Update github.com/Microsoft/hcsshim to v0.8.10

Brings in a variety of changes, mostly to the containerd shim.

There is also a change to the Windows layer unpack code which fixes #4301.

Release link: https://github.com/microsoft/hcsshim/releases/tag/v0.8.10

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>

vendor.conf

@@ -29,7 +29,7 @@ github.com/imdario/mergo                            v0.3.7
 github.com/konsorten/go-windows-terminal-sequences  v1.0.3
 github.com/matttproud/golang_protobuf_extensions    v1.0.1
 github.com/Microsoft/go-winio                       v0.4.14
-github.com/Microsoft/hcsshim                        v0.8.9
+github.com/Microsoft/hcsshim                        v0.8.10
 github.com/opencontainers/go-digest                 v1.0.0
 github.com/opencontainers/image-spec                v1.0.1
 github.com/opencontainers/runc                      v1.0.0-rc92

vendor/github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options/runhcs.pb.go

@@ -115,7 +115,7 @@ type Options struct {
 	VmMemorySizeInMb int32 `protobuf:"varint,9,opt,name=vm_memory_size_in_mb,json=vmMemorySizeInMb,proto3" json:"vm_memory_size_in_mb,omitempty"`
 	// GPUVHDPath is the path to the gpu vhd to add to the uvm
 	// when a container requests a gpu
-	GPUVHDPath           string   `protobuf:"bytes,10,opt,name=GPUVHDPath,json=gPUVHDPath,proto3" json:"GPUVHDPath,omitempty"`
+	GPUVHDPath           string   `protobuf:"bytes,10,opt,name=GPUVHDPath,proto3" json:"GPUVHDPath,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -214,56 +214,56 @@ func init() {
 }
 
 var fileDescriptor_b643df6839c75082 = []byte{
-	// 777 bytes of a gzipped FileDescriptorProto
+	// 775 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0xcd, 0x6f, 0xdb, 0x36,
-	0x1c, 0xb5, 0x9a, 0xf8, 0x43, 0xbf, 0x2e, 0xa9, 0xc2, 0xf9, 0x20, 0x64, 0x9b, 0x6d, 0xa4, 0x87,
+	0x1c, 0xb5, 0x1a, 0x7f, 0xe9, 0xd7, 0x25, 0x75, 0x38, 0x1f, 0x84, 0x6c, 0xb3, 0x8d, 0xf4, 0xd0,
-	0xa6, 0x58, 0x23, 0x25, 0xdd, 0x71, 0xa7, 0x39, 0x76, 0x56, 0x0d, 0x4b, 0x22, 0xc8, 0x59, 0xbb,
+	0x14, 0x6b, 0xa4, 0xa4, 0x3b, 0xee, 0x34, 0xc7, 0xce, 0xaa, 0x61, 0x49, 0x04, 0x39, 0x6b, 0xf7,
-	0x8f, 0x03, 0xa1, 0x0f, 0x46, 0x26, 0x6a, 0x8a, 0x02, 0x49, 0x7b, 0x71, 0x4f, 0xfb, 0x13, 0xf6,
+	0x71, 0x20, 0xf4, 0xc1, 0xc8, 0x44, 0x4d, 0x51, 0x20, 0x69, 0x2f, 0xee, 0x69, 0x7f, 0xc2, 0xfe,
-	0x47, 0xed, 0x90, 0xe3, 0x8e, 0x03, 0x06, 0x64, 0xab, 0xff, 0x92, 0x81, 0x94, 0x94, 0x62, 0x45,
+	0xa8, 0x1d, 0x72, 0xdc, 0x71, 0xc0, 0x80, 0x6c, 0xf5, 0x5f, 0x32, 0x90, 0x92, 0xd2, 0xad, 0x08,
-	0xb1, 0xcb, 0x4e, 0xa6, 0xde, 0x7b, 0x7c, 0xbf, 0x0f, 0x3e, 0x18, 0x2e, 0x73, 0xaa, 0xe6, 0xcb,
+	0x76, 0xe9, 0xc9, 0xd4, 0x7b, 0x8f, 0xef, 0xf7, 0xc1, 0x07, 0xc3, 0x45, 0x46, 0xd5, 0x7c, 0x19,
-	0xc4, 0x4b, 0x39, 0xf3, 0xcf, 0x69, 0x2a, 0xb8, 0xe4, 0xd7, 0xca, 0x9f, 0xa7, 0x52, 0xce, 0x29,
+	0xbb, 0x09, 0x67, 0xde, 0x19, 0x4d, 0x04, 0x97, 0xfc, 0x4a, 0x79, 0xf3, 0x44, 0xca, 0x39, 0x65,
-	0xf3, 0x53, 0x96, 0xf9, 0x29, 0x2f, 0x54, 0x4c, 0x0b, 0x22, 0xb2, 0x23, 0x8d, 0x1d, 0x89, 0x65,
+	0x5e, 0xc2, 0x52, 0x2f, 0xe1, 0xb9, 0x8a, 0x68, 0x4e, 0x44, 0x7a, 0xa8, 0xb1, 0x43, 0xb1, 0xcc,
-	0x31, 0x4f, 0xe5, 0xd1, 0xea, 0xc4, 0xe7, 0xa5, 0xa2, 0xbc, 0x90, 0x7e, 0x85, 0x78, 0xa5, 0xe0,
+	0xe7, 0x89, 0x3c, 0x5c, 0x1d, 0x7b, 0xbc, 0x50, 0x94, 0xe7, 0xd2, 0x2b, 0x11, 0xb7, 0x10, 0x5c,
-	0x8a, 0xa3, 0xfe, 0x3b, 0xbd, 0x57, 0x13, 0xab, 0x93, 0xfd, 0x7e, 0xce, 0x73, 0x6e, 0x04, 0xbe,
+	0x71, 0xd4, 0x7f, 0xa7, 0x77, 0x2b, 0x62, 0x75, 0xbc, 0xd7, 0xcf, 0x78, 0xc6, 0x8d, 0xc0, 0xd3,
-	0x3e, 0x55, 0xda, 0xfd, 0x61, 0xce, 0x79, 0xbe, 0x20, 0xbe, 0xf9, 0x4a, 0x96, 0xd7, 0xbe, 0xa2,
+	0xa7, 0x52, 0xbb, 0x37, 0xcc, 0x38, 0xcf, 0x16, 0xc4, 0x33, 0x5f, 0xf1, 0xf2, 0xca, 0x53, 0x94,
-	0x8c, 0x48, 0x15, 0xb3, 0xb2, 0x12, 0x1c, 0xfc, 0xb6, 0x0d, 0xdd, 0xcb, 0xaa, 0x0a, 0xea, 0x43,
+	0x11, 0xa9, 0x22, 0x56, 0x94, 0x82, 0xfd, 0xdf, 0x9a, 0xd0, 0xb9, 0x28, 0xab, 0xa0, 0x3e, 0xb4,
-	0x3b, 0x23, 0xc9, 0x32, 0x77, 0xad, 0x91, 0x75, 0xd8, 0x8b, 0xaa, 0x0f, 0x74, 0x06, 0x60, 0x0e,
+	0x52, 0x12, 0x2f, 0x33, 0xc7, 0x1a, 0x59, 0x07, 0xdd, 0xb0, 0xfc, 0x40, 0xa7, 0x00, 0xe6, 0x80,
-	0x58, 0xad, 0x4b, 0xe2, 0x3e, 0x18, 0x59, 0x87, 0xbb, 0xcf, 0x9f, 0x78, 0x1f, 0xea, 0xc1, 0xab,
+	0xd5, 0xba, 0x20, 0xce, 0x83, 0x91, 0x75, 0xb0, 0xf3, 0xfc, 0x89, 0x7b, 0x5f, 0x0f, 0x6e, 0x65,
-	0x8d, 0xbc, 0x89, 0xd6, 0x5f, 0xad, 0x4b, 0x12, 0xd9, 0x59, 0x73, 0x44, 0x8f, 0x61, 0x47, 0x90,
+	0xe4, 0x4e, 0xb4, 0xfe, 0x72, 0x5d, 0x90, 0xd0, 0x4e, 0xeb, 0x23, 0x7a, 0x0c, 0xdb, 0x82, 0x64,
-	0x9c, 0x4a, 0x25, 0xd6, 0x58, 0x70, 0xae, 0xdc, 0xad, 0x91, 0x75, 0x68, 0x47, 0x1f, 0x35, 0x60,
+	0x54, 0x2a, 0xb1, 0xc6, 0x82, 0x73, 0xe5, 0x6c, 0x8d, 0xac, 0x03, 0x3b, 0xfc, 0xa8, 0x06, 0x43,
-	0xc4, 0xb9, 0xd2, 0x22, 0x19, 0x17, 0x59, 0xc2, 0x6f, 0x30, 0x65, 0x71, 0x4e, 0xdc, 0xed, 0x4a,
+	0xce, 0x95, 0x16, 0xc9, 0x28, 0x4f, 0x63, 0x7e, 0x8d, 0x29, 0x8b, 0x32, 0xe2, 0x34, 0x4b, 0x51,
-	0x54, 0x83, 0x81, 0xc6, 0xd0, 0x53, 0x70, 0x1a, 0x51, 0xb9, 0x88, 0xd5, 0x35, 0x17, 0xcc, 0x6d,
+	0x05, 0xfa, 0x1a, 0x43, 0x4f, 0xa1, 0x57, 0x8b, 0x8a, 0x45, 0xa4, 0xae, 0xb8, 0x60, 0x4e, 0xcb,
-	0x1b, 0xdd, 0xa3, 0x1a, 0x0f, 0x6b, 0x18, 0xfd, 0x04, 0x7b, 0xf7, 0x7e, 0x92, 0x2f, 0x62, 0xdd,
+	0xe8, 0x1e, 0x55, 0x78, 0x50, 0xc1, 0xe8, 0x27, 0xd8, 0xbd, 0xf3, 0x93, 0x7c, 0x11, 0xe9, 0xfe,
-	0x9f, 0xdb, 0x31, 0x33, 0x78, 0xff, 0x3d, 0xc3, 0xac, 0xae, 0xd8, 0xdc, 0x8a, 0x9a, 0x9a, 0xf7,
+	0x9c, 0xb6, 0x99, 0xc1, 0xfd, 0xff, 0x19, 0x66, 0x55, 0xc5, 0xfa, 0x56, 0x58, 0xd7, 0xbc, 0x43,
-	0x08, 0xf2, 0xa1, 0x9f, 0x70, 0xae, 0xf0, 0x35, 0x5d, 0x10, 0x69, 0x66, 0xc2, 0x65, 0xac, 0xe6,
+	0x90, 0x07, 0xfd, 0x98, 0x73, 0x85, 0xaf, 0xe8, 0x82, 0x48, 0x33, 0x13, 0x2e, 0x22, 0x35, 0x77,
-	0x6e, 0xd7, 0xf4, 0xb2, 0xa7, 0xb9, 0x33, 0x4d, 0xe9, 0xc9, 0xc2, 0x58, 0xcd, 0xd1, 0x33, 0x40,
+	0x3a, 0xa6, 0x97, 0x5d, 0xcd, 0x9d, 0x6a, 0x4a, 0x4f, 0x16, 0x44, 0x6a, 0x8e, 0x9e, 0x01, 0x5a,
-	0x2b, 0x86, 0x4b, 0xc1, 0x53, 0x22, 0x25, 0x17, 0x38, 0xe5, 0xcb, 0x42, 0xb9, 0xbd, 0x91, 0x75,
+	0x31, 0x5c, 0x08, 0x9e, 0x10, 0x29, 0xb9, 0xc0, 0x09, 0x5f, 0xe6, 0xca, 0xe9, 0x8e, 0xac, 0x83,
-	0xd8, 0x8e, 0x9c, 0x15, 0x0b, 0x1b, 0xe2, 0x54, 0xe3, 0xc8, 0x83, 0xfe, 0x8a, 0x61, 0x46, 0x18,
+	0x56, 0xd8, 0x5b, 0xb1, 0xa0, 0x26, 0x4e, 0x34, 0x8e, 0x5c, 0xe8, 0xaf, 0x18, 0x66, 0x84, 0x71,
-	0x17, 0x6b, 0x2c, 0xe9, 0x1b, 0x82, 0x69, 0x81, 0x59, 0xe2, 0xda, 0x8d, 0xfe, 0xdc, 0x50, 0x33,
+	0xb1, 0xc6, 0x92, 0xbe, 0x21, 0x98, 0xe6, 0x98, 0xc5, 0x8e, 0x5d, 0xeb, 0xcf, 0x0c, 0x35, 0xa3,
-	0xfa, 0x86, 0x04, 0xc5, 0x79, 0x82, 0x06, 0x00, 0x5f, 0x87, 0xdf, 0xbd, 0x7c, 0x31, 0xd1, 0xb5,
+	0x6f, 0x88, 0x9f, 0x9f, 0xc5, 0x68, 0x00, 0xf0, 0x75, 0xf0, 0xdd, 0xcb, 0x17, 0x13, 0x5d, 0xcb,
-	0x5c, 0x30, 0x4d, 0x40, 0x7e, 0x8f, 0x1c, 0x3c, 0x05, 0xfb, 0xfe, 0x61, 0x90, 0x0d, 0xed, 0x8b,
+	0x01, 0xd3, 0xc4, 0xbf, 0x90, 0xfd, 0xa7, 0x60, 0xdf, 0x3d, 0x0c, 0xb2, 0xa1, 0x75, 0x1e, 0xf8,
-	0x30, 0x08, 0xa7, 0x4e, 0x0b, 0xf5, 0x60, 0xfb, 0x2c, 0xf8, 0x76, 0xea, 0x58, 0xa8, 0x0b, 0x5b,
+	0xc1, 0xb4, 0xd7, 0x40, 0x5d, 0x68, 0x9e, 0xfa, 0xdf, 0x4e, 0x7b, 0x16, 0xea, 0xc0, 0xd6, 0xf4,
-	0xd3, 0xab, 0x57, 0xce, 0x83, 0x03, 0x1f, 0x9c, 0xf7, 0xe7, 0x47, 0x0f, 0xa1, 0x1b, 0x46, 0x97,
+	0xf2, 0x55, 0xef, 0xc1, 0xbe, 0x07, 0xbd, 0xf7, 0xe7, 0x47, 0x0f, 0xa1, 0x13, 0x84, 0x17, 0x27,
-	0xa7, 0xd3, 0xd9, 0xcc, 0x69, 0xa1, 0x5d, 0x80, 0x17, 0x3f, 0x84, 0xd3, 0xe8, 0x65, 0x30, 0xbb,
+	0xd3, 0xd9, 0xac, 0xd7, 0x40, 0x3b, 0x00, 0x2f, 0x7e, 0x08, 0xa6, 0xe1, 0x4b, 0x7f, 0x76, 0x11,
-	0x8c, 0x1c, 0xeb, 0xe0, 0xcf, 0x2d, 0xd8, 0xad, 0xdb, 0x9f, 0x10, 0x15, 0xd3, 0x85, 0x44, 0x9f,
+	0xf6, 0xac, 0xfd, 0x3f, 0xb7, 0x60, 0xa7, 0x6a, 0x7f, 0x42, 0x54, 0x44, 0x17, 0x12, 0x7d, 0x06,
-	0x01, 0x98, 0x27, 0xc4, 0x45, 0xcc, 0x88, 0x89, 0x94, 0x1d, 0xd9, 0x06, 0xb9, 0x88, 0x19, 0x41,
+	0x60, 0x9e, 0x10, 0xe7, 0x11, 0x23, 0x26, 0x52, 0x76, 0x68, 0x1b, 0xe4, 0x3c, 0x62, 0x04, 0x9d,
-	0xa7, 0x00, 0xa9, 0x20, 0xb1, 0x22, 0x19, 0x8e, 0x95, 0x89, 0xd5, 0xc3, 0xe7, 0xfb, 0x5e, 0x15,
+	0x00, 0x24, 0x82, 0x44, 0x8a, 0xa4, 0x38, 0x52, 0x26, 0x56, 0x0f, 0x9f, 0xef, 0xb9, 0x65, 0x5c,
-	0x57, 0xaf, 0x89, 0xab, 0x77, 0xd5, 0xc4, 0x75, 0xdc, 0xbb, 0xbd, 0x1b, 0xb6, 0x7e, 0xfd, 0x6b,
+	0xdd, 0x3a, 0xae, 0xee, 0x65, 0x1d, 0xd7, 0x71, 0xf7, 0xe6, 0x76, 0xd8, 0xf8, 0xf5, 0xaf, 0xa1,
-	0x68, 0x45, 0x76, 0x7d, 0xef, 0x2b, 0x85, 0x3e, 0x07, 0xf4, 0x9a, 0x88, 0x82, 0x2c, 0xb0, 0xce,
+	0x15, 0xda, 0xd5, 0xbd, 0xaf, 0x14, 0xfa, 0x1c, 0xd0, 0x6b, 0x22, 0x72, 0xb2, 0xc0, 0x3a, 0xd7,
-	0x35, 0x3e, 0x39, 0x3e, 0xc6, 0x85, 0x34, 0xc1, 0xda, 0x8e, 0x1e, 0x55, 0x8c, 0x76, 0x38, 0x39,
+	0xf8, 0xf8, 0xe8, 0x08, 0xe7, 0xd2, 0x04, 0xab, 0x19, 0x3e, 0x2a, 0x19, 0xed, 0x70, 0x7c, 0x74,
-	0x3e, 0xbe, 0x90, 0xc8, 0x83, 0x8f, 0xeb, 0x65, 0xa6, 0x9c, 0x31, 0xaa, 0x70, 0xb2, 0x56, 0x44,
+	0x74, 0x2e, 0x91, 0x0b, 0x1f, 0x57, 0xcb, 0x4c, 0x38, 0x63, 0x54, 0xe1, 0x78, 0xad, 0x88, 0x34,
-	0x9a, 0x84, 0x6d, 0x47, 0x7b, 0x15, 0x75, 0x6a, 0x98, 0xb1, 0x26, 0xd0, 0x19, 0x8c, 0x6a, 0xfd,
+	0x09, 0x6b, 0x86, 0xbb, 0x25, 0x75, 0x62, 0x98, 0xb1, 0x26, 0xd0, 0x29, 0x8c, 0x2a, 0xfd, 0xcf,
-	0xcf, 0x5c, 0xbc, 0xa6, 0x45, 0x8e, 0x25, 0x51, 0xb8, 0x14, 0x74, 0x15, 0x2b, 0x52, 0x5f, 0x6e,
+	0x5c, 0xbc, 0xa6, 0x79, 0x86, 0x25, 0x51, 0xb8, 0x10, 0x74, 0x15, 0x29, 0x52, 0x5d, 0x6e, 0x99,
-	0x9b, 0xcb, 0x9f, 0x56, 0xba, 0x57, 0x95, 0x6c, 0x46, 0x54, 0x58, 0x89, 0x2a, 0x9f, 0x09, 0x0c,
+	0xcb, 0x9f, 0x96, 0xba, 0x57, 0xa5, 0x6c, 0x46, 0x54, 0x50, 0x8a, 0x4a, 0x9f, 0x09, 0x0c, 0xef,
-	0x3f, 0xe0, 0x23, 0xe7, 0xb1, 0x20, 0x59, 0x6d, 0xd3, 0x31, 0x36, 0x9f, 0xbc, 0x6f, 0x33, 0x33,
+	0xf1, 0x91, 0xf3, 0x48, 0x90, 0xb4, 0xb2, 0x69, 0x1b, 0x9b, 0x4f, 0xde, 0xb7, 0x99, 0x19, 0x4d,
-	0x9a, 0xca, 0xe5, 0x19, 0x40, 0x1d, 0x1c, 0x4c, 0x33, 0x13, 0xb1, 0x9d, 0xf1, 0xce, 0xe6, 0x6e,
+	0xe9, 0xf2, 0x0c, 0xa0, 0x0a, 0x0e, 0xa6, 0xa9, 0x89, 0xd8, 0xf6, 0x78, 0x7b, 0x73, 0x3b, 0xb4,
-	0x68, 0xd7, 0x6b, 0x0f, 0x26, 0x91, 0x5d, 0x0b, 0x82, 0x0c, 0x3d, 0x01, 0x67, 0x29, 0x89, 0xf8,
+	0xab, 0xb5, 0xfb, 0x93, 0xd0, 0xae, 0x04, 0x7e, 0x8a, 0x9e, 0x40, 0x6f, 0x29, 0x89, 0xf8, 0xcf,
-	0xd7, 0x5a, 0x7a, 0xa6, 0xc8, 0x8e, 0xc6, 0xdf, 0x2d, 0xe5, 0x31, 0x74, 0xc9, 0x0d, 0x49, 0xb5,
+	0x5a, 0xba, 0xa6, 0xc8, 0xb6, 0xc6, 0xdf, 0x2d, 0xe5, 0x31, 0x74, 0xc8, 0x35, 0x49, 0xb4, 0xa7,
-	0xa7, 0xce, 0x95, 0x3d, 0x86, 0xcd, 0xdd, 0xb0, 0x33, 0xbd, 0x21, 0x69, 0x30, 0x89, 0x3a, 0x9a,
+	0xce, 0x95, 0x3d, 0x86, 0xcd, 0xed, 0xb0, 0x3d, 0xbd, 0x26, 0x89, 0x3f, 0x09, 0xdb, 0x9a, 0xf2,
-	0x0a, 0xb2, 0x71, 0x76, 0xfb, 0x76, 0xd0, 0xfa, 0xe3, 0xed, 0xa0, 0xf5, 0xcb, 0x66, 0x60, 0xdd,
+	0xd3, 0x71, 0x7a, 0xf3, 0x76, 0xd0, 0xf8, 0xe3, 0xed, 0xa0, 0xf1, 0xcb, 0x66, 0x60, 0xdd, 0x6c,
-	0x6e, 0x06, 0xd6, 0xef, 0x9b, 0x81, 0xf5, 0xf7, 0x66, 0x60, 0xfd, 0xf8, 0xcd, 0xff, 0xff, 0x73,
+	0x06, 0xd6, 0xef, 0x9b, 0x81, 0xf5, 0xf7, 0x66, 0x60, 0xfd, 0xf8, 0xcd, 0x87, 0xff, 0xb9, 0x7d,
-	0xfb, 0xb2, 0xfe, 0xfd, 0xbe, 0x95, 0x74, 0xcc, 0xbb, 0x7f, 0xf1, 0x4f, 0x00, 0x00, 0x00, 0xff,
+	0x59, 0xfd, 0x7e, 0xdf, 0x88, 0xdb, 0xe6, 0xdd, 0xbf, 0xf8, 0x27, 0x00, 0x00, 0xff, 0xff, 0x75,
-	0xff, 0xc9, 0xeb, 0xae, 0x6f, 0x33, 0x05, 0x00, 0x00,
+	0x1f, 0x14, 0xf4, 0x33, 0x05, 0x00, 0x00,
 }
 
 func (m *Options) Marshal() (dAtA []byte, err error) {

vendor/github.com/Microsoft/hcsshim/go.mod

@@ -3,8 +3,8 @@ module github.com/Microsoft/hcsshim
 go 1.13
 
 require (
-	github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5
+	github.com/Microsoft/go-winio v0.4.15-0.20200908182639-5b44b70ab3ab
-	github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f
+	github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59
 	github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1
 	github.com/containerd/containerd v1.3.2
 	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect
@@ -17,16 +17,16 @@ require (
 	github.com/kr/pretty v0.1.0 // indirect
 	github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 // indirect
 	github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f // indirect
-	github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700
+	github.com/opencontainers/runtime-spec v1.0.2
-	github.com/pkg/errors v0.8.1
+	github.com/pkg/errors v0.9.1
 	github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7 // indirect
 	github.com/sirupsen/logrus v1.4.2
 	github.com/stretchr/testify v1.4.0 // indirect
-	github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5
+	github.com/urfave/cli v1.22.2
 	go.opencensus.io v0.22.0
 	golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 // indirect
 	golang.org/x/sync v0.0.0-20190423024810-112230192c58
-	golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3
+	golang.org/x/sys v0.0.0-20200120151820-655fe14d7479
 	google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873 // indirect
 	google.golang.org/grpc v1.23.1
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect

vendor/github.com/Microsoft/hcsshim/hcn/hcn.go

@@ -207,6 +207,42 @@ func IPv6DualStackSupported() error {
 	return platformDoesNotSupportError("IPv6 DualStack")
 }
 
+//L4proxySupported returns an error if the HCN verison does not support L4Proxy
+func L4proxyPolicySupported() error {
+	supported := GetSupportedFeatures()
+	if supported.L4Proxy {
+		return nil
+	}
+	return platformDoesNotSupportError("L4ProxyPolicy")
+}
+
+// L4WfpProxySupported returns an error if the HCN verison does not support L4WfpProxy
+func L4WfpProxyPolicySupported() error {
+	supported := GetSupportedFeatures()
+	if supported.L4WfpProxy {
+		return nil
+	}
+	return platformDoesNotSupportError("L4WfpProxyPolicy")
+}
+
+// SetPolicySupported returns an error if the HCN version does not support SetPolicy.
+func SetPolicySupported() error {
+	supported := GetSupportedFeatures()
+	if supported.SetPolicy {
+		return nil
+	}
+	return platformDoesNotSupportError("SetPolicy")
+}
+
+// VxlanPortSupported returns an error if the HCN version does not support configuring the VXLAN TCP port.
+func VxlanPortSupported() error {
+	supported := GetSupportedFeatures()
+	if supported.VxlanPort {
+		return nil
+	}
+	return platformDoesNotSupportError("VXLAN port configuration")
+}
+
 // RequestType are the different operations performed to settings.
 // Used to update the settings of Endpoint/Namespace objects.
 type RequestType string

vendor/github.com/Microsoft/hcsshim/hcn/hcnglobals.go

@@ -37,8 +37,11 @@ var (
 	RemoteSubnetVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 9, Minor: 2}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
 	// A Host Route policy allows for local container to local host communication Overlay networks
 	HostRouteVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 9, Minor: 2}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
-	// HNS 10.2 allows for Direct Server Return for loadbalancing
+	// HNS 9.3 through 10.0 (not included), and 10.2+ allows for Direct Server Return for loadbalancing
-	DSRVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 10, Minor: 2}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
+	DSRVersion = VersionRanges{
+		VersionRange{MinVersion: Version{Major: 9, Minor: 3}, MaxVersion: Version{Major: 9, Minor: math.MaxInt32}},
+		VersionRange{MinVersion: Version{Major: 10, Minor: 2}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}},
+	}
 	// HNS 9.3 through 10.0 (not included) and, 10.4+ provide support for configuring endpoints with /32 prefixes
 	Slash32EndpointPrefixesVersion = VersionRanges{
 		VersionRange{MinVersion: Version{Major: 9, Minor: 3}, MaxVersion: Version{Major: 9, Minor: math.MaxInt32}},
@@ -46,8 +49,7 @@ var (
 	}
 	// HNS 9.3 through 10.0 (not included) and, 10.4+ allow for HNS ACL Policies to support protocol 252 for VXLAN
 	AclSupportForProtocol252Version = VersionRanges{
-		VersionRange{MinVersion: Version{Major: 9, Minor: 3}, MaxVersion: Version{Major: 9, Minor: math.MaxInt32}},
+		VersionRange{MinVersion: Version{Major: 11, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}},
-		VersionRange{MinVersion: Version{Major: 10, Minor: 4}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}},
 	}
 	// HNS 12.0 allows for session affinity for loadbalancing
 	SessionAffinityVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 12, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
@@ -56,6 +58,16 @@ var (
 		VersionRange{MinVersion: Version{Major: 10, Minor: 5}, MaxVersion: Version{Major: 10, Minor: math.MaxInt32}},
 		VersionRange{MinVersion: Version{Major: 12, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}},
 	}
+	// HNS 13.0 allows for Set Policy support
+	SetPolicyVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 13, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
+	// HNS 10.3 allows for VXLAN ports
+	VxlanPortVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 10, Minor: 3}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
+
+	//HNS 13.1 allows for L4Proxy Policy support
+	L4ProxyPolicyVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 13, Minor: 1}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
+
+	//HNS 13.2 allows for L4WfpProxy Policy support
+	L4WfpProxyPolicyVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 13, Minor: 2}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
 )
 
 // GetGlobals returns the global properties of the HCN Service.

vendor/github.com/Microsoft/hcsshim/hcn/hcnpolicy.go

@@ -43,7 +43,10 @@ const (
 	InterfaceConstraint NetworkPolicyType = "InterfaceConstraint"
 	ProviderAddress     NetworkPolicyType = "ProviderAddress"
 	RemoteSubnetRoute   NetworkPolicyType = "RemoteSubnetRoute"
+	VxlanPort           NetworkPolicyType = "VxlanPort"
 	HostRoute           NetworkPolicyType = "HostRoute"
+	SetPolicy           NetworkPolicyType = "SetPolicy"
+	NetworkL4Proxy      NetworkPolicyType = "L4Proxy"
 )
 
 // NetworkPolicy is a collection of Policy settings for a Network.
@@ -230,3 +233,45 @@ type RemoteSubnetRoutePolicySetting struct {
 	ProviderAddress             string
 	DistributedRouterMacAddress string
 }
+
+// SetPolicyTypes associated with SetPolicy. Value is IPSET.
+type SetPolicyType string
+
+const (
+	SetPolicyTypeIpSet SetPolicyType = "IPSET"
+)
+
+// SetPolicySetting creates IPSets on network
+type SetPolicySetting struct {
+	Id     string
+	Name   string
+	Type   SetPolicyType
+	Values string
+}
+
+// VxlanPortPolicySetting allows configuring the VXLAN TCP port
+type VxlanPortPolicySetting struct {
+	Port uint16
+}
+
+// ProtocolType associated with L4ProxyPolicy
+type ProtocolType uint32
+
+const (
+	ProtocolTypeUnknown ProtocolType = 0
+	ProtocolTypeICMPv4  ProtocolType = 1
+	ProtocolTypeIGMP    ProtocolType = 2
+	ProtocolTypeTCP     ProtocolType = 6
+	ProtocolTypeUDP     ProtocolType = 17
+	ProtocolTypeICMPv6  ProtocolType = 58
+)
+
+//L4ProxyPolicySetting applies proxy policy on network/endpoint
+type L4ProxyPolicySetting struct {
+	IP          string       `json:",omitempty"`
+	Port        string       `json:",omitempty"`
+	Protocol    ProtocolType `json:",omitempty"`
+	Exceptions  []string     `json:",omitempty"`
+	Destination string
+	OutboundNAT bool `json:",omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/hcn/hcnsupport.go

@@ -15,6 +15,10 @@ type SupportedFeatures struct {
 	AclSupportForProtocol252 bool        `json:"AclSupportForProtocol252"`
 	SessionAffinity          bool        `json:"SessionAffinity"`
 	IPv6DualStack            bool        `json:"IPv6DualStack"`
+	SetPolicy                bool        `json:"SetPolicy"`
+	VxlanPort                bool        `json:"VxlanPort"`
+	L4Proxy                  bool        `json:"L4Proxy"`    // network policy that applies VFP rules to all endpoints on the network to redirect traffic
+	L4WfpProxy               bool        `json:"L4WfpProxy"` // endpoint policy that applies WFP filters to redirect traffic to/from that endpoint
 }
 
 // AclFeatures are the supported ACL possibilities.
@@ -61,6 +65,10 @@ func GetSupportedFeatures() SupportedFeatures {
 	features.AclSupportForProtocol252 = isFeatureSupported(globals.Version, AclSupportForProtocol252Version)
 	features.SessionAffinity = isFeatureSupported(globals.Version, SessionAffinityVersion)
 	features.IPv6DualStack = isFeatureSupported(globals.Version, IPv6DualStackVersion)
+	features.SetPolicy = isFeatureSupported(globals.Version, SetPolicyVersion)
+	features.VxlanPort = isFeatureSupported(globals.Version, VxlanPortVersion)
+	features.L4Proxy = isFeatureSupported(globals.Version, L4ProxyPolicyVersion)
+	features.L4WfpProxy = isFeatureSupported(globals.Version, L4WfpProxyPolicyVersion)
 
 	return features
 }

vendor/github.com/Microsoft/hcsshim/internal/hcs/service.go

@@ -0,0 +1,49 @@
+package hcs
+
+import (
+	"context"
+	"encoding/json"
+
+	hcsschema "github.com/Microsoft/hcsshim/internal/schema2"
+	"github.com/Microsoft/hcsshim/internal/vmcompute"
+)
+
+// GetServiceProperties returns properties of the host compute service.
+func GetServiceProperties(ctx context.Context, q hcsschema.PropertyQuery) (*hcsschema.ServiceProperties, error) {
+	operation := "hcsshim::GetServiceProperties"
+
+	queryb, err := json.Marshal(q)
+	if err != nil {
+		return nil, err
+	}
+	propertiesJSON, resultJSON, err := vmcompute.HcsGetServiceProperties(ctx, string(queryb))
+	events := processHcsResult(ctx, resultJSON)
+	if err != nil {
+		return nil, &HcsError{Op: operation, Err: err, Events: events}
+	}
+
+	if propertiesJSON == "" {
+		return nil, ErrUnexpectedValue
+	}
+	properties := &hcsschema.ServiceProperties{}
+	if err := json.Unmarshal([]byte(propertiesJSON), properties); err != nil {
+		return nil, err
+	}
+	return properties, nil
+}
+
+// ModifyServiceSettings modifies settings of the host compute service.
+func ModifyServiceSettings(ctx context.Context, settings hcsschema.ModificationRequest) error {
+	operation := "hcsshim::ModifyServiceSettings"
+
+	settingsJSON, err := json.Marshal(settings)
+	if err != nil {
+		return err
+	}
+	resultJSON, err := vmcompute.HcsModifyServiceSettings(ctx, string(settingsJSON))
+	events := processHcsResult(ctx, resultJSON)
+	if err != nil {
+		return &HcsError{Op: operation, Err: err, Events: events}
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go

@@ -28,7 +28,6 @@ type System struct {
 	waitBlock      chan struct{}
 	waitError      error
 	exitError      error
-
 	os, typ        string
 }
 

vendor/github.com/Microsoft/hcsshim/internal/hns/hnsendpoint.go

@@ -17,12 +17,15 @@ type HNSEndpoint struct {
 	Policies           []json.RawMessage `json:",omitempty"`
 	MacAddress         string            `json:",omitempty"`
 	IPAddress          net.IP            `json:",omitempty"`
+	IPv6Address        net.IP            `json:",omitempty"`
 	DNSSuffix          string            `json:",omitempty"`
 	DNSServerList      string            `json:",omitempty"`
 	GatewayAddress     string            `json:",omitempty"`
+	GatewayAddressV6   string            `json:",omitempty"`
 	EnableInternalDNS  bool              `json:",omitempty"`
 	DisableICC         bool              `json:",omitempty"`
 	PrefixLength       uint8             `json:",omitempty"`
+	IPv6PrefixLength   uint8             `json:",omitempty"`
 	IsRemoteEndpoint   bool              `json:",omitempty"`
 	EnableLowMetric    bool              `json:",omitempty"`
 	Namespace          *Namespace        `json:",omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/safefile/safeopen.go

@@ -11,72 +11,11 @@ import (
 	"unsafe"
 
 	"github.com/Microsoft/hcsshim/internal/longpath"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 
 	winio "github.com/Microsoft/go-winio"
 )
 
-//go:generate go run $GOROOT\src\syscall\mksyscall_windows.go -output zsyscall_windows.go safeopen.go
-
-//sys ntCreateFile(handle *uintptr, accessMask uint32, oa *objectAttributes, iosb *ioStatusBlock, allocationSize *uint64, fileAttributes uint32, shareAccess uint32, createDisposition uint32, createOptions uint32, eaBuffer *byte, eaLength uint32) (status uint32) = ntdll.NtCreateFile
-//sys ntSetInformationFile(handle uintptr, iosb *ioStatusBlock, information uintptr, length uint32, class uint32) (status uint32) = ntdll.NtSetInformationFile
-//sys rtlNtStatusToDosError(status uint32) (winerr error) = ntdll.RtlNtStatusToDosErrorNoTeb
-//sys localAlloc(flags uint32, size int) (ptr uintptr) = kernel32.LocalAlloc
-//sys localFree(ptr uintptr) = kernel32.LocalFree
-
-type ioStatusBlock struct {
-	Status, Information uintptr
-}
-
-type objectAttributes struct {
-	Length             uintptr
-	RootDirectory      uintptr
-	ObjectName         uintptr
-	Attributes         uintptr
-	SecurityDescriptor uintptr
-	SecurityQoS        uintptr
-}
-
-type unicodeString struct {
-	Length        uint16
-	MaximumLength uint16
-	Buffer        uintptr
-}
-
-type fileLinkInformation struct {
-	ReplaceIfExists bool
-	RootDirectory   uintptr
-	FileNameLength  uint32
-	FileName        [1]uint16
-}
-
-type fileDispositionInformationEx struct {
-	Flags uintptr
-}
-
-const (
-	_FileLinkInformation          = 11
-	_FileDispositionInformationEx = 64
-
-	FILE_READ_ATTRIBUTES  = 0x0080
-	FILE_WRITE_ATTRIBUTES = 0x0100
-	DELETE                = 0x10000
-
-	FILE_OPEN   = 1
-	FILE_CREATE = 2
-
-	FILE_DIRECTORY_FILE          = 0x00000001
-	FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020
-	FILE_DELETE_ON_CLOSE         = 0x00001000
-	FILE_OPEN_FOR_BACKUP_INTENT  = 0x00004000
-	FILE_OPEN_REPARSE_POINT      = 0x00200000
-
-	FILE_DISPOSITION_DELETE = 0x00000001
-
-	_OBJ_DONT_REPARSE = 0x1000
-
-	_STATUS_REPARSE_POINT_ENCOUNTERED = 0xC000050B
-)
-
 func OpenRoot(path string) (*os.File, error) {
 	longpath, err := longpath.LongAbs(path)
 	if err != nil {
@@ -85,16 +24,24 @@ func OpenRoot(path string) (*os.File, error) {
 	return winio.OpenForBackup(longpath, syscall.GENERIC_READ, syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE, syscall.OPEN_EXISTING)
 }
 
-func ntRelativePath(path string) ([]uint16, error) {
+func cleanGoStringRelativePath(path string) (string, error) {
 	path = filepath.Clean(path)
 	if strings.Contains(path, ":") {
 		// Since alternate data streams must follow the file they
 		// are attached to, finding one here (out of order) is invalid.
-		return nil, errors.New("path contains invalid character `:`")
+		return "", errors.New("path contains invalid character `:`")
 	}
 	fspath := filepath.FromSlash(path)
 	if len(fspath) > 0 && fspath[0] == '\\' {
-		return nil, errors.New("expected relative path")
+		return "", errors.New("expected relative path")
+	}
+	return fspath, nil
+}
+
+func ntRelativePath(path string) ([]uint16, error) {
+	fspath, err := cleanGoStringRelativePath(path)
+	if err != nil {
+		return nil, err
 	}
 
 	path16 := utf16.Encode(([]rune)(fspath))
@@ -110,11 +57,11 @@ func ntRelativePath(path string) ([]uint16, error) {
 func openRelativeInternal(path string, root *os.File, accessMask uint32, shareFlags uint32, createDisposition uint32, flags uint32) (*os.File, error) {
 	var (
 		h    uintptr
-		iosb ioStatusBlock
+		iosb winapi.IOStatusBlock
-		oa   objectAttributes
+		oa   winapi.ObjectAttributes
 	)
 
-	path16, err := ntRelativePath(path)
+	cleanRelativePath, err := cleanGoStringRelativePath(path)
 	if err != nil {
 		return nil, err
 	}
@@ -123,20 +70,16 @@ func openRelativeInternal(path string, root *os.File, accessMask uint32, shareFl
 		return nil, errors.New("missing root directory")
 	}
 
-	upathBuffer := localAlloc(0, int(unsafe.Sizeof(unicodeString{}))+len(path16)*2)
+	pathUnicode, err := winapi.NewUnicodeString(cleanRelativePath)
-	defer localFree(upathBuffer)
+	if err != nil {
-
+		return nil, err
-	upath := (*unicodeString)(unsafe.Pointer(upathBuffer))
+	}
-	upath.Length = uint16(len(path16) * 2)
-	upath.MaximumLength = upath.Length
-	upath.Buffer = upathBuffer + unsafe.Sizeof(*upath)
-	copy((*[32768]uint16)(unsafe.Pointer(upath.Buffer))[:], path16)
 
 	oa.Length = unsafe.Sizeof(oa)
-	oa.ObjectName = upathBuffer
+	oa.ObjectName = uintptr(unsafe.Pointer(pathUnicode))
 	oa.RootDirectory = uintptr(root.Fd())
-	oa.Attributes = _OBJ_DONT_REPARSE
+	oa.Attributes = winapi.OBJ_DONT_REPARSE
-	status := ntCreateFile(
+	status := winapi.NtCreateFile(
 		&h,
 		accessMask|syscall.SYNCHRONIZE,
 		&oa,
@@ -145,12 +88,12 @@ func openRelativeInternal(path string, root *os.File, accessMask uint32, shareFl
 		0,
 		shareFlags,
 		createDisposition,
-		FILE_OPEN_FOR_BACKUP_INTENT|FILE_SYNCHRONOUS_IO_NONALERT|flags,
+		winapi.FILE_OPEN_FOR_BACKUP_INTENT|winapi.FILE_SYNCHRONOUS_IO_NONALERT|flags,
 		nil,
 		0,
 	)
 	if status != 0 {
-		return nil, rtlNtStatusToDosError(status)
+		return nil, winapi.RtlNtStatusToDosError(status)
 	}
 
 	fullPath, err := longpath.LongAbs(filepath.Join(root.Name(), path))
@@ -182,7 +125,7 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 		oldroot,
 		syscall.FILE_WRITE_ATTRIBUTES,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
 		0,
 	)
 	if err != nil {
@@ -199,8 +142,8 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 			newroot,
 			syscall.GENERIC_READ,
 			syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-			FILE_OPEN,
+			winapi.FILE_OPEN,
-			FILE_DIRECTORY_FILE)
+			winapi.FILE_DIRECTORY_FILE)
 		if err != nil {
 			return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(newroot.Name(), newname), Err: err}
 		}
@@ -211,7 +154,7 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 			return err
 		}
 		if (fi.FileAttributes & syscall.FILE_ATTRIBUTE_REPARSE_POINT) != 0 {
-			return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(newroot.Name(), newname), Err: rtlNtStatusToDosError(_STATUS_REPARSE_POINT_ENCOUNTERED)}
+			return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(newroot.Name(), newname), Err: winapi.RtlNtStatusToDosError(winapi.STATUS_REPARSE_POINT_ENCOUNTERED)}
 		}
 
 	} else {
@@ -227,24 +170,25 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 		return err
 	}
 
-	size := int(unsafe.Offsetof(fileLinkInformation{}.FileName)) + len(newbase16)*2
+	size := int(unsafe.Offsetof(winapi.FileLinkInformation{}.FileName)) + len(newbase16)*2
-	linkinfoBuffer := localAlloc(0, size)
+	linkinfoBuffer := winapi.LocalAlloc(0, size)
-	defer localFree(linkinfoBuffer)
+	defer winapi.LocalFree(linkinfoBuffer)
-	linkinfo := (*fileLinkInformation)(unsafe.Pointer(linkinfoBuffer))
+
+	linkinfo := (*winapi.FileLinkInformation)(unsafe.Pointer(linkinfoBuffer))
 	linkinfo.RootDirectory = parent.Fd()
 	linkinfo.FileNameLength = uint32(len(newbase16) * 2)
 	copy((*[32768]uint16)(unsafe.Pointer(&linkinfo.FileName[0]))[:], newbase16)
 
-	var iosb ioStatusBlock
+	var iosb winapi.IOStatusBlock
-	status := ntSetInformationFile(
+	status := winapi.NtSetInformationFile(
 		oldf.Fd(),
 		&iosb,
 		linkinfoBuffer,
 		uint32(size),
-		_FileLinkInformation,
+		winapi.FileLinkInformationClass,
 	)
 	if status != 0 {
-		return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(parent.Name(), newbase), Err: rtlNtStatusToDosError(status)}
+		return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(parent.Name(), newbase), Err: winapi.RtlNtStatusToDosError(status)}
 	}
 
 	return nil
@@ -252,17 +196,17 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 
 // deleteOnClose marks a file to be deleted when the handle is closed.
 func deleteOnClose(f *os.File) error {
-	disposition := fileDispositionInformationEx{Flags: FILE_DISPOSITION_DELETE}
+	disposition := winapi.FileDispositionInformationEx{Flags: winapi.FILE_DISPOSITION_DELETE}
-	var iosb ioStatusBlock
+	var iosb winapi.IOStatusBlock
-	status := ntSetInformationFile(
+	status := winapi.NtSetInformationFile(
 		f.Fd(),
 		&iosb,
 		uintptr(unsafe.Pointer(&disposition)),
 		uint32(unsafe.Sizeof(disposition)),
-		_FileDispositionInformationEx,
+		winapi.FileDispositionInformationExClass,
 	)
 	if status != 0 {
-		return rtlNtStatusToDosError(status)
+		return winapi.RtlNtStatusToDosError(status)
 	}
 	return nil
 }
@@ -291,10 +235,10 @@ func RemoveRelative(path string, root *os.File) error {
 	f, err := openRelativeInternal(
 		path,
 		root,
-		FILE_READ_ATTRIBUTES|FILE_WRITE_ATTRIBUTES|DELETE,
+		winapi.FILE_READ_ATTRIBUTES|winapi.FILE_WRITE_ATTRIBUTES|winapi.DELETE,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
-		FILE_OPEN_REPARSE_POINT)
+		winapi.FILE_OPEN_REPARSE_POINT)
 	if err == nil {
 		defer f.Close()
 		err = deleteOnClose(f)
@@ -385,8 +329,8 @@ func MkdirRelative(path string, root *os.File) error {
 		root,
 		0,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_CREATE,
+		winapi.FILE_CREATE,
-		FILE_DIRECTORY_FILE)
+		winapi.FILE_DIRECTORY_FILE)
 	if err == nil {
 		f.Close()
 	} else {
@@ -401,10 +345,10 @@ func LstatRelative(path string, root *os.File) (os.FileInfo, error) {
 	f, err := openRelativeInternal(
 		path,
 		root,
-		FILE_READ_ATTRIBUTES,
+		winapi.FILE_READ_ATTRIBUTES,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
-		FILE_OPEN_REPARSE_POINT)
+		winapi.FILE_OPEN_REPARSE_POINT)
 	if err != nil {
 		return nil, &os.PathError{Op: "stat", Path: filepath.Join(root.Name(), path), Err: err}
 	}
@@ -421,7 +365,7 @@ func EnsureNotReparsePointRelative(path string, root *os.File) error {
 		root,
 		0,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
 		0)
 	if err != nil {
 		return err

vendor/github.com/Microsoft/hcsshim/internal/safefile/zsyscall_windows.go

@@ -1,79 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package safefile
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return nil
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
-	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
-
-	procNtCreateFile               = modntdll.NewProc("NtCreateFile")
-	procNtSetInformationFile       = modntdll.NewProc("NtSetInformationFile")
-	procRtlNtStatusToDosErrorNoTeb = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
-	procLocalAlloc                 = modkernel32.NewProc("LocalAlloc")
-	procLocalFree                  = modkernel32.NewProc("LocalFree")
-)
-
-func ntCreateFile(handle *uintptr, accessMask uint32, oa *objectAttributes, iosb *ioStatusBlock, allocationSize *uint64, fileAttributes uint32, shareAccess uint32, createDisposition uint32, createOptions uint32, eaBuffer *byte, eaLength uint32) (status uint32) {
-	r0, _, _ := syscall.Syscall12(procNtCreateFile.Addr(), 11, uintptr(unsafe.Pointer(handle)), uintptr(accessMask), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(unsafe.Pointer(allocationSize)), uintptr(fileAttributes), uintptr(shareAccess), uintptr(createDisposition), uintptr(createOptions), uintptr(unsafe.Pointer(eaBuffer)), uintptr(eaLength), 0)
-	status = uint32(r0)
-	return
-}
-
-func ntSetInformationFile(handle uintptr, iosb *ioStatusBlock, information uintptr, length uint32, class uint32) (status uint32) {
-	r0, _, _ := syscall.Syscall6(procNtSetInformationFile.Addr(), 5, uintptr(handle), uintptr(unsafe.Pointer(iosb)), uintptr(information), uintptr(length), uintptr(class), 0)
-	status = uint32(r0)
-	return
-}
-
-func rtlNtStatusToDosError(status uint32) (winerr error) {
-	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
-	if r0 != 0 {
-		winerr = syscall.Errno(r0)
-	}
-	return
-}
-
-func localAlloc(flags uint32, size int) (ptr uintptr) {
-	r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(flags), uintptr(size), 0)
-	ptr = uintptr(r0)
-	return
-}
-
-func localFree(ptr uintptr) {
-	syscall.Syscall(procLocalFree.Addr(), 1, uintptr(ptr), 0, 0)
-	return
-}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_add_instance_request.go

@@ -0,0 +1,16 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardAddInstanceRequest struct {
+	Id             string `json:"Id,omitempty"`
+	CredentialSpec string `json:"CredentialSpec,omitempty"`
+	Transport      string `json:"Transport,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_hv_socket_service_config.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardHvSocketServiceConfig struct {
+	ServiceId     string                 `json:"ServiceId,omitempty"`
+	ServiceConfig *HvSocketServiceConfig `json:"ServiceConfig,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_instance.go

@@ -0,0 +1,16 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardInstance struct {
+	Id              string                                         `json:"Id,omitempty"`
+	CredentialGuard *ContainerCredentialGuardState                 `json:"CredentialGuard,omitempty"`
+	HvSocketConfig  *ContainerCredentialGuardHvSocketServiceConfig `json:"HvSocketConfig,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_modify_operation.go

@@ -0,0 +1,17 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardModifyOperation string
+
+const (
+	AddInstance    ContainerCredentialGuardModifyOperation = "AddInstance"
+	RemoveInstance ContainerCredentialGuardModifyOperation = "RemoveInstance"
+)

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_operation_request.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardOperationRequest struct {
+	Operation        ContainerCredentialGuardModifyOperation `json:"Operation,omitempty"`
+	OperationDetails interface{}                             `json:"OperationDetails,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_remove_instance_request.go

@@ -0,0 +1,14 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardRemoveInstanceRequest struct {
+	Id string `json:"Id,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_system_info.go

@@ -0,0 +1,14 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardSystemInfo struct {
+	Instances []ContainerCredentialGuardInstance `json:"Instances,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/device.go

@@ -9,8 +9,19 @@
 
 package hcsschema
 
-type Device struct {
+type DeviceType string
 
-	//  The interface class guid of the device to assign to container.
+const (
+	ClassGUID      DeviceType = "ClassGuid"
+	DeviceInstance            = "DeviceInstance"
+	GPUMirror                 = "GpuMirror"
+)
+
+type Device struct {
+	//  The type of device to assign to the container.
+	Type DeviceType `json:"Type,omitempty"`
+	//  The interface class guid of the device interfaces to assign to the  container.  Only used when Type is ClassGuid.
 	InterfaceClassGuid string `json:"InterfaceClassGuid,omitempty"`
+	//  The location path of the device to assign to the container.  Only used when Type is DeviceInstance.
+	LocationPath string `json:"LocationPath,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/hv_socket_address.go

@@ -0,0 +1,17 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+//  This class defines address settings applied to a VM
+//  by the GCS every time a VM starts or restores.
+type HvSocketAddress struct {
+	LocalAddress  string `json:"LocalAddress,omitempty"`
+	ParentAddress string `json:"ParentAddress,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/logical_processor.go

@@ -0,0 +1,18 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type LogicalProcessor struct {
+	LpIndex     uint32 `json:"LpIndex,omitempty"`
+	NodeNumber  uint8  `json:"NodeNumber, omitempty"`
+	PackageId   uint32 `json:"PackageId, omitempty"`
+	CoreId      uint32 `json:"CoreId, omitempty"`
+	RootVpIndex int32  `json:"RootVpIndex, omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/memory.go

@@ -10,5 +10,5 @@
 package hcsschema
 
 type Memory struct {
-	SizeInMB int32 `json:"SizeInMB,omitempty"`
+	SizeInMB uint64 `json:"SizeInMB,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/memory_2.go

@@ -10,7 +10,7 @@
 package hcsschema
 
 type Memory2 struct {
-	SizeInMB int32 `json:"SizeInMB,omitempty"`
+	SizeInMB uint64 `json:"SizeInMB,omitempty"`
 
 	AllowOvercommit bool `json:"AllowOvercommit,omitempty"`
 

vendor/github.com/Microsoft/hcsshim/internal/schema2/modification_request.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ModificationRequest struct {
+	PropertyType PropertyType `json:"PropertyType,omitempty"`
+	Settings     interface{}  `json:"Settings,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/processor_topology.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ProcessorTopology struct {
+	LogicalProcessorCount uint32             `json:"LogicalProcessorCount,omitempty"`
+	LogicalProcessors     []LogicalProcessor `json:"LogicalProcessors,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/property_type.go

@@ -18,6 +18,8 @@ const (
 	PTProcessList                 PropertyType = "ProcessList"
 	PTTerminateOnLastHandleClosed PropertyType = "TerminateOnLastHandleClosed"
 	PTSharedMemoryRegion          PropertyType = "SharedMemoryRegion"
+	PTContainerCredentialGuard    PropertyType = "ContainerCredentialGuard" // This field is not generated by swagger. This was added manually.
 	PTGuestConnection             PropertyType = "GuestConnection"
 	PTICHeartbeatStatus           PropertyType = "ICHeartbeatStatus"
+	PTProcessorTopology           PropertyType = "ProcessorTopology"
 )

vendor/github.com/Microsoft/hcsshim/internal/schema2/service_properties.go

@@ -0,0 +1,18 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+import "encoding/json"
+
+type ServiceProperties struct {
+	// Changed Properties field to []json.RawMessage from []interface{} to avoid having to
+	// remarshal sp.Properties[n] and unmarshal into the type(s) we want.
+	Properties []json.RawMessage `json:"Properties,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/vmcompute/vmcompute.go

@@ -26,6 +26,7 @@ import (
 //sys hcsResumeComputeSystem(computeSystem HcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsResumeComputeSystem?
 //sys hcsGetComputeSystemProperties(computeSystem HcsSystem, propertyQuery string, properties **uint16, result **uint16) (hr error) = vmcompute.HcsGetComputeSystemProperties?
 //sys hcsModifyComputeSystem(computeSystem HcsSystem, configuration string, result **uint16) (hr error) = vmcompute.HcsModifyComputeSystem?
+//sys hcsModifyServiceSettings(settings string, result **uint16) (hr error) = vmcompute.HcsModifyServiceSettings?
 //sys hcsRegisterComputeSystemCallback(computeSystem HcsSystem, callback uintptr, context uintptr, callbackHandle *HcsCallback) (hr error) = vmcompute.HcsRegisterComputeSystemCallback?
 //sys hcsUnregisterComputeSystemCallback(callbackHandle HcsCallback) (hr error) = vmcompute.HcsUnregisterComputeSystemCallback?
 
@@ -337,6 +338,27 @@ func HcsModifyComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, confi
 	})
 }
 
+func HcsModifyServiceSettings(ctx gcontext.Context, settings string) (result string, hr error) {
+	ctx, span := trace.StartSpan(ctx, "HcsModifyServiceSettings")
+	defer span.End()
+	defer func() {
+		if result != "" {
+			span.AddAttributes(trace.StringAttribute("result", result))
+		}
+		oc.SetSpanStatus(span, hr)
+	}()
+	span.AddAttributes(trace.StringAttribute("settings", settings))
+
+	return result, execute(ctx, timeout.SyscallWatcher, func() error {
+		var resultp *uint16
+		err := hcsModifyServiceSettings(settings, &resultp)
+		if resultp != nil {
+			result = interop.ConvertAndFreeCoTaskMemString(resultp)
+		}
+		return err
+	})
+}
+
 func HcsRegisterComputeSystemCallback(ctx gcontext.Context, computeSystem HcsSystem, callback uintptr, context uintptr) (callbackHandle HcsCallback, hr error) {
 	ctx, span := trace.StartSpan(ctx, "HcsRegisterComputeSystemCallback")
 	defer span.End()

vendor/github.com/Microsoft/hcsshim/internal/vmcompute/zsyscall_windows.go

@@ -50,6 +50,7 @@ var (
 	procHcsResumeComputeSystem             = modvmcompute.NewProc("HcsResumeComputeSystem")
 	procHcsGetComputeSystemProperties      = modvmcompute.NewProc("HcsGetComputeSystemProperties")
 	procHcsModifyComputeSystem             = modvmcompute.NewProc("HcsModifyComputeSystem")
+	procHcsModifyServiceSettings           = modvmcompute.NewProc("HcsModifyServiceSettings")
 	procHcsRegisterComputeSystemCallback   = modvmcompute.NewProc("HcsRegisterComputeSystemCallback")
 	procHcsUnregisterComputeSystemCallback = modvmcompute.NewProc("HcsUnregisterComputeSystemCallback")
 	procHcsCreateProcess                   = modvmcompute.NewProc("HcsCreateProcess")
@@ -314,6 +315,29 @@ func _hcsModifyComputeSystem(computeSystem HcsSystem, configuration *uint16, res
 	return
 }
 
+func hcsModifyServiceSettings(settings string, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcsModifyServiceSettings(_p0, result)
+}
+
+func _hcsModifyServiceSettings(settings *uint16, result **uint16) (hr error) {
+	if hr = procHcsModifyServiceSettings.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsModifyServiceSettings.Addr(), 2, uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
 func hcsRegisterComputeSystemCallback(computeSystem HcsSystem, callback uintptr, context uintptr, callbackHandle *HcsCallback) (hr error) {
 	if hr = procHcsRegisterComputeSystemCallback.Find(); hr != nil {
 		return

vendor/github.com/Microsoft/hcsshim/internal/wclayer/baselayer.go

@@ -11,6 +11,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/hcserror"
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/safefile"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 	"go.opencensus.io/trace"
 )
 
@@ -37,7 +38,7 @@ type dirInfo struct {
 func reapplyDirectoryTimes(root *os.File, dis []dirInfo) error {
 	for i := range dis {
 		di := &dis[len(dis)-i-1] // reverse order: process child directories first
-		f, err := safefile.OpenRelative(di.path, root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, safefile.FILE_OPEN, safefile.FILE_DIRECTORY_FILE)
+		f, err := safefile.OpenRelative(di.path, root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, winapi.FILE_OPEN, winapi.FILE_DIRECTORY_FILE|syscall.FILE_FLAG_OPEN_REPARSE_POINT)
 		if err != nil {
 			return err
 		}
@@ -47,6 +48,7 @@ func reapplyDirectoryTimes(root *os.File, dis []dirInfo) error {
 		if err != nil {
 			return err
 		}
+
 	}
 	return nil
 }
@@ -92,14 +94,12 @@ func (w *baseLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) (err e
 
 	extraFlags := uint32(0)
 	if fileInfo.FileAttributes&syscall.FILE_ATTRIBUTE_DIRECTORY != 0 {
-		extraFlags |= safefile.FILE_DIRECTORY_FILE
+		extraFlags |= winapi.FILE_DIRECTORY_FILE
-		if fileInfo.FileAttributes&syscall.FILE_ATTRIBUTE_REPARSE_POINT == 0 {
 		w.dirInfo = append(w.dirInfo, dirInfo{name, *fileInfo})
 	}
-	}
 
 	mode := uint32(syscall.GENERIC_READ | syscall.GENERIC_WRITE | winio.WRITE_DAC | winio.WRITE_OWNER | winio.ACCESS_SYSTEM_SECURITY)
-	f, err = safefile.OpenRelative(name, w.root, mode, syscall.FILE_SHARE_READ, safefile.FILE_CREATE, extraFlags)
+	f, err = safefile.OpenRelative(name, w.root, mode, syscall.FILE_SHARE_READ, winapi.FILE_CREATE, extraFlags)
 	if err != nil {
 		return hcserror.New(err, "Failed to safefile.OpenRelative", name)
 	}

vendor/github.com/Microsoft/hcsshim/internal/wclayer/createscratchlayer.go

@@ -10,9 +10,7 @@ import (
 )
 
 // CreateScratchLayer creates and populates new read-write layer for use by a container.
-// This requires both the id of the direct parent layer, as well as the full list
+// This requires the full list of paths to all parent layers up to the base
-// of paths to all parent layers up to the base (and including the direct parent
-// whose id was provided).
 func CreateScratchLayer(ctx context.Context, path string, parentLayerPaths []string) (err error) {
 	title := "hcsshim::CreateScratchLayer"
 	ctx, span := trace.StartSpan(ctx, title)

vendor/github.com/Microsoft/hcsshim/internal/wclayer/importlayer.go

@@ -93,6 +93,19 @@ func (r *legacyLayerWriterWrapper) Close() (err error) {
 			return err
 		}
 	}
+
+	// The reapplyDirectoryTimes must be called AFTER we are done with Tombstone
+	// deletion and hard link creation. This is because Tombstone deletion and hard link
+	// creation updates the directory last write timestamps so that will change the
+	// timestamps added by the `Add` call. Some container applications depend on the
+	// correctness of these timestamps and so we should change the timestamps back to
+	// the original value (i.e the value provided in the Add call) after this
+	// processing is done.
+	err = reapplyDirectoryTimes(r.destRoot, r.changedDi)
+	if err != nil {
+		return err
+	}
+
 	// Prepare the utility VM for use if one is present in the layer.
 	if r.HasUtilityVM {
 		err := safefile.EnsureNotReparsePointRelative("UtilityVM", r.destRoot)

vendor/github.com/Microsoft/hcsshim/internal/wclayer/legacy.go

@@ -15,6 +15,7 @@ import (
 	"github.com/Microsoft/go-winio"
 	"github.com/Microsoft/hcsshim/internal/longpath"
 	"github.com/Microsoft/hcsshim/internal/safefile"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 )
 
 var errorIterationCanceled = errors.New("")
@@ -341,7 +342,7 @@ type legacyLayerWriter struct {
 	backupWriter    *winio.BackupFileWriter
 	Tombstones      []string
 	HasUtilityVM    bool
-	uvmDi           []dirInfo
+	changedDi       []dirInfo
 	addedFiles      map[string]bool
 	PendingLinks    []pendingLink
 	pendingDirs     []pendingDir
@@ -472,8 +473,8 @@ func copyFileWithMetadata(srcRoot, destRoot *os.File, subPath string, isDir bool
 		srcRoot,
 		syscall.GENERIC_READ|winio.ACCESS_SYSTEM_SECURITY,
 		syscall.FILE_SHARE_READ,
-		safefile.FILE_OPEN,
+		winapi.FILE_OPEN,
-		safefile.FILE_OPEN_REPARSE_POINT)
+		winapi.FILE_OPEN_REPARSE_POINT)
 	if err != nil {
 		return nil, err
 	}
@@ -488,14 +489,14 @@ func copyFileWithMetadata(srcRoot, destRoot *os.File, subPath string, isDir bool
 
 	extraFlags := uint32(0)
 	if isDir {
-		extraFlags |= safefile.FILE_DIRECTORY_FILE
+		extraFlags |= winapi.FILE_DIRECTORY_FILE
 	}
 	dest, err := safefile.OpenRelative(
 		subPath,
 		destRoot,
 		syscall.GENERIC_READ|syscall.GENERIC_WRITE|winio.WRITE_DAC|winio.WRITE_OWNER|winio.ACCESS_SYSTEM_SECURITY,
 		syscall.FILE_SHARE_READ,
-		safefile.FILE_CREATE,
+		winapi.FILE_CREATE,
 		extraFlags)
 	if err != nil {
 		return nil, err
@@ -555,7 +556,7 @@ func cloneTree(srcRoot *os.File, destRoot *os.File, subPath string, mutatedFiles
 			if err != nil {
 				return err
 			}
-			if isDir && !isReparsePoint {
+			if isDir {
 				di = append(di, dirInfo{path: relPath, fileInfo: *fi})
 			}
 		} else {
@@ -583,6 +584,10 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		return w.initUtilityVM()
 	}
 
+	if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
+		w.changedDi = append(w.changedDi, dirInfo{path: name, fileInfo: *fileInfo})
+	}
+
 	name = filepath.Clean(name)
 	if hasPathPrefix(name, utilityVMPath) {
 		if !w.HasUtilityVM {
@@ -591,7 +596,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		if !hasPathPrefix(name, utilityVMFilesPath) && name != utilityVMFilesPath {
 			return errors.New("invalid UtilityVM layer")
 		}
-		createDisposition := uint32(safefile.FILE_OPEN)
+		createDisposition := uint32(winapi.FILE_OPEN)
 		if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
 			st, err := safefile.LstatRelative(name, w.destRoot)
 			if err != nil && !os.IsNotExist(err) {
@@ -612,16 +617,13 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 					return err
 				}
 			}
-			if fileInfo.FileAttributes&syscall.FILE_ATTRIBUTE_REPARSE_POINT == 0 {
-				w.uvmDi = append(w.uvmDi, dirInfo{path: name, fileInfo: *fileInfo})
-			}
 		} else {
 			// Overwrite any existing hard link.
 			err := safefile.RemoveRelative(name, w.destRoot)
 			if err != nil && !os.IsNotExist(err) {
 				return err
 			}
-			createDisposition = safefile.FILE_CREATE
+			createDisposition = winapi.FILE_CREATE
 		}
 
 		f, err := safefile.OpenRelative(
@@ -630,7 +632,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 			syscall.GENERIC_READ|syscall.GENERIC_WRITE|winio.WRITE_DAC|winio.WRITE_OWNER|winio.ACCESS_SYSTEM_SECURITY,
 			syscall.FILE_SHARE_READ,
 			createDisposition,
-			safefile.FILE_OPEN_REPARSE_POINT,
+			winapi.FILE_OPEN_REPARSE_POINT,
 		)
 		if err != nil {
 			return err
@@ -667,7 +669,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		w.currentIsDir = true
 	}
 
-	f, err := safefile.OpenRelative(fname, w.root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, safefile.FILE_CREATE, 0)
+	f, err := safefile.OpenRelative(fname, w.root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, winapi.FILE_CREATE, 0)
 	if err != nil {
 		return err
 	}
@@ -805,11 +807,5 @@ func (w *legacyLayerWriter) Close() error {
 			return err
 		}
 	}
-	if w.HasUtilityVM {
-		err := reapplyDirectoryTimes(w.destRoot, w.uvmDi)
-		if err != nil {
-			return err
-		}
-	}
 	return nil
 }

vendor/github.com/Microsoft/hcsshim/internal/wclayer/wclayer.go

@@ -1,3 +1,6 @@
+// Package wclayer provides bindings to HCS's legacy layer management API and
+// provides a higher level interface around these calls for container layer
+// management.
 package wclayer
 
 import "github.com/Microsoft/go-winio/pkg/guid"

vendor/github.com/Microsoft/hcsshim/internal/winapi/devices.go

@@ -0,0 +1,13 @@
+package winapi
+
+import "github.com/Microsoft/go-winio/pkg/guid"
+
+//sys CMGetDeviceIDListSize(pulLen *uint32, pszFilter *byte, uFlags uint32) (hr error) = cfgmgr32.CM_Get_Device_ID_List_SizeA
+//sys CMGetDeviceIDList(pszFilter *byte, buffer *byte, bufferLen uint32, uFlags uint32) (hr error)= cfgmgr32.CM_Get_Device_ID_ListA
+//sys CMLocateDevNode(pdnDevInst *uint32, pDeviceID string, uFlags uint32) (hr error) = cfgmgr32.CM_Locate_DevNodeW
+//sys CMGetDevNodeProperty(dnDevInst uint32, propertyKey *DevPropKey, propertyType *uint32, propertyBuffer *uint16, propertyBufferSize *uint32, uFlags uint32) (hr error) = cfgmgr32.CM_Get_DevNode_PropertyW
+
+type DevPropKey struct {
+	Fmtid guid.GUID
+	Pid   uint32
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/errors.go

@@ -0,0 +1,15 @@
+package winapi
+
+import "syscall"
+
+//sys RtlNtStatusToDosError(status uint32) (winerr error) = ntdll.RtlNtStatusToDosError
+
+const (
+	STATUS_REPARSE_POINT_ENCOUNTERED               = 0xC000050B
+	ERROR_NO_MORE_ITEMS                            = 0x103
+	ERROR_MORE_DATA                  syscall.Errno = 234
+)
+
+func NTSuccess(status uint32) bool {
+	return status == 0
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/filesystem.go

@@ -0,0 +1,61 @@
+package winapi
+
+//sys NtCreateFile(handle *uintptr, accessMask uint32, oa *ObjectAttributes, iosb *IOStatusBlock, allocationSize *uint64, fileAttributes uint32, shareAccess uint32, createDisposition uint32, createOptions uint32, eaBuffer *byte, eaLength uint32) (status uint32) = ntdll.NtCreateFile
+//sys NtSetInformationFile(handle uintptr, iosb *IOStatusBlock, information uintptr, length uint32, class uint32) (status uint32) = ntdll.NtSetInformationFile
+
+//sys NtOpenDirectoryObject(handle *uintptr, accessMask uint32, oa *ObjectAttributes) (status uint32) = ntdll.NtOpenDirectoryObject
+//sys NtQueryDirectoryObject(handle uintptr, buffer *byte, length uint32, singleEntry bool, restartScan bool, context *uint32, returnLength *uint32)(status uint32) = ntdll.NtQueryDirectoryObject
+
+const (
+	FileLinkInformationClass          = 11
+	FileDispositionInformationExClass = 64
+
+	FILE_READ_ATTRIBUTES  = 0x0080
+	FILE_WRITE_ATTRIBUTES = 0x0100
+	DELETE                = 0x10000
+
+	FILE_OPEN   = 1
+	FILE_CREATE = 2
+
+	FILE_LIST_DIRECTORY          = 0x00000001
+	FILE_DIRECTORY_FILE          = 0x00000001
+	FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020
+	FILE_OPEN_FOR_BACKUP_INTENT  = 0x00004000
+	FILE_OPEN_REPARSE_POINT      = 0x00200000
+
+	FILE_DISPOSITION_DELETE = 0x00000001
+
+	OBJ_DONT_REPARSE = 0x1000
+
+	STATUS_MORE_ENTRIES    = 0x105
+	STATUS_NO_MORE_ENTRIES = 0x8000001a
+)
+
+type FileDispositionInformationEx struct {
+	Flags uintptr
+}
+
+type IOStatusBlock struct {
+	Status, Information uintptr
+}
+
+type ObjectAttributes struct {
+	Length             uintptr
+	RootDirectory      uintptr
+	ObjectName         uintptr
+	Attributes         uintptr
+	SecurityDescriptor uintptr
+	SecurityQoS        uintptr
+}
+
+type ObjectDirectoryInformation struct {
+	Name     UnicodeString
+	TypeName UnicodeString
+}
+
+type FileLinkInformation struct {
+	ReplaceIfExists bool
+	RootDirectory   uintptr
+	FileNameLength  uint32
+	FileName        [1]uint16
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/jobobject.go

@@ -0,0 +1,120 @@
+package winapi
+
+import (
+	"golang.org/x/sys/windows"
+)
+
+// Messages that can be received from an assigned io completion port.
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_associate_completion_port
+const (
+	JOB_OBJECT_MSG_END_OF_JOB_TIME       = 1
+	JOB_OBJECT_MSG_END_OF_PROCESS_TIME   = 2
+	JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT  = 3
+	JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO   = 4
+	JOB_OBJECT_MSG_NEW_PROCESS           = 6
+	JOB_OBJECT_MSG_EXIT_PROCESS          = 7
+	JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS = 8
+	JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT  = 9
+	JOB_OBJECT_MSG_JOB_MEMORY_LIMIT      = 10
+	JOB_OBJECT_MSG_NOTIFICATION_LIMIT    = 11
+)
+
+// IO limit flags
+//
+// https://docs.microsoft.com/en-us/windows/win32/api/jobapi2/ns-jobapi2-jobobject_io_rate_control_information
+const JOB_OBJECT_IO_RATE_CONTROL_ENABLE = 0x1
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_cpu_rate_control_information
+const (
+	JOB_OBJECT_CPU_RATE_CONTROL_ENABLE = 1 << iota
+	JOB_OBJECT_CPU_RATE_CONTROL_WEIGHT_BASED
+	JOB_OBJECT_CPU_RATE_CONTROL_HARD_CAP
+	JOB_OBJECT_CPU_RATE_CONTROL_NOTIFY
+	JOB_OBJECT_CPU_RATE_CONTROL_MIN_MAX_RATE
+)
+
+// JobObjectInformationClass values. Used for a call to QueryInformationJobObject
+//
+// https://docs.microsoft.com/en-us/windows/win32/api/jobapi2/nf-jobapi2-queryinformationjobobject
+const (
+	JobObjectBasicAccountingInformation      uint32 = 1
+	JobObjectBasicProcessIdList              uint32 = 3
+	JobObjectBasicAndIoAccountingInformation uint32 = 8
+	JobObjectLimitViolationInformation       uint32 = 13
+	JobObjectNotificationLimitInformation2   uint32 = 33
+)
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_basic_limit_information
+type JOBOBJECT_BASIC_LIMIT_INFORMATION struct {
+	PerProcessUserTimeLimit int64
+	PerJobUserTimeLimit     int64
+	LimitFlags              uint32
+	MinimumWorkingSetSize   uintptr
+	MaximumWorkingSetSize   uintptr
+	ActiveProcessLimit      uint32
+	Affinity                uintptr
+	PriorityClass           uint32
+	SchedulingClass         uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_cpu_rate_control_information
+type JOBOBJECT_CPU_RATE_CONTROL_INFORMATION struct {
+	ControlFlags uint32
+	Rate         uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/jobapi2/ns-jobapi2-jobobject_io_rate_control_information
+type JOBOBJECT_IO_RATE_CONTROL_INFORMATION struct {
+	MaxIops         int64
+	MaxBandwidth    int64
+	ReservationIops int64
+	BaseIOSize      uint32
+	VolumeName      string
+	ControlFlags    uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_basic_process_id_list
+type JOBOBJECT_BASIC_PROCESS_ID_LIST struct {
+	NumberOfAssignedProcesses uint32
+	NumberOfProcessIdsInList  uint32
+	ProcessIdList             [1]uintptr
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_associate_completion_port
+type JOBOBJECT_ASSOCIATE_COMPLETION_PORT struct {
+	CompletionKey  uintptr
+	CompletionPort windows.Handle
+}
+
+// BOOL IsProcessInJob(
+// 		HANDLE ProcessHandle,
+// 		HANDLE JobHandle,
+// 		PBOOL  Result
+// );
+//
+//sys IsProcessInJob(procHandle windows.Handle, jobHandle windows.Handle, result *bool) (err error) = kernel32.IsProcessInJob
+
+// BOOL QueryInformationJobObject(
+//		HANDLE             hJob,
+//		JOBOBJECTINFOCLASS JobObjectInformationClass,
+//		LPVOID             lpJobObjectInformation,
+//		DWORD              cbJobObjectInformationLength,
+//		LPDWORD            lpReturnLength
+// );
+//
+//sys QueryInformationJobObject(jobHandle windows.Handle, infoClass uint32, jobObjectInfo uintptr, jobObjectInformationLength uint32, lpReturnLength *uint32) (err error) = kernel32.QueryInformationJobObject
+
+// HANDLE OpenJobObjectW(
+//		DWORD   dwDesiredAccess,
+//		BOOL    bInheritHandle,
+//		LPCWSTR lpName
+// );
+//
+//sys OpenJobObject(desiredAccess uint32, inheritHandle bool, lpName *uint16) (handle windows.Handle, err error) = kernel32.OpenJobObjectW
+
+// DWORD SetIoRateControlInformationJobObject(
+//		HANDLE                                hJob,
+//		JOBOBJECT_IO_RATE_CONTROL_INFORMATION *IoRateControlInfo
+// );
+//
+//sys SetIoRateControlInformationJobObject(jobHandle windows.Handle, ioRateControlInfo *JOBOBJECT_IO_RATE_CONTROL_INFORMATION) (ret uint32, err error) = kernel32.SetIoRateControlInformationJobObject

vendor/github.com/Microsoft/hcsshim/internal/winapi/logon.go

@@ -0,0 +1,30 @@
+package winapi
+
+// BOOL LogonUserA(
+// 	LPCWSTR  lpszUsername,
+// 	LPCWSTR  lpszDomain,
+// 	LPCWSTR  lpszPassword,
+// 	DWORD   dwLogonType,
+// 	DWORD   dwLogonProvider,
+// 	PHANDLE phToken
+// );
+//
+//sys LogonUser(username *uint16, domain *uint16, password *uint16, logonType uint32, logonProvider uint32, token *windows.Token) (err error) = advapi32.LogonUserW
+
+// Logon types
+const (
+	LOGON32_LOGON_INTERACTIVE       uint32 = 2
+	LOGON32_LOGON_NETWORK           uint32 = 3
+	LOGON32_LOGON_BATCH             uint32 = 4
+	LOGON32_LOGON_SERVICE           uint32 = 5
+	LOGON32_LOGON_UNLOCK            uint32 = 7
+	LOGON32_LOGON_NETWORK_CLEARTEXT uint32 = 8
+	LOGON32_LOGON_NEW_CREDENTIALS   uint32 = 9
+)
+
+// Logon providers
+const (
+	LOGON32_PROVIDER_DEFAULT uint32 = 0
+	LOGON32_PROVIDER_WINNT40 uint32 = 2
+	LOGON32_PROVIDER_WINNT50 uint32 = 3
+)

vendor/github.com/Microsoft/hcsshim/internal/winapi/memory.go

@@ -0,0 +1,11 @@
+package winapi
+
+// VOID RtlMoveMemory(
+// 	_Out_       VOID UNALIGNED *Destination,
+// 	_In_  const VOID UNALIGNED *Source,
+// 	_In_        SIZE_T         Length
+// );
+//sys RtlMoveMemory(destination *byte, source *byte, length uintptr) (err error) = kernel32.RtlMoveMemory
+
+//sys LocalAlloc(flags uint32, size int) (ptr uintptr) = kernel32.LocalAlloc
+//sys LocalFree(ptr uintptr) = kernel32.LocalFree

vendor/github.com/Microsoft/hcsshim/internal/winapi/path.go

@@ -0,0 +1,11 @@
+package winapi
+
+// DWORD SearchPathW(
+// 	LPCWSTR lpPath,
+// 	LPCWSTR lpFileName,
+// 	LPCWSTR lpExtension,
+// 	DWORD   nBufferLength,
+// 	LPWSTR  lpBuffer,
+// 	LPWSTR  *lpFilePart
+// );
+//sys SearchPath(lpPath *uint16, lpFileName *uint16, lpExtension *uint16, nBufferLength uint32, lpBuffer *uint16, lpFilePath **uint16) (size uint32, err error) = kernel32.SearchPathW

vendor/github.com/Microsoft/hcsshim/internal/winapi/process.go

@@ -0,0 +1,3 @@
+package winapi
+
+const PROCESS_ALL_ACCESS uint32 = 2097151

vendor/github.com/Microsoft/hcsshim/internal/winapi/processor.go

@@ -0,0 +1,7 @@
+package winapi
+
+// Get count from all processor groups.
+// https://docs.microsoft.com/en-us/windows/win32/procthread/processor-groups
+const ALL_PROCESSOR_GROUPS = 0xFFFF
+
+//sys GetActiveProcessorCount(groupNumber uint16) (amount uint32) = kernel32.GetActiveProcessorCount

vendor/github.com/Microsoft/hcsshim/internal/winapi/utils.go

@@ -0,0 +1,60 @@
+package winapi
+
+import (
+	"errors"
+	"syscall"
+	"unicode/utf16"
+	"unsafe"
+)
+
+type UnicodeString struct {
+	Length        uint16
+	MaximumLength uint16
+	Buffer        *uint16
+}
+
+//String converts a UnicodeString to a golang string
+func (uni UnicodeString) String() string {
+	p := (*[0xffff]uint16)(unsafe.Pointer(uni.Buffer))
+
+	// UnicodeString is not guaranteed to be null terminated, therefore
+	// use the UnicodeString's Length field
+	lengthInChars := uni.Length / 2
+	return syscall.UTF16ToString(p[:lengthInChars])
+}
+
+// NewUnicodeString allocates a new UnicodeString and copies `s` into
+// the buffer of the new UnicodeString.
+func NewUnicodeString(s string) (*UnicodeString, error) {
+	ws := utf16.Encode(([]rune)(s))
+	if len(ws) > 32767 {
+		return nil, syscall.ENAMETOOLONG
+	}
+
+	uni := &UnicodeString{
+		Length:        uint16(len(ws) * 2),
+		MaximumLength: uint16(len(ws) * 2),
+		Buffer:        &make([]uint16, len(ws))[0],
+	}
+	copy((*[32768]uint16)(unsafe.Pointer(uni.Buffer))[:], ws)
+	return uni, nil
+}
+
+// ConvertStringSetToSlice is a helper function used to convert the contents of
+// `buf` into a string slice. `buf` contains a set of null terminated strings
+// with an additional null at the end to indicate the end of the set.
+func ConvertStringSetToSlice(buf []byte) ([]string, error) {
+	var results []string
+	prev := 0
+	for i := range buf {
+		if buf[i] == 0 {
+			if prev == i {
+				// found two null characters in a row, return result
+				return results, nil
+			}
+			results = append(results, string(buf[prev:i]))
+			prev = i + 1
+		}
+	}
+	return nil, errors.New("string set malformed: missing null terminator at end of buffer")
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/winapi.go

@@ -0,0 +1,5 @@
+// Package winapi contains various low-level bindings to Windows APIs. It can
+// be thought of as an extension to golang.org/x/sys/windows.
+package winapi
+
+//go:generate go run ..\..\mksyscall_windows.go -output zsyscall_windows.go jobobject.go path.go logon.go memory.go processor.go devices.go filesystem.go errors.go

vendor/github.com/Microsoft/hcsshim/internal/winapi/zsyscall_windows.go

@@ -0,0 +1,271 @@
+// Code generated mksyscall_windows.exe DO NOT EDIT
+
+package winapi
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return nil
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
+	modcfgmgr32 = windows.NewLazySystemDLL("cfgmgr32.dll")
+	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
+
+	procIsProcessInJob                       = modkernel32.NewProc("IsProcessInJob")
+	procQueryInformationJobObject            = modkernel32.NewProc("QueryInformationJobObject")
+	procOpenJobObjectW                       = modkernel32.NewProc("OpenJobObjectW")
+	procSetIoRateControlInformationJobObject = modkernel32.NewProc("SetIoRateControlInformationJobObject")
+	procSearchPathW                          = modkernel32.NewProc("SearchPathW")
+	procLogonUserW                           = modadvapi32.NewProc("LogonUserW")
+	procRtlMoveMemory                        = modkernel32.NewProc("RtlMoveMemory")
+	procLocalAlloc                           = modkernel32.NewProc("LocalAlloc")
+	procLocalFree                            = modkernel32.NewProc("LocalFree")
+	procGetActiveProcessorCount              = modkernel32.NewProc("GetActiveProcessorCount")
+	procCM_Get_Device_ID_List_SizeA          = modcfgmgr32.NewProc("CM_Get_Device_ID_List_SizeA")
+	procCM_Get_Device_ID_ListA               = modcfgmgr32.NewProc("CM_Get_Device_ID_ListA")
+	procCM_Locate_DevNodeW                   = modcfgmgr32.NewProc("CM_Locate_DevNodeW")
+	procCM_Get_DevNode_PropertyW             = modcfgmgr32.NewProc("CM_Get_DevNode_PropertyW")
+	procNtCreateFile                         = modntdll.NewProc("NtCreateFile")
+	procNtSetInformationFile                 = modntdll.NewProc("NtSetInformationFile")
+	procNtOpenDirectoryObject                = modntdll.NewProc("NtOpenDirectoryObject")
+	procNtQueryDirectoryObject               = modntdll.NewProc("NtQueryDirectoryObject")
+	procRtlNtStatusToDosError                = modntdll.NewProc("RtlNtStatusToDosError")
+)
+
+func IsProcessInJob(procHandle windows.Handle, jobHandle windows.Handle, result *bool) (err error) {
+	r1, _, e1 := syscall.Syscall(procIsProcessInJob.Addr(), 3, uintptr(procHandle), uintptr(jobHandle), uintptr(unsafe.Pointer(result)))
+	if r1 == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func QueryInformationJobObject(jobHandle windows.Handle, infoClass uint32, jobObjectInfo uintptr, jobObjectInformationLength uint32, lpReturnLength *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall6(procQueryInformationJobObject.Addr(), 5, uintptr(jobHandle), uintptr(infoClass), uintptr(jobObjectInfo), uintptr(jobObjectInformationLength), uintptr(unsafe.Pointer(lpReturnLength)), 0)
+	if r1 == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func OpenJobObject(desiredAccess uint32, inheritHandle bool, lpName *uint16) (handle windows.Handle, err error) {
+	var _p0 uint32
+	if inheritHandle {
+		_p0 = 1
+	} else {
+		_p0 = 0
+	}
+	r0, _, e1 := syscall.Syscall(procOpenJobObjectW.Addr(), 3, uintptr(desiredAccess), uintptr(_p0), uintptr(unsafe.Pointer(lpName)))
+	handle = windows.Handle(r0)
+	if handle == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func SetIoRateControlInformationJobObject(jobHandle windows.Handle, ioRateControlInfo *JOBOBJECT_IO_RATE_CONTROL_INFORMATION) (ret uint32, err error) {
+	r0, _, e1 := syscall.Syscall(procSetIoRateControlInformationJobObject.Addr(), 2, uintptr(jobHandle), uintptr(unsafe.Pointer(ioRateControlInfo)), 0)
+	ret = uint32(r0)
+	if ret == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func SearchPath(lpPath *uint16, lpFileName *uint16, lpExtension *uint16, nBufferLength uint32, lpBuffer *uint16, lpFilePath **uint16) (size uint32, err error) {
+	r0, _, e1 := syscall.Syscall6(procSearchPathW.Addr(), 6, uintptr(unsafe.Pointer(lpPath)), uintptr(unsafe.Pointer(lpFileName)), uintptr(unsafe.Pointer(lpExtension)), uintptr(nBufferLength), uintptr(unsafe.Pointer(lpBuffer)), uintptr(unsafe.Pointer(lpFilePath)))
+	size = uint32(r0)
+	if size == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func LogonUser(username *uint16, domain *uint16, password *uint16, logonType uint32, logonProvider uint32, token *windows.Token) (err error) {
+	r1, _, e1 := syscall.Syscall6(procLogonUserW.Addr(), 6, uintptr(unsafe.Pointer(username)), uintptr(unsafe.Pointer(domain)), uintptr(unsafe.Pointer(password)), uintptr(logonType), uintptr(logonProvider), uintptr(unsafe.Pointer(token)))
+	if r1 == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func RtlMoveMemory(destination *byte, source *byte, length uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procRtlMoveMemory.Addr(), 3, uintptr(unsafe.Pointer(destination)), uintptr(unsafe.Pointer(source)), uintptr(length))
+	if r1 == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}
+
+func LocalAlloc(flags uint32, size int) (ptr uintptr) {
+	r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(flags), uintptr(size), 0)
+	ptr = uintptr(r0)
+	return
+}
+
+func LocalFree(ptr uintptr) {
+	syscall.Syscall(procLocalFree.Addr(), 1, uintptr(ptr), 0, 0)
+	return
+}
+
+func GetActiveProcessorCount(groupNumber uint16) (amount uint32) {
+	r0, _, _ := syscall.Syscall(procGetActiveProcessorCount.Addr(), 1, uintptr(groupNumber), 0, 0)
+	amount = uint32(r0)
+	return
+}
+
+func CMGetDeviceIDListSize(pulLen *uint32, pszFilter *byte, uFlags uint32) (hr error) {
+	r0, _, _ := syscall.Syscall(procCM_Get_Device_ID_List_SizeA.Addr(), 3, uintptr(unsafe.Pointer(pulLen)), uintptr(unsafe.Pointer(pszFilter)), uintptr(uFlags))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CMGetDeviceIDList(pszFilter *byte, buffer *byte, bufferLen uint32, uFlags uint32) (hr error) {
+	r0, _, _ := syscall.Syscall6(procCM_Get_Device_ID_ListA.Addr(), 4, uintptr(unsafe.Pointer(pszFilter)), uintptr(unsafe.Pointer(buffer)), uintptr(bufferLen), uintptr(uFlags), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CMLocateDevNode(pdnDevInst *uint32, pDeviceID string, uFlags uint32) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(pDeviceID)
+	if hr != nil {
+		return
+	}
+	return _CMLocateDevNode(pdnDevInst, _p0, uFlags)
+}
+
+func _CMLocateDevNode(pdnDevInst *uint32, pDeviceID *uint16, uFlags uint32) (hr error) {
+	r0, _, _ := syscall.Syscall(procCM_Locate_DevNodeW.Addr(), 3, uintptr(unsafe.Pointer(pdnDevInst)), uintptr(unsafe.Pointer(pDeviceID)), uintptr(uFlags))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CMGetDevNodeProperty(dnDevInst uint32, propertyKey *DevPropKey, propertyType *uint32, propertyBuffer *uint16, propertyBufferSize *uint32, uFlags uint32) (hr error) {
+	r0, _, _ := syscall.Syscall6(procCM_Get_DevNode_PropertyW.Addr(), 6, uintptr(dnDevInst), uintptr(unsafe.Pointer(propertyKey)), uintptr(unsafe.Pointer(propertyType)), uintptr(unsafe.Pointer(propertyBuffer)), uintptr(unsafe.Pointer(propertyBufferSize)), uintptr(uFlags))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func NtCreateFile(handle *uintptr, accessMask uint32, oa *ObjectAttributes, iosb *IOStatusBlock, allocationSize *uint64, fileAttributes uint32, shareAccess uint32, createDisposition uint32, createOptions uint32, eaBuffer *byte, eaLength uint32) (status uint32) {
+	r0, _, _ := syscall.Syscall12(procNtCreateFile.Addr(), 11, uintptr(unsafe.Pointer(handle)), uintptr(accessMask), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(unsafe.Pointer(allocationSize)), uintptr(fileAttributes), uintptr(shareAccess), uintptr(createDisposition), uintptr(createOptions), uintptr(unsafe.Pointer(eaBuffer)), uintptr(eaLength), 0)
+	status = uint32(r0)
+	return
+}
+
+func NtSetInformationFile(handle uintptr, iosb *IOStatusBlock, information uintptr, length uint32, class uint32) (status uint32) {
+	r0, _, _ := syscall.Syscall6(procNtSetInformationFile.Addr(), 5, uintptr(handle), uintptr(unsafe.Pointer(iosb)), uintptr(information), uintptr(length), uintptr(class), 0)
+	status = uint32(r0)
+	return
+}
+
+func NtOpenDirectoryObject(handle *uintptr, accessMask uint32, oa *ObjectAttributes) (status uint32) {
+	r0, _, _ := syscall.Syscall(procNtOpenDirectoryObject.Addr(), 3, uintptr(unsafe.Pointer(handle)), uintptr(accessMask), uintptr(unsafe.Pointer(oa)))
+	status = uint32(r0)
+	return
+}
+
+func NtQueryDirectoryObject(handle uintptr, buffer *byte, length uint32, singleEntry bool, restartScan bool, context *uint32, returnLength *uint32) (status uint32) {
+	var _p0 uint32
+	if singleEntry {
+		_p0 = 1
+	} else {
+		_p0 = 0
+	}
+	var _p1 uint32
+	if restartScan {
+		_p1 = 1
+	} else {
+		_p1 = 0
+	}
+	r0, _, _ := syscall.Syscall9(procNtQueryDirectoryObject.Addr(), 7, uintptr(handle), uintptr(unsafe.Pointer(buffer)), uintptr(length), uintptr(_p0), uintptr(_p1), uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(returnLength)), 0, 0)
+	status = uint32(r0)
+	return
+}
+
+func RtlNtStatusToDosError(status uint32) (winerr error) {
+	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosError.Addr(), 1, uintptr(status), 0, 0)
+	if r0 != 0 {
+		winerr = syscall.Errno(r0)
+	}
+	return
+}

vendor/github.com/Microsoft/hcsshim/osversion/windowsbuilds.go

@@ -24,4 +24,12 @@ const (
 	// V19H1 (version 1903) corresponds to Windows Server 1903 (semi-annual
 	// channel).
 	V19H1 = 18362
+
+	// V19H2 (version 1909) corresponds to Windows Server 1909 (semi-annual
+	// channel).
+	V19H2 = 18363
+
+	// V20H1 (version 2004) corresponds to Windows Server 2004 (semi-annual
+	// channel).
+	V20H1 = 19041
 )

vendor/github.com/Microsoft/hcsshim/test/go.mod

@@ -10,18 +10,16 @@ require (
 	github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3
 	github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de
 	github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
-	github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect
 	github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/godbus/dbus v4.1.0+incompatible // indirect
 	github.com/gogo/googleapis v1.2.0 // indirect
 	github.com/gogo/protobuf v1.3.1
 	github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce // indirect
 	github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 // indirect
 	github.com/imdario/mergo v0.3.8 // indirect
-	github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700
+	github.com/opencontainers/runtime-spec v1.0.2
 	github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39
-	github.com/pkg/errors v0.8.1
+	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.4.2
 	github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect