Runtime v2

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

runtime/v2/bundle.go

@@ -0,0 +1,120 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/containerd/identifiers"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/pkg/errors"
+)
+
+const configFilename = "config.json"
+
+// LoadBundle loads an existing bundle from disk
+func LoadBundle(ctx context.Context, root, id string) (*Bundle, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &Bundle{
+		ID:        id,
+		Path:      filepath.Join(root, ns, id),
+		Namespace: ns,
+	}, nil
+}
+
+// NewBundle returns a new bundle on disk
+func NewBundle(ctx context.Context, root, state, id string, spec []byte) (b *Bundle, err error) {
+	if err := identifiers.Validate(id); err != nil {
+		return nil, errors.Wrapf(err, "invalid task id %s", id)
+	}
+
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	work := filepath.Join(root, ns, id)
+	b = &Bundle{
+		ID:        id,
+		Path:      filepath.Join(state, ns, id),
+		Namespace: ns,
+	}
+	paths := []string{b.Path, work}
+	// create base directories
+	for _, d := range paths {
+		if err := os.MkdirAll(filepath.Dir(d), 0711); err != nil {
+			return nil, err
+		}
+		if err := os.Mkdir(d, 0711); err != nil {
+			return nil, err
+		}
+	}
+	defer func() {
+		if err != nil {
+			for _, d := range paths {
+				os.RemoveAll(d)
+			}
+		}
+	}()
+	// create rootfs dir
+	if err := os.Mkdir(filepath.Join(b.Path, "rootfs"), 0711); err != nil {
+		return nil, err
+	}
+	// symlink workdir
+	if err := os.Symlink(work, filepath.Join(b.Path, "work")); err != nil {
+		return nil, err
+	}
+	// write the spec to the bundle
+	err = ioutil.WriteFile(filepath.Join(b.Path, configFilename), spec, 0666)
+	return b, err
+}
+
+// Bundle represents an OCI bundle
+type Bundle struct {
+	// ID of the bundle
+	ID string
+	// Path to the bundle
+	Path string
+	// Namespace of the bundle
+	Namespace string
+}
+
+// Delete a bundle atomically
+func (b *Bundle) Delete() error {
+	work, werr := os.Readlink(filepath.Join(b.Path, "work"))
+	err := os.RemoveAll(b.Path)
+	if err == nil {
+		if werr == nil {
+			return os.RemoveAll(work)
+		}
+		return nil
+	}
+	// error removing the bundle path; still attempt removing work dir
+	var err2 error
+	if werr == nil {
+		err2 = os.RemoveAll(work)
+		if err2 == nil {
+			return err
+		}
+	}
+	return errors.Wrapf(err, "failed to remove both bundle and workdir locations: %v", err2)
+}

runtime/v2/manager.go

@@ -0,0 +1,213 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/boltdb/bolt"
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/events/exchange"
+	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/metadata"
+	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/containerd/plugin"
+	"github.com/containerd/containerd/runtime"
+	ptypes "github.com/gogo/protobuf/types"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+var empty = &ptypes.Empty{}
+
+func init() {
+	plugin.Register(&plugin.Registration{
+		Type: plugin.RuntimePluginV2,
+		ID:   "task",
+		Requires: []plugin.Type{
+			plugin.MetadataPlugin,
+		},
+		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
+			ic.Meta.Platforms = []ocispec.Platform{platforms.DefaultSpec()}
+			if err := os.MkdirAll(ic.Root, 0711); err != nil {
+				return nil, err
+			}
+			if err := os.MkdirAll(ic.State, 0711); err != nil {
+				return nil, err
+			}
+			m, err := ic.Get(plugin.MetadataPlugin)
+			if err != nil {
+				return nil, err
+			}
+			return New(ic.Context, ic.Root, ic.State, ic.Address, ic.Events, m.(*metadata.DB))
+		},
+	})
+}
+
+// New task manager for v2 shims
+func New(ctx context.Context, root, state, containerdAddress string, events *exchange.Exchange, db *metadata.DB) (*TaskManager, error) {
+	for _, d := range []string{root, state} {
+		if err := os.MkdirAll(d, 0711); err != nil {
+			return nil, err
+		}
+	}
+	m := &TaskManager{
+		root:              root,
+		state:             state,
+		containerdAddress: containerdAddress,
+		tasks:             runtime.NewTaskList(),
+		events:            events,
+		db:                db,
+	}
+	if err := m.loadExistingTasks(ctx); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// TaskManager manages v2 shim's and their tasks
+type TaskManager struct {
+	root              string
+	state             string
+	containerdAddress string
+
+	tasks  *runtime.TaskList
+	events *exchange.Exchange
+	db     *metadata.DB
+}
+
+// ID of the task manager
+func (m *TaskManager) ID() string {
+	return fmt.Sprintf("%s.%s", plugin.RuntimePluginV2, "task")
+}
+
+// Create a new task
+func (m *TaskManager) Create(ctx context.Context, id string, opts runtime.CreateOpts) (_ runtime.Task, err error) {
+	bundle, err := NewBundle(ctx, m.root, m.state, id, opts.Spec.Value)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			bundle.Delete()
+		}
+	}()
+	shim, err := newShim(ctx, bundle, opts.Runtime, m.containerdAddress, m.events, m.tasks)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			shim.Shutdown(ctx)
+			shim.Close()
+		}
+	}()
+	t, err := shim.Create(ctx, opts)
+	if err != nil {
+		return nil, err
+	}
+	m.tasks.Add(ctx, t)
+	return t, nil
+}
+
+// Get a specific task
+func (m *TaskManager) Get(ctx context.Context, id string) (runtime.Task, error) {
+	return m.tasks.Get(ctx, id)
+}
+
+// Tasks lists all tasks
+func (m *TaskManager) Tasks(ctx context.Context, all bool) ([]runtime.Task, error) {
+	return m.tasks.GetAll(ctx, all)
+}
+
+func (m *TaskManager) loadExistingTasks(ctx context.Context) error {
+	nsDirs, err := ioutil.ReadDir(m.state)
+	if err != nil {
+		return err
+	}
+	for _, nsd := range nsDirs {
+		if !nsd.IsDir() {
+			continue
+		}
+		ns := nsd.Name()
+		log.G(ctx).WithField("namespace", ns).Debug("loading tasks in namespace")
+		if err := m.loadTasks(namespaces.WithNamespace(ctx, ns)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (m *TaskManager) loadTasks(ctx context.Context) error {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return err
+	}
+	shimDirs, err := ioutil.ReadDir(filepath.Join(m.state, ns))
+	if err != nil {
+		return err
+	}
+	for _, sd := range shimDirs {
+		if !sd.IsDir() {
+			continue
+		}
+		id := sd.Name()
+		bundle, err := LoadBundle(ctx, m.state, id)
+		if err != nil {
+			return err
+		}
+		shim, err := loadShim(ctx, bundle, m.events, m.tasks)
+		if err != nil {
+			log.G(ctx).WithError(err).Errorf("cleanup dead shim %s", id)
+			container, err := m.container(ctx, id)
+			if err != nil {
+				log.G(ctx).WithError(err).Errorf("loading dead container %s", id)
+				if err := mount.UnmountAll(filepath.Join(bundle.Path, "rootfs"), 0); err != nil {
+					log.G(ctx).WithError(err).Errorf("forceful unmount of rootfs %s", id)
+				}
+				bundle.Delete()
+				continue
+			}
+			binaryCall := shimBinary(ctx, bundle, container.Runtime.Name, m.containerdAddress, m.events, m.tasks)
+			if _, err := binaryCall.Delete(ctx); err != nil {
+				return errors.Wrapf(err, "remove disk state %s", id)
+			}
+			continue
+		}
+		m.tasks.Add(ctx, shim)
+	}
+	return nil
+}
+
+func (m *TaskManager) container(ctx context.Context, id string) (*containers.Container, error) {
+	var container containers.Container
+	if err := m.db.View(func(tx *bolt.Tx) error {
+		store := metadata.NewContainerStore(tx)
+		var err error
+		container, err = store.Get(ctx, id)
+		return err
+	}); err != nil {
+		return nil, err
+	}
+	return &container, nil
+}

runtime/v2/process.go

@@ -0,0 +1,153 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"context"
+
+	eventstypes "github.com/containerd/containerd/api/events"
+	tasktypes "github.com/containerd/containerd/api/types/task"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/runtime"
+	"github.com/containerd/containerd/runtime/v2/task"
+	"github.com/containerd/ttrpc"
+	"github.com/pkg/errors"
+)
+
+type process struct {
+	id   string
+	shim *shim
+}
+
+func (p *process) ID() string {
+	return p.id
+}
+
+func (p *process) Kill(ctx context.Context, signal uint32, _ bool) error {
+	_, err := p.shim.task.Kill(ctx, &task.KillRequest{
+		Signal: signal,
+		ID:     p.id,
+	})
+	if err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+func (p *process) State(ctx context.Context) (runtime.State, error) {
+	response, err := p.shim.task.State(ctx, &task.StateRequest{
+		ID: p.id,
+	})
+	if err != nil {
+		if errors.Cause(err) != ttrpc.ErrClosed {
+			return runtime.State{}, errdefs.FromGRPC(err)
+		}
+		return runtime.State{}, errdefs.ErrNotFound
+	}
+	var status runtime.Status
+	switch response.Status {
+	case tasktypes.StatusCreated:
+		status = runtime.CreatedStatus
+	case tasktypes.StatusRunning:
+		status = runtime.RunningStatus
+	case tasktypes.StatusStopped:
+		status = runtime.StoppedStatus
+	case tasktypes.StatusPaused:
+		status = runtime.PausedStatus
+	case tasktypes.StatusPausing:
+		status = runtime.PausingStatus
+	}
+	return runtime.State{
+		Pid:        response.Pid,
+		Status:     status,
+		Stdin:      response.Stdin,
+		Stdout:     response.Stdout,
+		Stderr:     response.Stderr,
+		Terminal:   response.Terminal,
+		ExitStatus: response.ExitStatus,
+		ExitedAt:   response.ExitedAt,
+	}, nil
+}
+
+// ResizePty changes the side of the process's PTY to the provided width and height
+func (p *process) ResizePty(ctx context.Context, size runtime.ConsoleSize) error {
+	_, err := p.shim.task.ResizePty(ctx, &task.ResizePtyRequest{
+		ID:     p.id,
+		Width:  size.Width,
+		Height: size.Height,
+	})
+	if err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+// CloseIO closes the provided IO pipe for the process
+func (p *process) CloseIO(ctx context.Context) error {
+	_, err := p.shim.task.CloseIO(ctx, &task.CloseIORequest{
+		ID:    p.id,
+		Stdin: true,
+	})
+	if err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+// Start the process
+func (p *process) Start(ctx context.Context) error {
+	response, err := p.shim.task.Start(ctx, &task.StartRequest{
+		ID: p.id,
+	})
+	if err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	p.shim.events.Publish(ctx, runtime.TaskExecStartedEventTopic, &eventstypes.TaskExecStarted{
+		ContainerID: p.shim.ID(),
+		Pid:         response.Pid,
+		ExecID:      p.id,
+	})
+	return nil
+}
+
+// Wait on the process to exit and return the exit status and timestamp
+func (p *process) Wait(ctx context.Context) (*runtime.Exit, error) {
+	response, err := p.shim.task.Wait(ctx, &task.WaitRequest{
+		ID: p.id,
+	})
+	if err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	return &runtime.Exit{
+		Timestamp: response.ExitedAt,
+		Status:    response.ExitStatus,
+	}, nil
+}
+
+func (p *process) Delete(ctx context.Context) (*runtime.Exit, error) {
+	response, err := p.shim.task.Delete(ctx, &task.DeleteRequest{
+		ID: p.id,
+	})
+	if err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	return &runtime.Exit{
+		Status:    response.ExitStatus,
+		Timestamp: response.ExitedAt,
+		Pid:       response.Pid,
+	}, nil
+}

runtime/v2/runc/options/doc.go

@@ -0,0 +1,17 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package options

runtime/v2/runc/options/oci.proto

@@ -0,0 +1,39 @@
+syntax = "proto3";
+
+package containerd.runc.v1;
+
+import weak "gogoproto/gogo.proto";
+
+option go_package = "github.com/containerd/containerd/runtime/v2/runc/options;options";
+
+message Options {
+	bool no_pivot_root = 1;
+	bool open_tcp = 2;
+	bool external_unix_sockets = 3;
+	bool terminal = 4;
+	bool file_locks = 5;
+	repeated string empty_namespaces = 6;
+	string cgroups_mode = 7;
+	bool no_new_keyring = 8;
+	string shim_cgroup = 9;
+	uint32 io_uid = 10;
+	uint32 io_gid = 11;
+	string binary_name = 12;
+	string root = 13;
+	string criu_path = 14;
+	bool systemd_cgroup = 15;
+}
+
+message CheckpointOptions {
+	bool exit = 1;
+	bool open_tcp = 2;
+	bool external_unix_sockets = 3;
+	bool terminal = 4;
+	bool file_locks = 5;
+	repeated string empty_namespaces = 6;
+	string cgroups_mode = 7;
+}
+
+message ProcessDetails {
+	string exec_id = 1;
+}

runtime/v2/runc/service.go

@@ -0,0 +1,665 @@
+// +build linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/containerd/cgroups"
+	"github.com/containerd/console"
+	eventstypes "github.com/containerd/containerd/api/events"
+	"github.com/containerd/containerd/api/types/task"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/events"
+	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/runtime"
+	rproc "github.com/containerd/containerd/runtime/proc"
+	"github.com/containerd/containerd/runtime/v1/linux/proc"
+	"github.com/containerd/containerd/runtime/v2/runc/options"
+	"github.com/containerd/containerd/runtime/v2/shim"
+	taskAPI "github.com/containerd/containerd/runtime/v2/task"
+	runcC "github.com/containerd/go-runc"
+	"github.com/containerd/typeurl"
+	ptypes "github.com/gogo/protobuf/types"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+var (
+	empty   = &ptypes.Empty{}
+	bufPool = sync.Pool{
+		New: func() interface{} {
+			buffer := make([]byte, 32<<10)
+			return &buffer
+		},
+	}
+)
+
+var _ = (taskAPI.TaskService)(&service{})
+
+// New returns a new shim service that can be used via GRPC
+func New(ctx context.Context, id string, publisher events.Publisher) (shim.Shim, error) {
+	s := &service{
+		id:        id,
+		context:   ctx,
+		processes: make(map[string]rproc.Process),
+		events:    make(chan interface{}, 128),
+		ec:        shim.Default.Subscribe(),
+	}
+	go s.processExits()
+	runcC.Monitor = shim.Default
+	if err := s.initPlatform(); err != nil {
+		return nil, errors.Wrap(err, "failed to initialized platform behavior")
+	}
+	go s.forward(publisher)
+	return s, nil
+}
+
+// service is the shim implementation of a remote shim over GRPC
+type service struct {
+	mu sync.Mutex
+
+	context   context.Context
+	processes map[string]rproc.Process
+	events    chan interface{}
+	platform  rproc.Platform
+	ec        chan runcC.Exit
+
+	id string
+	// Filled by Create()
+	bundle string
+	cg     cgroups.Cgroup
+}
+
+func (s *service) Cleanup(ctx context.Context) (*taskAPI.DeleteResponse, error) {
+	path, err := os.Getwd()
+	if err != nil {
+		return nil, err
+	}
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	runtime, _ := s.readRuntime(path)
+	if runtime != "" {
+		r := proc.NewRunc(proc.RuncRoot, path, ns, runtime, "", false)
+		if err := r.Delete(ctx, s.id, &runcC.DeleteOpts{
+			Force: true,
+		}); err != nil {
+			logrus.WithError(err).Warn("runc delete")
+		}
+	}
+	if err := mount.UnmountAll(filepath.Join(path, "rootfs"), 0); err != nil {
+		logrus.WithError(err).Warn("failed to cleanup rootfs mount")
+	}
+	return &taskAPI.DeleteResponse{
+		ExitedAt:   time.Now(),
+		ExitStatus: 128 + uint32(unix.SIGKILL),
+	}, nil
+}
+
+func (s *service) readRuntime(path string) (string, error) {
+	data, err := ioutil.ReadFile(filepath.Join(path, "runtime"))
+	if err != nil {
+		return "", err
+	}
+	return string(data), nil
+}
+
+func (s *service) writeRuntime(path, runtime string) error {
+	return ioutil.WriteFile(filepath.Join(path, "runtime"), []byte(runtime), 0600)
+}
+
+// Create a new initial process and container with the underlying OCI runtime
+func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ *taskAPI.CreateTaskResponse, err error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "create namespace")
+	}
+
+	var opts options.Options
+	if r.Options != nil {
+		v, err := typeurl.UnmarshalAny(r.Options)
+		if err != nil {
+			return nil, err
+		}
+		opts = *v.(*options.Options)
+	}
+
+	var mounts []proc.Mount
+	for _, m := range r.Rootfs {
+		mounts = append(mounts, proc.Mount{
+			Type:    m.Type,
+			Source:  m.Source,
+			Target:  m.Target,
+			Options: m.Options,
+		})
+	}
+	config := &proc.CreateConfig{
+		ID:               r.ID,
+		Bundle:           r.Bundle,
+		Runtime:          opts.BinaryName,
+		Rootfs:           mounts,
+		Terminal:         r.Terminal,
+		Stdin:            r.Stdin,
+		Stdout:           r.Stdout,
+		Stderr:           r.Stderr,
+		Checkpoint:       r.Checkpoint,
+		ParentCheckpoint: r.ParentCheckpoint,
+		Options:          r.Options,
+	}
+	if err := s.writeRuntime(r.Bundle, opts.BinaryName); err != nil {
+		return nil, err
+	}
+	rootfs := filepath.Join(r.Bundle, "rootfs")
+	defer func() {
+		if err != nil {
+			if err2 := mount.UnmountAll(rootfs, 0); err2 != nil {
+				logrus.WithError(err2).Warn("failed to cleanup rootfs mount")
+			}
+		}
+	}()
+	for _, rm := range mounts {
+		m := &mount.Mount{
+			Type:    rm.Type,
+			Source:  rm.Source,
+			Options: rm.Options,
+		}
+		if err := m.Mount(rootfs); err != nil {
+			return nil, errors.Wrapf(err, "failed to mount rootfs component %v", m)
+		}
+	}
+	process, err := newInit(
+		ctx,
+		r.Bundle,
+		filepath.Join(r.Bundle, "work"),
+		ns,
+		s.platform,
+		config,
+		&opts,
+	)
+	if err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	if err := process.Create(ctx, config); err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	// save the main task id and bundle to the shim for additional requests
+	s.id = r.ID
+	s.bundle = r.Bundle
+	pid := process.Pid()
+	if pid > 0 {
+		cg, err := cgroups.Load(cgroups.V1, cgroups.PidPath(pid))
+		if err != nil {
+			logrus.WithError(err).Errorf("loading cgroup for %d", pid)
+		}
+		s.cg = cg
+	}
+	s.processes[r.ID] = process
+	return &taskAPI.CreateTaskResponse{
+		Pid: uint32(pid),
+	}, nil
+
+}
+
+// Start a process
+func (s *service) Start(ctx context.Context, r *taskAPI.StartRequest) (*taskAPI.StartResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[r.ID]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process %s", r.ID)
+	}
+	if err := p.Start(ctx); err != nil {
+		return nil, err
+	}
+	if s.cg == nil && p.Pid() > 0 {
+		cg, err := cgroups.Load(cgroups.V1, cgroups.PidPath(p.Pid()))
+		if err != nil {
+			logrus.WithError(err).Errorf("loading cgroup for %d", p.Pid())
+		}
+		s.cg = cg
+	}
+	return &taskAPI.StartResponse{
+		ID:  p.ID(),
+		Pid: uint32(p.Pid()),
+	}, nil
+}
+
+// Delete the initial process and container
+func (s *service) Delete(ctx context.Context, r *taskAPI.DeleteRequest) (*taskAPI.DeleteResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	p := s.processes[r.ID]
+	if p == nil {
+		return nil, errors.Wrapf(errdefs.ErrNotFound, "process %s", r.ID)
+	}
+	if err := p.Delete(ctx); err != nil {
+		return nil, err
+	}
+	delete(s.processes, r.ID)
+	if r.ID == s.id && s.platform != nil {
+		s.platform.Close()
+	}
+	return &taskAPI.DeleteResponse{
+		ExitStatus: uint32(p.ExitStatus()),
+		ExitedAt:   p.ExitedAt(),
+		Pid:        uint32(p.Pid()),
+	}, nil
+}
+
+// Exec an additional process inside the container
+func (s *service) Exec(ctx context.Context, r *taskAPI.ExecProcessRequest) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if p := s.processes[r.ID]; p != nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrAlreadyExists, "id %s", r.ID)
+	}
+
+	p := s.processes[s.id]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+	}
+
+	process, err := p.(*proc.Init).Exec(ctx, s.bundle, &proc.ExecConfig{
+		ID:       r.ID,
+		Terminal: r.Terminal,
+		Stdin:    r.Stdin,
+		Stdout:   r.Stdout,
+		Stderr:   r.Stderr,
+		Spec:     r.Spec,
+	})
+	if err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	s.processes[r.ID] = process
+	return empty, nil
+}
+
+// ResizePty of a process
+func (s *service) ResizePty(ctx context.Context, r *taskAPI.ResizePtyRequest) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if r.ID == "" {
+		return nil, errdefs.ToGRPCf(errdefs.ErrInvalidArgument, "id not provided")
+	}
+	ws := console.WinSize{
+		Width:  uint16(r.Width),
+		Height: uint16(r.Height),
+	}
+	p := s.processes[r.ID]
+	if p == nil {
+		return nil, errors.Errorf("process does not exist %s", r.ID)
+	}
+	if err := p.Resize(ws); err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	return empty, nil
+}
+
+// State returns runtime state information for a process
+func (s *service) State(ctx context.Context, r *taskAPI.StateRequest) (*taskAPI.StateResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[r.ID]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process id %s", r.ID)
+	}
+	st, err := p.Status(ctx)
+	if err != nil {
+		return nil, err
+	}
+	status := task.StatusUnknown
+	switch st {
+	case "created":
+		status = task.StatusCreated
+	case "running":
+		status = task.StatusRunning
+	case "stopped":
+		status = task.StatusStopped
+	case "paused":
+		status = task.StatusPaused
+	case "pausing":
+		status = task.StatusPausing
+	}
+	sio := p.Stdio()
+	return &taskAPI.StateResponse{
+		ID:         p.ID(),
+		Bundle:     s.bundle,
+		Pid:        uint32(p.Pid()),
+		Status:     status,
+		Stdin:      sio.Stdin,
+		Stdout:     sio.Stdout,
+		Stderr:     sio.Stderr,
+		Terminal:   sio.Terminal,
+		ExitStatus: uint32(p.ExitStatus()),
+		ExitedAt:   p.ExitedAt(),
+	}, nil
+}
+
+// Pause the container
+func (s *service) Pause(ctx context.Context, r *ptypes.Empty) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[s.id]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+	}
+	if err := p.(*proc.Init).Pause(ctx); err != nil {
+		return nil, err
+	}
+	return empty, nil
+}
+
+// Resume the container
+func (s *service) Resume(ctx context.Context, r *ptypes.Empty) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[s.id]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+	}
+	if err := p.(*proc.Init).Resume(ctx); err != nil {
+		return nil, err
+	}
+	return empty, nil
+}
+
+// Kill a process with the provided signal
+func (s *service) Kill(ctx context.Context, r *taskAPI.KillRequest) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if r.ID == "" {
+		p := s.processes[s.id]
+		if p == nil {
+			return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+		}
+		if err := p.Kill(ctx, r.Signal, r.All); err != nil {
+			return nil, errdefs.ToGRPC(err)
+		}
+		return empty, nil
+	}
+
+	p := s.processes[r.ID]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process id %s not found", r.ID)
+	}
+	if err := p.Kill(ctx, r.Signal, r.All); err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	return empty, nil
+}
+
+// Pids returns all pids inside the container
+func (s *service) Pids(ctx context.Context, r *taskAPI.PidsRequest) (*taskAPI.PidsResponse, error) {
+	pids, err := s.getContainerPids(ctx, r.ID)
+	if err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	var processes []*task.ProcessInfo
+	for _, pid := range pids {
+		pInfo := task.ProcessInfo{
+			Pid: pid,
+		}
+		for _, p := range s.processes {
+			if p.Pid() == int(pid) {
+				d := &options.ProcessDetails{
+					ExecID: p.ID(),
+				}
+				a, err := typeurl.MarshalAny(d)
+				if err != nil {
+					return nil, errors.Wrapf(err, "failed to marshal process %d info", pid)
+				}
+				pInfo.Info = a
+				break
+			}
+		}
+		processes = append(processes, &pInfo)
+	}
+	return &taskAPI.PidsResponse{
+		Processes: processes,
+	}, nil
+}
+
+// CloseIO of a process
+func (s *service) CloseIO(ctx context.Context, r *taskAPI.CloseIORequest) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[r.ID]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "process does not exist %s", r.ID)
+	}
+	if stdin := p.Stdin(); stdin != nil {
+		if err := stdin.Close(); err != nil {
+			return nil, errors.Wrap(err, "close stdin")
+		}
+	}
+	return empty, nil
+}
+
+// Checkpoint the container
+func (s *service) Checkpoint(ctx context.Context, r *taskAPI.CheckpointTaskRequest) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[s.id]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+	}
+	var opts options.CheckpointOptions
+	if r.Options != nil {
+		v, err := typeurl.UnmarshalAny(r.Options)
+		if err != nil {
+			return nil, err
+		}
+		opts = *v.(*options.CheckpointOptions)
+	}
+	if err := p.(*proc.Init).Checkpoint(ctx, &proc.CheckpointConfig{
+		Path:                     r.Path,
+		Exit:                     opts.Exit,
+		AllowOpenTCP:             opts.OpenTcp,
+		AllowExternalUnixSockets: opts.ExternalUnixSockets,
+		AllowTerminal:            opts.Terminal,
+		FileLocks:                opts.FileLocks,
+		EmptyNamespaces:          opts.EmptyNamespaces,
+	}); err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	return empty, nil
+}
+
+// Connect returns shim information such as the shim's pid
+func (s *service) Connect(ctx context.Context, r *taskAPI.ConnectRequest) (*taskAPI.ConnectResponse, error) {
+	return &taskAPI.ConnectResponse{
+		ShimPid: uint32(os.Getpid()),
+		TaskPid: uint32(s.processes[s.id].Pid()),
+	}, nil
+}
+
+func (s *service) Shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*ptypes.Empty, error) {
+	os.Exit(0)
+	return empty, nil
+}
+
+func (s *service) Stats(ctx context.Context, r *taskAPI.StatsRequest) (*taskAPI.StatsResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.cg == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrNotFound, "cgroup does not exist")
+	}
+	stats, err := s.cg.Stat(cgroups.IgnoreNotExist)
+	if err != nil {
+		return nil, err
+	}
+	data, err := typeurl.MarshalAny(stats)
+	if err != nil {
+		return nil, err
+	}
+	return &taskAPI.StatsResponse{
+		Stats: data,
+	}, nil
+}
+
+// Update a running container
+func (s *service) Update(ctx context.Context, r *taskAPI.UpdateTaskRequest) (*ptypes.Empty, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[s.id]
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+	}
+	if err := p.(*proc.Init).Update(ctx, r.Resources); err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	return empty, nil
+}
+
+// Wait for a process to exit
+func (s *service) Wait(ctx context.Context, r *taskAPI.WaitRequest) (*taskAPI.WaitResponse, error) {
+	s.mu.Lock()
+	p := s.processes[r.ID]
+	s.mu.Unlock()
+	if p == nil {
+		return nil, errdefs.ToGRPCf(errdefs.ErrFailedPrecondition, "container must be created")
+	}
+	p.Wait()
+
+	return &taskAPI.WaitResponse{
+		ExitStatus: uint32(p.ExitStatus()),
+		ExitedAt:   p.ExitedAt(),
+	}, nil
+}
+
+func (s *service) processExits() {
+	for e := range s.ec {
+		s.checkProcesses(e)
+	}
+}
+
+func (s *service) checkProcesses(e runcC.Exit) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for _, p := range s.processes {
+		if p.Pid() == e.Pid {
+			if ip, ok := p.(*proc.Init); ok {
+				// Ensure all children are killed
+				if err := ip.KillAll(s.context); err != nil {
+					logrus.WithError(err).WithField("id", ip.ID()).
+						Error("failed to kill init's children")
+				}
+			}
+			p.SetExited(e.Status)
+			s.events <- &eventstypes.TaskExit{
+				ContainerID: s.id,
+				ID:          p.ID(),
+				Pid:         uint32(e.Pid),
+				ExitStatus:  uint32(e.Status),
+				ExitedAt:    p.ExitedAt(),
+			}
+			return
+		}
+	}
+}
+
+func (s *service) getContainerPids(ctx context.Context, id string) ([]uint32, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	p := s.processes[s.id]
+	if p == nil {
+		return nil, errors.Wrapf(errdefs.ErrFailedPrecondition, "container must be created")
+	}
+
+	ps, err := p.(*proc.Init).Runtime().Ps(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+	pids := make([]uint32, 0, len(ps))
+	for _, pid := range ps {
+		pids = append(pids, uint32(pid))
+	}
+	return pids, nil
+}
+
+func (s *service) forward(publisher events.Publisher) {
+	for e := range s.events {
+		if err := publisher.Publish(s.context, getTopic(s.context, e), e); err != nil {
+			logrus.WithError(err).Error("post event")
+		}
+	}
+}
+
+func getTopic(ctx context.Context, e interface{}) string {
+	switch e.(type) {
+	case *eventstypes.TaskCreate:
+		return runtime.TaskCreateEventTopic
+	case *eventstypes.TaskStart:
+		return runtime.TaskStartEventTopic
+	case *eventstypes.TaskOOM:
+		return runtime.TaskOOMEventTopic
+	case *eventstypes.TaskExit:
+		return runtime.TaskExitEventTopic
+	case *eventstypes.TaskDelete:
+		return runtime.TaskDeleteEventTopic
+	case *eventstypes.TaskExecAdded:
+		return runtime.TaskExecAddedEventTopic
+	case *eventstypes.TaskExecStarted:
+		return runtime.TaskExecStartedEventTopic
+	case *eventstypes.TaskPaused:
+		return runtime.TaskPausedEventTopic
+	case *eventstypes.TaskResumed:
+		return runtime.TaskResumedEventTopic
+	case *eventstypes.TaskCheckpointed:
+		return runtime.TaskCheckpointedEventTopic
+	default:
+		logrus.Warnf("no topic for type %#v", e)
+	}
+	return runtime.TaskUnknownTopic
+}
+
+func newInit(ctx context.Context, path, workDir, namespace string, platform rproc.Platform, r *proc.CreateConfig, options *options.Options) (*proc.Init, error) {
+	rootfs := filepath.Join(path, "rootfs")
+	runtime := proc.NewRunc(options.Root, path, namespace, options.BinaryName, options.CriuPath, options.SystemdCgroup)
+	p := proc.New(r.ID, runtime, rproc.Stdio{
+		Stdin:    r.Stdin,
+		Stdout:   r.Stdout,
+		Stderr:   r.Stderr,
+		Terminal: r.Terminal,
+	})
+	p.Bundle = r.Bundle
+	p.Platform = platform
+	p.Rootfs = rootfs
+	p.WorkDir = workDir
+	p.IoUID = int(options.IoUid)
+	p.IoGID = int(options.IoGid)
+	p.NoPivotRoot = options.NoPivotRoot
+	p.NoNewKeyring = options.NoNewKeyring
+	return p, nil
+}

runtime/v2/runc/service_linux.go

@@ -0,0 +1,111 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"context"
+	"io"
+	"sync"
+	"syscall"
+
+	"github.com/containerd/console"
+	"github.com/containerd/fifo"
+	"github.com/pkg/errors"
+)
+
+type linuxPlatform struct {
+	epoller *console.Epoller
+}
+
+func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console, stdin, stdout, stderr string, wg, cwg *sync.WaitGroup) (console.Console, error) {
+	if p.epoller == nil {
+		return nil, errors.New("uninitialized epoller")
+	}
+
+	epollConsole, err := p.epoller.Add(console)
+	if err != nil {
+		return nil, err
+	}
+
+	if stdin != "" {
+		in, err := fifo.OpenFifo(ctx, stdin, syscall.O_RDONLY, 0)
+		if err != nil {
+			return nil, err
+		}
+		cwg.Add(1)
+		go func() {
+			cwg.Done()
+			p := bufPool.Get().(*[]byte)
+			defer bufPool.Put(p)
+			io.CopyBuffer(epollConsole, in, *p)
+		}()
+	}
+
+	outw, err := fifo.OpenFifo(ctx, stdout, syscall.O_WRONLY, 0)
+	if err != nil {
+		return nil, err
+	}
+	outr, err := fifo.OpenFifo(ctx, stdout, syscall.O_RDONLY, 0)
+	if err != nil {
+		return nil, err
+	}
+	wg.Add(1)
+	cwg.Add(1)
+	go func() {
+		cwg.Done()
+		p := bufPool.Get().(*[]byte)
+		defer bufPool.Put(p)
+		io.CopyBuffer(outw, epollConsole, *p)
+		epollConsole.Close()
+		outr.Close()
+		outw.Close()
+		wg.Done()
+	}()
+	return epollConsole, nil
+}
+
+func (p *linuxPlatform) ShutdownConsole(ctx context.Context, cons console.Console) error {
+	if p.epoller == nil {
+		return errors.New("uninitialized epoller")
+	}
+	epollConsole, ok := cons.(*console.EpollConsole)
+	if !ok {
+		return errors.Errorf("expected EpollConsole, got %#v", cons)
+	}
+	return epollConsole.Shutdown(p.epoller.CloseConsole)
+}
+
+func (p *linuxPlatform) Close() error {
+	return p.epoller.Close()
+}
+
+// initialize a single epoll fd to manage our consoles. `initPlatform` should
+// only be called once.
+func (s *service) initPlatform() error {
+	if s.platform != nil {
+		return nil
+	}
+	epoller, err := console.NewEpoller()
+	if err != nil {
+		return errors.Wrap(err, "failed to initialize epoller")
+	}
+	s.platform = &linuxPlatform{
+		epoller: epoller,
+	}
+	go epoller.Wait()
+	return nil
+}

runtime/v2/shim.go

@@ -0,0 +1,486 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"context"
+	"path/filepath"
+	"time"
+
+	eventstypes "github.com/containerd/containerd/api/events"
+	"github.com/containerd/containerd/api/types"
+	tasktypes "github.com/containerd/containerd/api/types/task"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/events/exchange"
+	"github.com/containerd/containerd/identifiers"
+	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/runtime"
+	"github.com/containerd/containerd/runtime/v2/task"
+	"github.com/containerd/ttrpc"
+	ptypes "github.com/gogo/protobuf/types"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type binary struct {
+	runtime           string
+	containerdAddress string
+	bundle            *Bundle
+	events            *exchange.Exchange
+	rtTasks           *runtime.TaskList
+}
+
+func (b *binary) Delete(ctx context.Context) (*runtime.Exit, error) {
+	cmd, err := shimCommand(ctx, b.runtime, b.containerdAddress, b.bundle, "-debug", "delete")
+	if err != nil {
+		return nil, err
+	}
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, errors.Wrapf(err, "%s", out)
+	}
+	var response task.DeleteResponse
+	if err := response.Unmarshal(out); err != nil {
+		return nil, err
+	}
+	if err := b.bundle.Delete(); err != nil {
+		return nil, err
+	}
+	// remove self from the runtime task list
+	// this seems dirty but it cleans up the API across runtimes, tasks, and the service
+	b.rtTasks.Delete(ctx, b.bundle.ID)
+	// shim will send the exit event
+	b.events.Publish(ctx, runtime.TaskDeleteEventTopic, &eventstypes.TaskDelete{
+		ContainerID: b.bundle.ID,
+		ExitStatus:  response.ExitStatus,
+		ExitedAt:    response.ExitedAt,
+		Pid:         response.Pid,
+	})
+	return &runtime.Exit{
+		Status:    response.ExitStatus,
+		Timestamp: response.ExitedAt,
+		Pid:       response.Pid,
+	}, nil
+}
+
+func shimBinary(ctx context.Context, bundle *Bundle, runtime, containerdAddress string, events *exchange.Exchange, rt *runtime.TaskList) *binary {
+	return &binary{
+		bundle:            bundle,
+		runtime:           runtime,
+		containerdAddress: containerdAddress,
+		events:            events,
+		rtTasks:           rt,
+	}
+}
+
+// newShim starts and returns a new shim
+func newShim(ctx context.Context, bundle *Bundle, runtime, containerdAddress string, events *exchange.Exchange, rt *runtime.TaskList) (_ *shim, err error) {
+	cmd, err := shimCommand(ctx, runtime, containerdAddress, bundle, "-debug")
+	if err != nil {
+		return nil, err
+	}
+	address, err := abstractAddress(ctx, bundle.ID)
+	if err != nil {
+		return nil, err
+	}
+	socket, err := newSocket(address)
+	if err != nil {
+		return nil, err
+	}
+	defer socket.Close()
+	f, err := socket.File()
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	cmd.ExtraFiles = append(cmd.ExtraFiles, f)
+
+	if err := cmd.Start(); err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			cmd.Process.Kill()
+		}
+	}()
+	// make sure to wait after start
+	go cmd.Wait()
+	if err := writePidFile(filepath.Join(bundle.Path, "shim.pid"), cmd.Process.Pid); err != nil {
+		return nil, err
+	}
+	log.G(ctx).WithFields(logrus.Fields{
+		"pid":     cmd.Process.Pid,
+		"address": address,
+	}).Infof("shim %s started", cmd.Args[0])
+	if err := setScore(cmd.Process.Pid); err != nil {
+		return nil, errors.Wrap(err, "failed to set OOM Score on shim")
+	}
+	conn, err := connect(address, annonDialer)
+	if err != nil {
+		return nil, err
+	}
+	client := ttrpc.NewClient(conn)
+	client.OnClose(func() { conn.Close() })
+	return &shim{
+		bundle:  bundle,
+		client:  client,
+		task:    task.NewTaskClient(client),
+		shimPid: cmd.Process.Pid,
+		events:  events,
+		rtTasks: rt,
+	}, nil
+}
+
+func loadShim(ctx context.Context, bundle *Bundle, events *exchange.Exchange, rt *runtime.TaskList) (_ *shim, err error) {
+	address, err := abstractAddress(ctx, bundle.ID)
+	if err != nil {
+		return nil, err
+	}
+	conn, err := connect(address, annonDialer)
+	if err != nil {
+		return nil, err
+	}
+	client := ttrpc.NewClient(conn)
+	client.OnClose(func() { conn.Close() })
+	s := &shim{
+		client:  client,
+		task:    task.NewTaskClient(client),
+		bundle:  bundle,
+		events:  events,
+		rtTasks: rt,
+	}
+	if err := s.Connect(ctx); err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+type shim struct {
+	bundle  *Bundle
+	client  *ttrpc.Client
+	task    task.TaskService
+	shimPid int
+	taskPid int
+	events  *exchange.Exchange
+	rtTasks *runtime.TaskList
+}
+
+func (s *shim) Connect(ctx context.Context) error {
+	response, err := s.task.Connect(ctx, &task.ConnectRequest{})
+	if err != nil {
+		return err
+	}
+	s.shimPid = int(response.ShimPid)
+	s.taskPid = int(response.TaskPid)
+	return nil
+}
+
+func (s *shim) Shutdown(ctx context.Context) error {
+	_, err := s.task.Shutdown(ctx, &task.ShutdownRequest{})
+	if err != nil {
+		// handle conn closed error type
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+func (s *shim) waitShutdown(ctx context.Context) error {
+	dead := make(chan struct{})
+	go func() {
+		if err := s.Shutdown(ctx); err != nil {
+			log.G(ctx).WithError(err).Error("shim shutdown error")
+		}
+		close(dead)
+	}()
+	select {
+	case <-time.After(1 * time.Second):
+		if err := terminate(s.shimPid); err != nil {
+			log.G(ctx).WithError(err).Error("terminate shim")
+		}
+		<-dead
+		return nil
+	case <-dead:
+		return nil
+	}
+}
+
+// ID of the shim/task
+func (s *shim) ID() string {
+	return s.bundle.ID
+}
+
+func (s *shim) Namespace() string {
+	return s.bundle.Namespace
+}
+
+func (s *shim) Close() error {
+	return s.client.Close()
+}
+
+func (s *shim) Delete(ctx context.Context) (*runtime.Exit, error) {
+	response, err := s.task.Delete(ctx, &task.DeleteRequest{
+		ID: s.ID(),
+	})
+	if err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	if err := s.waitShutdown(ctx); err != nil {
+		return nil, err
+	}
+	if err := s.bundle.Delete(); err != nil {
+		return nil, err
+	}
+	// remove self from the runtime task list
+	// this seems dirty but it cleans up the API across runtimes, tasks, and the service
+	s.rtTasks.Delete(ctx, s.ID())
+	s.events.Publish(ctx, runtime.TaskDeleteEventTopic, &eventstypes.TaskDelete{
+		ContainerID: s.ID(),
+		ExitStatus:  response.ExitStatus,
+		ExitedAt:    response.ExitedAt,
+		Pid:         response.Pid,
+	})
+	return &runtime.Exit{
+		Status:    response.ExitStatus,
+		Timestamp: response.ExitedAt,
+		Pid:       response.Pid,
+	}, nil
+}
+
+func (s *shim) Create(ctx context.Context, opts runtime.CreateOpts) (runtime.Task, error) {
+	topts := opts.TaskOptions
+	if topts == nil {
+		topts = opts.RuntimeOptions
+	}
+	request := &task.CreateTaskRequest{
+		ID:         s.ID(),
+		Bundle:     s.bundle.Path,
+		Stdin:      opts.IO.Stdin,
+		Stdout:     opts.IO.Stdout,
+		Stderr:     opts.IO.Stderr,
+		Terminal:   opts.IO.Terminal,
+		Checkpoint: opts.Checkpoint,
+		Options:    topts,
+	}
+	for _, m := range opts.Rootfs {
+		request.Rootfs = append(request.Rootfs, &types.Mount{
+			Type:    m.Type,
+			Source:  m.Source,
+			Options: m.Options,
+		})
+	}
+	response, err := s.task.Create(ctx, request)
+	if err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	s.taskPid = int(response.Pid)
+	return s, nil
+}
+
+func (s *shim) Pause(ctx context.Context) error {
+	if _, err := s.task.Pause(ctx, empty); err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	s.events.Publish(ctx, runtime.TaskPausedEventTopic, &eventstypes.TaskPaused{
+		ContainerID: s.ID(),
+	})
+	return nil
+}
+
+func (s *shim) Resume(ctx context.Context) error {
+	if _, err := s.task.Resume(ctx, empty); err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	s.events.Publish(ctx, runtime.TaskResumedEventTopic, &eventstypes.TaskResumed{
+		ContainerID: s.ID(),
+	})
+	return nil
+}
+
+func (s *shim) Start(ctx context.Context) error {
+	response, err := s.task.Start(ctx, &task.StartRequest{
+		ID: s.ID(),
+	})
+	if err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	s.taskPid = int(response.Pid)
+	s.events.Publish(ctx, runtime.TaskStartEventTopic, &eventstypes.TaskStart{
+		ContainerID: s.ID(),
+		Pid:         uint32(s.taskPid),
+	})
+	return nil
+}
+
+func (s *shim) Kill(ctx context.Context, signal uint32, all bool) error {
+	if _, err := s.task.Kill(ctx, &task.KillRequest{
+		ID:     s.ID(),
+		Signal: signal,
+		All:    all,
+	}); err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+func (s *shim) Exec(ctx context.Context, id string, opts runtime.ExecOpts) (runtime.Process, error) {
+	if err := identifiers.Validate(id); err != nil {
+		return nil, errors.Wrapf(err, "invalid exec id %s", id)
+	}
+	request := &task.ExecProcessRequest{
+		ID:       id,
+		Stdin:    opts.IO.Stdin,
+		Stdout:   opts.IO.Stdout,
+		Stderr:   opts.IO.Stderr,
+		Terminal: opts.IO.Terminal,
+		Spec:     opts.Spec,
+	}
+	if _, err := s.task.Exec(ctx, request); err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	return &process{
+		id:   id,
+		shim: s,
+	}, nil
+}
+
+func (s *shim) Pids(ctx context.Context) ([]runtime.ProcessInfo, error) {
+	resp, err := s.task.Pids(ctx, &task.PidsRequest{
+		ID: s.ID(),
+	})
+	if err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	var processList []runtime.ProcessInfo
+	for _, p := range resp.Processes {
+		processList = append(processList, runtime.ProcessInfo{
+			Pid:  p.Pid,
+			Info: p.Info,
+		})
+	}
+	return processList, nil
+}
+
+func (s *shim) ResizePty(ctx context.Context, size runtime.ConsoleSize) error {
+	_, err := s.task.ResizePty(ctx, &task.ResizePtyRequest{
+		ID:     s.ID(),
+		Width:  size.Width,
+		Height: size.Height,
+	})
+	if err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+func (s *shim) CloseIO(ctx context.Context) error {
+	_, err := s.task.CloseIO(ctx, &task.CloseIORequest{
+		ID:    s.ID(),
+		Stdin: true,
+	})
+	if err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+func (s *shim) Wait(ctx context.Context) (*runtime.Exit, error) {
+	response, err := s.task.Wait(ctx, &task.WaitRequest{
+		ID: s.ID(),
+	})
+	if err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	return &runtime.Exit{
+		Pid:       uint32(s.taskPid),
+		Timestamp: response.ExitedAt,
+		Status:    response.ExitStatus,
+	}, nil
+}
+
+func (s *shim) Checkpoint(ctx context.Context, path string, options *ptypes.Any) error {
+	request := &task.CheckpointTaskRequest{
+		Path:    path,
+		Options: options,
+	}
+	if _, err := s.task.Checkpoint(ctx, request); err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	s.events.Publish(ctx, runtime.TaskCheckpointedEventTopic, &eventstypes.TaskCheckpointed{
+		ContainerID: s.ID(),
+	})
+	return nil
+}
+
+func (s *shim) Update(ctx context.Context, resources *ptypes.Any) error {
+	if _, err := s.task.Update(ctx, &task.UpdateTaskRequest{
+		Resources: resources,
+	}); err != nil {
+		return errdefs.FromGRPC(err)
+	}
+	return nil
+}
+
+func (s *shim) Stats(ctx context.Context) (*ptypes.Any, error) {
+	response, err := s.task.Stats(ctx, &task.StatsRequest{})
+	if err != nil {
+		return nil, errdefs.FromGRPC(err)
+	}
+	return response.Stats, nil
+}
+
+func (s *shim) Process(ctx context.Context, id string) (runtime.Process, error) {
+	return &process{
+		id:   id,
+		shim: s,
+	}, nil
+}
+
+func (s *shim) State(ctx context.Context) (runtime.State, error) {
+	response, err := s.task.State(ctx, &task.StateRequest{
+		ID: s.ID(),
+	})
+	if err != nil {
+		if errors.Cause(err) != ttrpc.ErrClosed {
+			return runtime.State{}, errdefs.FromGRPC(err)
+		}
+		return runtime.State{}, errdefs.ErrNotFound
+	}
+	var status runtime.Status
+	switch response.Status {
+	case tasktypes.StatusCreated:
+		status = runtime.CreatedStatus
+	case tasktypes.StatusRunning:
+		status = runtime.RunningStatus
+	case tasktypes.StatusStopped:
+		status = runtime.StoppedStatus
+	case tasktypes.StatusPaused:
+		status = runtime.PausedStatus
+	case tasktypes.StatusPausing:
+		status = runtime.PausingStatus
+	}
+	return runtime.State{
+		Pid:        response.Pid,
+		Status:     status,
+		Stdin:      response.Stdin,
+		Stdout:     response.Stdout,
+		Stderr:     response.Stderr,
+		Terminal:   response.Terminal,
+		ExitStatus: response.ExitStatus,
+		ExitedAt:   response.ExitedAt,
+	}, nil
+}

runtime/v2/shim/reaper_unix.go

@@ -0,0 +1,110 @@
+// +build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"os/exec"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/sys"
+	runc "github.com/containerd/go-runc"
+	"github.com/pkg/errors"
+)
+
+// ErrNoSuchProcess is returned when the process no longer exists
+var ErrNoSuchProcess = errors.New("no such process")
+
+const bufferSize = 32
+
+// Reap should be called when the process receives an SIGCHLD.  Reap will reap
+// all exited processes and close their wait channels
+func Reap() error {
+	now := time.Now()
+	exits, err := sys.Reap(false)
+	Default.Lock()
+	for c := range Default.subscribers {
+		for _, e := range exits {
+			c <- runc.Exit{
+				Timestamp: now,
+				Pid:       e.Pid,
+				Status:    e.Status,
+			}
+		}
+
+	}
+	Default.Unlock()
+	return err
+}
+
+// Default is the default monitor initialized for the package
+var Default = &Monitor{
+	subscribers: make(map[chan runc.Exit]struct{}),
+}
+
+// Monitor monitors the underlying system for process status changes
+type Monitor struct {
+	sync.Mutex
+
+	subscribers map[chan runc.Exit]struct{}
+}
+
+// Start starts the command a registers the process with the reaper
+func (m *Monitor) Start(c *exec.Cmd) (chan runc.Exit, error) {
+	ec := m.Subscribe()
+	if err := c.Start(); err != nil {
+		m.Unsubscribe(ec)
+		return nil, err
+	}
+	return ec, nil
+}
+
+// Wait blocks until a process is signal as dead.
+// User should rely on the value of the exit status to determine if the
+// command was successful or not.
+func (m *Monitor) Wait(c *exec.Cmd, ec chan runc.Exit) (int, error) {
+	for e := range ec {
+		if e.Pid == c.Process.Pid {
+			// make sure we flush all IO
+			c.Wait()
+			m.Unsubscribe(ec)
+			return e.Status, nil
+		}
+	}
+	// return no such process if the ec channel is closed and no more exit
+	// events will be sent
+	return -1, ErrNoSuchProcess
+}
+
+// Subscribe to process exit changes
+func (m *Monitor) Subscribe() chan runc.Exit {
+	c := make(chan runc.Exit, bufferSize)
+	m.Lock()
+	m.subscribers[c] = struct{}{}
+	m.Unlock()
+	return c
+}
+
+// Unsubscribe to process exit changes
+func (m *Monitor) Unsubscribe(c chan runc.Exit) {
+	m.Lock()
+	delete(m.subscribers, c)
+	close(c)
+	m.Unlock()
+}

runtime/v2/shim/shim.go

@@ -0,0 +1,290 @@
+// +build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"bytes"
+	"context"
+	"flag"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"os/signal"
+	"runtime"
+	"runtime/debug"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/containerd/containerd/events"
+	"github.com/containerd/containerd/namespaces"
+	shimapi "github.com/containerd/containerd/runtime/v2/task"
+	"github.com/containerd/ttrpc"
+	"github.com/containerd/typeurl"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// Client for a shim server
+type Client struct {
+	service shimapi.TaskService
+	context context.Context
+	signals chan os.Signal
+}
+
+// Init func for the creation of a shim server
+type Init func(context.Context, string, events.Publisher) (Shim, error)
+
+// Shim server interface
+type Shim interface {
+	shimapi.TaskService
+	Cleanup(ctx context.Context) (*shimapi.DeleteResponse, error)
+}
+
+var (
+	debugFlag            bool
+	idFlag               string
+	namespaceFlag        string
+	socketFlag           string
+	addressFlag          string
+	containerdBinaryFlag string
+	action               string
+)
+
+func parseFlags() {
+	flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
+	flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim")
+	flag.StringVar(&idFlag, "id", "", "id of the shim")
+	flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve")
+
+	flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd")
+	flag.StringVar(&containerdBinaryFlag, "publish-binary", "containerd", "path to publish binary (used for publishing events)")
+
+	flag.Parse()
+	action = flag.Arg(0)
+}
+
+func setRuntime() {
+	debug.SetGCPercent(40)
+	go func() {
+		for range time.Tick(30 * time.Second) {
+			debug.FreeOSMemory()
+		}
+	}()
+	if debugFlag {
+		f, err := os.OpenFile("shim.log", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "open should log %s", err)
+			os.Exit(1)
+		}
+		logrus.SetLevel(logrus.DebugLevel)
+		logrus.SetOutput(f)
+	}
+	if os.Getenv("GOMAXPROCS") == "" {
+		// If GOMAXPROCS hasn't been set, we default to a value of 2 to reduce
+		// the number of Go stacks present in the shim.
+		runtime.GOMAXPROCS(2)
+	}
+}
+
+// Run initializes and runs a shim server
+func Run(initFunc Init) error {
+	parseFlags()
+	setRuntime()
+
+	signals, err := setupSignals()
+	if err != nil {
+		return err
+	}
+	if err := subreaper(); err != nil {
+		return err
+	}
+	publisher := &remoteEventsPublisher{
+		address:              addressFlag,
+		containerdBinaryPath: containerdBinaryFlag,
+	}
+	if namespaceFlag == "" {
+		return fmt.Errorf("shim namespace cannot be empty")
+	}
+	ctx := namespaces.WithNamespace(context.Background(), namespaceFlag)
+	service, err := initFunc(ctx, idFlag, publisher)
+	if err != nil {
+		return err
+	}
+	switch action {
+	case "delete":
+		logger := logrus.WithFields(logrus.Fields{
+			"pid":       os.Getpid(),
+			"namespace": namespaceFlag,
+		})
+		go handleSignals(logger, signals)
+		response, err := service.Cleanup(ctx)
+		if err != nil {
+			return err
+		}
+		data, err := response.Marshal()
+		if err != nil {
+			return err
+		}
+		if _, err := os.Stdout.Write(data); err != nil {
+			return err
+		}
+		return nil
+	default:
+		client := NewShimClient(ctx, service, signals)
+		return client.Serve()
+	}
+}
+
+// NewShimClient creates a new shim server client
+func NewShimClient(ctx context.Context, svc shimapi.TaskService, signals chan os.Signal) *Client {
+	s := &Client{
+		service: svc,
+		context: ctx,
+		signals: signals,
+	}
+	return s
+}
+
+// Serve the shim server
+func (s *Client) Serve() error {
+	dump := make(chan os.Signal, 32)
+	signal.Notify(dump, syscall.SIGUSR1)
+
+	path, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	server, err := newServer()
+	if err != nil {
+		return errors.Wrap(err, "failed creating server")
+	}
+
+	logrus.Debug("registering ttrpc server")
+	shimapi.RegisterTaskService(server, s.service)
+
+	if err := serve(s.context, server, socketFlag); err != nil {
+		return err
+	}
+	logger := logrus.WithFields(logrus.Fields{
+		"pid":       os.Getpid(),
+		"path":      path,
+		"namespace": namespaceFlag,
+	})
+	go func() {
+		for range dump {
+			dumpStacks(logger)
+		}
+	}()
+	return handleSignals(logger, s.signals)
+}
+
+// serve serves the ttrpc API over a unix socket at the provided path
+// this function does not block
+func serve(ctx context.Context, server *ttrpc.Server, path string) error {
+	var (
+		l   net.Listener
+		err error
+	)
+	if path == "" {
+		l, err = net.FileListener(os.NewFile(3, "socket"))
+		path = "[inherited from parent]"
+	} else {
+		if len(path) > 106 {
+			return errors.Errorf("%q: unix socket path too long (> 106)", path)
+		}
+		l, err = net.Listen("unix", "\x00"+path)
+	}
+	if err != nil {
+		return err
+	}
+	logrus.WithField("socket", path).Debug("serving api on unix socket")
+	go func() {
+		defer l.Close()
+		if err := server.Serve(ctx, l); err != nil &&
+			!strings.Contains(err.Error(), "use of closed network connection") {
+			logrus.WithError(err).Fatal("containerd-shim: ttrpc server failure")
+		}
+	}()
+	return nil
+}
+
+func handleSignals(logger *logrus.Entry, signals chan os.Signal) error {
+	logger.Info("starting signal loop")
+	for {
+		select {
+		case s := <-signals:
+			switch s {
+			case unix.SIGCHLD:
+				if err := Reap(); err != nil {
+					logger.WithError(err).Error("reap exit status")
+				}
+			case unix.SIGPIPE:
+			}
+		}
+	}
+}
+
+func dumpStacks(logger *logrus.Entry) {
+	var (
+		buf       []byte
+		stackSize int
+	)
+	bufferLen := 16384
+	for stackSize == len(buf) {
+		buf = make([]byte, bufferLen)
+		stackSize = runtime.Stack(buf, true)
+		bufferLen *= 2
+	}
+	buf = buf[:stackSize]
+	logger.Infof("=== BEGIN goroutine stack dump ===\n%s\n=== END goroutine stack dump ===", buf)
+}
+
+type remoteEventsPublisher struct {
+	address              string
+	containerdBinaryPath string
+}
+
+func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event events.Event) error {
+	ns, _ := namespaces.Namespace(ctx)
+	encoded, err := typeurl.MarshalAny(event)
+	if err != nil {
+		return err
+	}
+	data, err := encoded.Marshal()
+	if err != nil {
+		return err
+	}
+	cmd := exec.CommandContext(ctx, l.containerdBinaryPath, "--address", l.address, "publish", "--topic", topic, "--namespace", ns)
+	cmd.Stdin = bytes.NewReader(data)
+	c, err := Default.Start(cmd)
+	if err != nil {
+		return err
+	}
+	status, err := Default.Wait(cmd, c)
+	if err != nil {
+		return err
+	}
+	if status != 0 {
+		return errors.New("failed to publish event")
+	}
+	return nil
+}

runtime/v2/shim/shim_darwin.go

@@ -0,0 +1,45 @@
+// +build darwin
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"os"
+	"os/signal"
+
+	"github.com/containerd/ttrpc"
+)
+
+// setupSignals creates a new signal handler for all signals and sets the shim as a
+// sub-reaper so that the container processes are reparented
+func setupSignals() (chan os.Signal, error) {
+	signals := make(chan os.Signal, 2048)
+	signal.Notify(signals)
+	return signals, nil
+}
+
+func newServer() (*ttrpc.Server, error) {
+	// for darwin, we omit the socket credentials because these syscalls are
+	// slightly different. since we don't have darwin support yet, this can be
+	// implemented later and the build can continue without issue.
+	return ttrpc.NewServer()
+}
+
+func subreaper() error {
+	return nil
+}

runtime/v2/shim/shim_linux.go

@@ -0,0 +1,42 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"os"
+	"os/signal"
+
+	"github.com/containerd/containerd/sys"
+	"github.com/containerd/ttrpc"
+	"golang.org/x/sys/unix"
+)
+
+// setupSignals creates a new signal handler for all signals and sets the shim as a
+// sub-reaper so that the container processes are reparented
+func setupSignals() (chan os.Signal, error) {
+	signals := make(chan os.Signal, 32)
+	signal.Notify(signals, unix.SIGTERM, unix.SIGINT, unix.SIGCHLD, unix.SIGPIPE)
+	return signals, nil
+}
+
+func newServer() (*ttrpc.Server, error) {
+	return ttrpc.NewServer(ttrpc.WithServerHandshaker(ttrpc.UnixSocketRequireSameUser()))
+}
+
+func subreaper() error {
+	return sys.SetSubreaper(1)
+}

runtime/v2/shim/shim_unix.go

@@ -0,0 +1,42 @@
+// +build !linux,!windows,!darwin
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"os"
+	"os/signal"
+
+	"github.com/containerd/ttrpc"
+)
+
+// setupSignals creates a new signal handler for all signals and sets the shim as a
+// sub-reaper so that the container processes are reparented
+func setupSignals() (chan os.Signal, error) {
+	signals := make(chan os.Signal, 2048)
+	signal.Notify(signals)
+	return signals, nil
+}
+
+func newServer() (*ttrpc.Server, error) {
+	return ttrpc.NewServer(ttrpc.WithServerHandshaker(ttrpc.UnixSocketRequireSameUser()))
+}
+
+func subreaper() error {
+	return nil
+}

runtime/v2/shim_linux.go

@@ -0,0 +1,38 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"syscall"
+
+	"github.com/containerd/containerd/sys"
+	"golang.org/x/sys/unix"
+)
+
+func getSysProcAttr() *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+}
+
+func terminate(pid int) error {
+	return unix.Kill(pid, unix.SIGKILL)
+}
+
+func setScore(pid int) error {
+	return sys.SetOOMScore(pid, sys.OOMScoreMaxKillable)
+}

runtime/v2/shim_unix.go

@@ -0,0 +1,39 @@
+// +build !linux,!windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+func getSysProcAttr() *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+}
+
+func terminate(pid int) error {
+	return unix.Kill(pid, unix.SIGKILL)
+}
+
+func setScore(pid int) error {
+	return nil
+}

runtime/v2/shim_windows.go

@@ -0,0 +1,38 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"os"
+	"syscall"
+)
+
+func getSysProcAttr() *syscall.SysProcAttr {
+	return nil
+}
+
+func terminate(pid int) error {
+	p, err := os.FindProcess(pid)
+	if err != nil {
+		return err
+	}
+	return p.Kill()
+}
+
+func setScore(pid int) error {
+	return nil
+}

runtime/v2/task/doc.go

@@ -0,0 +1,17 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package task

runtime/v2/task/shim.proto

@@ -0,0 +1,166 @@
+syntax = "proto3";
+
+package containerd.task.v2;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/empty.proto";
+import weak "gogoproto/gogo.proto";
+import "google/protobuf/timestamp.proto";
+import "github.com/containerd/containerd/api/types/mount.proto";
+import "github.com/containerd/containerd/api/types/task/task.proto";
+
+option go_package = "github.com/containerd/containerd/runtime/v2/task;task";
+
+// Shim service is launched for each container and is responsible for owning the IO
+// for the container and its additional processes.  The shim is also the parent of
+// each container and allows reattaching to the IO and receiving the exit status
+// for the container processes.
+service Task {
+	rpc State(StateRequest) returns (StateResponse);
+	rpc Create(CreateTaskRequest) returns (CreateTaskResponse);
+	rpc Start(StartRequest) returns (StartResponse);
+	rpc Delete(DeleteRequest) returns (DeleteResponse);
+	rpc Pids(PidsRequest) returns (PidsResponse);
+	rpc Pause(google.protobuf.Empty) returns (google.protobuf.Empty);
+	rpc Resume(google.protobuf.Empty) returns (google.protobuf.Empty);
+	rpc Checkpoint(CheckpointTaskRequest) returns (google.protobuf.Empty);
+	rpc Kill(KillRequest) returns (google.protobuf.Empty);
+	rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty);
+	rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty);
+	rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty);
+	rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty);
+	rpc Wait(WaitRequest) returns (WaitResponse);
+	rpc Stats(StatsRequest) returns (StatsResponse);
+	rpc Connect(ConnectRequest) returns (ConnectResponse);
+	rpc Shutdown(ShutdownRequest) returns (google.protobuf.Empty);
+}
+
+message CreateTaskRequest {
+	string id = 1;
+	string bundle = 2;
+	repeated containerd.types.Mount rootfs = 3;
+	bool terminal = 4;
+	string stdin = 5;
+	string stdout = 6;
+	string stderr = 7;
+	string checkpoint = 8;
+	string parent_checkpoint = 9;
+	google.protobuf.Any options = 10;
+}
+
+message CreateTaskResponse {
+	uint32 pid = 1;
+}
+
+message DeleteRequest {
+	string id = 1;
+}
+
+message DeleteResponse {
+	uint32 pid = 1;
+	uint32 exit_status = 2;
+	google.protobuf.Timestamp exited_at = 3 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+}
+
+message ExecProcessRequest {
+	string id = 1;
+	bool terminal = 2;
+	string stdin = 3;
+	string stdout = 4;
+	string stderr = 5;
+	google.protobuf.Any spec = 6;
+}
+
+message ExecProcessResponse {
+}
+
+message ResizePtyRequest {
+	string id = 1;
+	uint32 width = 2;
+	uint32 height = 3;
+}
+
+message StateRequest {
+	string id = 1;
+}
+
+message StateResponse {
+	string id = 1;
+	string bundle = 2;
+	uint32 pid = 3;
+	containerd.v1.types.Status status = 4;
+	string stdin = 5;
+	string stdout = 6;
+	string stderr = 7;
+	bool terminal = 8;
+	uint32 exit_status = 9;
+	google.protobuf.Timestamp exited_at = 10 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+}
+
+message KillRequest {
+	string id = 1;
+	uint32 signal = 2;
+	bool all = 3;
+}
+
+message CloseIORequest {
+	string id = 1;
+	bool stdin = 2;
+}
+
+message PidsRequest {
+	string id = 1;
+}
+
+message PidsResponse {
+	repeated containerd.v1.types.ProcessInfo processes = 1;
+}
+
+message CheckpointTaskRequest {
+	string path = 1;
+	google.protobuf.Any options = 2;
+}
+
+message UpdateTaskRequest {
+	google.protobuf.Any resources = 1;
+}
+
+message StartRequest {
+	string id = 1;
+}
+
+message StartResponse {
+	string id = 1;
+	uint32 pid = 2;
+}
+
+message WaitRequest {
+	string id = 1;
+}
+
+message WaitResponse {
+	uint32 exit_status = 1;
+	google.protobuf.Timestamp exited_at = 2 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+}
+
+message StatsRequest {
+
+}
+
+message StatsResponse {
+	google.protobuf.Any stats = 1;
+}
+
+message ConnectRequest {
+
+}
+
+message ConnectResponse {
+	uint32 shim_pid = 1;
+	uint32 task_pid = 2;
+	string version = 3;
+}
+
+message ShutdownRequest {
+	bool now = 1;
+}

runtime/v2/util.go

@@ -0,0 +1,115 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package v2
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/containerd/containerd/namespaces"
+	"github.com/pkg/errors"
+)
+
+const shimBinaryFormat = "containerd-shim-%s-%s"
+
+func shimCommand(ctx context.Context, runtime, containerdAddress string, bundle *Bundle, cmdArgs ...string) (*exec.Cmd, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	self, err := os.Executable()
+	if err != nil {
+		return nil, err
+	}
+	args := []string{
+		"-namespace", ns,
+		"-address", containerdAddress,
+		"-publish-binary", self,
+	}
+	args = append(args, cmdArgs...)
+	name := getShimBinaryName(runtime)
+	if _, err := exec.LookPath(name); err != nil {
+		if eerr, ok := err.(*exec.Error); ok {
+			if eerr.Err == exec.ErrNotFound {
+				return nil, errors.Wrapf(os.ErrNotExist, "runtime %q binary not installed %q", runtime, name)
+			}
+		}
+	}
+	cmd := exec.Command(name, args...)
+	cmd.Dir = bundle.Path
+	cmd.Env = append(os.Environ(), "GOMAXPROCS=2")
+	cmd.SysProcAttr = getSysProcAttr()
+	return cmd, nil
+}
+
+func getShimBinaryName(runtime string) string {
+	parts := strings.Split(runtime, ".")
+	// TODO: add validation for runtime
+	return fmt.Sprintf(shimBinaryFormat, parts[len(parts)-2], parts[len(parts)-1])
+}
+
+func abstractAddress(ctx context.Context, id string) (string, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(string(filepath.Separator), "containerd-shim", ns, id, "shim.sock"), nil
+}
+
+func connect(address string, d func(string, time.Duration) (net.Conn, error)) (net.Conn, error) {
+	return d(address, 100*time.Second)
+}
+
+func annonDialer(address string, timeout time.Duration) (net.Conn, error) {
+	address = strings.TrimPrefix(address, "unix://")
+	return net.DialTimeout("unix", "\x00"+address, timeout)
+}
+
+func newSocket(address string) (*net.UnixListener, error) {
+	if len(address) > 106 {
+		return nil, errors.Errorf("%q: unix socket path too long (> 106)", address)
+	}
+	l, err := net.Listen("unix", "\x00"+address)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to listen to abstract unix socket %q", address)
+	}
+	return l.(*net.UnixListener), nil
+}
+
+func writePidFile(path string, pid int) error {
+	path, err := filepath.Abs(path)
+	if err != nil {
+		return err
+	}
+	tempPath := filepath.Join(filepath.Dir(path), fmt.Sprintf(".%s", filepath.Base(path)))
+	f, err := os.OpenFile(tempPath, os.O_RDWR|os.O_CREATE|os.O_EXCL|os.O_SYNC, 0666)
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprintf(f, "%d", pid)
+	f.Close()
+	if err != nil {
+		return err
+	}
+	return os.Rename(tempPath, path)
+}