr syscall.Handle
-}
-
 type processModifyRequest struct {
 	Operation   string
 	ConsoleSize *consoleSize `json:",omitempty"`
@@ -62,7 +55,7 @@ type closeHandle struct {
 	Handle string
 }
 
-type ProcessStatus struct {
+type processStatus struct {
 	ProcessID      uint32
 	Exited         bool
 	ExitCode       uint32
@@ -90,134 +83,153 @@ func (process *Process) SystemID() string {
 	return process.system.ID()
 }
 
-func (process *Process) logOperationBegin(operation string) {
+func (process *Process) processSignalResult(ctx context.Context, err error) (bool, error) {
-	logOperationBegin(
+	switch err {
-		process.logctx,
+	case nil:
-		operation+" - Begin Operation")
+		return true, nil
+	case ErrVmcomputeOperationInvalidState, ErrComputeSystemDoesNotExist, ErrElementNotFound:
+		select {
+		case <-process.waitBlock:
+			// The process exit notification has already arrived.
+		default:
+			// The process should be gone, but we have not received the notification.
+			// After a second, force unblock the process wait to work around a possible
+			// deadlock in the HCS.
+			go func() {
+				time.Sleep(time.Second)
+				process.closedWaitOnce.Do(func() {
+					log.G(ctx).WithError(err).Warn("force unblocking process waits")
+					process.exitCode = -1
+					process.waitError = err
+					close(process.waitBlock)
+				})
+			}()
 		}
-
+		return false, nil
-func (process *Process) logOperationEnd(operation string, err error) {
+	default:
-	var result string
+		return false, err
-	if err == nil {
-		result = "Success"
-	} else {
-		result = "Error"
 	}
-
-	logOperationEnd(
-		process.logctx,
-		operation+" - End Operation - "+result,
-		err)
 }
 
 // Signal signals the process with `options`.
-func (process *Process) Signal(options guestrequest.SignalProcessOptions) (err error) {
+//
+// For LCOW `guestrequest.SignalProcessOptionsLCOW`.
+//
+// For WCOW `guestrequest.SignalProcessOptionsWCOW`.
+func (process *Process) Signal(ctx context.Context, options interface{}) (bool, error) {
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()
 
 	operation := "hcsshim::Process::Signal"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
 
 	if process.handle == 0 {
-		return makeProcessError(process, operation, ErrAlreadyClosed, nil)
+		return false, makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 
 	optionsb, err := json.Marshal(options)
 	if err != nil {
-		return err
+		return false, err
 	}
 
-	optionsStr := string(optionsb)
+	resultJSON, err := vmcompute.HcsSignalProcess(ctx, process.handle, string(optionsb))
-
+	events := processHcsResult(ctx, resultJSON)
-	var resultp *uint16
+	delivered, err := process.processSignalResult(ctx, err)
-	syscallWatcher(process.logctx, func() {
-		err = hcsSignalProcess(process.handle, optionsStr, &resultp)
-	})
-	events := processHcsResult(resultp)
 	if err != nil {
-		return makeProcessError(process, operation, err, events)
+		err = makeProcessError(process, operation, err, events)
 	}
-
+	return delivered, err
-	return nil
 }
 
 // Kill signals the process to terminate but does not wait for it to finish terminating.
-func (process *Process) Kill() (err error) {
+func (process *Process) Kill(ctx context.Context) (bool, error) {
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()
 
 	operation := "hcsshim::Process::Kill"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
 
 	if process.handle == 0 {
-		return makeProcessError(process, operation, ErrAlreadyClosed, nil)
+		return false, makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 
-	var resultp *uint16
+	resultJSON, err := vmcompute.HcsTerminateProcess(ctx, process.handle)
-	syscallWatcher(process.logctx, func() {
+	events := processHcsResult(ctx, resultJSON)
-		err = hcsTerminateProcess(process.handle, &resultp)
+	delivered, err := process.processSignalResult(ctx, err)
-	})
-	events := processHcsResult(resultp)
 	if err != nil {
-		return makeProcessError(process, operation, err, events)
+		err = makeProcessError(process, operation, err, events)
 	}
-
+	return delivered, err
-	return nil
 }
 
 // waitBackground waits for the process exit notification. Once received sets
-// `process.waitError` (if any) and unblocks all `Wait` and `WaitTimeout` calls.
+// `process.waitError` (if any) and unblocks all `Wait` calls.
 //
-// This MUST be called exactly once per `process.handle` but `Wait` and
+// This MUST be called exactly once per `process.handle` but `Wait` is safe to
-// `WaitTimeout` are safe to call multiple times.
+// call multiple times.
 func (process *Process) waitBackground() {
-	process.waitError = waitForNotification(process.callbackNumber, hcsNotificationProcessExited, nil)
+	operation := "hcsshim::Process::waitBackground"
+	ctx, span := trace.StartSpan(context.Background(), operation)
+	defer span.End()
+	span.AddAttributes(
+		trace.StringAttribute("cid", process.SystemID()),
+		trace.Int64Attribute("pid", int64(process.processID)))
+
+	var (
+		err      error
+		exitCode = -1
+	)
+
+	err = waitForNotification(ctx, process.callbackNumber, hcsNotificationProcessExited, nil)
+	if err != nil {
+		err = makeProcessError(process, operation, err, nil)
+		log.G(ctx).WithError(err).Error("failed wait")
+	} else {
+		process.handleLock.RLock()
+		defer process.handleLock.RUnlock()
+
+		// Make sure we didnt race with Close() here
+		if process.handle != 0 {
+			propertiesJSON, resultJSON, err := vmcompute.HcsGetProcessProperties(ctx, process.handle)
+			events := processHcsResult(ctx, resultJSON)
+			if err != nil {
+				err = makeProcessError(process, operation, err, events)
+			} else {
+				properties := &processStatus{}
+				err = json.Unmarshal([]byte(propertiesJSON), properties)
+				if err != nil {
+					err = makeProcessError(process, operation, err, nil)
+				} else {
+					if properties.LastWaitResult != 0 {
+						log.G(ctx).WithField("wait-result", properties.LastWaitResult).Warning("non-zero last wait result")
+					} else {
+						exitCode = int(properties.ExitCode)
+					}
+				}
+			}
+		}
+	}
+	log.G(ctx).WithField("exitCode", exitCode).Debug("process exited")
+
+	process.closedWaitOnce.Do(func() {
+		process.exitCode = exitCode
+		process.waitError = err
 		close(process.waitBlock)
+	})
+	oc.SetSpanStatus(span, err)
 }
 
 // Wait waits for the process to exit. If the process has already exited returns
 // the pervious error (if any).
-func (process *Process) Wait() (err error) {
+func (process *Process) Wait() error {
-	operation := "hcsshim::Process::Wait"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
-
 	<-process.waitBlock
-	if process.waitError != nil {
+	return process.waitError
-		return makeProcessError(process, operation, err, nil)
-	}
-	return nil
-}
-
-// WaitTimeout waits for the process to exit or the duration to elapse. If the
-// process has already exited returns the pervious error (if any). If a timeout
-// occurs returns `ErrTimeout`.
-func (process *Process) WaitTimeout(timeout time.Duration) (err error) {
-	operation := "hcssshim::Process::WaitTimeout"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
-
-	select {
-	case <-process.waitBlock:
-		if process.waitError != nil {
-			return makeProcessError(process, operation, process.waitError, nil)
-		}
-		return nil
-	case <-time.After(timeout):
-		return makeProcessError(process, operation, ErrTimeout, nil)
-	}
 }
 
 // ResizeConsole resizes the console of the process.
-func (process *Process) ResizeConsole(width, height uint16) (err error) {
+func (process *Process) ResizeConsole(ctx context.Context, width, height uint16) error {
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()
 
 	operation := "hcsshim::Process::ResizeConsole"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
 
 	if process.handle == 0 {
 		return makeProcessError(process, operation, ErrAlreadyClosed, nil)
@@ -236,11 +248,8 @@ func (process *Process) ResizeConsole(width, height uint16) (err error) {
 		return err
 	}
 
-	modifyRequestStr := string(modifyRequestb)
+	resultJSON, err := vmcompute.HcsModifyProcess(ctx, process.handle, string(modifyRequestb))
-
+	events := processHcsResult(ctx, resultJSON)
-	var resultp *uint16
-	err = hcsModifyProcess(process.handle, modifyRequestStr, &resultp)
-	events := processHcsResult(resultp)
 	if err != nil {
 		return makeProcessError(process, operation, err, events)
 	}
@@ -248,109 +257,46 @@ func (process *Process) ResizeConsole(width, height uint16) (err error) {
 	return nil
 }
 
-func (process *Process) Properties() (_ *ProcessStatus, err error) {
-	process.handleLock.RLock()
-	defer process.handleLock.RUnlock()
-
-	operation := "hcsshim::Process::Properties"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
-
-	if process.handle == 0 {
-		return nil, makeProcessError(process, operation, ErrAlreadyClosed, nil)
-	}
-
-	var (
-		resultp     *uint16
-		propertiesp *uint16
-	)
-	syscallWatcher(process.logctx, func() {
-		err = hcsGetProcessProperties(process.handle, &propertiesp, &resultp)
-	})
-	events := processHcsResult(resultp)
-	if err != nil {
-		return nil, makeProcessError(process, operation, err, events)
-	}
-
-	if propertiesp == nil {
-		return nil, ErrUnexpectedValue
-	}
-	propertiesRaw := interop.ConvertAndFreeCoTaskMemBytes(propertiesp)
-
-	properties := &ProcessStatus{}
-	if err := json.Unmarshal(propertiesRaw, properties); err != nil {
-		return nil, makeProcessError(process, operation, err, nil)
-	}
-
-	return properties, nil
-}
-
 // ExitCode returns the exit code of the process. The process must have
 // already terminated.
-func (process *Process) ExitCode() (_ int, err error) {
+func (process *Process) ExitCode() (int, error) {
-	operation := "hcsshim::Process::ExitCode"
+	select {
-	process.logOperationBegin(operation)
+	case <-process.waitBlock:
-	defer func() { process.logOperationEnd(operation, err) }()
+		if process.waitError != nil {
-
+			return -1, process.waitError
-	properties, err := process.Properties()
+		}
-	if err != nil {
+		return process.exitCode, nil
-		return -1, makeProcessError(process, operation, err, nil)
+	default:
+		return -1, makeProcessError(process, "hcsshim::Process::ExitCode", ErrInvalidProcessState, nil)
+	}
 }
 
-	if properties.Exited == false {
+// StdioLegacy returns the stdin, stdout, and stderr pipes, respectively. Closing
-		return -1, makeProcessError(process, operation, ErrInvalidProcessState, nil)
+// these pipes does not close the underlying pipes; but this function can only
-	}
+// be called once on each Process.
+func (process *Process) StdioLegacy() (_ io.WriteCloser, _ io.ReadCloser, _ io.ReadCloser, err error) {
+	operation := "hcsshim::Process::StdioLegacy"
+	ctx, span := trace.StartSpan(context.Background(), operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("cid", process.SystemID()),
+		trace.Int64Attribute("pid", int64(process.processID)))
 
-	if properties.LastWaitResult != 0 {
-		logrus.WithFields(logrus.Fields{
-			logfields.ContainerID: process.SystemID(),
-			logfields.ProcessID:   process.processID,
-			"wait-result":         properties.LastWaitResult,
-		}).Warn("hcsshim::Process::ExitCode - Non-zero last wait result")
-		return -1, nil
-	}
-
-	return int(properties.ExitCode), nil
-}
-
-// Stdio returns the stdin, stdout, and stderr pipes, respectively. Closing
-// these pipes does not close the underlying pipes; it should be possible to
-// call this multiple times to get multiple interfaces.
-func (process *Process) Stdio() (_ io.WriteCloser, _ io.ReadCloser, _ io.ReadCloser, err error) {
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()
 
-	operation := "hcsshim::Process::Stdio"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
-
 	if process.handle == 0 {
 		return nil, nil, nil, makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 
-	var stdIn, stdOut, stdErr syscall.Handle
+	processInfo, resultJSON, err := vmcompute.HcsGetProcessInfo(ctx, process.handle)
-
+	events := processHcsResult(ctx, resultJSON)
-	if process.cachedPipes == nil {
-		var (
-			processInfo hcsProcessInformation
-			resultp     *uint16
-		)
-		err = hcsGetProcessInfo(process.handle, &processInfo, &resultp)
-		events := processHcsResult(resultp)
 	if err != nil {
 		return nil, nil, nil, makeProcessError(process, operation, err, events)
 	}
 
-		stdIn, stdOut, stdErr = processInfo.StdInput, processInfo.StdOutput, processInfo.StdError
+	pipes, err := makeOpenFiles([]syscall.Handle{processInfo.StdInput, processInfo.StdOutput, processInfo.StdError})
-	} else {
-		// Use cached pipes
-		stdIn, stdOut, stdErr = process.cachedPipes.stdIn, process.cachedPipes.stdOut, process.cachedPipes.stdErr
-
-		// Invalidate the cache
-		process.cachedPipes = nil
-	}
-
-	pipes, err := makeOpenFiles([]syscall.Handle{stdIn, stdOut, stdErr})
 	if err != nil {
 		return nil, nil, nil, makeProcessError(process, operation, err, nil)
 	}
@@ -358,15 +304,19 @@ func (process *Process) Stdio() (_ io.WriteCloser, _ io.ReadCloser, _ io.ReadClo
 	return pipes[0], pipes[1], pipes[2], nil
 }
 
+// Stdio returns the stdin, stdout, and stderr pipes, respectively.
+// To close them, close the process handle.
+func (process *Process) Stdio() (stdin io.Writer, stdout, stderr io.Reader) {
+	return process.stdin, process.stdout, process.stderr
+}
+
 // CloseStdin closes the write side of the stdin pipe so that the process is
 // notified on the read side that there is no more data in stdin.
-func (process *Process) CloseStdin() (err error) {
+func (process *Process) CloseStdin(ctx context.Context) error {
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()
 
 	operation := "hcsshim::Process::CloseStdin"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
 
 	if process.handle == 0 {
 		return makeProcessError(process, operation, ErrAlreadyClosed, nil)
@@ -384,93 +334,113 @@ func (process *Process) CloseStdin() (err error) {
 		return err
 	}
 
-	modifyRequestStr := string(modifyRequestb)
+	resultJSON, err := vmcompute.HcsModifyProcess(ctx, process.handle, string(modifyRequestb))
-
+	events := processHcsResult(ctx, resultJSON)
-	var resultp *uint16
-	err = hcsModifyProcess(process.handle, modifyRequestStr, &resultp)
-	events := processHcsResult(resultp)
 	if err != nil {
 		return makeProcessError(process, operation, err, events)
 	}
 
+	if process.stdin != nil {
+		process.stdin.Close()
+	}
 	return nil
 }
 
 // Close cleans up any state associated with the process but does not kill
 // or wait on it.
 func (process *Process) Close() (err error) {
+	operation := "hcsshim::Process::Close"
+	ctx, span := trace.StartSpan(context.Background(), operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("cid", process.SystemID()),
+		trace.Int64Attribute("pid", int64(process.processID)))
+
 	process.handleLock.Lock()
 	defer process.handleLock.Unlock()
 
-	operation := "hcsshim::Process::Close"
-	process.logOperationBegin(operation)
-	defer func() { process.logOperationEnd(operation, err) }()
-
 	// Don't double free this
 	if process.handle == 0 {
 		return nil
 	}
 
-	if err = process.unregisterCallback(); err != nil {
+	if process.stdin != nil {
+		process.stdin.Close()
+	}
+	if process.stdout != nil {
+		process.stdout.Close()
+	}
+	if process.stderr != nil {
+		process.stderr.Close()
+	}
+
+	if err = process.unregisterCallback(ctx); err != nil {
 		return makeProcessError(process, operation, err, nil)
 	}
 
-	if err = hcsCloseProcess(process.handle); err != nil {
+	if err = vmcompute.HcsCloseProcess(ctx, process.handle); err != nil {
 		return makeProcessError(process, operation, err, nil)
 	}
 
 	process.handle = 0
+	process.closedWaitOnce.Do(func() {
+		process.exitCode = -1
+		process.waitError = ErrAlreadyClosed
+		close(process.waitBlock)
+	})
 
 	return nil
 }
 
-func (process *Process) registerCallback() error {
+func (process *Process) registerCallback(ctx context.Context) error {
-	context := &notifcationWatcherContext{
+	callbackContext := &notifcationWatcherContext{
-		channels: newChannels(),
+		channels:  newProcessChannels(),
+		systemID:  process.SystemID(),
+		processID: process.processID,
 	}
 
 	callbackMapLock.Lock()
 	callbackNumber := nextCallback
 	nextCallback++
-	callbackMap[callbackNumber] = context
+	callbackMap[callbackNumber] = callbackContext
 	callbackMapLock.Unlock()
 
-	var callbackHandle hcsCallback
+	callbackHandle, err := vmcompute.HcsRegisterProcessCallback(ctx, process.handle, notificationWatcherCallback, callbackNumber)
-	err := hcsRegisterProcessCallback(process.handle, notificationWatcherCallback, callbackNumber, &callbackHandle)
 	if err != nil {
 		return err
 	}
-	context.handle = callbackHandle
+	callbackContext.handle = callbackHandle
 	process.callbackNumber = callbackNumber
 
 	return nil
 }
 
-func (process *Process) unregisterCallback() error {
+func (process *Process) unregisterCallback(ctx context.Context) error {
 	callbackNumber := process.callbackNumber
 
 	callbackMapLock.RLock()
-	context := callbackMap[callbackNumber]
+	callbackContext := callbackMap[callbackNumber]
 	callbackMapLock.RUnlock()
 
-	if context == nil {
+	if callbackContext == nil {
 		return nil
 	}
 
-	handle := context.handle
+	handle := callbackContext.handle
 
 	if handle == 0 {
 		return nil
 	}
 
-	// hcsUnregisterProcessCallback has its own syncronization
+	// vmcompute.HcsUnregisterProcessCallback has its own synchronization to
-	// to wait for all callbacks to complete. We must NOT hold the callbackMapLock.
+	// wait for all callbacks to complete. We must NOT hold the callbackMapLock.
-	err := hcsUnregisterProcessCallback(handle)
+	err := vmcompute.HcsUnregisterProcessCallback(ctx, handle)
 	if err != nil {
 		return err
 	}
 
-	closeChannels(context.channels)
+	closeChannels(callbackContext.channels)
 
 	callbackMapLock.Lock()
 	delete(callbackMap, callbackNumber)

vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go

@@ -1,18 +1,23 @@
 package hcs
 
 import (
+	"context"
 	"encoding/json"
+	"errors"
 	"os"
 	"strconv"
+	"strings"
 	"sync"
 	"syscall"
 	"time"
 
-	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/Microsoft/hcsshim/internal/cow"
-	"github.com/Microsoft/hcsshim/internal/logfields"
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/schema1"
 	"github.com/Microsoft/hcsshim/internal/timeout"
-	"github.com/sirupsen/logrus"
+	"github.com/Microsoft/hcsshim/internal/vmcompute"
+	"go.opencensus.io/trace"
 )
 
 // currentContainerStarts is used to limit the number of concurrent container
@@ -38,53 +43,37 @@ func init() {
 
 type System struct {
 	handleLock     sync.RWMutex
-	handle         hcsSystem
+	handle         vmcompute.HcsSystem
 	id             string
 	callbackNumber uintptr
 
-	logctx logrus.Fields
+	closedWaitOnce sync.Once
-
 	waitBlock      chan struct{}
 	waitError      error
+	exitError      error
+
+	os, typ string
 }
 
 func newSystem(id string) *System {
 	return &System{
 		id:        id,
-		logctx: logrus.Fields{
-			logfields.ContainerID: id,
-		},
 		waitBlock: make(chan struct{}),
 	}
 }
 
-func (computeSystem *System) logOperationBegin(operation string) {
-	logOperationBegin(
-		computeSystem.logctx,
-		operation+" - Begin Operation")
-}
-
-func (computeSystem *System) logOperationEnd(operation string, err error) {
-	var result string
-	if err == nil {
-		result = "Success"
-	} else {
-		result = "Error"
-	}
-
-	logOperationEnd(
-		computeSystem.logctx,
-		operation+" - End Operation - "+result,
-		err)
-}
-
 // CreateComputeSystem creates a new compute system with the given configuration but does not start it.
-func CreateComputeSystem(id string, hcsDocumentInterface interface{}) (_ *System, err error) {
+func CreateComputeSystem(ctx context.Context, id string, hcsDocumentInterface interface{}) (_ *System, err error) {
 	operation := "hcsshim::CreateComputeSystem"
 
+	// hcsCreateComputeSystemContext is an async operation. Start the outer span
+	// here to measure the full create time.
+	ctx, span := trace.StartSpan(ctx, operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("cid", id))
+
 	computeSystem := newSystem(id)
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
 
 	hcsDocumentB, err := json.Marshal(hcsDocumentInterface)
 	if err != nil {
@@ -93,129 +82,114 @@ func CreateComputeSystem(id string, hcsDocumentInterface interface{}) (_ *System
 
 	hcsDocument := string(hcsDocumentB)
 
-	logrus.WithFields(computeSystem.logctx).
-		WithField(logfields.JSON, hcsDocument).
-		Debug("HCS ComputeSystem Document")
-
 	var (
-		resultp     *uint16
 		identity    syscall.Handle
+		resultJSON  string
 		createError error
 	)
-	syscallWatcher(computeSystem.logctx, func() {
+	computeSystem.handle, resultJSON, createError = vmcompute.HcsCreateComputeSystem(ctx, id, hcsDocument, identity)
-		createError = hcsCreateComputeSystem(id, hcsDocument, identity, &computeSystem.handle, &resultp)
-	})
-
 	if createError == nil || IsPending(createError) {
-		if err = computeSystem.registerCallback(); err != nil {
+		defer func() {
+			if err != nil {
+				computeSystem.Close()
+			}
+		}()
+		if err = computeSystem.registerCallback(ctx); err != nil {
 			// Terminate the compute system if it still exists. We're okay to
 			// ignore a failure here.
-			computeSystem.Terminate()
+			computeSystem.Terminate(ctx)
 			return nil, makeSystemError(computeSystem, operation, "", err, nil)
 		}
 	}
 
-	events, err := processAsyncHcsResult(createError, resultp, computeSystem.callbackNumber, hcsNotificationSystemCreateCompleted, &timeout.SystemCreate)
+	events, err := processAsyncHcsResult(ctx, createError, resultJSON, computeSystem.callbackNumber, hcsNotificationSystemCreateCompleted, &timeout.SystemCreate)
 	if err != nil {
 		if err == ErrTimeout {
 			// Terminate the compute system if it still exists. We're okay to
 			// ignore a failure here.
-			computeSystem.Terminate()
+			computeSystem.Terminate(ctx)
 		}
 		return nil, makeSystemError(computeSystem, operation, hcsDocument, err, events)
 	}
-
 	go computeSystem.waitBackground()
-
+	if err = computeSystem.getCachedProperties(ctx); err != nil {
+		return nil, err
+	}
 	return computeSystem, nil
 }
 
 // OpenComputeSystem opens an existing compute system by ID.
-func OpenComputeSystem(id string) (_ *System, err error) {
+func OpenComputeSystem(ctx context.Context, id string) (*System, error) {
 	operation := "hcsshim::OpenComputeSystem"
 
 	computeSystem := newSystem(id)
-	computeSystem.logOperationBegin(operation)
+	handle, resultJSON, err := vmcompute.HcsOpenComputeSystem(ctx, id)
-	defer func() {
+	events := processHcsResult(ctx, resultJSON)
-		if IsNotExist(err) {
-			computeSystem.logOperationEnd(operation, nil)
-		} else {
-			computeSystem.logOperationEnd(operation, err)
-		}
-	}()
-
-	var (
-		handle  hcsSystem
-		resultp *uint16
-	)
-	err = hcsOpenComputeSystem(id, &handle, &resultp)
-	events := processHcsResult(resultp)
 	if err != nil {
 		return nil, makeSystemError(computeSystem, operation, "", err, events)
 	}
-
 	computeSystem.handle = handle
-
+	defer func() {
-	if err = computeSystem.registerCallback(); err != nil {
+		if err != nil {
+			computeSystem.Close()
+		}
+	}()
+	if err = computeSystem.registerCallback(ctx); err != nil {
 		return nil, makeSystemError(computeSystem, operation, "", err, nil)
 	}
 	go computeSystem.waitBackground()
-
+	if err = computeSystem.getCachedProperties(ctx); err != nil {
+		return nil, err
+	}
 	return computeSystem, nil
 }
 
-// GetComputeSystems gets a list of the compute systems on the system that match the query
+func (computeSystem *System) getCachedProperties(ctx context.Context) error {
-func GetComputeSystems(q schema1.ComputeSystemQuery) (_ []schema1.ContainerProperties, err error) {
+	props, err := computeSystem.Properties(ctx)
-	operation := "hcsshim::GetComputeSystems"
+	if err != nil {
-	fields := logrus.Fields{}
+		return err
-	logOperationBegin(
+	}
-		fields,
+	computeSystem.typ = strings.ToLower(props.SystemType)
-		operation+" - Begin Operation")
+	computeSystem.os = strings.ToLower(props.RuntimeOSType)
-
+	if computeSystem.os == "" && computeSystem.typ == "container" {
-	defer func() {
+		// Pre-RS5 HCS did not return the OS, but it only supported containers
-		var result string
+		// that ran Windows.
-		if err == nil {
+		computeSystem.os = "windows"
-			result = "Success"
+	}
-		} else {
+	return nil
-			result = "Error"
 }
 
-		logOperationEnd(
+// OS returns the operating system of the compute system, "linux" or "windows".
-			fields,
+func (computeSystem *System) OS() string {
-			operation+" - End Operation - "+result,
+	return computeSystem.os
-			err)
+}
-	}()
+
+// IsOCI returns whether processes in the compute system should be created via
+// OCI.
+func (computeSystem *System) IsOCI() bool {
+	return computeSystem.os == "linux" && computeSystem.typ == "container"
+}
+
+// GetComputeSystems gets a list of the compute systems on the system that match the query
+func GetComputeSystems(ctx context.Context, q schema1.ComputeSystemQuery) ([]schema1.ContainerProperties, error) {
+	operation := "hcsshim::GetComputeSystems"
 
 	queryb, err := json.Marshal(q)
 	if err != nil {
 		return nil, err
 	}
 
-	query := string(queryb)
+	computeSystemsJSON, resultJSON, err := vmcompute.HcsEnumerateComputeSystems(ctx, string(queryb))
-
+	events := processHcsResult(ctx, resultJSON)
-	logrus.WithFields(fields).
-		WithField(logfields.JSON, query).
-		Debug("HCS ComputeSystem Query")
-
-	var (
-		resultp         *uint16
-		computeSystemsp *uint16
-	)
-
-	syscallWatcher(fields, func() {
-		err = hcsEnumerateComputeSystems(query, &computeSystemsp, &resultp)
-	})
-	events := processHcsResult(resultp)
 	if err != nil {
 		return nil, &HcsError{Op: operation, Err: err, Events: events}
 	}
 
-	if computeSystemsp == nil {
+	if computeSystemsJSON == "" {
 		return nil, ErrUnexpectedValue
 	}
-	computeSystemsRaw := interop.ConvertAndFreeCoTaskMemBytes(computeSystemsp)
 	computeSystems := []schema1.ContainerProperties{}
-	if err = json.Unmarshal(computeSystemsRaw, &computeSystems); err != nil {
+	if err = json.Unmarshal([]byte(computeSystemsJSON), &computeSystems); err != nil {
 		return nil, err
 	}
 
@@ -223,16 +197,21 @@ func GetComputeSystems(q schema1.ComputeSystemQuery) (_ []schema1.ContainerPrope
 }
 
 // Start synchronously starts the computeSystem.
-func (computeSystem *System) Start() (err error) {
+func (computeSystem *System) Start(ctx context.Context) (err error) {
+	operation := "hcsshim::System::Start"
+
+	// hcsStartComputeSystemContext is an async operation. Start the outer span
+	// here to measure the full start time.
+	ctx, span := trace.StartSpan(ctx, operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
+
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::Start"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, "Start", "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
 	}
 
 	// This is a very simple backoff-retry loop to limit the number
@@ -261,13 +240,10 @@ func (computeSystem *System) Start() (err error) {
 		}()
 	}
 
-	var resultp *uint16
+	resultJSON, err := vmcompute.HcsStartComputeSystem(ctx, computeSystem.handle, "")
-	syscallWatcher(computeSystem.logctx, func() {
+	events, err := processAsyncHcsResult(ctx, err, resultJSON, computeSystem.callbackNumber, hcsNotificationSystemStartCompleted, &timeout.SystemStart)
-		err = hcsStartComputeSystem(computeSystem.handle, "", &resultp)
-	})
-	events, err := processAsyncHcsResult(err, resultp, computeSystem.callbackNumber, hcsNotificationSystemStartCompleted, &timeout.SystemStart)
 	if err != nil {
-		return makeSystemError(computeSystem, "Start", "", err, events)
+		return makeSystemError(computeSystem, operation, "", err, events)
 	}
 
 	return nil
@@ -278,270 +254,258 @@ func (computeSystem *System) ID() string {
 	return computeSystem.id
 }
 
-// Shutdown requests a compute system shutdown, if IsPending() on the error returned is true,
+// Shutdown requests a compute system shutdown.
-// it may not actually be shut down until Wait() succeeds.
+func (computeSystem *System) Shutdown(ctx context.Context) error {
-func (computeSystem *System) Shutdown() (err error) {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::Shutdown"
+	operation := "hcsshim::System::Shutdown"
-	computeSystem.logOperationBegin(operation)
-	defer func() {
-		if IsAlreadyStopped(err) || IsPending(err) {
-			computeSystem.logOperationEnd(operation, nil)
-		} else {
-			computeSystem.logOperationEnd(operation, err)
-		}
-	}()
 
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, "Shutdown", "", ErrAlreadyClosed, nil)
-	}
-
-	var resultp *uint16
-	syscallWatcher(computeSystem.logctx, func() {
-		err = hcsShutdownComputeSystem(computeSystem.handle, "", &resultp)
-	})
-	events := processHcsResult(resultp)
-	if err != nil {
-		return makeSystemError(computeSystem, "Shutdown", "", err, events)
-	}
-
 		return nil
 	}
 
-// Terminate requests a compute system terminate, if IsPending() on the error returned is true,
+	resultJSON, err := vmcompute.HcsShutdownComputeSystem(ctx, computeSystem.handle, "")
-// it may not actually be shut down until Wait() succeeds.
+	events := processHcsResult(ctx, resultJSON)
-func (computeSystem *System) Terminate() (err error) {
+	switch err {
+	case nil, ErrVmcomputeAlreadyStopped, ErrComputeSystemDoesNotExist, ErrVmcomputeOperationPending:
+	default:
+		return makeSystemError(computeSystem, operation, "", err, events)
+	}
+	return nil
+}
+
+// Terminate requests a compute system terminate.
+func (computeSystem *System) Terminate(ctx context.Context) error {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::Terminate"
+	operation := "hcsshim::System::Terminate"
-	computeSystem.logOperationBegin(operation)
-	defer func() {
-		if IsPending(err) {
-			computeSystem.logOperationEnd(operation, nil)
-		} else {
-			computeSystem.logOperationEnd(operation, err)
-		}
-	}()
 
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, "Terminate", "", ErrAlreadyClosed, nil)
+		return nil
 	}
 
-	var resultp *uint16
+	resultJSON, err := vmcompute.HcsTerminateComputeSystem(ctx, computeSystem.handle, "")
-	syscallWatcher(computeSystem.logctx, func() {
+	events := processHcsResult(ctx, resultJSON)
-		err = hcsTerminateComputeSystem(computeSystem.handle, "", &resultp)
+	switch err {
-	})
+	case nil, ErrVmcomputeAlreadyStopped, ErrComputeSystemDoesNotExist, ErrVmcomputeOperationPending:
-	events := processHcsResult(resultp)
+	default:
-	if err != nil && err != ErrVmcomputeAlreadyStopped {
+		return makeSystemError(computeSystem, operation, "", err, events)
-		return makeSystemError(computeSystem, "Terminate", "", err, events)
 	}
-
 	return nil
 }
 
 // waitBackground waits for the compute system exit notification. Once received
-// sets `computeSystem.waitError` (if any) and unblocks all `Wait`,
+// sets `computeSystem.waitError` (if any) and unblocks all `Wait` calls.
-// `WaitExpectedError`, and `WaitTimeout` calls.
 //
-// This MUST be called exactly once per `computeSystem.handle` but `Wait`,
+// This MUST be called exactly once per `computeSystem.handle` but `Wait` is
-// `WaitExpectedError`, and `WaitTimeout` are safe to call multiple times.
+// safe to call multiple times.
 func (computeSystem *System) waitBackground() {
-	computeSystem.waitError = waitForNotification(computeSystem.callbackNumber, hcsNotificationSystemExited, nil)
+	operation := "hcsshim::System::waitBackground"
+	ctx, span := trace.StartSpan(context.Background(), operation)
+	defer span.End()
+	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
+
+	err := waitForNotification(ctx, computeSystem.callbackNumber, hcsNotificationSystemExited, nil)
+	switch err {
+	case nil:
+		log.G(ctx).Debug("system exited")
+	case ErrVmcomputeUnexpectedExit:
+		log.G(ctx).Debug("unexpected system exit")
+		computeSystem.exitError = makeSystemError(computeSystem, operation, "", err, nil)
+		err = nil
+	default:
+		err = makeSystemError(computeSystem, operation, "", err, nil)
+	}
+	computeSystem.closedWaitOnce.Do(func() {
+		computeSystem.waitError = err
 		close(computeSystem.waitBlock)
+	})
+	oc.SetSpanStatus(span, err)
 }
 
 // Wait synchronously waits for the compute system to shutdown or terminate. If
 // the compute system has already exited returns the previous error (if any).
-func (computeSystem *System) Wait() (err error) {
+func (computeSystem *System) Wait() error {
-	operation := "hcsshim::ComputeSystem::Wait"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
 	<-computeSystem.waitBlock
-	if computeSystem.waitError != nil {
+	return computeSystem.waitError
-		return makeSystemError(computeSystem, "Wait", "", computeSystem.waitError, nil)
 }
 
-	return nil
+// ExitError returns an error describing the reason the compute system terminated.
-}
+func (computeSystem *System) ExitError() error {
-
-// WaitExpectedError synchronously waits for the compute system to shutdown or
-// terminate and returns the error (if any) as long as it does not match
-// `expected`. If the compute system has already exited returns the previous
-// error (if any) as long as it does not match `expected`.
-func (computeSystem *System) WaitExpectedError(expected error) (err error) {
-	operation := "hcsshim::ComputeSystem::WaitExpectedError"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
-	<-computeSystem.waitBlock
-	if computeSystem.waitError != nil && getInnerError(computeSystem.waitError) != expected {
-		return makeSystemError(computeSystem, "WaitExpectedError", "", computeSystem.waitError, nil)
-	}
-	return nil
-}
-
-// WaitTimeout synchronously waits for the compute system to terminate or the
-// duration to elapse. If the timeout expires, `IsTimeout(err) == true`. If
-// the compute system has already exited returns the previous error (if any).
-func (computeSystem *System) WaitTimeout(timeout time.Duration) (err error) {
-	operation := "hcsshim::ComputeSystem::WaitTimeout"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
 	select {
 	case <-computeSystem.waitBlock:
 		if computeSystem.waitError != nil {
-			return makeSystemError(computeSystem, "WaitTimeout", "", computeSystem.waitError, nil)
+			return computeSystem.waitError
 		}
-		return nil
+		return computeSystem.exitError
-	case <-time.After(timeout):
+	default:
-		return makeSystemError(computeSystem, "WaitTimeout", "", ErrTimeout, nil)
+		return errors.New("container not exited")
 	}
 }
 
-func (computeSystem *System) Properties(types ...schema1.PropertyType) (_ *schema1.ContainerProperties, err error) {
+func (computeSystem *System) Properties(ctx context.Context, types ...schema1.PropertyType) (*schema1.ContainerProperties, error) {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::Properties"
+	operation := "hcsshim::System::Properties"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
 
-	queryj, err := json.Marshal(schema1.PropertyQuery{types})
+	queryBytes, err := json.Marshal(schema1.PropertyQuery{PropertyTypes: types})
 	if err != nil {
-		return nil, makeSystemError(computeSystem, "Properties", "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, "", err, nil)
 	}
 
-	logrus.WithFields(computeSystem.logctx).
+	propertiesJSON, resultJSON, err := vmcompute.HcsGetComputeSystemProperties(ctx, computeSystem.handle, string(queryBytes))
-		WithField(logfields.JSON, queryj).
+	events := processHcsResult(ctx, resultJSON)
-		Debug("HCS ComputeSystem Properties Query")
-
-	var resultp, propertiesp *uint16
-	syscallWatcher(computeSystem.logctx, func() {
-		err = hcsGetComputeSystemProperties(computeSystem.handle, string(queryj), &propertiesp, &resultp)
-	})
-	events := processHcsResult(resultp)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, "Properties", "", err, events)
+		return nil, makeSystemError(computeSystem, operation, "", err, events)
 	}
 
-	if propertiesp == nil {
+	if propertiesJSON == "" {
 		return nil, ErrUnexpectedValue
 	}
-	propertiesRaw := interop.ConvertAndFreeCoTaskMemBytes(propertiesp)
 	properties := &schema1.ContainerProperties{}
-	if err := json.Unmarshal(propertiesRaw, properties); err != nil {
+	if err := json.Unmarshal([]byte(propertiesJSON), properties); err != nil {
-		return nil, makeSystemError(computeSystem, "Properties", "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, "", err, nil)
 	}
 
 	return properties, nil
 }
 
 // Pause pauses the execution of the computeSystem. This feature is not enabled in TP5.
-func (computeSystem *System) Pause() (err error) {
+func (computeSystem *System) Pause(ctx context.Context) (err error) {
+	operation := "hcsshim::System::Pause"
+
+	// hcsPauseComputeSystemContext is an async peration. Start the outer span
+	// here to measure the full pause time.
+	ctx, span := trace.StartSpan(ctx, operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
+
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::Pause"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, "Pause", "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
 	}
 
-	var resultp *uint16
+	resultJSON, err := vmcompute.HcsPauseComputeSystem(ctx, computeSystem.handle, "")
-	syscallWatcher(computeSystem.logctx, func() {
+	events, err := processAsyncHcsResult(ctx, err, resultJSON, computeSystem.callbackNumber, hcsNotificationSystemPauseCompleted, &timeout.SystemPause)
-		err = hcsPauseComputeSystem(computeSystem.handle, "", &resultp)
-	})
-	events, err := processAsyncHcsResult(err, resultp, computeSystem.callbackNumber, hcsNotificationSystemPauseCompleted, &timeout.SystemPause)
 	if err != nil {
-		return makeSystemError(computeSystem, "Pause", "", err, events)
+		return makeSystemError(computeSystem, operation, "", err, events)
 	}
 
 	return nil
 }
 
 // Resume resumes the execution of the computeSystem. This feature is not enabled in TP5.
-func (computeSystem *System) Resume() (err error) {
+func (computeSystem *System) Resume(ctx context.Context) (err error) {
+	operation := "hcsshim::System::Resume"
+
+	// hcsResumeComputeSystemContext is an async operation. Start the outer span
+	// here to measure the full restore time.
+	ctx, span := trace.StartSpan(ctx, operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
+
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::Resume"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, "Resume", "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
 	}
 
-	var resultp *uint16
+	resultJSON, err := vmcompute.HcsResumeComputeSystem(ctx, computeSystem.handle, "")
-	syscallWatcher(computeSystem.logctx, func() {
+	events, err := processAsyncHcsResult(ctx, err, resultJSON, computeSystem.callbackNumber, hcsNotificationSystemResumeCompleted, &timeout.SystemResume)
-		err = hcsResumeComputeSystem(computeSystem.handle, "", &resultp)
-	})
-	events, err := processAsyncHcsResult(err, resultp, computeSystem.callbackNumber, hcsNotificationSystemResumeCompleted, &timeout.SystemResume)
 	if err != nil {
-		return makeSystemError(computeSystem, "Resume", "", err, events)
+		return makeSystemError(computeSystem, operation, "", err, events)
 	}
 
 	return nil
 }
 
-// CreateProcess launches a new process within the computeSystem.
+func (computeSystem *System) createProcess(ctx context.Context, operation string, c interface{}) (*Process, *vmcompute.HcsProcessInformation, error) {
-func (computeSystem *System) CreateProcess(c interface{}) (_ *Process, err error) {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::CreateProcess"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
-	var (
-		processInfo   hcsProcessInformation
-		processHandle hcsProcess
-		resultp       *uint16
-	)
-
 	if computeSystem.handle == 0 {
-		return nil, makeSystemError(computeSystem, "CreateProcess", "", ErrAlreadyClosed, nil)
+		return nil, nil, makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
 	}
 
 	configurationb, err := json.Marshal(c)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, "CreateProcess", "", err, nil)
+		return nil, nil, makeSystemError(computeSystem, operation, "", err, nil)
 	}
 
 	configuration := string(configurationb)
-
+	processInfo, processHandle, resultJSON, err := vmcompute.HcsCreateProcess(ctx, computeSystem.handle, configuration)
-	logrus.WithFields(computeSystem.logctx).
+	events := processHcsResult(ctx, resultJSON)
-		WithField(logfields.JSON, configuration).
-		Debug("HCS ComputeSystem Process Document")
-
-	syscallWatcher(computeSystem.logctx, func() {
-		err = hcsCreateProcess(computeSystem.handle, configuration, &processInfo, &processHandle, &resultp)
-	})
-	events := processHcsResult(resultp)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, "CreateProcess", configuration, err, events)
+		return nil, nil, makeSystemError(computeSystem, operation, configuration, err, events)
 	}
 
-	logrus.WithFields(computeSystem.logctx).
+	log.G(ctx).WithField("pid", processInfo.ProcessId).Debug("created process pid")
-		WithField(logfields.ProcessID, processInfo.ProcessId).
+	return newProcess(processHandle, int(processInfo.ProcessId), computeSystem), &processInfo, nil
-		Debug("HCS ComputeSystem CreateProcess PID")
-
-	process := newProcess(processHandle, int(processInfo.ProcessId), computeSystem)
-	process.cachedPipes = &cachedPipes{
-		stdIn:  processInfo.StdInput,
-		stdOut: processInfo.StdOutput,
-		stdErr: processInfo.StdError,
 }
 
-	if err = process.registerCallback(); err != nil {
+// CreateProcessNoStdio launches a new process within the computeSystem. The
-		return nil, makeSystemError(computeSystem, "CreateProcess", "", err, nil)
+// Stdio handles are not cached on the process struct.
+func (computeSystem *System) CreateProcessNoStdio(c interface{}) (_ cow.Process, err error) {
+	operation := "hcsshim::System::CreateProcessNoStdio"
+	ctx, span := trace.StartSpan(context.Background(), operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
+
+	process, processInfo, err := computeSystem.createProcess(ctx, operation, c)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			process.Close()
+		}
+	}()
+
+	// We don't do anything with these handles. Close them so they don't leak.
+	syscall.Close(processInfo.StdInput)
+	syscall.Close(processInfo.StdOutput)
+	syscall.Close(processInfo.StdError)
+
+	if err = process.registerCallback(ctx); err != nil {
+		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+	}
+	go process.waitBackground()
+
+	return process, nil
+}
+
+// CreateProcess launches a new process within the computeSystem.
+func (computeSystem *System) CreateProcess(ctx context.Context, c interface{}) (cow.Process, error) {
+	operation := "hcsshim::System::CreateProcess"
+	process, processInfo, err := computeSystem.createProcess(ctx, operation, c)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			process.Close()
+		}
+	}()
+
+	pipes, err := makeOpenFiles([]syscall.Handle{processInfo.StdInput, processInfo.StdOutput, processInfo.StdError})
+	if err != nil {
+		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+	}
+	process.stdin = pipes[0]
+	process.stdout = pipes[1]
+	process.stderr = pipes[2]
+
+	if err = process.registerCallback(ctx); err != nil {
+		return nil, makeSystemError(computeSystem, operation, "", err, nil)
 	}
 	go process.waitBackground()
 
@@ -549,38 +513,25 @@ func (computeSystem *System) CreateProcess(c interface{}) (_ *Process, err error
 }
 
 // OpenProcess gets an interface to an existing process within the computeSystem.
-func (computeSystem *System) OpenProcess(pid int) (_ *Process, err error) {
+func (computeSystem *System) OpenProcess(ctx context.Context, pid int) (*Process, error) {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	// Add PID for the context of this operation
+	operation := "hcsshim::System::OpenProcess"
-	computeSystem.logctx[logfields.ProcessID] = pid
-	defer delete(computeSystem.logctx, logfields.ProcessID)
-
-	operation := "hcsshim::ComputeSystem::OpenProcess"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
-	var (
-		processHandle hcsProcess
-		resultp       *uint16
-	)
 
 	if computeSystem.handle == 0 {
-		return nil, makeSystemError(computeSystem, "OpenProcess", "", ErrAlreadyClosed, nil)
+		return nil, makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
 	}
 
-	syscallWatcher(computeSystem.logctx, func() {
+	processHandle, resultJSON, err := vmcompute.HcsOpenProcess(ctx, computeSystem.handle, uint32(pid))
-		err = hcsOpenProcess(computeSystem.handle, uint32(pid), &processHandle, &resultp)
+	events := processHcsResult(ctx, resultJSON)
-	})
-	events := processHcsResult(resultp)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, "OpenProcess", "", err, events)
+		return nil, makeSystemError(computeSystem, operation, "", err, events)
 	}
 
 	process := newProcess(processHandle, pid, computeSystem)
-	if err = process.registerCallback(); err != nil {
+	if err = process.registerCallback(ctx); err != nil {
-		return nil, makeSystemError(computeSystem, "OpenProcess", "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, "", err, nil)
 	}
 	go process.waitBackground()
 
@@ -589,68 +540,72 @@ func (computeSystem *System) OpenProcess(pid int) (_ *Process, err error) {
 
 // Close cleans up any state associated with the compute system but does not terminate or wait for it.
 func (computeSystem *System) Close() (err error) {
+	operation := "hcsshim::System::Close"
+	ctx, span := trace.StartSpan(context.Background(), operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
+
 	computeSystem.handleLock.Lock()
 	defer computeSystem.handleLock.Unlock()
 
-	operation := "hcsshim::ComputeSystem::Close"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
-
 	// Don't double free this
 	if computeSystem.handle == 0 {
 		return nil
 	}
 
-	if err = computeSystem.unregisterCallback(); err != nil {
+	if err = computeSystem.unregisterCallback(ctx); err != nil {
-		return makeSystemError(computeSystem, "Close", "", err, nil)
+		return makeSystemError(computeSystem, operation, "", err, nil)
 	}
 
-	syscallWatcher(computeSystem.logctx, func() {
+	err = vmcompute.HcsCloseComputeSystem(ctx, computeSystem.handle)
-		err = hcsCloseComputeSystem(computeSystem.handle)
-	})
 	if err != nil {
-		return makeSystemError(computeSystem, "Close", "", err, nil)
+		return makeSystemError(computeSystem, operation, "", err, nil)
 	}
 
 	computeSystem.handle = 0
+	computeSystem.closedWaitOnce.Do(func() {
+		computeSystem.waitError = ErrAlreadyClosed
+		close(computeSystem.waitBlock)
+	})
 
 	return nil
 }
 
-func (computeSystem *System) registerCallback() error {
+func (computeSystem *System) registerCallback(ctx context.Context) error {
-	context := &notifcationWatcherContext{
+	callbackContext := &notifcationWatcherContext{
-		channels: newChannels(),
+		channels: newSystemChannels(),
+		systemID: computeSystem.id,
 	}
 
 	callbackMapLock.Lock()
 	callbackNumber := nextCallback
 	nextCallback++
-	callbackMap[callbackNumber] = context
+	callbackMap[callbackNumber] = callbackContext
 	callbackMapLock.Unlock()
 
-	var callbackHandle hcsCallback
+	callbackHandle, err := vmcompute.HcsRegisterComputeSystemCallback(ctx, computeSystem.handle, notificationWatcherCallback, callbackNumber)
-	err := hcsRegisterComputeSystemCallback(computeSystem.handle, notificationWatcherCallback, callbackNumber, &callbackHandle)
 	if err != nil {
 		return err
 	}
-	context.handle = callbackHandle
+	callbackContext.handle = callbackHandle
 	computeSystem.callbackNumber = callbackNumber
 
 	return nil
 }
 
-func (computeSystem *System) unregisterCallback() error {
+func (computeSystem *System) unregisterCallback(ctx context.Context) error {
 	callbackNumber := computeSystem.callbackNumber
 
 	callbackMapLock.RLock()
-	context := callbackMap[callbackNumber]
+	callbackContext := callbackMap[callbackNumber]
 	callbackMapLock.RUnlock()
 
-	if context == nil {
+	if callbackContext == nil {
 		return nil
 	}
 
-	handle := context.handle
+	handle := callbackContext.handle
 
 	if handle == 0 {
 		return nil
@@ -658,12 +613,12 @@ func (computeSystem *System) unregisterCallback() error {
 
 	// hcsUnregisterComputeSystemCallback has its own syncronization
 	// to wait for all callbacks to complete. We must NOT hold the callbackMapLock.
-	err := hcsUnregisterComputeSystemCallback(handle)
+	err := vmcompute.HcsUnregisterComputeSystemCallback(ctx, handle)
 	if err != nil {
 		return err
 	}
 
-	closeChannels(context.channels)
+	closeChannels(callbackContext.channels)
 
 	callbackMapLock.Lock()
 	delete(callbackMap, callbackNumber)
@@ -675,36 +630,26 @@ func (computeSystem *System) unregisterCallback() error {
 }
 
 // Modify the System by sending a request to HCS
-func (computeSystem *System) Modify(config interface{}) (err error) {
+func (computeSystem *System) Modify(ctx context.Context, config interface{}) error {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	operation := "hcsshim::ComputeSystem::Modify"
+	operation := "hcsshim::System::Modify"
-	computeSystem.logOperationBegin(operation)
-	defer func() { computeSystem.logOperationEnd(operation, err) }()
 
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, "Modify", "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
 	}
 
-	requestJSON, err := json.Marshal(config)
+	requestBytes, err := json.Marshal(config)
 	if err != nil {
 		return err
 	}
 
-	requestString := string(requestJSON)
+	requestJSON := string(requestBytes)
-
+	resultJSON, err := vmcompute.HcsModifyComputeSystem(ctx, computeSystem.handle, requestJSON)
-	logrus.WithFields(computeSystem.logctx).
+	events := processHcsResult(ctx, resultJSON)
-		WithField(logfields.JSON, requestString).
-		Debug("HCS ComputeSystem Modify Document")
-
-	var resultp *uint16
-	syscallWatcher(computeSystem.logctx, func() {
-		err = hcsModifyComputeSystem(computeSystem.handle, requestString, &resultp)
-	})
-	events := processHcsResult(resultp)
 	if err != nil {
-		return makeSystemError(computeSystem, "Modify", requestString, err, events)
+		return makeSystemError(computeSystem, operation, requestJSON, err, events)
 	}
 
 	return nil

vendor/github.com/Microsoft/hcsshim/internal/hcs/waithelper.go

@@ -1,25 +1,26 @@
 package hcs
 
 import (
+	"context"
 	"time"
 
-	"github.com/sirupsen/logrus"
+	"github.com/Microsoft/hcsshim/internal/log"
 )
 
-func processAsyncHcsResult(err error, resultp *uint16, callbackNumber uintptr, expectedNotification hcsNotification, timeout *time.Duration) ([]ErrorEvent, error) {
+func processAsyncHcsResult(ctx context.Context, err error, resultJSON string, callbackNumber uintptr, expectedNotification hcsNotification, timeout *time.Duration) ([]ErrorEvent, error) {
-	events := processHcsResult(resultp)
+	events := processHcsResult(ctx, resultJSON)
 	if IsPending(err) {
-		return nil, waitForNotification(callbackNumber, expectedNotification, timeout)
+		return nil, waitForNotification(ctx, callbackNumber, expectedNotification, timeout)
 	}
 
 	return events, err
 }
 
-func waitForNotification(callbackNumber uintptr, expectedNotification hcsNotification, timeout *time.Duration) error {
+func waitForNotification(ctx context.Context, callbackNumber uintptr, expectedNotification hcsNotification, timeout *time.Duration) error {
 	callbackMapLock.RLock()
 	if _, ok := callbackMap[callbackNumber]; !ok {
 		callbackMapLock.RUnlock()
-		logrus.Errorf("failed to waitForNotification: callbackNumber %d does not exist in callbackMap", callbackNumber)
+		log.G(ctx).WithField("callbackNumber", callbackNumber).Error("failed to waitForNotification: callbackNumber does not exist in callbackMap")
 		return ErrHandleClose
 	}
 	channels := callbackMap[callbackNumber].channels
@@ -27,7 +28,7 @@ func waitForNotification(callbackNumber uintptr, expectedNotification hcsNotific
 
 	expectedChannel := channels[expectedNotification]
 	if expectedChannel == nil {
-		logrus.Errorf("unknown notification type in waitForNotification %x", expectedNotification)
+		log.G(ctx).WithField("type", expectedNotification).Error("unknown notification type in waitForNotification")
 		return ErrInvalidNotificationType
 	}
 

vendor/github.com/Microsoft/hcsshim/internal/hcs/watcher.go

@@ -1,41 +0,0 @@
-package hcs
-
-import (
-	"context"
-
-	"github.com/Microsoft/hcsshim/internal/logfields"
-	"github.com/Microsoft/hcsshim/internal/timeout"
-	"github.com/sirupsen/logrus"
-)
-
-// syscallWatcher is used as a very simple goroutine around calls into
-// the platform. In some cases, we have seen HCS APIs not returning due to
-// various bugs, and the goroutine making the syscall ends up not returning,
-// prior to its async callback. By spinning up a syscallWatcher, it allows
-// us to at least log a warning if a syscall doesn't complete in a reasonable
-// amount of time.
-//
-// Usage is:
-//
-// syscallWatcher(logContext, func() {
-//    err = <syscall>(args...)
-// })
-//
-
-func syscallWatcher(logContext logrus.Fields, syscallLambda func()) {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout.SyscallWatcher)
-	defer cancel()
-	go watchFunc(ctx, logContext)
-	syscallLambda()
-}
-
-func watchFunc(ctx context.Context, logContext logrus.Fields) {
-	select {
-	case <-ctx.Done():
-		if ctx.Err() != context.Canceled {
-			logrus.WithFields(logContext).
-				WithField(logfields.Timeout, timeout.SyscallWatcher).
-				Warning("Syscall did not complete within operation timeout. This may indicate a platform issue. If it appears to be making no forward progress, obtain the stacks and see if there is a syscall stuck in the platform API for a significant length of time.")
-		}
-	}
-}

vendor/github.com/Microsoft/hcsshim/internal/hns/hnsendpoint.go

@@ -3,6 +3,7 @@ package hns
 import (
 	"encoding/json"
 	"net"
+	"strings"
 
 	"github.com/sirupsen/logrus"
 )
@@ -94,6 +95,27 @@ func GetHNSEndpointByName(endpointName string) (*HNSEndpoint, error) {
 	return nil, EndpointNotFoundError{EndpointName: endpointName}
 }
 
+type endpointAttachInfo struct {
+	SharedContainers json.RawMessage `json:",omitempty"`
+}
+
+func (endpoint *HNSEndpoint) IsAttached(vID string) (bool, error) {
+	attachInfo := endpointAttachInfo{}
+	err := hnsCall("GET", "/endpoints/"+endpoint.Id, "", &attachInfo)
+
+	// Return false allows us to just return the err
+	if err != nil {
+		return false, err
+	}
+
+	if strings.Contains(strings.ToLower(string(attachInfo.SharedContainers)), strings.ToLower(vID)) {
+		return true, nil
+	}
+
+	return false, nil
+
+}
+
 // Create Endpoint by sending EndpointRequest to HNS. TODO: Create a separate HNS interface to place all these methods
 func (endpoint *HNSEndpoint) Create() (*HNSEndpoint, error) {
 	operation := "Create"

vendor/github.com/Microsoft/hcsshim/internal/hns/hnsfuncs.go

@@ -9,23 +9,30 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-func hnsCall(method, path, request string, returnResponse interface{}) error {
+func hnsCallRawResponse(method, path, request string) (*hnsResponse, error) {
 	var responseBuffer *uint16
 	logrus.Debugf("[%s]=>[%s] Request : %s", method, path, request)
 
 	err := _hnsCall(method, path, request, &responseBuffer)
 	if err != nil {
-		return hcserror.New(err, "hnsCall ", "")
+		return nil, hcserror.New(err, "hnsCall ", "")
 	}
 	response := interop.ConvertAndFreeCoTaskMemString(responseBuffer)
 
 	hnsresponse := &hnsResponse{}
 	if err = json.Unmarshal([]byte(response), &hnsresponse); err != nil {
-		return err
+		return nil, err
+	}
+	return hnsresponse, nil
 }
 
+func hnsCall(method, path, request string, returnResponse interface{}) error {
+	hnsresponse, err := hnsCallRawResponse(method, path, request)
+	if err != nil {
+		return fmt.Errorf("failed during hnsCallRawResponse: %v", err)
+	}
 	if !hnsresponse.Success {
-		return fmt.Errorf("HNS failed with error : %s", hnsresponse.Error)
+		return fmt.Errorf("hns failed with error : %s", hnsresponse.Error)
 	}
 
 	if len(hnsresponse.Output) == 0 {

vendor/github.com/Microsoft/hcsshim/internal/interop/interop.go

@@ -15,10 +15,6 @@ func ConvertAndFreeCoTaskMemString(buffer *uint16) string {
 	return str
 }
 
-func ConvertAndFreeCoTaskMemBytes(buffer *uint16) []byte {
-	return []byte(ConvertAndFreeCoTaskMemString(buffer))
-}
-
 func Win32FromHresult(hr uintptr) syscall.Errno {
 	if hr&0x1fff0000 == 0x00070000 {
 		return syscall.Errno(hr & 0xffff)

vendor/github.com/Microsoft/hcsshim/internal/log/g.go

@@ -0,0 +1,23 @@
+package log
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+	"go.opencensus.io/trace"
+)
+
+// G returns a `logrus.Entry` with the `TraceID, SpanID` from `ctx` if `ctx`
+// contains an OpenCensus `trace.Span`.
+func G(ctx context.Context) *logrus.Entry {
+	span := trace.FromContext(ctx)
+	if span != nil {
+		sctx := span.SpanContext()
+		return logrus.WithFields(logrus.Fields{
+			"traceID": sctx.TraceID.String(),
+			"spanID":  sctx.SpanID.String(),
+			// "parentSpanID": TODO: JTERRY75 - Try to convince OC to export this?
+		})
+	}
+	return logrus.NewEntry(logrus.StandardLogger())
+}

vendor/github.com/Microsoft/hcsshim/internal/oc/exporter.go

@@ -0,0 +1,43 @@
+package oc
+
+import (
+	"github.com/sirupsen/logrus"
+	"go.opencensus.io/trace"
+)
+
+var _ = (trace.Exporter)(&LogrusExporter{})
+
+// LogrusExporter is an OpenCensus `trace.Exporter` that exports
+// `trace.SpanData` to logrus output.
+type LogrusExporter struct {
+}
+
+// ExportSpan exports `s` based on the the following rules:
+//
+// 1. All output will contain `s.Attributes`, `s.TraceID`, `s.SpanID`,
+// `s.ParentSpanID` for correlation
+//
+// 2. Any calls to .Annotate will not be supported.
+//
+// 3. The span itself will be written at `logrus.InfoLevel` unless
+// `s.Status.Code != 0` in which case it will be written at `logrus.ErrorLevel`
+// providing `s.Status.Message` as the error value.
+func (le *LogrusExporter) ExportSpan(s *trace.SpanData) {
+	// Combine all span annotations with traceID, spanID, parentSpanID
+	baseEntry := logrus.WithFields(logrus.Fields(s.Attributes))
+	baseEntry.Data["traceID"] = s.TraceID.String()
+	baseEntry.Data["spanID"] = s.SpanID.String()
+	baseEntry.Data["parentSpanID"] = s.ParentSpanID.String()
+	baseEntry.Data["startTime"] = s.StartTime
+	baseEntry.Data["endTime"] = s.EndTime
+	baseEntry.Data["duration"] = s.EndTime.Sub(s.StartTime).String()
+	baseEntry.Data["name"] = s.Name
+	baseEntry.Time = s.StartTime
+
+	level := logrus.InfoLevel
+	if s.Status.Code != 0 {
+		level = logrus.ErrorLevel
+		baseEntry.Data[logrus.ErrorKey] = s.Status.Message
+	}
+	baseEntry.Log(level, "Span")
+}

vendor/github.com/Microsoft/hcsshim/internal/oc/span.go

@@ -0,0 +1,17 @@
+package oc
+
+import (
+	"go.opencensus.io/trace"
+)
+
+// SetSpanStatus sets `span.SetStatus` to the proper status depending on `err`. If
+// `err` is `nil` assumes `trace.StatusCodeOk`.
+func SetSpanStatus(span *trace.Span, err error) {
+	status := trace.Status{}
+	if err != nil {
+		// TODO: JTERRY75 - Handle errors in a non-generic way
+		status.Code = trace.StatusCodeUnknown
+		status.Message = err.Error()
+	}
+	span.SetStatus(status)
+}

vendor/github.com/Microsoft/hcsshim/internal/regstate/regstate.go

@@ -0,0 +1,287 @@
+package regstate
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"os"
+	"path/filepath"
+	"reflect"
+	"syscall"
+
+	"golang.org/x/sys/windows/registry"
+)
+
+//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -output zsyscall_windows.go regstate.go
+
+//sys	regCreateKeyEx(key syscall.Handle, subkey *uint16, reserved uint32, class *uint16, options uint32, desired uint32, sa *syscall.SecurityAttributes, result *syscall.Handle, disposition *uint32) (regerrno error) = advapi32.RegCreateKeyExW
+
+const (
+	_REG_OPTION_VOLATILE = 1
+
+	_REG_CREATED_NEW_KEY     = 1
+	_REG_OPENED_EXISTING_KEY = 2
+)
+
+type Key struct {
+	registry.Key
+	Name string
+}
+
+var localMachine = &Key{registry.LOCAL_MACHINE, "HKEY_LOCAL_MACHINE"}
+var localUser = &Key{registry.CURRENT_USER, "HKEY_CURRENT_USER"}
+
+var rootPath = `SOFTWARE\Microsoft\runhcs`
+
+type NotFoundError struct {
+	Id string
+}
+
+func (err *NotFoundError) Error() string {
+	return fmt.Sprintf("ID '%s' was not found", err.Id)
+}
+
+func IsNotFoundError(err error) bool {
+	_, ok := err.(*NotFoundError)
+	return ok
+}
+
+type NoStateError struct {
+	ID  string
+	Key string
+}
+
+func (err *NoStateError) Error() string {
+	return fmt.Sprintf("state '%s' is not present for ID '%s'", err.Key, err.ID)
+}
+
+func createVolatileKey(k *Key, path string, access uint32) (newk *Key, openedExisting bool, err error) {
+	var (
+		h syscall.Handle
+		d uint32
+	)
+	fullpath := filepath.Join(k.Name, path)
+	err = regCreateKeyEx(syscall.Handle(k.Key), syscall.StringToUTF16Ptr(path), 0, nil, _REG_OPTION_VOLATILE, access, nil, &h, &d)
+	if err != nil {
+		return nil, false, &os.PathError{Op: "RegCreateKeyEx", Path: fullpath, Err: err}
+	}
+	return &Key{registry.Key(h), fullpath}, d == _REG_OPENED_EXISTING_KEY, nil
+}
+
+func hive(perUser bool) *Key {
+	r := localMachine
+	if perUser {
+		r = localUser
+	}
+	return r
+}
+
+func Open(root string, perUser bool) (*Key, error) {
+	k, _, err := createVolatileKey(hive(perUser), rootPath, registry.ALL_ACCESS)
+	if err != nil {
+		return nil, err
+	}
+	defer k.Close()
+
+	k2, _, err := createVolatileKey(k, url.PathEscape(root), registry.ALL_ACCESS)
+	if err != nil {
+		return nil, err
+	}
+	return k2, nil
+}
+
+func RemoveAll(root string, perUser bool) error {
+	k, err := hive(perUser).open(rootPath)
+	if err != nil {
+		return err
+	}
+	defer k.Close()
+	r, err := k.open(url.PathEscape(root))
+	if err != nil {
+		return err
+	}
+	defer r.Close()
+	ids, err := r.Enumerate()
+	if err != nil {
+		return err
+	}
+	for _, id := range ids {
+		err = r.Remove(id)
+		if err != nil {
+			return err
+		}
+	}
+	r.Close()
+	return k.Remove(root)
+}
+
+func (k *Key) Close() error {
+	err := k.Key.Close()
+	k.Key = 0
+	return err
+}
+
+func (k *Key) Enumerate() ([]string, error) {
+	escapedIDs, err := k.ReadSubKeyNames(0)
+	if err != nil {
+		return nil, err
+	}
+	var ids []string
+	for _, e := range escapedIDs {
+		id, err := url.PathUnescape(e)
+		if err == nil {
+			ids = append(ids, id)
+		}
+	}
+	return ids, nil
+}
+
+func (k *Key) open(name string) (*Key, error) {
+	fullpath := filepath.Join(k.Name, name)
+	nk, err := registry.OpenKey(k.Key, name, registry.ALL_ACCESS)
+	if err != nil {
+		return nil, &os.PathError{Op: "RegOpenKey", Path: fullpath, Err: err}
+	}
+	return &Key{nk, fullpath}, nil
+}
+
+func (k *Key) openid(id string) (*Key, error) {
+	escaped := url.PathEscape(id)
+	fullpath := filepath.Join(k.Name, escaped)
+	nk, err := k.open(escaped)
+	if perr, ok := err.(*os.PathError); ok && perr.Err == syscall.ERROR_FILE_NOT_FOUND {
+		return nil, &NotFoundError{id}
+	}
+	if err != nil {
+		return nil, &os.PathError{Op: "RegOpenKey", Path: fullpath, Err: err}
+	}
+	return nk, nil
+}
+
+func (k *Key) Remove(id string) error {
+	escaped := url.PathEscape(id)
+	err := registry.DeleteKey(k.Key, escaped)
+	if err != nil {
+		if err == syscall.ERROR_FILE_NOT_FOUND {
+			return &NotFoundError{id}
+		}
+		return &os.PathError{Op: "RegDeleteKey", Path: filepath.Join(k.Name, escaped), Err: err}
+	}
+	return nil
+}
+
+func (k *Key) set(id string, create bool, key string, state interface{}) error {
+	var sk *Key
+	var err error
+	if create {
+		var existing bool
+		eid := url.PathEscape(id)
+		sk, existing, err = createVolatileKey(k, eid, registry.ALL_ACCESS)
+		if err != nil {
+			return err
+		}
+		defer sk.Close()
+		if existing {
+			sk.Close()
+			return fmt.Errorf("container %s already exists", id)
+		}
+	} else {
+		sk, err = k.openid(id)
+		if err != nil {
+			return err
+		}
+		defer sk.Close()
+	}
+	switch reflect.TypeOf(state).Kind() {
+	case reflect.Bool:
+		v := uint32(0)
+		if state.(bool) {
+			v = 1
+		}
+		err = sk.SetDWordValue(key, v)
+	case reflect.Int:
+		err = sk.SetQWordValue(key, uint64(state.(int)))
+	case reflect.String:
+		err = sk.SetStringValue(key, state.(string))
+	default:
+		var js []byte
+		js, err = json.Marshal(state)
+		if err != nil {
+			return err
+		}
+		err = sk.SetBinaryValue(key, js)
+	}
+	if err != nil {
+		if err == syscall.ERROR_FILE_NOT_FOUND {
+			return &NoStateError{id, key}
+		}
+		return &os.PathError{Op: "RegSetValueEx", Path: sk.Name + ":" + key, Err: err}
+	}
+	return nil
+}
+
+func (k *Key) Create(id, key string, state interface{}) error {
+	return k.set(id, true, key, state)
+}
+
+func (k *Key) Set(id, key string, state interface{}) error {
+	return k.set(id, false, key, state)
+}
+
+func (k *Key) Clear(id, key string) error {
+	sk, err := k.openid(id)
+	if err != nil {
+		return err
+	}
+	defer sk.Close()
+	err = sk.DeleteValue(key)
+	if err != nil {
+		if err == syscall.ERROR_FILE_NOT_FOUND {
+			return &NoStateError{id, key}
+		}
+		return &os.PathError{Op: "RegDeleteValue", Path: sk.Name + ":" + key, Err: err}
+	}
+	return nil
+}
+
+func (k *Key) Get(id, key string, state interface{}) error {
+	sk, err := k.openid(id)
+	if err != nil {
+		return err
+	}
+	defer sk.Close()
+
+	var js []byte
+	switch reflect.TypeOf(state).Elem().Kind() {
+	case reflect.Bool:
+		var v uint64
+		v, _, err = sk.GetIntegerValue(key)
+		if err == nil {
+			*state.(*bool) = v != 0
+		}
+	case reflect.Int:
+		var v uint64
+		v, _, err = sk.GetIntegerValue(key)
+		if err == nil {
+			*state.(*int) = int(v)
+		}
+	case reflect.String:
+		var v string
+		v, _, err = sk.GetStringValue(key)
+		if err == nil {
+			*state.(*string) = string(v)
+		}
+	default:
+		js, _, err = sk.GetBinaryValue(key)
+	}
+	if err != nil {
+		if err == syscall.ERROR_FILE_NOT_FOUND {
+			return &NoStateError{id, key}
+		}
+		return &os.PathError{Op: "RegQueryValueEx", Path: sk.Name + ":" + key, Err: err}
+	}
+	if js != nil {
+		err = json.Unmarshal(js, state)
+	}
+	return err
+}

vendor/github.com/Microsoft/hcsshim/internal/regstate/zsyscall_windows.go

@@ -0,0 +1,51 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package regstate
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return nil
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
+
+	procRegCreateKeyExW = modadvapi32.NewProc("RegCreateKeyExW")
+)
+
+func regCreateKeyEx(key syscall.Handle, subkey *uint16, reserved uint32, class *uint16, options uint32, desired uint32, sa *syscall.SecurityAttributes, result *syscall.Handle, disposition *uint32) (regerrno error) {
+	r0, _, _ := syscall.Syscall9(procRegCreateKeyExW.Addr(), 9, uintptr(key), uintptr(unsafe.Pointer(subkey)), uintptr(reserved), uintptr(unsafe.Pointer(class)), uintptr(options), uintptr(desired), uintptr(unsafe.Pointer(sa)), uintptr(unsafe.Pointer(result)), uintptr(unsafe.Pointer(disposition)))
+	if r0 != 0 {
+		regerrno = syscall.Errno(r0)
+	}
+	return
+}

vendor/github.com/Microsoft/hcsshim/internal/runhcs/container.go

@@ -0,0 +1,71 @@
+package runhcs
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"syscall"
+	"time"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+)
+
+// ContainerState represents the platform agnostic pieces relating to a
+// running container's status and state
+type ContainerState struct {
+	// Version is the OCI version for the container
+	Version string `json:"ociVersion"`
+	// ID is the container ID
+	ID string `json:"id"`
+	// InitProcessPid is the init process id in the parent namespace
+	InitProcessPid int `json:"pid"`
+	// Status is the current status of the container, running, paused, ...
+	Status string `json:"status"`
+	// Bundle is the path on the filesystem to the bundle
+	Bundle string `json:"bundle"`
+	// Rootfs is a path to a directory containing the container's root filesystem.
+	Rootfs string `json:"rootfs"`
+	// Created is the unix timestamp for the creation time of the container in UTC
+	Created time.Time `json:"created"`
+	// Annotations is the user defined annotations added to the config.
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// The owner of the state directory (the owner of the container).
+	Owner string `json:"owner"`
+}
+
+// GetErrorFromPipe returns reads from `pipe` and verifies if the operation
+// returned success or error. If error converts that to an error and returns. If
+// `p` is not nill will issue a `Kill` and `Wait` for exit.
+func GetErrorFromPipe(pipe io.Reader, p *os.Process) error {
+	serr, err := ioutil.ReadAll(pipe)
+	if err != nil {
+		return err
+	}
+
+	if bytes.Equal(serr, ShimSuccess) {
+		return nil
+	}
+
+	extra := ""
+	if p != nil {
+		p.Kill()
+		state, err := p.Wait()
+		if err != nil {
+			panic(err)
+		}
+		extra = fmt.Sprintf(", exit code %d", state.Sys().(syscall.WaitStatus).ExitCode)
+	}
+	if len(serr) == 0 {
+		return fmt.Errorf("unknown shim failure%s", extra)
+	}
+
+	return errors.New(string(serr))
+}
+
+// VMPipePath returns the named pipe path for the vm shim.
+func VMPipePath(hostUniqueID guid.GUID) string {
+	return SafePipePath("runhcs-vm-" + hostUniqueID.String())
+}

vendor/github.com/Microsoft/hcsshim/internal/runhcs/util.go

@@ -0,0 +1,16 @@
+package runhcs
+
+import "net/url"
+
+const (
+	SafePipePrefix = `\\.\pipe\ProtectedPrefix\Administrators\`
+)
+
+// ShimSuccess is the byte stream returned on a successful operation.
+var ShimSuccess = []byte{0, 'O', 'K', 0}
+
+func SafePipePath(name string) string {
+	// Use a pipe in the Administrators protected prefixed to prevent malicious
+	// squatting.
+	return SafePipePrefix + url.PathEscape(name)
+}

vendor/github.com/Microsoft/hcsshim/internal/runhcs/vm.go

@@ -0,0 +1,43 @@
+package runhcs
+
+import (
+	"encoding/json"
+
+	"github.com/Microsoft/go-winio"
+)
+
+// VMRequestOp is an operation that can be issued to a VM shim.
+type VMRequestOp string
+
+const (
+	// OpCreateContainer is a create container request.
+	OpCreateContainer VMRequestOp = "create"
+	// OpSyncNamespace is a `cni.NamespaceTypeGuest` sync request with the UVM.
+	OpSyncNamespace VMRequestOp = "sync"
+	// OpUnmountContainer is a container unmount request.
+	OpUnmountContainer VMRequestOp = "unmount"
+	// OpUnmountContainerDiskOnly is a container unmount disk request.
+	OpUnmountContainerDiskOnly VMRequestOp = "unmount-disk"
+)
+
+// VMRequest is an operation request that is issued to a VM shim.
+type VMRequest struct {
+	ID string
+	Op VMRequestOp
+}
+
+// IssueVMRequest issues a request to a shim at the given pipe.
+func IssueVMRequest(pipepath string, req *VMRequest) error {
+	pipe, err := winio.DialPipe(pipepath, nil)
+	if err != nil {
+		return err
+	}
+	defer pipe.Close()
+	if err := json.NewEncoder(pipe).Encode(req); err != nil {
+		return err
+	}
+	if err := GetErrorFromPipe(pipe, nil); err != nil {
+		return err
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/internal/schema1/schema1.go

@@ -4,7 +4,8 @@ import (
 	"encoding/json"
 	"time"
 
-	"github.com/Microsoft/hcsshim/internal/schema2"
+	"github.com/Microsoft/go-winio/pkg/guid"
+	hcsschema "github.com/Microsoft/hcsshim/internal/schema2"
 )
 
 // ProcessConfig is used as both the input of Container.CreateProcess
@@ -62,7 +63,7 @@ type MappedVirtualDisk struct {
 	CreateInUtilityVM bool   `json:",omitempty"`
 	ReadOnly          bool   `json:",omitempty"`
 	Cache             string `json:",omitempty"` // "" (Unspecified); "Disabled"; "Enabled"; "Private"; "PrivateAllowSharing"
-	AttachOnly        bool   `json:",omitempty:`
+	AttachOnly        bool   `json:",omitempty"`
 }
 
 // AssignedDevice represents a device that has been directly assigned to a container
@@ -133,9 +134,10 @@ type ContainerProperties struct {
 	State                        string
 	Name                         string
 	SystemType                   string
+	RuntimeOSType                string `json:"RuntimeOsType,omitempty"`
 	Owner                        string
 	SiloGUID                     string                              `json:"SiloGuid,omitempty"`
-	RuntimeID                    string                              `json:"RuntimeId,omitempty"`
+	RuntimeID                    guid.GUID                           `json:"RuntimeId,omitempty"`
 	IsRuntimeTemplate            bool                                `json:",omitempty"`
 	RuntimeImagePath             string                              `json:",omitempty"`
 	Stopped                      bool                                `json:",omitempty"`
@@ -214,6 +216,7 @@ type MappedVirtualDiskController struct {
 type GuestDefinedCapabilities struct {
 	NamespaceAddRequestSupported bool `json:",omitempty"`
 	SignalProcessSupported       bool `json:",omitempty"`
+	DumpStacksSupported          bool `json:",omitempty"`
 }
 
 // GuestConnectionInfo is the structure of an iterm return by a GuestConnection call on a utility VM

vendor/github.com/Microsoft/hcsshim/internal/schema2/attachment.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type Attachment struct {
-
 	Type_ string `json:"Type,omitempty"`
 
 	Path string `json:"Path,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/cache_query_stats_response.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type CacheQueryStatsResponse struct {
-
 	L3OccupancyBytes int32 `json:"L3OccupancyBytes,omitempty"`
 
 	L3TotalBwBytes int32 `json:"L3TotalBwBytes,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/close_handle.go

@@ -10,6 +10,5 @@
 package hcsschema
 
 type CloseHandle struct {
-
 	Handle string `json:"Handle,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/com_port.go

@@ -11,7 +11,6 @@ package hcsschema
 
 //  ComPort specifies the named pipe that will be used for the port, with empty string indicating a disconnected port.
 type ComPort struct {
-
 	NamedPipe string `json:"NamedPipe,omitempty"`
 
 	OptimizeForDebugger bool `json:"OptimizeForDebugger,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/compute_system.go

@@ -10,14 +10,13 @@
 package hcsschema
 
 type ComputeSystem struct {
-
 	Owner string `json:"Owner,omitempty"`
 
 	SchemaVersion *Version `json:"SchemaVersion,omitempty"`
 
 	HostingSystemId string `json:"HostingSystemId,omitempty"`
 
-	HostedSystem *HostedSystem `json:"HostedSystem,omitempty"`
+	HostedSystem interface{} `json:"HostedSystem,omitempty"`
 
 	Container *Container `json:"Container,omitempty"`
 

vendor/github.com/Microsoft/hcsshim/internal/schema2/console_size.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type ConsoleSize struct {
-
 	Height int32 `json:"Height,omitempty"`
 
 	Width int32 `json:"Width,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/container.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type Container struct {
-
 	GuestOs *GuestOs `json:"GuestOs,omitempty"`
 
 	Storage *Storage `json:"Storage,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_memory_information.go

@@ -11,7 +11,6 @@ package hcsschema
 
 //  memory usage as viewed from within the container
 type ContainerMemoryInformation struct {
-
 	TotalPhysicalBytes int32 `json:"TotalPhysicalBytes,omitempty"`
 
 	TotalUsage int32 `json:"TotalUsage,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/devices.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type Devices struct {
-
 	ComPorts map[string]ComPort `json:"ComPorts,omitempty"`
 
 	Scsi map[string]Scsi `json:"Scsi,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/enhanced_mode_video.go

@@ -10,6 +10,5 @@
 package hcsschema
 
 type EnhancedModeVideo struct {
-
 	ConnectionOptions *RdpConnectionOptions `json:"ConnectionOptions,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/flexible_io_device.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type FlexibleIoDevice struct {
-
 	EmulatorId string `json:"EmulatorId,omitempty"`
 
 	HostingModel string `json:"HostingModel,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/guest_crash_reporting.go

@@ -10,6 +10,5 @@
 package hcsschema
 
 type GuestCrashReporting struct {
-
 	WindowsCrashSettings *WindowsCrashReporting `json:"WindowsCrashSettings,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/guest_os.go

@@ -10,6 +10,5 @@
 package hcsschema
 
 type GuestOs struct {
-
 	HostName string `json:"HostName,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/hosted_system.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type HostedSystem struct {
-
 	SchemaVersion *Version `json:"SchemaVersion,omitempty"`
 
 	Container *Container `json:"Container,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/schema2/hv_socket.go

@@ -10,7 +10,6 @@
 package hcsschema
 
 type HvSocket struct {
-
 	Config *HvSocketSystemConfig `json:"Config,omitempty"`
 
 	EnablePowerShellDirect bool `json:"EnablePowerShellDirect,omitempty"`